
Windows Analysis Report
dxwebsetup.exe

Overview

General Information

Sample name: dxwebsetup.exe
Analysis ID: 1574539
MD5: 2cca969570717a0af4f2531eb69cc7c9
SHA1: 692243584cca03a41bab00ae6113e6e7a3d14863
SHA256: a9971d2f3b8c1611723938a3ea6578c27f31049d3297e607cf0ee6927a4a26c7
Tags: exe, RedlineStealer, user-lontze7

Detection

Neshta
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Neshta
Creates an undocumented autostart registry key
Drops PE files with a suspicious file extension
Drops executable to a common third party application directory
Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Writes many files with high entropy
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Installs a raw input device (often for capturing keystrokes)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
Sample file is different than original file name gathered from version info
Sigma detected: Classes Autorun Keys Modification
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • dxwebsetup.exe (PID: 7340 cmdline: "C:\Users\user\Desktop\dxwebsetup.exe" MD5: 2CCA969570717A0AF4F2531EB69CC7C9)
    • dxwebsetup.exe (PID: 7380 cmdline: "C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe" MD5: 2CBD6AD183914A0C554F0739069E77D7)
      • dxwsetup.exe (PID: 7400 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe MD5: AC3A5F7BE8CD13A863B50AB5FE00B71C)
  • cleanup
No configs have been found
Initial sample:
Source | Rule | Description | Author | Strings
dxwebsetup.exe | JoeSecurity_Neshta | Yara detected Neshta | Joe Security
dxwebsetup.exe | MALWARE_Win_Neshta | Detects Neshta | ditekSHen
  • 0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus.
  • 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]

Dropped files:
Source | Rule | Description | Author | Strings
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe | JoeSecurity_Neshta | Yara detected Neshta | Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe | MALWARE_Win_Neshta | Detects Neshta | ditekSHen
  • 0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus.
  • 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe | JoeSecurity_Neshta | Yara detected Neshta | Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe | MALWARE_Win_Neshta | Detects Neshta | ditekSHen
  • 0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus.
  • 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe | JoeSecurity_Neshta | Yara detected Neshta | Joe Security
(299 entries in total; the remaining dropped-file matches are not included in this export)

Memory dumps:
Source | Rule | Description | Author | Strings
00000000.00000002.2266925011.0000000000409000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_Neshta | Yara detected Neshta | Joe Security
Process Memory Space: dxwebsetup.exe PID: 7340 | JoeSecurity_Neshta | Yara detected Neshta | Joe Security

Unpacked PEs:
Source | Rule | Description | Author | Strings
0.0.dxwebsetup.exe.400000.0.unpack | JoeSecurity_Neshta | Yara detected Neshta | Joe Security
0.0.dxwebsetup.exe.400000.0.unpack | MALWARE_Win_Neshta | Detects Neshta | ditekSHen
  • 0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus.
  • 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
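The two marker strings above are the whole basis of the MALWARE_Win_Neshta hit, and the same two strings reappear at the same offsets in every infected host listed under "Dropped files". The following scanner is an added example, not code from the Joe Sandbox report or from the rule authors (Joe Security, ditekSHen): it is a Python stand-in for that rule that reports marker offsets the way the Yara output does (0xa0e0, 0xa1a8) and walks a directory tree for infected .exe files. The rule condition "both strings must be present" and the constructed test blob are assumptions, not taken from the page.

```python
"""Neshta marker scan: a Python stand-in for the two-string Yara rule shown above.

Added example, not from the Joe Sandbox report or from Joe Security / ditekSHen.
"""
import os
from typing import Dict, List, Tuple

# The two marker strings listed in the Yara hits above ($s1 and $s2).
NESHTA_MARKERS: Dict[str, bytes] = {
    "$s1": b"Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus.",
    "$s2": b"! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]",
}


def find_markers(data: bytes) -> List[Tuple[str, int]]:
    """Return every (marker_name, offset) occurrence in data, sorted by offset."""
    hits = []
    for name, needle in NESHTA_MARKERS.items():
        start = 0
        while True:
            idx = data.find(needle, start)
            if idx < 0:
                break
            hits.append((name, idx))
            start = idx + 1
    return sorted(hits, key=lambda h: h[1])


def is_neshta_infected(data: bytes) -> bool:
    """Match only when BOTH markers are present (assumption: a single marker on its
    own is more likely a report, a hex dump or a string table than an infected host)."""
    found = {name for name, _ in find_markers(data)}
    return found == set(NESHTA_MARKERS)


def scan_tree(root: str, exts=(".exe",)) -> Dict[str, List[Tuple[str, int]]]:
    """Walk root and return {path: marker hits} for every file with a matching
    extension that carries both markers. Files are read whole; unreadable ones are skipped."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            if is_neshta_infected(data):
                results[path] = find_markers(data)
    return results


def build_sample(marker_offsets=((0xA0E0, "$s1"), (0xA1A8, "$s2")), size=0xB000) -> bytes:
    """Constructed test input: a zero-filled blob with an MZ header and the markers placed
    at the offsets the report shows. This is not a real Neshta body."""
    buf = bytearray(b"MZ" + b"\x00" * (size - 2))
    for off, name in marker_offsets:
        needle = NESHTA_MARKERS[name]
        buf[off:off + len(needle)] = needle
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample()
    for name, off in find_markers(sample):
        print(f"{off:#x}:{name}")
    print("infected:", is_neshta_infected(sample))
```

Run `scan_tree(r"C:\Program Files (x86)")` on a host that shows the behaviour in this report and the result lists the same Office, Java, Google Update and AutoIt binaries that appear under "AV Detection" below; the offsets in each hit will match the Yara output because Neshta prepends its own body to every host it infects, so the markers sit at the same position in every victim.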

                System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Windows\svchost.com "%1" %*, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\dxwebsetup.exe, ProcessId: 7340, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default)
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe, ProcessId: 7380, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
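The two Sigma hits above are not of equal weight. The first one is the Neshta persistence mechanism: the (Default) value of HKLM\SOFTWARE\Classes\exefile\shell\open\command is normally `"%1" %*`, so prefixing it with C:\Windows\svchost.com makes that file run in front of every .exe the user launches. The second one is written by the inner, clean dxwebsetup.exe (the wextract package that the infected parent unpacked to %TEMP%\3582-490\), and a RunOnce value named wextract_cleanup<N> that calls advpack.dll,DelNodeRunDLL32 is the standard self-cleanup a Microsoft wextract/IExpress package registers to delete its temp directory; on its own it is not malicious. The triage function below is an added example, not code from the report or from the Sigma rule authors: it evaluates Sysmon Event ID 13 records constructed from the fields shown above and separates the two cases. The severity labels are an assumption of this example.

```python
"""Triage of Sysmon registry SetValue events (Event ID 13) for the exefile hijack
and RunOnce persistence shown in the Sigma hits above.

Added example, not from the Joe Sandbox report or the Sigma rule authors. The sample
records are constructed from the fields the report lists; severities are assumptions.
"""
import re
from typing import Dict, List

# Stock value of HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default) on a clean system.
STOCK_EXEFILE_COMMAND = '"%1" %*'

# The (Default) value under this key decides how every .exe is started; any program placed
# in front of "%1" is executed on each launch (Neshta does this with C:\Windows\svchost.com).
EXEFILE_OPEN_COMMAND = re.compile(
    r"\\Classes\\exefile\\shell\\open\\command\\\(Default\)$", re.IGNORECASE
)
# RunOnce values. wextract_cleanup<N> with advpack.dll,DelNodeRunDLL32 is the self-cleanup
# that a Microsoft wextract/IExpress package writes to remove its temp directory.
RUNONCE_KEY = re.compile(r"\\CurrentVersion\\RunOnce\\(?P<name>[^\\]+)$", re.IGNORECASE)

# Constructed from the two Sigma hits in the report above.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "13", "EventType": "SetValue", "ProcessId": "7340",
     "Image": r"C:\Users\user\Desktop\dxwebsetup.exe",
     "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default)",
     "Details": r'C:\Windows\svchost.com "%1" %*'},
    {"EventID": "13", "EventType": "SetValue", "ProcessId": "7380",
     "Image": r"C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe",
     "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "Details": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"'},
]


def triage_event(ev: Dict[str, str]) -> Dict[str, str]:
    """Classify one registry event. Returns {"severity": ..., "reason": ...}."""
    if ev.get("EventID") != "13" or ev.get("EventType") != "SetValue":
        return {"severity": "none", "reason": "not a registry SetValue event"}
    target, details = ev.get("TargetObject", ""), ev.get("Details", "")

    if EXEFILE_OPEN_COMMAND.search(target):
        if details.strip() == STOCK_EXEFILE_COMMAND:
            return {"severity": "low", "reason": "exefile open command set to stock value"}
        # Whatever precedes "%1" is interposed before every .exe launch.
        launcher = details.split('"%1"')[0].strip() or details
        return {"severity": "high",
                "reason": f"exefile open command hijacked; launcher={launcher} "
                          f"set by {ev.get('Image')} (pid {ev.get('ProcessId')})"}

    m = RUNONCE_KEY.search(target)
    if m:
        name = m.group("name")
        if name.lower().startswith("wextract_cleanup") and "DelNodeRunDLL32" in details:
            return {"severity": "info", "reason": f"RunOnce {name}: wextract package self-cleanup"}
        return {"severity": "medium", "reason": f"RunOnce {name} set: {details}"}

    return {"severity": "none", "reason": "registry key not in scope of this triage"}


def triage(events: List[Dict[str, str]]) -> List[str]:
    """Severity of every event, in input order, for a one-line summary."""
    return [triage_event(e)["severity"] for e in events]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage_event(ev))
```

Feeding the two records from this report yields `high` for the exefile hijack and `info` for the wextract cleanup. In a live investigation the `high` finding is also the remediation pointer: the value must be restored to `"%1" %*` and C:\Windows\svchost.com removed, otherwise every cleaned executable is re-infected on its next launch.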
                No Suricata rule has matched


                AV Detection

Source: dxwebsetup.exe | Avira: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe | ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe | ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe | ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE | ReversingLabs: Detection: 100%
Source: dxwebsetup.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | Joe Sandbox ML: detected
Source: dxwebsetup.exe | Joe Sandbox ML: detected
Source: dxwebsetup.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Window detected: Installing Microsoft(R) DirectX(R) / Welcome to setup for DirectX / The DirectX setup wizard guides you through installation of DirectX Runtime Components. Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement. You must accept the agreement to continue the setup. MICROSOFT SOFTWARE LICENSE TERMS / MICROSOFT DIRECTX END USER RUNTIME / These license terms are an agreement between Microsoft Corporation (or based on where you live one of its affiliates) and you. Please read them. They apply to the software named above which includes the media on which you received it if any. The terms also apply to any Microsoft * updates * supplements * Internet-based services and * support services for this software unless other terms accompany those items. If so those terms apply. BY USING THE SOFTWARE YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM DO NOT USE THE SOFTWARE. If you comply with these license terms you have the rights below. 1. INSTALLATION AND USE RIGHTS. You may install and use any number of copies of the software on your devices. 2. SCOPE OF LICENSE. The software is licensed not sold. This agreement only gives you some rights to use the software. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may not * work around any technical limitations in the software; * reverse engineer decompile or disassemble the software except and only to the extent that applicable law expressly permits despite this limitation; * make more copies of the software than specified in this agreement or allowed by applicable law despite this limitation; * publish the software for others to copy; * rent lease or lend the software; * transfer the software or this agreement to any third party; or * use the software for commercial software hosting services. 3. BACKUP COPY. You may make one backup copy of the software. You may use it only to reinstall the software. 4. DOCUMENTATION. Any person that has valid access to your computer or internal network may copy and use the documentation for your internal reference purposes. 5. EXPORT RESTRICTIONS. The software is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software. These laws include restrictions on destinations end users and end use. For additional information see www.microsoft.com/exporting. 6. SUPPORT SERVICES. Because this software is as is we may not provide support services for it. 7. ENTIRE AGREEMENT. This agreement and the terms for supplements updates Internet-based services and support services that you use are the entire agreement for the software and support services. 8. APPLICABLE LAW. a. United States. If you acquired the s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdb source: pwahelper.exe.0.dr
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdb source: cookie_exporter.exe.0.dr
                Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: armsvc.exe.0.dr
                Source: Binary string: wextract.pdb source: dxwebsetup.exe
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdb source: AppSharingHookController.exe.0.dr
                Source: Binary string: AppVDllSurrogate64.pdb source: AppVDllSurrogate64.exe.0.dr
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdbOGP source: identity_helper.exe.0.dr
                Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb source: DW20.EXE.0.dr
                Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\aimgr.pdb# source: aimgr.exe0.0.dr
                Source: Binary string: wextract.pdbU source: dxwebsetup.exe
                Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection64.pdb source: Common.DBConnection64.exe.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoev.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: msoev.exe.0.dr
                Source: Binary string: MicrosoftEdgeUpdate_unsigned.pdb source: MicrosoftEdgeUpdate.exe.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CNFNOT32.EXE.0.dr
                Source: Binary string: GoogleCrashHandler64_unsigned.pdb source: GoogleCrashHandler64.exe.0.dr
                Source: Binary string: dsetup32.pdb source: SETB559.tmp.2.dr
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdb source: msedge_pwa_launcher.exe.0.dr
                Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe.pdb source: Aut2exe.exe.0.dr
                Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdb source: AdobeARMHelper.exe.0.dr
                Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.**\ source: dxwebsetup.exe, 00000000.00000003.2266544719.0000000000763000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.0.dr
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb00 source: unpack200.exe.0.dr
                Source: Binary string: r.pdb source: AppSharingHookController.exe.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb source: GRAPH.EXE.0.dr
                Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.0.dr
                Source: Binary string: VSTOInstaller.pdb source: VSTOInstaller.exe.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CLVIEW.EXE.0.dr
                Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\aimgr.pdb source: aimgr.exe0.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdblper.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SDXHelper.exe.0.dr
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdbOGP source: cookie_exporter.exe.0.dr
                Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\aimgr.pdb source: aimgr.exe.0.dr
                Source: Binary string: MpCmdRun.pdbGCTL source: MpCmdRun.exe0.0.dr
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdbOGP source: msedge_pwa_launcher.exe.0.dr
                Source: Binary string: AppVDllSurrogate64.pdbGCTL source: AppVDllSurrogate64.exe.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoev.pdb source: msoev.exe.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb source: CNFNOT32.EXE.0.dr
                Source: Binary string: MpCmdRun.pdb source: MpCmdRun.exe0.0.dr
                Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdbr source: AdobeARMHelper.exe.0.dr
                Source: Binary string: GoogleCrashHandler64_unsigned.pdbl source: GoogleCrashHandler64.exe.0.dr
                Source: Binary string: MpDlpCmd.pdbGCTL source: MpDlpCmd.exe.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb source: WINWORD.EXE.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: WINWORD.EXE.0.dr
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb<<7 source: ssvagent.exe.0.dr
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb source: ssvagent.exe.0.dr
                Source: Binary string: lper.pdb source: SDXHelper.exe.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: AppSharingHookController.exe.0.dr
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdbOGP source: pwahelper.exe.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb source: CLVIEW.EXE.0.dr
                Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\DatabaseCompare.pdb source: DATABASECOMPARE.EXE.0.dr
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdb source: identity_helper.exe.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdb source: SDXHelper.exe.0.dr
                Source: Binary string: MpDlpCmd.pdb source: MpDlpCmd.exe.0.dr
                Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: DW20.EXE.0.dr
                Source: Binary string: dxwsetup.pdb source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685431955.0000000000DA1000.00000020.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe.0.dr
                Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: GRAPH.EXE.0.dr

                Spreading

                barindex
                Source: Yara match, File source: dxwebsetup.exe, type: SAMPLE
                Source: Yara match, File source: 0.0.dxwebsetup.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000000.00000002.2266925011.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: dxwebsetup.exe PID: 7340, type: MEMORYSTR
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe, type: DROPPED
                Source: Yara match, File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED
                Source: Yara match, File source: C:\Windows\svchost.com, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED
                Source: Yara match, File source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED
                Source: Yara match, File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
                Source: Yara match, File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED
                Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED
                Source: Yara match, File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPED
                Source: Yara match, File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPED
                Source: Yara match, File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED
                Source: Yara match, File source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe, type: DROPPED
                Source: Yara match, File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPED
                Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Users\user\AppData\Local\Temp\chrome.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe, System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXEJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXEJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXEJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXEJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXEJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\AutoIt3\Uninstall.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXEJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXEJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXEJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXEJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXEJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: z:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: x:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: v:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: t:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: r:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: p:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: n:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: l:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: j:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: h:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: f:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: b:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: y:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: w:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: u:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: s:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: q:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: o:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: m:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: k:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: i:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: g:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: e:
Source: C:\Users\user\Desktop\dxwebsetup.exe | File opened: c:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: a:
Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe | Code function: 1_2_01001C7F lstrcpyA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,lstrcpyA,lstrcmpA,lstrcmpA,lstrcatA,lstrcatA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,1_2_01001C7F
Source: C:\Users\user\Desktop\dxwebsetup.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\
Source: C:\Users\user\Desktop\dxwebsetup.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\
Source: C:\Users\user\Desktop\dxwebsetup.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\
Source: C:\Users\user\Desktop\dxwebsetup.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\
Source: C:\Users\user\Desktop\dxwebsetup.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\
Source: C:\Users\user\Desktop\dxwebsetup.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\
Source: integrator.exe.0.dr | String found in binary or memory: http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: dxwsetup.exe, 00000002.00000003.1882308835.00000000011ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft.mQcHp
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: AdobeARMHelper.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: armsvc.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685431955.0000000000DA1000.00000020.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | String found in binary or memory: http://g.msn.com/1EWISV70/NP01_InstallerBing
Source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | String found in binary or memory: http://g.msn.com/1ewcscz70/SettingsPrivacy&http://g.msn.com/1ewcscz70/InstallerMU%Optionale
Source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | String found in binary or memory: http://g.msn.com/1ewcscz70/SettingsTermUse
Source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | String found in binary or memory: http://g.msn.com/1ewdede70/SettingsPrivacy&http://g.msn.com/1ewdede70/InstallerMU#DirectX
Source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | String found in binary or memory: http://g.msn.com/1ewdede70/SettingsTermUse
Source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | String found in binary or memory: http://g.msn.com/1ewenus70/SettingsPrivacy&http://g.msn.com/1ewenus70/InstallerMUPA
Source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | String found in binary or memory: http://g.msn.com/1ewenus70/SettingsTermUse
Source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | String found in binary or memory: http://g.msn.com/1eweses70/SettingsPrivacy&http://g.msn.com/1eweses70/InstallerMU$DirectX
Source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | String found in binary or memory: http://g.msn.com/1eweses70/SettingsTermUse
Source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | String found in binary or memory: http://g.msn.com/1ewfrfr70/SettingsPrivacy&http://g.msn.com/1ewfrfr70/InstallerMU&Componenti
Source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | String found in binary or memory: http://g.msn.com/1ewfrfr70/SettingsTermUse
Source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | String found in binary or memory: http://g.msn.com/1ewitit70/SettingsPrivacy&http://g.msn.com/1ewitit70/InstallerMU
Source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | String found in binary or memory: http://g.msn.com/1ewitit70/SettingsTermUse
Source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | String found in binary or memory: http://g.msn.com/1ewjajp70/SettingsPrivacy&http://g.msn.com/1ewjajp70/InstallerMU
Source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | String found in binary or memory: http://g.msn.com/1ewjajp70/SettingsTermUse
Source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | String found in binary or memory: http://g.msn.com/1ewkokr70/SettingsPrivacy&http://g.msn.com/1ewkokr70/InstallerMU(Optionele
Source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | String found in binary or memory: http://g.msn.com/1ewkokr70/SettingsTermUse
Source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | String found in binary or memory: http://g.msn.com/1ewnlnl70/SettingsPrivacy&http://g.msn.com/1ewnlnl70/InstallerMU0Opcjonalne
Source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | String found in binary or memory: http://g.msn.com/1ewnlnl70/SettingsTermUse
Source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | String found in binary or memory: http://g.msn.com/1ewplpl70/SettingsPrivacy&http://g.msn.com/1ewplpl70/InstallerMU5Componentes
Source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | String found in binary or memory: http://g.msn.com/1ewplpl70/SettingsTermUse
Source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | String found in binary or memory: http://g.msn.com/1ewptbr70/SettingsPrivacy&http://g.msn.com/1ewptbr70/InstallerMU-
Source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | String found in binary or memory: http://g.msn.com/1ewptbr70/SettingsTermUse
Source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | String found in binary or memory: http://g.msn.com/1ewruru70/SettingsPrivacy&http://g.msn.com/1ewruru70/InstallerMU&Valfria
Source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | String found in binary or memory: http://g.msn.com/1ewruru70/SettingsTermUse
Source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | String found in binary or memory: http://g.msn.com/1ewsvse70/SettingsPrivacy&http://g.msn.com/1ewsvse70/InstallerMU
Source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | String found in binary or memory: http://g.msn.com/1ewsvse70/SettingsTermUse
Source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | String found in binary or memory: http://g.msn.com/1ewzhcn70/SettingsPrivacy&http://g.msn.com/1ewzhcn70/InstallerMU8Componentes
Source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | String found in binary or memory: http://g.msn.com/1ewzhcn70/SettingsTermUse
Source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | String found in binary or memory: http://g.msn.com/1ewzhtw70/SettingsPrivacy&http://g.msn.com/1ewzhtw70/InstallerMU#Voliteln
Source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | String found in binary or memory: http://g.msn.com/1ewzhtw70/SettingsTermUse
Source: dxwebsetup.exe, 00000000.00000002.2266851229.0000000000190000.00000004.00000010.00020000.00000000.sdmp, Uninstall.exe.0.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: dxwsetup.exe.1.dr | String found in binary or memory: http://www.BetaPlace.com
Source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | String found in binary or memory: http://www.BetaPlace.com.?
Source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | String found in binary or memory: http://www.BetaPlace.comEContinuare
Source: Aut2exe.exe.0.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/
Source: Aut2exe.exe.0.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/8
Source: AutoIt3_x64.exe.0.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: dxwsetup.exe.1.dr | String found in binary or memory: http://www.betaplace.com
Source: dxwebsetup.exe, 00000001.00000003.1685063899.0000000002463000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000003.1687152257.0000000001195000.00000004.00000020.00020000.00000000.sdmp, SETB559.tmp.2.dr | String found in binary or memory: http://www.betaplace.com.
Source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | String found in binary or memory: http://www.betaplace.com.DInstalacn
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr, ssvagent.exe.0.dr, AdobeARMHelper.exe.0.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: msedge_pwa_launcher.exe.0.dr, identity_helper.exe.0.dr, pwahelper.exe.0.dr | String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
Source: msedge_pwa_launcher.exe.0.dr, identity_helper.exe.0.dr, pwahelper.exe.0.dr | String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith
Source: dxwsetup.exe, 00000002.00000003.1849282161.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000003.1882308835.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000003.1849380489.00000000011F3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: integrator.exe.0.dr | String found in binary or memory: https://nexus.officeapps.live.comhttps://nexusrules.officeapps.live.com
Source: integrator.exe.0.dr | String found in binary or memory: https://otelrules.azureedge.net/rules/.bundlesdxhelper.exeFailed
                Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.drString found in binary or memory: https://www.autoitscript.com/autoit3/
                Source: Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.drString found in binary or memory: https://www.globalsign.com/repository/0
                Source: integrator.exe.0.drBinary or memory string: RegisterRawInputDevicesmemstr_3ae378ca-a

                Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Dec2006_d3dx9_32_x86.cab entropy: 7.99909224767
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\Apr2007_d3dx9_33_x86[1].cab entropy: 7.99928426182
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS6E5944.tmp\Apr2007_d3dx9_33_x86.cab entropy: 7.99928426182
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Apr2007_d3dx9_33_x86.cab entropy: 7.99928426182
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\Apr2007_d3dx10_33_x86[1].cab entropy: 7.99896802841
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS6E6D78.tmp\Apr2007_d3dx10_33_x86.cab entropy: 7.99896802841
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Apr2007_d3dx10_33_x86.cab entropy: 7.99896802841
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Jun2007_d3dx9_34_x86[1].cab entropy: 7.99906642826
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS6E7DC4.tmp\Jun2007_d3dx9_34_x86.cab entropy: 7.99906642826
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Jun2007_d3dx9_34_x86.cab entropy: 7.99906642826
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\dxupdate[1].cab entropy: 7.99005571784
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS6CE1B7.tmp\dxupdate.cab entropy: 7.99005571784
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\dxupdate.cab entropy: 7.99005571784
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\Dec2006_d3dx10_00_x86[1].cab entropy: 7.99660427625
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS6D8402.tmp\Dec2006_d3dx10_00_x86.cab entropy: 7.99660427625
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Dec2006_d3dx10_00_x86.cab entropy: 7.99660427625
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\Dec2006_d3dx10_00_x64[1].cab entropy: 7.99694629492
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS6D9066.tmp\Dec2006_d3dx10_00_x64.cab entropy: 7.99694629492
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Dec2006_d3dx10_00_x64.cab entropy: 7.99694629492
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\Feb2005_d3dx9_24_x86[1].cab entropy: 7.99897272471
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS6DB61E.tmp\Feb2005_d3dx9_24_x86.cab entropy: 7.99897272471
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Feb2005_d3dx9_24_x86.cab entropy: 7.99897272471
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\Apr2005_d3dx9_25_x86[1].cab entropy: 7.99907513517
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS6DC755.tmp\Apr2005_d3dx9_25_x86.cab entropy: 7.99907513517
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Apr2005_d3dx9_25_x86.cab entropy: 7.99907513517
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\Jun2005_d3dx9_26_x86[1].cab entropy: 7.99904021782
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS6DD908.tmp\Jun2005_d3dx9_26_x86.cab entropy: 7.99904021782
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Jun2005_d3dx9_26_x86.cab entropy: 7.99904021782
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Aug2005_d3dx9_27_x86[1].cab entropy: 7.99913898215
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS6DEAAC.tmp\Aug2005_d3dx9_27_x86.cab entropy: 7.99913898215
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Aug2005_d3dx9_27_x86.cab entropy: 7.99913898215
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\Dec2005_d3dx9_28_x86[1].cab entropy: 7.99912186515
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS6DFBE2.tmp\Dec2005_d3dx9_28_x86.cab entropy: 7.99912186515
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Dec2005_d3dx9_28_x86.cab entropy: 7.99912186515
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\Feb2006_d3dx9_29_x86[1].cab entropy: 7.99922866964
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS6E0D57.tmp\Feb2006_d3dx9_29_x86.cab entropy: 7.99922866964
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Feb2006_d3dx9_29_x86.cab entropy: 7.99922866964
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\Apr2006_d3dx9_30_x86[1].cab entropy: 7.99905051808
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS6E1F77.tmp\Apr2006_d3dx9_30_x86.cab entropy: 7.99905051808
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Apr2006_d3dx9_30_x86.cab entropy: 7.99905051808
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\OCT2006_d3dx9_31_x86[1].cab entropy: 7.99908172452
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS6E31D6.tmp\Oct2006_d3dx9_31_x86.cab entropy: 7.99908172452
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Oct2006_d3dx9_31_x86.cab entropy: 7.99908172452
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\DEC2006_d3dx9_32_x86[1].cab entropy: 7.99909224767
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS6E44E1.tmp\Dec2006_d3dx9_32_x86.cab entropy: 7.99909224767

                System Summary

Source: dxwebsetup.exe, type: SAMPLE | Matched rule: Detects Neshta Author: ditekSHen
Source: 0.0.dxwebsetup.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Windows\svchost.com, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe, type: DROPPED | Matched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                Source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe, Code function: 1_2_0100263F ExitWindowsEx, 1_2_0100263F
Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe, Code function: 1_2_010018B5 GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, ExitWindowsEx, 1_2_010018B5
Source: C:\Users\user\Desktop\dxwebsetup.exe, File created: C:\Windows\svchost.com
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\Logs\DirectX.log
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\SysWOW64\directx
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\SysWOW64\directx\websetup
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\SysWOW64\directx\websetup\SETB539.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\SysWOW64\directx\websetup\SETB539.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\SysWOW64\directx\websetup\SETB559.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\SysWOW64\directx\websetup\SETB559.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\SysWOW64\DirectX\WebSetup\filelist.dat
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6CE1B7.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6CE1B7.tmp\dxupdate.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\SysWOW64\DirectX\WebSetup\dxupdate.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6D535D.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6D535D.tmp\Apr2006_xinput_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\SysWOW64\DirectX\WebSetup\Apr2006_xinput_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6D5FF0.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6D5FF0.tmp\Apr2006_xinput_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\SysWOW64\DirectX\WebSetup\Apr2006_xinput_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6D6B69.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6D6B69.tmp\Aug2006_xinput_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\SysWOW64\DirectX\WebSetup\Aug2006_xinput_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6D7666.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6D7666.tmp\Aug2006_xinput_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\SysWOW64\DirectX\WebSetup\Aug2006_xinput_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6D8402.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6D8402.tmp\Dec2006_d3dx10_00_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\SysWOW64\DirectX\WebSetup\Dec2006_d3dx10_00_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6D9066.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6D9066.tmp\Dec2006_d3dx10_00_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\SysWOW64\DirectX\WebSetup\Dec2006_d3dx10_00_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6D9E22.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6D9E22.tmp\Apr2007_xinput_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\SysWOW64\DirectX\WebSetup\Apr2007_xinput_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6DA92E.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6DA92E.tmp\Apr2007_xinput_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\SysWOW64\DirectX\WebSetup\Apr2007_xinput_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6DB61E.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6DB61E.tmp\Feb2005_d3dx9_24_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\SysWOW64\DirectX\WebSetup\Feb2005_d3dx9_24_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6DC755.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6DC755.tmp\Apr2005_d3dx9_25_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\SysWOW64\DirectX\WebSetup\Apr2005_d3dx9_25_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6DD908.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6DD908.tmp\Jun2005_d3dx9_26_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\SysWOW64\DirectX\WebSetup\Jun2005_d3dx9_26_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6DEAAC.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6DEAAC.tmp\Aug2005_d3dx9_27_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\SysWOW64\DirectX\WebSetup\Aug2005_d3dx9_27_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6DFBE2.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6DFBE2.tmp\Dec2005_d3dx9_28_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\SysWOW64\DirectX\WebSetup\Dec2005_d3dx9_28_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6E0D57.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6E0D57.tmp\Feb2006_d3dx9_29_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\SysWOW64\DirectX\WebSetup\Feb2006_d3dx9_29_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6E1F77.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6E1F77.tmp\Apr2006_d3dx9_30_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\SysWOW64\DirectX\WebSetup\Apr2006_d3dx9_30_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6E31D6.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6E31D6.tmp\Oct2006_d3dx9_31_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\SysWOW64\DirectX\WebSetup\Oct2006_d3dx9_31_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6E44E1.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6E44E1.tmp\Dec2006_d3dx9_32_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\SysWOW64\DirectX\WebSetup\Dec2006_d3dx9_32_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6E5944.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6E5944.tmp\Apr2007_d3dx9_33_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\SysWOW64\DirectX\WebSetup\Apr2007_d3dx9_33_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6E6D78.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6E6D78.tmp\Apr2007_d3dx10_33_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\SysWOW64\DirectX\WebSetup\Apr2007_d3dx10_33_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6E7DC4.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6E7DC4.tmp\Jun2007_d3dx9_34_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\SysWOW64\DirectX\WebSetup\Jun2007_d3dx9_34_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6E94C6.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File created: C:\Windows\msdownld.tmp\AS6E94C6.tmp\Jun2007_d3dx10_34_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, File deleted: C:\Windows\SysWOW64\directx\websetup\SETB539.tmp
Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe, Code function: 1_2_01007E02 1_2_01007E02
Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe, Code function: 1_2_0100791E 1_2_0100791E
Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe, Code function: 1_2_0100878E 1_2_0100878E
Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe, Code function: 1_2_010080E2 1_2_010080E2
Source: Joe Sandbox View, Dropped File: C:\Program Files (x86)\AutoIt3\Au3Check.exe 6AB1464D7BA02FA63FDDFAF5295237352F14F7AF63E443E55D3FFB68A304C304
Source: dxwebsetup.exe.0.dr, Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 224531 bytes, 5 files, at 0x2c "dsetup.dll" "dsetup32.dll", ID 5930, number 1, 69 datablocks, 0x1503 compression
Source: dxwebsetup.exe, 00000001.00000003.1685063899.0000000002463000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamedxwsetup.exeh$ vs dxwebsetup.exe
Source: dxwebsetup.exe, 00000001.00000003.1685063899.0000000002463000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamedxwsetup.exe` vs dxwebsetup.exe
Source: dxwebsetup.exe, 00000001.00000003.1685063899.0000000002463000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamedxwsetup.exed! vs dxwebsetup.exe
Source: dxwebsetup.exe, 00000001.00000003.1685063899.0000000002463000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamedxwsetup.exel% vs dxwebsetup.exe
Source: dxwebsetup.exe, 00000001.00000003.1685063899.0000000002463000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamedxwsetup.exep( vs dxwebsetup.exe
Source: dxwebsetup.exe, 00000001.00000003.1685063899.0000000002463000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamedsetup32.dllh$ vs dxwebsetup.exe
Source: dxwebsetup.exe, 00000001.00000003.1685063899.0000000002463000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamedsetup32.dll` vs dxwebsetup.exe
Source: dxwebsetup.exe, 00000001.00000003.1685063899.0000000002463000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamedsetup32.dlld! vs dxwebsetup.exe
Source: dxwebsetup.exe, 00000001.00000003.1685063899.0000000002463000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamedsetup32.dllp' vs dxwebsetup.exe
Source: dxwebsetup.exe, 00000001.00000003.1685063899.0000000002463000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamedsetup32.dllx, vs dxwebsetup.exe
Source: dxwebsetup.exe, Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: dxwebsetup.exe, type: SAMPLE, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: 0.0.dxwebsetup.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Windows\svchost.com, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED, Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta, author = ditekSHen, description = Detects Neshta
                Source: MpCmdRun.exe0.0.dr | Binary string: IdImageFileNameFirst Resource TypeTypeScan SourceFirst Resource PathEngineIdResource CountReasonProcessMessagePIDStartStopDataIsSignedFile\Device\\\?\\FI_UNKNOWN\drivers\error: invalid data: System Windows path changed during the trace from "%ls" to "%ls"
                Source: classification engine | Classification label: mal60.rans.spre.evad.winEXE@5/232@0/0
                Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe | Code function: 1_2_01003F0D lstrcpyA,GetCurrentDirectoryA,SetCurrentDirectoryA,SetCurrentDirectoryA,GetLastError,FormatMessageA,GetVolumeInformationA,GetLastError,FormatMessageA,SetCurrentDirectoryA,SetCurrentDirectoryA,lstrcpynA,1_2_01003F0D
                Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe | Code function: 1_2_010018B5 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,1_2_010018B5
                Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe | Code function: 1_2_01005E67 GetDiskFreeSpaceA,SetCurrentDirectoryA,MulDiv,1_2_01005E67
                Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe | Code function: 1_2_01004C18 CreateEventA,SetEvent,CreateMutexA,GetLastError,CloseHandle,FindResourceA,LoadResource,#17,1_2_01004C18
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\dxupdate[1].cab
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Mutant created: \Sessions\1\BaseNamedObjects\DSETUP32 DLL Mutex
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Mutant created: \Sessions\1\BaseNamedObjects\DXWSETUP
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Mutant created: \Sessions\1\BaseNamedObjects\DXUPDATE DLL Mutex
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Mutant created: \Sessions\1\BaseNamedObjects\DSETUP DLL Mutex
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Users\user\AppData\Local\Temp\3582-490
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: integrator.exe.0.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                Source: integrator.exe.0.dr | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                Source: integrator.exe.0.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                Source: integrator.exe.0.dr | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                Source: dxwebsetup.exe | ReversingLabs: Detection: 100%
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File read: C:\Users\user\Desktop\dxwebsetup.exe
                Source: unknown | Process created: C:\Users\user\Desktop\dxwebsetup.exe "C:\Users\user\Desktop\dxwebsetup.exe"
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Process created: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe "C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe"
                Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Section loaded: acgenral.dll
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Section loaded: samcli.dll
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Section loaded: msacm32.dll
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Section loaded: dwmapi.dll
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Section loaded: winmmbase.dll
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Section loaded: aclayers.dll
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Section loaded: sfc.dll
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Section loaded: sfc_os.dll
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Section loaded: propsys.dll
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Section loaded: edputil.dll
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Section loaded: appresolver.dll
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Section loaded: bcp47langs.dll
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Section loaded: slc.dll
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Section loaded: sppc.dll
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe | Section loaded: acgenral.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe | Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe | Section loaded: samcli.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe | Section loaded: msacm32.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exeSection loaded: dwmapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exeSection loaded: winmmbase.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exeSection loaded: winmmbase.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exeSection loaded: aclayers.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exeSection loaded: sfc.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exeSection loaded: sfc_os.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exeSection loaded: advpack.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: acgenral.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: samcli.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: msacm32.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: dwmapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: winmmbase.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: winmmbase.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: aclayers.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: sfc.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: sfc_os.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: advpack.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: devrtl.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: spinf.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: drvstore.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: spfileq.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: cabinet.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: textinputframework.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: coreuicomponents.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: inseng.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: ieadvpack.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Users\user\Desktop\dxwebsetup.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Window found: window name: SysTabControl32
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Window detected: Installing Microsoft(R) DirectX(R)Welcome to setup for DirectXThe DirectX setup wizard guides you through installation of DirectX Runtime Components. Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement. You must accept the agreement to continue the setup.MICROSOFT SOFTWARE LICENSE TERMSMICROSOFT DIRECTX END USER RUNTIMEThese license terms are an agreement between Microsoft Corporation (or based on where you live one of its affiliates) and you. Please read them. They apply to the software named above which includes the media on which you received it if any. The terms also apply to any Microsoft* updates* supplements* Internet-based services and * support servicesfor this software unless other terms accompany those items. If so those terms apply.BY USING THE SOFTWARE YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM DO NOT USE THE SOFTWARE.If you comply with these license terms you have the rights below.1. INSTALLATION AND USE RIGHTS. You may install and use any number of copies of the software on your devices.2. SCOPE OF LICENSE. The software is licensed not sold. This agreement only gives you some rights to use the software. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways. 
You may not* work around any technical limitations in the software;* reverse engineer decompile or disassemble the software except and only to the extent that applicable law expressly permits despite this limitation;* make more copies of the software than specified in this agreement or allowed by applicable law despite this limitation;* publish the software for others to copy;* rent lease or lend the software;* transfer the software or this agreement to any third party; or* use the software for commercial software hosting services.3. BACKUP COPY. You may make one backup copy of the software. You may use it only to reinstall the software.4. DOCUMENTATION. Any person that has valid access to your computer or internal network may copy and use the documentation for your internal reference purposes.5. EXPORT RESTRICTIONS. The software is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software. These laws include restrictions on destinations end users and end use. For additional information see www.microsoft.com/exporting.6. SUPPORT SERVICES. Because this software is as is we may not provide support services for it.7. ENTIRE AGREEMENT. This agreement and the terms for supplements updates Internet-based services and support services that you use are the entire agreement for the software and support services.8. APPLICABLE LAW.a. United States. If you acquired the s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdb source: pwahelper.exe.0.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdb source: cookie_exporter.exe.0.dr
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: armsvc.exe.0.dr
Source: Binary string: wextract.pdb source: dxwebsetup.exe
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdb source: AppSharingHookController.exe.0.dr
Source: Binary string: AppVDllSurrogate64.pdb source: AppVDllSurrogate64.exe.0.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdbOGP source: identity_helper.exe.0.dr
Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb source: DW20.EXE.0.dr
Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\aimgr.pdb# source: aimgr.exe0.0.dr
Source: Binary string: wextract.pdbU source: dxwebsetup.exe
Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection64.pdb source: Common.DBConnection64.exe.0.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoev.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: msoev.exe.0.dr
Source: Binary string: MicrosoftEdgeUpdate_unsigned.pdb source: MicrosoftEdgeUpdate.exe.0.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CNFNOT32.EXE.0.dr
Source: Binary string: GoogleCrashHandler64_unsigned.pdb source: GoogleCrashHandler64.exe.0.dr
Source: Binary string: dsetup32.pdb source: SETB559.tmp.2.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdb source: msedge_pwa_launcher.exe.0.dr
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe.pdb source: Aut2exe.exe.0.dr
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdb source: AdobeARMHelper.exe.0.dr
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.**\ source: dxwebsetup.exe, 00000000.00000003.2266544719.0000000000763000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.0.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb00 source: unpack200.exe.0.dr
Source: Binary string: r.pdb source: AppSharingHookController.exe.0.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb source: GRAPH.EXE.0.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.0.dr
Source: Binary string: VSTOInstaller.pdb source: VSTOInstaller.exe.0.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CLVIEW.EXE.0.dr
Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\aimgr.pdb source: aimgr.exe0.0.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdblper.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SDXHelper.exe.0.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdbOGP source: cookie_exporter.exe.0.dr
Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\aimgr.pdb source: aimgr.exe.0.dr
Source: Binary string: MpCmdRun.pdbGCTL source: MpCmdRun.exe0.0.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdbOGP source: msedge_pwa_launcher.exe.0.dr
Source: Binary string: AppVDllSurrogate64.pdbGCTL source: AppVDllSurrogate64.exe.0.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoev.pdb source: msoev.exe.0.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb source: CNFNOT32.EXE.0.dr
Source: Binary string: MpCmdRun.pdb source: MpCmdRun.exe0.0.dr
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdbr source: AdobeARMHelper.exe.0.dr
Source: Binary string: GoogleCrashHandler64_unsigned.pdbl source: GoogleCrashHandler64.exe.0.dr
Source: Binary string: MpDlpCmd.pdbGCTL source: MpDlpCmd.exe.0.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb source: WINWORD.EXE.0.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: WINWORD.EXE.0.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb<<7 source: ssvagent.exe.0.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb source: ssvagent.exe.0.dr
Source: Binary string: lper.pdb source: SDXHelper.exe.0.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: AppSharingHookController.exe.0.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdbOGP source: pwahelper.exe.0.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb source: CLVIEW.EXE.0.dr
Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\DatabaseCompare.pdb source: DATABASECOMPARE.EXE.0.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdb source: identity_helper.exe.0.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdb source: SDXHelper.exe.0.dr
Source: Binary string: MpDlpCmd.pdb source: MpDlpCmd.exe.0.dr
Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: DW20.EXE.0.dr
Source: Binary string: dxwsetup.pdb source: dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685431955.0000000000DA1000.00000020.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe.0.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: GRAPH.EXE.0.dr
Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe | Code function: 1_2_0100198B LocalFree,RegCreateKeyExA,wsprintfA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,lstrlenA,lstrlenA,lstrlenA,LocalAlloc,GetModuleFileNameA,RegCloseKey,wsprintfA,lstrlenA,RegSetValueExA,RegCloseKey,LocalFree, 1_2_0100198B

Persistence and Installation Behavior

Source: Yara match | File source: dxwebsetup.exe, type: SAMPLE
Source: Yara match | File source: 0.0.dxwebsetup.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2266925011.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: dxwebsetup.exe PID: 7340, type: MEMORYSTR
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED
Source: Yara match | File source: C:\Windows\svchost.com, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED
                Source: Yara matchFile source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
                Source: Yara matchFile source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED
                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED
                Source: Yara matchFile source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPED
                Source: Yara matchFile source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPED
                Source: Yara matchFile source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED
                Source: Yara matchFile source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe, type: DROPPED
                Source: Yara matchFile source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXEJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXEJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXEJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exeJump to behavior
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Windows\svchost.com
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
                Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe | File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dsetup32.dll
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE
                Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe | File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\SETB559.tmp
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Users\user\AppData\Local\Temp\chrome.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\dsetup.dll (copy)
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\SETB539.tmp
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxupdate.dll
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe
                Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe | File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dsetup.dll
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\dsetup32.dll (copy)
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\AutoIt3\Uninstall.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe
                Source: C:\Users\user\Desktop\dxwebsetup.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exeJump to dropped file
                Source: C:\Users\user\Desktop\dxwebsetup.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exeJump to dropped file
                Source: C:\Users\user\Desktop\dxwebsetup.exeFile created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exeJump to dropped file
                Source: C:\Users\user\Desktop\dxwebsetup.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exeJump to dropped file
                Source: C:\Users\user\Desktop\dxwebsetup.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exeJump to dropped file
                Source: C:\Users\user\Desktop\dxwebsetup.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exeJump to dropped file
                Source: C:\Users\user\Desktop\dxwebsetup.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exeJump to dropped file
                Source: C:\Users\user\Desktop\dxwebsetup.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exeJump to dropped file
                Source: C:\Users\user\Desktop\dxwebsetup.exeFile created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeJump to dropped file
                Source: C:\Users\user\Desktop\dxwebsetup.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exeJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\dsetup32.dll (copy)Jump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\dsetup.dll (copy)Jump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\SETB539.tmpJump to dropped file
                Source: C:\Users\user\Desktop\dxwebsetup.exeFile created: C:\Windows\svchost.comJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\SETB559.tmpJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exeCode function: 1_2_010022FF LocalFree,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcmpiA,lstrcmpiA,lstrlenA,lstrlenA,lstrlenA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,lstrcpyA,lstrcpyA,GetShortPathNameA,wsprintfA,lstrcmpiA,lstrlenA,lstrlenA,lstrlenA,LocalAlloc,wsprintfA,LocalAlloc,GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,1_2_010022FF

                Boot Survival

                Source: Yara match | File source: dxwebsetup.exe, type: SAMPLE
                Source: Yara match | File source: 0.0.dxwebsetup.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2266925011.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: dxwebsetup.exe PID: 7340, type: MEMORYSTR
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED
                Source: Yara match | File source: C:\Windows\svchost.com, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe, type: DROPPED
                Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPED
                Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL
                Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Users\user\Desktop\dxwebsetup.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Windows\svchost.com
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dsetup32.dll
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\directx\websetup\SETB559.tmp
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\chrome.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\directx\websetup\dsetup.dll (copy)
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\directx\websetup\SETB539.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxupdate.dll
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe
Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dsetup.dll
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\directx\websetup\dsetup32.dll (copy)
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe
Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe | Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess (graph_1-3745)
Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_1-3053)
Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe | Code function: 1_2_01001C7F lstrcpyA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,lstrcpyA,lstrcmpA,lstrcmpA,lstrcatA,lstrcatA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe | Code function: 1_2_01004B1A lstrcpyA,GetSystemInfo,lstrcpyA,CreateDirectoryA,RemoveDirectoryA
Source: C:\Users\user\Desktop\dxwebsetup.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\
Source: C:\Users\user\Desktop\dxwebsetup.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\
Source: C:\Users\user\Desktop\dxwebsetup.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\
Source: C:\Users\user\Desktop\dxwebsetup.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\
Source: C:\Users\user\Desktop\dxwebsetup.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\
Source: C:\Users\user\Desktop\dxwebsetup.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\
                Source: dxwsetup.exe, 00000002.00000003.1882308835.00000000011DA000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000003.1849282161.0000000001207000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000003.1882308835.0000000001207000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000003.1849282161.00000000011DA000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000003.1849282161.00000000011C2000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000003.1882308835.00000000011C3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exeAPI call chain: ExitProcess graph end nodegraph_1-2859
                Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exeCode function: 1_2_0100198B LocalFree,RegCreateKeyExA,wsprintfA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,lstrlenA,lstrlenA,lstrlenA,LocalAlloc,GetModuleFileNameA,RegCloseKey,wsprintfA,lstrlenA,RegSetValueExA,RegCloseKey,LocalFree,1_2_0100198B

HIPS / PFW / Operating System Protection Evasion
Source: C:\Users\user\Desktop\dxwebsetup.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Users\user\Desktop\dxwebsetup.exe | Process created: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe "C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe"
Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe | Code function: 1_2_0100168B GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle
Source: AutoIt3_x64.exe.0.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe | Code function: 1_2_01005D22 GetVersionExA,GetSystemMetrics,RegOpenKeyExA,RegQueryValueExA,RegCloseKey
Source: dxwebsetup.exe, 00000000.00000003.2266544719.0000000000751000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\WINDOW~1\Platform\418230~1.200\MsMpEng.exe

Stealing of Sensitive Information
Source: Yara match | File source: dxwebsetup.exe, type: SAMPLE
Source: Yara match | File source: 0.0.dxwebsetup.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2266925011.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: dxwebsetup.exe PID: 7340, type: MEMORYSTR
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED
Source: Yara match | File source: C:\Windows\svchost.com, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED
MITRE ATT&CK Matrix (a number in front of a technique is the signature count shown for that cell)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | 2 Native API | 11 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | 221 Masquerading | 11 Input Capture | 1 Query Registry | 1 Taint Shared Content | 11 Input Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 12 Process Injection | 1 Disable or Modify Tools | LSASS Memory | 111 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 11 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 12 Process Injection | NTDS | 11 Peripheral Device Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 3 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | 4 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Behavior Graph (rendered as an image in the report; the recoverable node data follows)

Behavior Graph ID: 1574539 | Sample: dxwebsetup.exe | Startdate: 13/12/2024 | Architecture: WINDOWS | Score: 60

Start node signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 5 other signatures

Process 7: dxwebsetup.exe 20 (started from the start node)
  Dropped: C:\Windows\svchost.com, PE32; C:\Users\user\AppData\Local\Temp\chrome.exe, PE32; C:\ProgramData\...\VC_redist.x64.exe, PE32; 150 other files (149 malicious)
  Signatures: Creates an undocumented autostart registry key; Drops PE files with a suspicious file extension; Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS); 2 other signatures

Process 11: dxwebsetup.exe 1 7 (started by process 7)
  Dropped: C:\Users\user\AppData\Local\...\dxwsetup.exe, PE32; C:\Users\user\AppData\Local\...\dsetup32.dll, PE32; C:\Users\user\AppData\Local\...\dsetup.dll, PE32

Process 14: dxwsetup.exe 132 (started by process 11)
  Dropped: C:\Windows\...\Jun2007_d3dx9_34_x86.cab, Microsoft; C:\Windows\...\Apr2007_d3dx10_33_x86.cab, Microsoft; C:\Windows\...\Apr2007_d3dx9_33_x86.cab, Microsoft; 47 other files (42 malicious)
  Signatures: Writes many files with high entropy

Source | Detection | Scanner | Label | Link
dxwebsetup.exe | 100% | ReversingLabs | Win32.Virus.Neshta
dxwebsetup.exe | 100% | Avira | W32/Neshta.A
dxwebsetup.exe | 100% | Joe Sandbox ML

Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Uninstall.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Au3Check.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Au3Info.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | 100% | Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | 100% | Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | 100% | Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Uninstall.exe | 100% | Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 100% | Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | 100% | Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | 100% | Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | 100% | Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | 100% | Joe Sandbox ML
                C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe100%Joe Sandbox ML
                C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe100%Joe Sandbox ML
                C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe100%Joe Sandbox ML
                C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe100%Joe Sandbox ML
                C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe100%Joe Sandbox ML
                C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe100%Joe Sandbox ML
                C:\Program Files (x86)\AutoIt3\Au3Check.exe100%Joe Sandbox ML
                C:\Program Files (x86)\AutoIt3\Au3Info.exe100%Joe Sandbox ML
                C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe100%Joe Sandbox ML
                C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe100%Joe Sandbox ML
                C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe100%Joe Sandbox ML
                C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe100%Joe Sandbox ML
                C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe100%Joe Sandbox ML
                C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe100%Joe Sandbox ML
                C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE100%Joe Sandbox ML
                C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe100%Joe Sandbox ML
                C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe100%Joe Sandbox ML
                C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe100%Joe Sandbox ML
                C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe100%Joe Sandbox ML
                C:\Program Files (x86)\AutoIt3\Au3Check.exe95%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\AutoIt3\Au3Info.exe95%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe95%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe95%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe100%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe95%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe97%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe95%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe95%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\AutoIt3\Uninstall.exe95%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe100%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe100%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe100%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe100%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe100%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe100%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe100%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe100%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe100%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe100%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe100%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe100%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe100%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe100%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe100%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\Java\jre-1.8\bin\java.exe100%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe100%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe100%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe100%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe100%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe100%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe100%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe100%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe100%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe100%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe100%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe100%ReversingLabsWin32.Virus.Neshta
                C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE100%ReversingLabsWin32.Virus.Neshta
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.betaplace.com. | 0% | Avira URL Cloud | safe |
http://www.betaplace.com | 0% | Avira URL Cloud | safe |
http://www.BetaPlace.comEContinuare | 0% | Avira URL Cloud | safe |
http://crl.microsoft.mQcHp | 0% | Avira URL Cloud | safe |
http://www.BetaPlace.com.? | 0% | Avira URL Cloud | safe |
http://www.betaplace.com.DInstalacn | 0% | Avira URL Cloud | safe |
                No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | AutoIt3_x64.exe.0.dr | false |  | high
http://g.msn.com/1ewenus70/SettingsPrivacy&http://g.msn.com/1ewenus70/InstallerMUPA | dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | false |  | high
http://g.msn.com/1ewzhcn70/SettingsTermUse | dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | false |  | high
http://g.msn.com/1ewzhtw70/SettingsPrivacy&http://g.msn.com/1ewzhtw70/InstallerMU#Voliteln | dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | false |  | high
http://g.msn.com/1eweses70/SettingsPrivacy&http://g.msn.com/1eweses70/InstallerMU$DirectX | dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | false |  | high
http://g.msn.com/1ewruru70/SettingsPrivacy&http://g.msn.com/1ewruru70/InstallerMU&Valfria | dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | false |  | high
http://g.msn.com/1ewdede70/SettingsTermUse | dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | false |  | high
http://g.msn.com/1EWISV70/NP01_InstallerBing | dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685431955.0000000000DA1000.00000020.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | false |  | high
http://g.msn.com/1ewenus70/SettingsTermUse | dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | false |  | high
http://nsis.sf.net/NSIS_ErrorError | dxwebsetup.exe, 00000000.00000002.2266851229.0000000000190000.00000004.00000010.00020000.00000000.sdmp, Uninstall.exe.0.dr | false |  | high
http://www.autoitscript.com/autoit3/ | Aut2exe.exe.0.dr | false |  | high
http://g.msn.com/1ewnlnl70/SettingsPrivacy&http://g.msn.com/1ewnlnl70/InstallerMU0Opcjonalne | dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | false |  | high
https://www.autoitscript.com/autoit3/ | Aut2exe.exe.0.dr, AutoIt3_x64.exe.0.dr | false |  | high
http://g.msn.com/1eweses70/SettingsTermUse | dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | false |  | high
http://g.msn.com/1ewplpl70/SettingsTermUse | dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | false |  | high
http://g.msn.com/1ewptbr70/SettingsTermUse | dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | false |  | high
http://g.msn.com/1ewsvse70/SettingsPrivacy&http://g.msn.com/1ewsvse70/InstallerMU | dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | false |  | high
http://g.msn.com/1ewsvse70/SettingsTermUse | dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | false |  | high
http://www.BetaPlace.com.? | dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | false | Avira URL Cloud: safe | unknown
http://g.msn.com/1ewfrfr70/SettingsTermUse | dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | false |  | high
http://g.msn.com/1ewitit70/SettingsTermUse | dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | false |  | high
http://g.msn.com/1ewitit70/SettingsPrivacy&http://g.msn.com/1ewitit70/InstallerMU | dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | false |  | high
http://g.msn.com/1ewzhcn70/SettingsPrivacy&http://g.msn.com/1ewzhcn70/InstallerMU8Componentes | dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | false |  | high
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith | msedge_pwa_launcher.exe.0.dr, identity_helper.exe.0.dr, pwahelper.exe.0.dr | false |  | high
http://g.msn.com/1ewjajp70/SettingsTermUse | dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | false |  | high
http://g.msn.com/1ewruru70/SettingsTermUse | dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | false |  | high
http://www.betaplace.com.DInstalacn | dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | false | Avira URL Cloud: safe | unknown
http://g.msn.com/1ewcscz70/SettingsPrivacy&http://g.msn.com/1ewcscz70/InstallerMU%Optionale | dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | false |  | high
http://g.msn.com/1ewkokr70/SettingsPrivacy&http://g.msn.com/1ewkokr70/InstallerMU(Optionele | dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | false |  | high
http://www.betaplace.com. | dxwebsetup.exe, 00000001.00000003.1685063899.0000000002463000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000003.1687152257.0000000001195000.00000004.00000020.00020000.00000000.sdmp, SETB559.tmp.2.dr | false | Avira URL Cloud: safe | unknown
http://g.msn.com/1ewfrfr70/SettingsPrivacy&http://g.msn.com/1ewfrfr70/InstallerMU&Componenti | dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | false |  | high
http://www.betaplace.com | dxwsetup.exe.1.dr | false | Avira URL Cloud: safe | unknown
http://g.msn.com/1ewnlnl70/SettingsTermUse | dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | false |  | high
http://g.msn.com/1ewkokr70/SettingsTermUse | dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | false |  | high
http://crl.microsoft.mQcHp | dxwsetup.exe, 00000002.00000003.1882308835.00000000011ED000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://g.msn.com/1ewjajp70/SettingsPrivacy&http://g.msn.com/1ewjajp70/InstallerMU | dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | false |  | high
http://www.BetaPlace.comEContinuare | dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | false | Avira URL Cloud: safe | unknown
http://g.msn.com/1ewzhtw70/SettingsTermUse | dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | false |  | high
http://g.msn.com/1ewplpl70/SettingsPrivacy&http://g.msn.com/1ewplpl70/InstallerMU5Componentes | dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | false |  | high
http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte | integrator.exe.0.dr | false |  | high
http://www.autoitscript.com/autoit3/8 | Aut2exe.exe.0.dr | false |  | high
http://g.msn.com/1ewdede70/SettingsPrivacy&http://g.msn.com/1ewdede70/InstallerMU#DirectX | dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | false |  | high
http://g.msn.com/1ewcscz70/SettingsTermUse | dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | false |  | high
http://g.msn.com/1ewptbr70/SettingsPrivacy&http://g.msn.com/1ewptbr70/InstallerMU- | dxwebsetup.exe, 00000001.00000003.1685063899.00000000025F7000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000002.00000000.1685481665.0000000000DC4000.00000002.00000001.01000000.00000006.sdmp, dxwsetup.exe.1.dr | false |  | high
http://www.BetaPlace.com | dxwsetup.exe.1.dr | false |  | unknown
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff | msedge_pwa_launcher.exe.0.dr, identity_helper.exe.0.dr, pwahelper.exe.0.dr | false |  | high
                                                                                                No contacted IP infos
                                                                                                Joe Sandbox version:41.0.0 Charoite
                                                                                                Analysis ID:1574539
                                                                                                Start date and time:2024-12-13 12:05:16 +01:00
                                                                                                Joe Sandbox product:CloudBasic
                                                                                                Overall analysis duration:0h 6m 47s
                                                                                                Hypervisor based Inspection enabled:false
                                                                                                Report type:full
                                                                                                Cookbook file name:default.jbs
                                                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                Number of analysed new started processes analysed:7
                                                                                                Number of new started drivers analysed:0
                                                                                                Number of existing processes analysed:0
                                                                                                Number of existing drivers analysed:0
                                                                                                Number of injected processes analysed:0
                                                                                                Technologies:
                                                                                                • HCA enabled
                                                                                                • EGA enabled
                                                                                                • AMSI enabled
                                                                                                Analysis Mode:default
                                                                                                Analysis stop reason:Timeout
                                                                                                Sample name:dxwebsetup.exe
                                                                                                Detection:MAL
                                                                                                Classification:mal60.rans.spre.evad.winEXE@5/232@0/0
                                                                                                EGA Information:
                                                                                                • Successful, ratio: 100%
                                                                                                HCA Information:
                                                                                                • Successful, ratio: 100%
                                                                                                • Number of executed functions: 26
                                                                                                • Number of non-executed functions: 40
                                                                                                Cookbook Comments:
                                                                                                • Found application associated with file extension: .exe
                                                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                                                • Excluded IPs from analysis (whitelisted): 184.30.24.206, 52.149.20.212, 13.107.246.63
                                                                                                • Excluded domains from analysis (whitelisted): dlc-shim.trafficmanager.net, e12671.dscd.akamaiedge.net, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, download.microsoft.com.edgekey.net, main.dl.ms.akadns.net, ctldl.windowsupdate.com, download.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                • Report size getting too big, too many NtOpenFile calls found.
                                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                • Report size getting too big, too many NtReadFile calls found.
                                                                                                • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                • VT rate limit hit for: dxwebsetup.exe
                                                                                                No simulations
                                                                                                No context
                                                                                                No context
                                                                                                No context
                                                                                                No context
Match: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Associated Sample Name / URL | Detection | Threat Name
file.exe | malicious | Neshta
idl57nk7gk.exe | malicious | Neshta
idl57nk7gk.exe | malicious | Neshta
exe009.exe | malicious | Neshta
#U63d0#U53d6Proxy.exe | malicious | Gh0stCringe, Neshta, RunningRAT
#U4ee3#U7406.exe | malicious | Gh0stCringe, Neshta, RunningRAT
#U63d0#U53d6Proxy (1).exe | malicious | Gh0stCringe, Neshta, RunningRAT
Ovtc3T3fD8.exe | malicious | INC Ransomware, Neshta
a.hta | malicious | DarkComet, DarkTortilla, Neshta
win.exe | malicious | Lynx, Neshta
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):275560
                                                                                                                    Entropy (8bit):6.2970746701197715
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:sr85CqP5KVkD8QC2mCBFv9m7usyT8tKQ9clyPqlO91/iDVSsWUG0bCP0BwOvOIXM:k9q4VQjVsxyItKQNhigibKCM
                                                                                                                    MD5:C5611345B2807155BF89ECA90379AB14
                                                                                                                    SHA1:03A0F7BD2A50895DF6A9311DB3E5C58B574E1BA3
                                                                                                                    SHA-256:6AB1464D7BA02FA63FDDFAF5295237352F14F7AF63E443E55D3FFB68A304C304
                                                                                                                    SHA-512:18C164973DE987AD9ED1CFCB2AE5557238692B5C50E0F8B8DCECF0B11B2DADBA6C0B5990C532AE8DB578F04BD1CAB3086C78493866C8B989A41DD6251693CA98
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                    • Antivirus: ReversingLabs, Detection: 95%
Joe Sandbox View:
• Filename: file.exe, Detection: malicious
• Filename: idl57nk7gk.exe, Detection: malicious
• Filename: idl57nk7gk.exe, Detection: malicious
• Filename: exe009.exe, Detection: malicious
• Filename: #U63d0#U53d6Proxy.exe, Detection: malicious
• Filename: #U4ee3#U7406.exe, Detection: malicious
• Filename: #U63d0#U53d6Proxy (1).exe, Detection: malicious
• Filename: Ovtc3T3fD8.exe, Detection: malicious
• Filename: a.hta, Detection: malicious
• Filename: win.exe, Detection: malicious
                                                                                                                    Reputation:moderate, very likely benign file
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):217704
                                                                                                                    Entropy (8bit):6.606010943993646
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:sr85CFxFVaK4T6fWSlXe0lJQafeyrR0kr/yh5DEU/Pk13TfwqiTP0McBUNnUxTtM:k9P2K4TSFo5Y683TdiQMcGNUl4N
                                                                                                                    MD5:D103610D5A97A461DE47D79EBC364E23
                                                                                                                    SHA1:B7AC0C939E39117C2FA939D47322A8B9FAF5AD0D
                                                                                                                    SHA-256:6CF772752F25B150052F17600F5D08876E87FCAF774CE834A896688B1836BFD7
                                                                                                                    SHA-512:97A467B62C96BF51CC5904B1EF1CB0D416364B2C835A326BFE7F5357823B07F5541C8DF5AD2195583ED108B90E5EDF820E2C3CAD42CFAA5FB67BF8CC1B9026E2
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                    • Antivirus: ReversingLabs, Detection: 95%
                                                                                                                    Reputation:moderate, very likely benign file
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):237160
                                                                                                                    Entropy (8bit):6.441042873341931
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:sr85CuyRnuBGwl/1Gc9QnvGqyWQ93kr/yh5DEU/P5kP0zU35iuvQBUeGMLu:k9tl3wdYtcH9b5Y651zU77Ea
                                                                                                                    MD5:3256A5B6BEBFC57A3CC7C74801B06B57
                                                                                                                    SHA1:7AEFDEDF3B79F68884A780082FC12AF565FE80DA
                                                                                                                    SHA-256:A2791E10861628C1AC263A540A6D575275F9E3E22A31BB62AB1320EAAED0C982
                                                                                                                    SHA-512:111928B9435B7F6721919E58C3248E985C1FA76EB2E9C18559374847C6B8F54499BE6FDA36724F568384A32F1E4D91EC6F0A51ABECFE585740CE1916E5205B09
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                    • Antivirus: ReversingLabs, Detection: 95%
                                                                                                                    Reputation:moderate, very likely benign file
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1675872
                                                                                                                    Entropy (8bit):7.455008835300499
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:24576:LC51xB6B9YNgqe1xTVIlz7X9zOo4PjnikEpx/nLWvJ+l:sK0eqkSR7Xgo4TiRPnLWvJY
                                                                                                                    MD5:3E25798A6593021C594E9B0F5E4D1CC0
                                                                                                                    SHA1:0F412F338A8323C62D21606629B121DDC5A11C2F
                                                                                                                    SHA-256:4ED44421F087BC78474EE5512BC85FDF8602D651C144CC97449C332E19B07C10
                                                                                                                    SHA-512:ABAF3628ADB6C48F606DFE67EB777EB3C2B5D3E635996E6E673E3183ACC766A5E0341F1FB79436268DCF0FFF6889F997A77344CC39CC65D06248ADE8A9F43991
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                    • Antivirus: ReversingLabs, Detection: 95%
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1841760
                                                                                                                    Entropy (8bit):7.348031538890329
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:24576:5EeK2NocwiN/jc41p3qp11JsqbhOUe1xTVIlz7X9zOo4PjnikEpx/nLWvJ+i:rfYP1JsEDkSR7Xgo4TiRPnLWvJD
                                                                                                                    MD5:A80324ADD872CA0150B9A23F0FE412D0
                                                                                                                    SHA1:D8B4074235B24DB9B9238FE7985C4D0A909297E1
                                                                                                                    SHA-256:6BB5BB976CDDCA2A12E007B6B65E675990ABE3819906069DD6DB5867C0AFD943
                                                                                                                    SHA-512:BC1AE9D3976F210F161EE1B8E43698C9B717E216B3E35F6E15C7D38FE5D82DEFB843104B0FBEF56842E7B10CF50DFE2206F7E5C2117AFF0D99AB7B4EE7708915
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):346624
                                                                                                                    Entropy (8bit):7.904139028422803
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:6144:k9ypXDXz7yIrozs0WuNd3ojusBdgnNW6r4F53ttuGENGFdVCLEYnPO1D7YYoSyZV:V9zGImAjJdcH4j3ttzFdVCLNSfHoSWCG
                                                                                                                    MD5:4D2A6099D369E478E6B97ECA38DF66FF
                                                                                                                    SHA1:F8A2EFB513BC22A550E1DAADB7765D3691795D05
                                                                                                                    SHA-256:E8657C5096C1D6059D7862D842C93EE9D7C16331EFBEC02C99BECA1ACEF0E4D7
                                                                                                                    SHA-512:7BC01CBF7A591AAC71439A126940D1374B6BB49A3109651EB9525026EAB22AD70558FFB8723838C33830467D1B7DBE72E76BA84925BFECD405E10B83FFDF8A45
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                    • Antivirus: ReversingLabs, Detection: 95%
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):165976
                                                                                                                    Entropy (8bit):6.142151879298232
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:sr85C54kvQ4gXIRSG+7IJqC3CJyoDjpBnjkP0XGx2SYg+b/Q+y1s3:k96nGZLknnj1X62SYdb4I
                                                                                                                    MD5:DC83EC579923AE57218540FC07BF2040
                                                                                                                    SHA1:E66D11E9A1E1C5FAD6A6D7B3F4ABDEB1A446A873
                                                                                                                    SHA-256:13E946747F9CD00EC7347780C1D0887C22EE43B8677337B32B0C9CA8070E09B5
                                                                                                                    SHA-512:3990D01D0B492961B1F15A15BA12E0213A5C5B72D5B2809B2A58BFF6A2AB2C37058540D8C9F8E5524FA6EBBE72A0BEB1317AA07D06E8D326DCC234EF4F82CC13
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                    • Antivirus: ReversingLabs, Detection: 97%
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1113176
                                                                                                                    Entropy (8bit):6.4474669878621365
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:24576:wTC6Rb6qu1PyC+NRLtpScpzbtT7pyOolKL8Sq/jrc5xaNIBg:w+6AqSPyC+NltpScpzbtvpJoMQSq/jrL
                                                                                                                    MD5:17047620C59D9FE748AA05010D507AC9
                                                                                                                    SHA1:5B0D5B70529A435FF5BC75376B472393485C9871
                                                                                                                    SHA-256:C539E191A88228427976838CDBEC85CCDBD82540544615055E8F91BE803568D5
                                                                                                                    SHA-512:21EE706E62D205C09602EDAC232878743F46EEDDF76CD6625926F7C64E89AB27883497A1785D31D8D354E0F20C05C39F39566F6505450B9DB47D057FD7E5BAA1
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                    • Antivirus: ReversingLabs, Detection: 95%
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):2414080
                                                                                                                    Entropy (8bit):6.729178086017267
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:49152:3EGSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL8:U4OEtwiICvYMpfc
                                                                                                                    MD5:249BBE06632E2A230917599D7E07C3B0
                                                                                                                    SHA1:E61C25BBEBA924006CA9DCED18549C72856FC205
                                                                                                                    SHA-256:A232299F45362340795849140E955B1FE202928E21FF5BB016A03471C80A2FA3
                                                                                                                    SHA-512:537050319C5BC05A3DF9A5629CAD25FC2CD4A28078CF6932C0434F5FF135653300D90030D1F097607FD7257130D70A91B7235AAD82A07199891C25E8EE5DD8B1
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                    • Antivirus: ReversingLabs, Detection: 95%
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):113233
                                                                                                                    Entropy (8bit):6.788395365702366
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:sr85CWCrNGEtajbefY/TU9fE9PEtuGCrK:k9WCrAEt+cYa6YCrK
                                                                                                                    MD5:BA9FF8A299799820F7252C401EA47ECB
                                                                                                                    SHA1:D8123BDB9E57F1364E304209F149360880F26C3F
                                                                                                                    SHA-256:6938E7E71C8AB309A57D7C7C2B764F888AD6A9B8807200E573CA6B7183B11FF6
                                                                                                                    SHA-512:A62D6818EFB2FAAE9012377319277B7E8F31FD32326EFE1011D1D874006B3C6020DC3F4DE429B9DD4F4B137E2954A0469DEF997692BA72DF21AFC0F6B505C54B
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                    • Antivirus: ReversingLabs, Detection: 95%
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):409608
                                                                                                                    Entropy (8bit):6.462760862163708
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:6144:k9hvqF1Ged2RYbguEuFuTkdj+zRGa7JkjrXyPyMMWvpBVOaqahUqjAGT:LbgvuFuQdj+zRTJkX8yMhB3jhBAi
                                                                                                                    MD5:1641D233388AEAE9D77CFC976D5427FD
                                                                                                                    SHA1:C33533FCDC02E6255A1863102038C961E82BFD63
                                                                                                                    SHA-256:D996D5C70C926BD6265607C6536C2B575427F11046E5FCA5AC32768E2AE81EF6
                                                                                                                    SHA-512:A959BC2A3F6A96EC44EE1F58A0E5C6D791158D4935DE8357091A273F2120993438B4883A9C919824F7C6D91462F7B97C7BAA6B3AF4829B63204A5135D4895CDD
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):214512
                                                                                                                    Entropy (8bit):6.4940889932550885
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:sr85CxGnUI/9FXK4+PoSZSb5qURwubvvnzdl1CkTlxAenDl3SoxceC76JNKjzDI5:k9xGUcsvZZvUmubv7hTHA8l3yROJyDI5
                                                                                                                    MD5:BB00882A877F34EF5C0FB4FEEFE0C351
                                                                                                                    SHA1:79B64FE2910FF50820B0C83BD52857ADBAEE5AC2
                                                                                                                    SHA-256:45E860894975F6F06D453668E5A4BC99A9C9F20E1D10B29C889280C03FBD6174
                                                                                                                    SHA-512:C7EBBA30720AE9482D889C27A7434328D098A66CC08BFD6A4F96B92C7799FB6E3784BD63BA00E5C03F168D45B164DAB8953042AAF1D9450452C217A9C724AAB9
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):568400
                                                                                                                    Entropy (8bit):6.67410873638024
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:12288:pyvTCXdXikLj2jR7trg6Qi3vYsKTU00vq:pyyLj8trn3wsq0vq
                                                                                                                    MD5:4742CA122FBE7E689F0AB4DCE9507986
                                                                                                                    SHA1:5DF6FDFA6E97A57A4F957EEB4520BA378F850B16
                                                                                                                    SHA-256:D91AA424DAFC703F0DD4173FDFAF017F8203D42F78E2219C21714E81F740991B
                                                                                                                    SHA-512:0643D24C897A268C2537F0EA885AB7C1263E1648AEE3350521C04695ABAABC2908C5A1F262C17A6918C30608D40D1B61A5EE9A0BB027BDFF9D8D6FA7AFA7996F
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1252432
                                                                                                                    Entropy (8bit):6.763931251276611
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:24576:R0n7Ubxk/uRvJqLGJLQ4a56duA/85RkV4l7/ZeoMOp:S4iwwGJra0uAUfkVy7/ZX
                                                                                                                    MD5:B248EF0A955B4F85B13A4F2039C4F757
                                                                                                                    SHA1:B48E6437A4D0998F47606660AE97BAD147D2E873
                                                                                                                    SHA-256:E46F55F9E2C74FD3E46A67DA5CB29EB2458ABCF8134D2E447AE91F408B5CD3DD
                                                                                                                    SHA-512:EE58707EF36F8E0499CD45C985A91390241064F07CFB1F74B2F5AF1270631C5DB34A9F517F89C45EADF9D8914301C24A80359C22589934C98716E472AC21AB50
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):790096
                                                                                                                    Entropy (8bit):6.746361102520175
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:12288:/MvcR0D0B6PyxoxIlZwM+R6R4uFjs1Z7FMN0TzJqccvbXkN58AuimIh:TR0gB6axoCfyR6RLQRF/TzJqe58BimIh
                                                                                                                    MD5:CC11EF3CDA871E739075E19C7E011FFB
                                                                                                                    SHA1:C0B20B62646FB9C3C3AAA61BA6D806AAE86FC93B
                                                                                                                    SHA-256:5F4334AE0F8BB573E6179BABD9C7DF94C0FA33A081390FEE7C04DDBEF1CE5BC4
                                                                                                                    SHA-512:4DF027A3FF53C549AE181C43BDA619460A373E96564B448C74EEFA5ECD820A39B51C763FA5FDCCED1939CF900E51826E5D6087272E91DD95629E2C7615B268E0
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):562776
                                                                                                                    Entropy (8bit):6.434910305077969
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:6144:k9H0dzerObMhDGJ9UM3sunrXj9BMHmD1tYFLqY/W5R02qO7VKCy7KCzDSEBPj:peqbWqB3sunrT9+aYFLq3ny7JSEBPj
                                                                                                                    MD5:AAFEB56FD7F7B3864CE0172C11BFFC87
                                                                                                                    SHA1:8628FEF6AA9346B4CA3E0534632AC831DA737C15
                                                                                                                    SHA-256:8620ED2307EE8B35B5109D765F8BFBF8FDC2CF5D451E52706F9C5C2A13248609
                                                                                                                    SHA-512:16BD91F2F348D6FB6B35AD47225B9CF80AD0EC5D0BEB0AEEF7D84D9CE164DCE23DBAE529CCCEC7CD6577E115935D93913DCF6446C92499C96BA11E986271E5FE
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):127512
                                                                                                                    Entropy (8bit):6.339948095606413
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:sr85CqPo10JOSdnvEhEyr1hg9uCRFRzsxeZ:k9qg1MOc81hmRFJs0Z
                                                                                                                    MD5:1307001D8EECE24439EE9F2E353163CA
                                                                                                                    SHA1:0D5EC348BFB5B53CF8A0AEE1FD325BA0BAC476B2
                                                                                                                    SHA-256:D5842746263ED287CEFF18A1C03D784AEB007D7BF63D6548C324B21FE7B6F3D5
                                                                                                                    SHA-512:5A23D430C6117CC2467E2FBA4935829EED4752A6F10F2AEE81C66B239567BC3A3F2822D3A039AE450CF5CC89F27FED2E1EFCC8260D5A650AD3570671D65B247A
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):299136
                                                                                                                    Entropy (8bit):6.791456127636419
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:6144:k9/0LYbH0QQchx73BeFStIhEWDoZvynCMj+TwW:G0EbH0j4x7R6SvyCMqn
                                                                                                                    MD5:7663DA5345AED4E2CE3AE00F1569BAD3
                                                                                                                    SHA1:10BF6A77F04B10292030C2456066EB519A4F50A0
                                                                                                                    SHA-256:14093EE670E445270AD20D7451E89F37B7E8335C5EC73460A0154232852BA3C6
                                                                                                                    SHA-512:1F8E1BEFA7E2462CA5C0DEB8756DF7B8FFD71D82F09FA0B93EF9CA2D32CACB21688713F5AFA8053B9F83463E9253D428818AA9334202ACB147A608827E4027F1
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):299136
                                                                                                                    Entropy (8bit):6.793867878392893
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:6144:k9/lXCs7zYA9xiNFiVg7s/uDoeBvhI7W6w9:GlXCs/YAh/elvhI7Wd
                                                                                                                    MD5:BB0E7591812BC27C3D6D3DA565AF925B
                                                                                                                    SHA1:BCF62126B5381B32D7C614EFDFA30CF7F385463D
                                                                                                                    SHA-256:F251861114A4932B3AE9FDC95524EED50D2BD6DBE1E498C48FAE4BD095D4BD7F
                                                                                                                    SHA-512:EA133EB067DC32BE2EE47D1BC50CE77FA87DA2379CA5991EDB837EAED7BCE9BDAAA179A7997220E0D8520926F846D998948B92607DA330128D74B1E000E8E1A5
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):437888
                                                                                                                    Entropy (8bit):6.42684511221715
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:12288:GGNKdHVnfiMB7yIL+5IyoiYv5jPaeTmJWIvDxT9ULX8PCM:9KiBLZ05jNTmJWExixM
                                                                                                                    MD5:2607BC5BE23EF6AFA96E1B243164745B
                                                                                                                    SHA1:50B602076CB054022A35790FDCF0512CA1D9B68D
                                                                                                                    SHA-256:EE438CBF24A8CC6303A4930BD3D84EA306C350A92384F3705364058BECAB050A
                                                                                                                    SHA-512:59C7C4CF7B43726B774A4BE770B5B02573EDBE035C3DEAC909EC3230A1A05A2E2D6814F08F9D81F9E86433748082D1A04B914C7444585D90D511C348C8367D33
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):343328
                                                                                                                    Entropy (8bit):6.646237652723173
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:6144:k9zkTpB8HHvBjruphfgesnAhAOQp2EwckjQx+m8zhPLlZp3:OklinJruphfg26p2Ewix+m8Nln3
                                                                                                                    MD5:E08B11A49D68A60193D50788A23FEEC1
                                                                                                                    SHA1:5348D03F4BE33DE456F7E319C1F0F0DD2B281881
                                                                                                                    SHA-256:AD46D94722B50EED787512D44634295F8EAC6AB5851F75CC14B40DB095D18244
                                                                                                                    SHA-512:F397CA818F0F9902DC4111D240C6CE0E29B75477B4571D89BE9F4BEC2144AFE6E1BECC6058E3701B18C0090BF2FA15C8153173C024203655A3D757572E7E6DF5
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):443680
                                                                                                                    Entropy (8bit):6.399332197842204
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:12288:r3gaHC2zUM2WJoROZVXk8hbodzbaw8x0Cx+wnx:rx5k8hb0Haw+x5x
                                                                                                                    MD5:BFEF6D485809D5E865C0CE57F5C30761
                                                                                                                    SHA1:67C6C40D604D094508A7A54B2C1B984D6B284B16
                                                                                                                    SHA-256:AF62AE439BF04032F161BE6720D989A4CF6D79F74916849D06F1118B77303B70
                                                                                                                    SHA-512:7F1715A1CAC7CFD1AC321F70DB92E1255DE06E6B98BD8D05F84219C729714DFAFA2C15B12CA55F5A3F7AE93FD53B74927D29F4627F27BCA7E65BC3D925A61912
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):203552
                                                                                                                    Entropy (8bit):6.1365331355493
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:sr85C8aKavT/DvbEvK9aobNI2B+Nl4jz+b0atWH1TmFtotpcat8iKdlVST31OK8I:k98aK2h9H/B+rEtiPC
                                                                                                                    MD5:3F7B572F1D8E16AEB92DD112EA5DDCBD
                                                                                                                    SHA1:FE399BE4D0126B73A2F1793B205D75F52923913F
                                                                                                                    SHA-256:617E36E5B66F2D8C2CB7534E883744EF115F2F1EC8B8210FAD308E21338A78E6
                                                                                                                    SHA-512:B5E7D7601A159DEE555A0E98D0D7D0A1BD2EAB68931C8520AC8965B2C05FFFB66D0320EA79713645A4991017A1D753E68F01267311B1C35AD86BE9731D3102E6
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):149792
                                                                                                                    Entropy (8bit):6.511104209826025
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:sr85CV4vzT+PjZpsB+2h+EOXkMxJ7Rfp8K172YPrp:k9npsB+09zMH7cCxPd
                                                                                                                    MD5:931BA0AB474211B6F6F46DF9D2685396
                                                                                                                    SHA1:46B754C10E0CE63693C1E0C243A180E980CCE688
                                                                                                                    SHA-256:37AC3DD2183C224D3E32A772FBA419CB1B63E591C5DF6FA69A15989DA9B2C582
                                                                                                                    SHA-512:2E9913BEAECC96FC9BB5BA270B819B7D3FDA82BE9AFF739C294D74A3C0ED7D706A7584D872221B864C3297CAB8C9300FE4DED15A40DA0F687D8E1DB1D60A18FA
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):227104
                                                                                                                    Entropy (8bit):6.237873657819261
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:6144:k9AWt9h8QlLISZWVRohcq7dvni3F8QrBA/:Hy9hdFIdRoGUxi35rBU
                                                                                                                    MD5:19AFE8347886BC20E0AE3FF3168E4A33
                                                                                                                    SHA1:C75BF52D95EFB4C1A07F0D55D7A25B765B366087
                                                                                                                    SHA-256:58D82570BEE9757A3615789DF93384BC28C77D4F0E60796C0A845265FDB0BADA
                                                                                                                    SHA-512:6FE092C3AEB098BC26AF41E64EAD35381C7E49BEECB1847A1DF7DBDBE2449E0826D888B49F099E28C3A752013BA9E7D0DDF256A8B3A57F3A60248A467CB2DACF
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):264480
                                                                                                                    Entropy (8bit):6.6429855049099995
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:6144:k9YwCtJmRqyFmB6AOKmiMGwIAfx+iQ+FfFyLgG1da6edo:1w6JmRI6Bitwpx+iQafFykG1da6edo
                                                                                                                    MD5:9E4A1877CD2731B9DFCE6E0FCD7B5037
                                                                                                                    SHA1:45E966F9EF775DD94339782C3374597AA7BC17D0
                                                                                                                    SHA-256:224C2EE088EB5EA5D06DA228AB575A704FCF2328B3EB60613983236B13B5CD70
                                                                                                                    SHA-512:7A7A6185F7590B1C5BEB2D16DA1FF14BFF15E6EE5BF185562B1588E32F112765BAF20D84892C85299DCD2C1F7127950D78EB3D10EDE6C45727D1D737F022F8BF
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):149792
                                                                                                                    Entropy (8bit):6.511488043303241
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:sr85CZ4qR8vSZksB+2hdqecER5AhC48S1m2YPrZ:k9HksB+0YlEXAe6QPt
                                                                                                                    MD5:1F18312D69028EEB0E96580CBD36232A
                                                                                                                    SHA1:E90EB0E84B9D3693EEECAC1979E736802D7AA181
                                                                                                                    SHA-256:DD6FC425C8F737BA5054624F638AB7B4ECCCFE3A6A14C1DDF11FDE34B928557F
                                                                                                                    SHA-512:487A3C9E58C51210EAC60866105E1E3A6C1F1B9BE39BB958EFDC635D2D7BB7F382E7AC3500CF40B2B83DA16986B1B8982E79E51C452901AB9848AE80666A1B26
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):299136
                                                                                                                    Entropy (8bit):6.791456127636419
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:6144:k9/0LYbH0QQchx73BeFStIhEWDoZvynCMj+TwW:G0EbH0j4x7R6SvyCMqn
                                                                                                                    MD5:7663DA5345AED4E2CE3AE00F1569BAD3
                                                                                                                    SHA1:10BF6A77F04B10292030C2456066EB519A4F50A0
                                                                                                                    SHA-256:14093EE670E445270AD20D7451E89F37B7E8335C5EC73460A0154232852BA3C6
                                                                                                                    SHA-512:1F8E1BEFA7E2462CA5C0DEB8756DF7B8FFD71D82F09FA0B93EF9CA2D32CACB21688713F5AFA8053B9F83463E9253D428818AA9334202ACB147A608827E4027F1
                                                                                                                    Malicious:true
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):135808
                                                                                                                    Entropy (8bit):6.396186166703023
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:1536:JxqjQ+P04wsmJC/rmKmGyeVK7qjh3rmKPNbS7cZPxyqPEoCW/ids8nBs+s8nBs8m:sr85C/q4yutjZqMNbSgxbFrj8m
                                                                                                                    MD5:2DE190CF047A78DBCAB6E2216701D2BC
                                                                                                                    SHA1:9B490C017D00BD20562225FC684D426F44EE3C76
                                                                                                                    SHA-256:266452E14A03BE6D5B3CB049E5BBEA4C4787B4C18289FBAA212DFD8B1227B3C1
                                                                                                                    SHA-512:E1D62E8CFC1F441ED08ABDE8CD996EDE7636E48E67E0B1787A9CD0865C8885C1D56E736803BB20773EFD98768ADDCDB79C1489912F5D01E5BFAB231394D552FB
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):299136
                                                                                                                    Entropy (8bit):6.793867878392893
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:6144:k9/lXCs7zYA9xiNFiVg7s/uDoeBvhI7W6w9:GlXCs/YAh/elvhI7Wd
                                                                                                                    MD5:BB0E7591812BC27C3D6D3DA565AF925B
                                                                                                                    SHA1:BCF62126B5381B32D7C614EFDFA30CF7F385463D
                                                                                                                    SHA-256:F251861114A4932B3AE9FDC95524EED50D2BD6DBE1E498C48FAE4BD095D4BD7F
                                                                                                                    SHA-512:EA133EB067DC32BE2EE47D1BC50CE77FA87DA2379CA5991EDB837EAED7BCE9BDAAA179A7997220E0D8520926F846D998948B92607DA330128D74B1E000E8E1A5
                                                                                                                    Malicious:true
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):437888
                                                                                                                    Entropy (8bit):6.42684511221715
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:12288:GGNKdHVnfiMB7yIL+5IyoiYv5jPaeTmJWIvDxT9ULX8PCM:9KiBLZ05jNTmJWExixM
                                                                                                                    MD5:2607BC5BE23EF6AFA96E1B243164745B
                                                                                                                    SHA1:50B602076CB054022A35790FDCF0512CA1D9B68D
                                                                                                                    SHA-256:EE438CBF24A8CC6303A4930BD3D84EA306C350A92384F3705364058BECAB050A
                                                                                                                    SHA-512:59C7C4CF7B43726B774A4BE770B5B02573EDBE035C3DEAC909EC3230A1A05A2E2D6814F08F9D81F9E86433748082D1A04B914C7444585D90D511C348C8367D33
                                                                                                                    Malicious:true
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):163456
                                                                                                                    Entropy (8bit):6.282119597857022
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:sr85CQ446dewltB2mNd/HOrveW1dexk834fRZ5Nyc:k9Q446d7T/H4X
                                                                                                                    MD5:6CAFDAA62D8747DE46D3034200B28419
                                                                                                                    SHA1:939138E4EE0DE785F062DBDF928465EEB2653510
                                                                                                                    SHA-256:F8C97B577C19232F795F72E2C81D343E7E4CC1A219350419A7FBE781C1FD82B4
                                                                                                                    SHA-512:8A390C6A4FB272AC4ADC80018E548AD656504901D580BD6FCDBF9DC6181435FD36AD46B396421F8957E38CE6D981324DA93BA5217FFCF78AD1AE7F2C8BC868E4
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):127104
                                                                                                                    Entropy (8bit):6.0679650494656965
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:1536:JxqjQ+P04wsmJC3s8nBs5s8nBskEsz2zy77hPxIAbBsnzA3QDkrDW8Kq5ns8nBsb:sr85CaUkEsqzy7pxI8BszFJqkb
                                                                                                                    MD5:80063F8042BCD9F08243437E883EE0B7
                                                                                                                    SHA1:B28DFAAF22CD52264358AFCEFC9272B65DA021BB
                                                                                                                    SHA-256:77D52E65380CDF4E98EBBF36F578A5A1406F4BF9D53C434FFDE323AD833158C5
                                                                                                                    SHA-512:BD4FC5327D74C0D9FC1A75DC9781AE5F3C147A83E4A22FD7FDBAC370E1210C781A51018D798BC5F39C9A9804E43F56649E548C562D59BB4371ED473113B952F0
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):223360
                                                                                                                    Entropy (8bit):6.089485930964728
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:sr85CIySSyyXC2BZC5vHa2L8jv+UII6qS2AroAxYN35gwxcPXtxdTsVcCXFzlZBD:k9oSyMZOy406qS2AroAxnw6f9JCXN1
                                                                                                                    MD5:8AC992B3CEE15917902FCF4E1BB88AD1
                                                                                                                    SHA1:278D893D5B43C8210F04986205F42D7B842B49CA
                                                                                                                    SHA-256:2A5F8A9115B28D6E242EC13E0C9B577FC55A4B23AB7605CC6F4BCB7645A7A905
                                                                                                                    SHA-512:4ED4B2E050D864F66BEFAA8D587972B5219064D5EE989F36FDB410865D30467EF60D6A1B14D53FF6F6E408644059E473134E74BD8B4AE841D1D74F2642649381
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):203264
                                                                                                                    Entropy (8bit):6.630784933207718
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:sr85Ckwl0hzyfN7T34oshWGrAUdaz2w9Lf0M/RHym:k9ZiFIf34hcUsz225/
                                                                                                                    MD5:FD99F4BAC9DE9CEA9AEBE10339376F46
                                                                                                                    SHA1:657C4D31907420906F6B76E7202DBC8D1ED642C7
                                                                                                                    SHA-256:D40F5C5B2B8267AC486BF5E68ED065502630CD8D5C38C84773A3CD8341DE3479
                                                                                                                    SHA-512:360A69F494DD27CAB49FC0FBC0A3507593D97D65D41C7D9E7489A89385D1E6ED42F9E4109A3585425F19AC6DD3A19A281CFCB4CCBCB9BBDFD4C914404487A9B5
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, Author: ditekSHen
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):209912
                                                                                                                    Entropy (8bit):6.339745236465328
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:sr85C6fSoD7sDZ7/E2jijQvZ2ha5ZxXHyz7weLSMqpmmtj:k96fSoD7q/fji2SUKz7VHwmmtj
                                                                                                                    MD5:57C91EFB667D78BE5744B415C921B0D5
                                                                                                                    SHA1:875B5401BB112BE99BD150C7F74E5193A2189885
                                                                                                                    SHA-256:2ADC50C04426A03D30F96FD5E11F16167DCE5AE4E3202FF5F6A21649DF965401
                                                                                                                    SHA-512:A4958FDA3A3C70A61585A7D0D6DBA9BAFACA06FCB3D242924DA41D3CB57A604B8351DA663BCBACDAF57EB833265C511B77148B9FA12B60468540EB7E0B3EE897
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):209912
Entropy (8bit):6.339745236465328
Encrypted:false
SSDEEP:3072:sr85C6fSoD7sDZ7/E2jijQvZ2ha5ZxXHyz7weLSMqpmmtj:k96fSoD7q/fji2SUKz7VHwmmtj
MD5:57C91EFB667D78BE5744B415C921B0D5
SHA1:875B5401BB112BE99BD150C7F74E5193A2189885
SHA-256:2ADC50C04426A03D30F96FD5E11F16167DCE5AE4E3202FF5F6A21649DF965401
SHA-512:A4958FDA3A3C70A61585A7D0D6DBA9BAFACA06FCB3D242924DA41D3CB57A604B8351DA663BCBACDAF57EB833265C511B77148B9FA12B60468540EB7E0B3EE897
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, Author: ditekSHen
Antivirus:
• Antivirus: ReversingLabs, Detection: 100%
Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):264144
Entropy (8bit):5.863490790187712
Encrypted:false
SSDEEP:3072:sr85CQPEGT3EB2e1aWGNU6ITL85x0HRerzJ0YF6OYLy0PPDq29BA+7891:k9QPEC0QjWGNU6ITL1H0zvjkBA+7891
MD5:1FD92ADE57DEF19C2D5BF4A14AF53373
SHA1:88335A048A05FCE5F5F23411D07AAA53DE05FEBE
SHA-256:7BF6EB7F7150A749DE8581C55BA2E0EB2317B17AA39E39466C22F8E537892070
SHA-512:1035D82569254BE103EC1A2BAE83F02072A17D7C67DC2BB62F1AADEBD06E3A85FE3B352CED35EC166DB4DA7A06489AB839312CACA2806C544B0D064FD1A8BC6F
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, Author: ditekSHen
Antivirus:
• Antivirus: ReversingLabs, Detection: 100%
Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):430680
Entropy (8bit):6.627953214122613
Encrypted:false
SSDEEP:6144:k9Bmmt0fSoD7ZAOhPiURg/4KAaxZTTlvIfaUcuI4hWxBP9SGO0zyqEL:Dmt0LDdOUO42ZdocuI4kxBgGONqEL
MD5:387E91F4FB98718AE0D80D3FEEC3CBFE
SHA1:2A4DEB9782DDE1E319ACB824F32A19F60CCB71AB
SHA-256:2AF36D2872119856CBA456CD9BB23623CB05E8957D74EEADBCD5DED57E17F5E5
SHA-512:1C6029F902DB9F190985B64AE4BA18CB3E770A2DED56511A32C15EBA86198E26B1C8F3BEB399249AAAA9854C72EBF2C50446182F616345004F2FAAD062FDF8BB
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, Author: ditekSHen
Antivirus:
• Antivirus: ReversingLabs, Detection: 100%
Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4473576
Entropy (8bit):6.569965325360163
Encrypted:false
SSDEEP:98304:pkkCqyDEY7+o3OBvfGVY+40yajyS+9s/pLOq:pkkCqaE68eV+0y8E6L1
MD5:809D03153D2FCC1C9E1EE574DDF7CD2E
SHA1:CF1FC95A34AFC5A2FB39504D973BC8380A04BAC1
SHA-256:C2A715F1396DCDAA9360FB09B89992EE8619362062DFBD6C90CFF751C5272032
SHA-512:094FE1BC30027336DFE6A32520DB39D8D27AD1A69716E7E00D6B66D44CFB4EAADBD8D48B6D80BC0D00C60EF0E3483437C82D2185BD704137CB544B11063820DA
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, Author: ditekSHen
Antivirus:
• Antivirus: ReversingLabs, Detection: 100%
Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4316096
Entropy (8bit):3.9258169272505024
Encrypted:false
SSDEEP:98304:nPNLniBaEJhRELqS/rhwov59SRZ5Vb9sybbsK+0rnsQ:PNLniBPJhRELqS/rhb59SRZ5Vb9sybb9
MD5:D303F362090140A192699993B9B481CC
SHA1:EA2783C188FBB317661F1FC3A0CB4492BB8EC80B
SHA-256:DA0ACD313E47ED22E9D7EB3E3E540853B8EA43172CA0CDCAC4E0447868B2B16D
SHA-512:12932A51ACDB0D184CA0AD6B7B1B9B72C8EF698B19B5747BD45DB6EAEB792B942089D62F5AB43106BA840E50D562092FF0056D3A2BAA97E353B2AA64C433242D
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, Author: ditekSHen
Antivirus:
• Antivirus: ReversingLabs, Detection: 100%
Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):94600
Entropy (8bit):6.442216424962596
Encrypted:false
SSDEEP:1536:JxqjQ+P04wsmJCgELjOzHKd1XI/etzCJQx0cxnIO/IOmOe:sr85CgE/OTKXI/etG8ICILJ
MD5:3F61817FF96973951F7964C30D7B3E0C
SHA1:206328C89E5552AAFF1C232D4285EF70BB305CED
SHA-256:0F2597EFBF9783DB37DE336D0F7C2F2906E09173873EA105C79EAE1B56E8F95D
SHA-512:C2394D49EF23ABCC1C96DDF60111D2272920698D962F769B3CBB7D77493438201E5B1FB7B196ECE9B709A7DC2E03B26FBCB74699CDE4B1B6AA56C869F287A47B
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, Author: ditekSHen
Antivirus:
• Antivirus: ReversingLabs, Detection: 100%
Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):101496
Entropy (8bit):6.2502810194516245
Encrypted:false
SSDEEP:1536:JxqjQ+P04wsmJC2vpz3ktxGvpzvy5ZWGalHFmMTK0KRTS8bOzc:sr85CwToATzvmN0KRm8bOzc
MD5:FA4CEDA48FE9CEA7B37D06498BFCAD93
SHA1:C85C170D39C0BEEA2203B0BEA30C19AABD4E960D
SHA-256:BFD637624C2C9B5ACDC470E589795C7720710782B618830E70D4C08F2498D64F
SHA-512:B95C63A1DDA19FFD988DA77C38E04BAF600C61C32FD231981B6577B351A5D8DACAD0A6923ECBB05692BE06BCCFC365A7AC3AEFC957E25D56C7A5B81CBEA4E208
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, Author: ditekSHen
Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):455760
Entropy (8bit):5.934487072040942
Encrypted:false
SSDEEP:6144:k9fwACThwS0vn9IdRsLGEJTdPA6lDfZNAGVx:KwACThwSSn2dRANtlF3j
MD5:EE7FE56AA5473C4CAAF6542F9C89E3B5
SHA1:F94831FB534FA38C6142CE1A73883A5F181D47CE
SHA-256:AA77B4D2A82911CFCC76EEB2184FD513F8E8DABB39B90019E7F051172CA128E2
SHA-512:EE7A769F162F3E4A55A8653F51D601DBEA53533EDBE6F52A96077234E6367FA835EDC9F2DF76F56715EFAEA618D4A77C64F7875725BEF5AC9F5D0E1F799DFC37
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, Author: ditekSHen
Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):225704
Entropy (8bit):6.251097918893843
Encrypted:false
SSDEEP:3072:sr85CHLqB8edYkIrv6TXRw9xwqazULDjkAJZo0RAjUIqXfkRC:k9rjilq8OPwRzso6AQ5yC
MD5:D2E8B30C6DEBFCF6CF8EA10E95D2B52B
SHA1:E907D9A5B3AC316E5DCB4143A8B9466A548CD247
SHA-256:2EB9FDCC1BCD91C9734390A0F9543B6DEA8A934F71D14D304D0DFEBD9ABE1608
SHA-512:811C739AEED909E5F977E3C69FBBB6DD57FD9A0C5D644129C41D298279C369F9CF8482230DCF7762AC6B38958CC78255B1B2A9261ED0C897E9CF85244F056A67
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, Author: ditekSHen
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):84928
                                                                                                                    Entropy (8bit):6.496286535630211
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:1536:JxqjQ+P04wsmJC367wZClMML07MiapFmPRHyzMwzobtM+zf:sr85C367wZClMMQ7MiawHyzMwsL
                                                                                                                    MD5:577ECDB909EA638F824698FC9662A65A
                                                                                                                    SHA1:EF5B3EF16FD6E4FCE04774B001C229B091B64242
                                                                                                                    SHA-256:917362177EC459D22BC88ABB9EA65E385B50A664A9D314AEBDE4AEE3D4ADDD69
                                                                                                                    SHA-512:2D30E0328E250B90731269650174145A7E0993B76D43A90BAF93E05DDE59B7930199755648C90BE80BB11AD7ECE5555C1F54991E1146A62D1985958E6533A854
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):83816
                                                                                                                    Entropy (8bit):6.5486905453129385
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:1536:JxqjQ+P04wsmJC00s7wZClMML072apFmPcnGzLHyxz5pOEtmwxz5E:sr85C0t7wZClMMQ72ahnGzextQyxtE
                                                                                                                    MD5:0A60BCB1B4624AEFC401299CF4AC158E
                                                                                                                    SHA1:B213E9E2C230E850B70EEE7670A9961DE0DD3B92
                                                                                                                    SHA-256:377C6042F55C5245E950DF6C58C8E541F34C68B32BB0EACB04EBDBD4D4890ADB
                                                                                                                    SHA-512:B6F2C7F1CF562988BC0B4F45D3E36062C08A640F0CC99A3CE05DA121CB107716193FBE3B9B6012B77712FC8832D3EE19B9889018815F414C1FF0DB1EE5EFA898
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):233832
                                                                                                                    Entropy (8bit):6.444055281477179
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:sr85CUW32GhNvMQ/58sl2U2Gszlz4SNBZCgMWku:k9t2GhN0lsdspzPgg1
                                                                                                                    MD5:C541C4556C5B21907107E916D65C5212
                                                                                                                    SHA1:E70DE78F3C4FD8A9364FD54A8283523572F07F60
                                                                                                                    SHA-256:99669ABB3F0C6A61BD44D379FFBC5712D2AB44E63D1071E1B699E46DAF279358
                                                                                                                    SHA-512:73761E8DBB28A0A83BA33236CC43609CB11B64716A3CC0EE1394D1C05ED9BD71791566666EBE8B159D13FE3A1B90FB473B865AADAFA69DD3E4513824F1959793
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):502632
                                                                                                                    Entropy (8bit):6.71908645689974
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:6144:k90WDxGH79J2VX5gEpvm7JA8I6BHAlSpFG/+Ls3ze30xB7zq2zs:kMxCvm7JK6JAB/6N30xpI
                                                                                                                    MD5:266F86A29B1E6B8B760527C50DA9D660
                                                                                                                    SHA1:2C054027DC591063B47873D42D973B38B3BDE3F2
                                                                                                                    SHA-256:F30F2704E1BD0F7B173E9DE79D3BA9FA3CB1B494C8BF20FB4768B5D5EE6317CA
                                                                                                                    SHA-512:1672AEA98C6142E995BD018CCC8FC7836A05E6A5062C7B615D7C5D04E3E80EC4AC37DAF999296C2F095C4FD2A8FB38766DE09BACDB574266DF0257E697522D78
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):352704
                                                                                                                    Entropy (8bit):6.38536686774314
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:6144:k9+EshacHeGXduZtZ9zHVcI3uv7FgR3FTzWQ/ZZyp1:ysHHrtuZtPvh3FuQ/jyp1
                                                                                                                    MD5:51D8F20B8D5103A7A909B107B6A3B7E4
                                                                                                                    SHA1:FB4B5534EB81A82E70652870FC68DCB8EF8C9A6E
                                                                                                                    SHA-256:BBC6913BAC290E98B15A7F65E9CDAC0607BCE18A32CD3DCD1D7EAD307F0B51E5
                                                                                                                    SHA-512:77A398F43351031F2B6EAACE03F787E49DE72A1C937A24A2847BACFBA8A1FE76B2B031524530E5E5B2648B6B0FA87B53104A92B1A216963F2D233E0D74D03D16
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):4395184
                                                                                                                    Entropy (8bit):5.937082520516123
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:98304:mXuo5RMru45b5dZlAj0sqW7YDKMzVwgBWMTwLe7G:oR345NRAgsr7QH6h93
                                                                                                                    MD5:F57075B760A0D881010E15505F0C483C
                                                                                                                    SHA1:0ABC231159F339F651595E385EC7B466E259470C
                                                                                                                    SHA-256:3D0EEB0CB3BFBCCB167AE0D1AD90B8EFE17C9B88D491AD5D14A0EFAB223D6E21
                                                                                                                    SHA-512:64D97EF9B435579D883DD5C08967737D868C6A6B6347E37E248C5DDFB47FA726B712DCABC179EA62E0A936692355766FC06BB4C1DA3087B81092942940068161
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, Author: ditekSHen
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):603928
                                                                                                                    Entropy (8bit):6.530305704021743
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:12288:bzKRgqBDxoiPCLXHLuk/Wg4Reh2mbeF+IGboJdx:/KgMxoiPoXruPi/++IvJdx
                                                                                                                    MD5:8F1CAC64758ABE414CC4B882EE8519B8
                                                                                                                    SHA1:7018BE9C3FCF4FB4F8138869F9CD40AAB0C9B1A4
                                                                                                                    SHA-256:110E1BBB7A4F7A42D2099D8A76F068DDE01D63C28D841AAF06D3EA872F261716
                                                                                                                    SHA-512:19F81CA57D67C8D8B784817E88C10E7768906F019950914B391DF69C2C537380296D1D4B92F7070ED25582E9EB7C015E797D3131D77A70CCFF690CDD39CFE4EC
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, Author: ditekSHen
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):507024
                                                                                                                    Entropy (8bit):6.145143458075982
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:6144:k95yrmBq0RYSv3A5DhW15yChMFt2XTNJWLgCWzzYhPRt+:NrmBjYuALWJMn2XTmL7hPH+
                                                                                                                    MD5:F6C667D2590E5294F3272D9576BC3051
                                                                                                                    SHA1:13D893A1521C8BA8D1FCBE11EE0FD16F2E0194F9
                                                                                                                    SHA-256:03966A5548958182569400B6098219CDDB1EC6C5BCCFB5391A36F66E9F517FC6
                                                                                                                    SHA-512:E2FE50A7EE86D8B05CCE91C9F0CA07A24C41631A317F38AB380C996475BD8B9CB05BD7B9D49968AE87442399EE7312C69169447B3D527B539F0C8C1920D986CD
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):251560
                                                                                                                    Entropy (8bit):6.621260401843092
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:6144:k9BomAAOwPcPIqk4Vsvt0uews+qZP9zOPBxGiryKI:4sAETlVsKzZPixGBKI
                                                                                                                    MD5:3DF5147DBAC00F92DDEE6D22533EB194
                                                                                                                    SHA1:F7ABB04F99361465F9FA9193E1ED06B49381C688
                                                                                                                    SHA-256:A5BD7911E7F7FC76E27F5BFBF2B4AAAAD9FFE0FD304B65D87783409629EE8B25
                                                                                                                    SHA-512:84ADC24DBDCBE9EB9A5BD77BBC0F1BC1E59E4C32496F4A435D85ADD042F7FEFFB0FD21D459D62F0BCFF7655CB3262F7BAA491F6947B5F4ADCC650A5B10FCE3E8
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):751720
                                                                                                                    Entropy (8bit):6.631735781680161
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:12288:DdI8PdgELg6eaBlnjlZcTerWv+xdeFhvCs9TukINOW:Da8PWELTBlZ+erw+xdeFUsUkEh
                                                                                                                    MD5:8A6DCA4D7B31FB7626B5FB7430241040
                                                                                                                    SHA1:258B527B5F6B30411C8727107B29AB9300163817
                                                                                                                    SHA-256:6DFF05FB541A8D3B7847AB3197422E582AA021963A9C4BF63C44100180CF22F5
                                                                                                                    SHA-512:2A9714FE31814C0ABE13F59ED77A8EACD0CAF2BF9566FE9B9B0240A942EE5BF5425A5E523F2C51DDBE8BA977675753074901C211A42D899F7AF9F47890280693
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):161968
                                                                                                                    Entropy (8bit):6.528134300921485
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:sr85C9NDS5lS1jITI1FeBT77NDS5lS3j+Wzy6oUSA7hZ:k99NDS5lSxFeBTfNDS5lS7zUrsZ
                                                                                                                    MD5:9A962710D6C3F23726E18BFDCF7D5BEE
                                                                                                                    SHA1:01AE9DB82D4B7E365E30B4A2A930B74FB8C0C5DC
                                                                                                                    SHA-256:17D163C4C9AA325EA07FB5E5EFCFC3A308D30D71C7A19BF663350F978EB6418C
                                                                                                                    SHA-512:0D51336AF8246C7B6EC30F506206198A7873106E07995A69A51D059FA5F83BC0BE6E6744A0D0306DBAA811DF623239FB472880E7C87AE83CC9BFCE70E7C2960B
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):159560
                                                                                                                    Entropy (8bit):6.577583568198119
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:sr85CIklWPsom9TiWWWWWWWQM+FtWAzhIwaeENinkf8xw3xUFv2tGPrtPmF:k9ab5zPaNQnBxw34Oita
                                                                                                                    MD5:04CD44B46689C390B61090CC9AF0DFC5
                                                                                                                    SHA1:DC21D958A5D799B45AC721528216E981AD9FE73E
                                                                                                                    SHA-256:19E2D4135729DEEB6086A7B6E50CC9CC238DC19F199BE40CFF80A7280A9D7A8C
                                                                                                                    SHA-512:7D91066D2D02853B9C71C1D691D1315E0CBDC1111AEA83A4A45CB40AAB26A53311386579BA93AF557C9074D4D69E0D265B13C41A384C23BC254911591C0C8B5E
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, Author: ditekSHen
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):2233240
                                                                                                                    Entropy (8bit):6.2971498741833525
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:24576:LDZgOA74U4o//sbtwvZTqFDk9sg71SmY90gh/G7QJoma+9duNGeVG29H:vqHVhTr5UmY90sGE5dIDG29H
                                                                                                                    MD5:B30942151231700F5D6432BA1B1A0C0E
                                                                                                                    SHA1:670E354D40154284F518603B702DC0B7EE94DF82
                                                                                                                    SHA-256:F8677E5F13CEF8B175C10B333927AFF942E46A9F0C73BE91E9BA8A424B878ABD
                                                                                                                    SHA-512:8652C36DF9B5A8B245E3F0A4AECEC55E46B55D18020A11AA0BFC0BFDB532870AE06CECFDBC15000B287E171177570A4EFEE44E2F2EF9B228221C93074A65DB37
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):214432
                                                                                                                    Entropy (8bit):5.994507792871334
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:sr85CIVFptXofXXXXXXuh9gLzltw6Q1hqOJHrtTh:k9YtXofXXXXXXASLzb9uhqK
                                                                                                                    MD5:74D1B233AC72ECF698C6A7C899B119BE
                                                                                                                    SHA1:EEF35AD9326A5A3E3E9F517DAF69D57D0B700DD3
                                                                                                                    SHA-256:A74DA825D78F461489E405F90CCCE848699A5548DA0D921864486DC95F18BAF6
                                                                                                                    SHA-512:FA9D2E78E79A108AEFCFAE48D040EAF500B72B77C3F62404565D257642FC848405FEC7364A8F1F98EEF00B5725C25A77B5C4B37B3CB60A0DC3909A2FE3C5D6C0
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):620840
                                                                                                                    Entropy (8bit):6.585082275251885
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:12288:ioBdI/BUQtsfBCegl2eccL1q/xRyye7BfcwqEhDe:ioM/BB0Bml2m1q/xRPCcwFC
                                                                                                                    MD5:91F300014FBA9310BBDBE0CFDEC9A819
                                                                                                                    SHA1:8091C24B7EFF0215CAF7424ED956322E0E9B4476
                                                                                                                    SHA-256:450D510099056DD9E931D0094D6963A07544E91B3D84A29CA05223C35273A22E
                                                                                                                    SHA-512:B39BD37C0DD05D81647E4C42F0E43CEC41DA0291DAC6F7E10670FD524635086B153025F4E4450ED1D51DF6F9C238DC7BAB3DDCDBE68822AEEF9B79827EE1F0F6
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1568248
Entropy (8bit):5.675955532170124
Encrypted:false
SSDEEP:12288:+wF+k53zCG2tIuQ6DtJQSZDhLOhkZzV5i9w/lmd+jrcUiACW:bFXG6uQ6D9L2uV50AlmsjYUiAB
MD5:59BBEC68CF2ABBE0AA71761A90902F8E
SHA1:CA4DE80AC4640A32C495FCE0237F46D45565745C
SHA-256:2289860922074D80B8F52D6014A3002061616342E0CA952A6A6608E83434F8C4
SHA-512:4CED0681CC7B5F9F40E4F7496F692A55C71C0DB1E2DBC93C08D8415DF9914F01FA8E45AA9FD276305DF824B7C3742E39BAE005CBB4A851B9E264E5129216B43E
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, Author: ditekSHen
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):634800
Entropy (8bit):6.709073721775351
Encrypted:false
SSDEEP:12288:jf/4sOdw+RfEB6tuAlnWhGZco6ijmn5jFTSt7yCPUkazi7JThVoSZeR6aQTJ:7/4Vdw+Ra6V6g2kazidN6SoEVF
MD5:93B1C57F0B5C441FF47190254B01C47D
SHA1:8DDFB09946D30CFC78B8D9C4DA9AB19FD0EAE045
SHA-256:846FDD3E11DAE5A991888539674DFB6649A1960E724CF72E2D8E37A23C357609
SHA-512:5B15EBBCBD69C6BE2CCA96D6C0635FFADD5312BB8EE7FFC6A655D191F5EE25EEEA20EA95D92EF45B47D5AC54BB3216C74D0D4DAC3DB1C5A18B0230F285D5B588
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, Author: ditekSHen
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):748192
Entropy (8bit):6.713281323235293
Encrypted:false
SSDEEP:12288:KKxLM1deLycUTc1kZi7zb1QRHhhj7WGvF5PYcdTFtZ3G97aSDGGHrbTwqFwydBf6:KyY14evTc1kZi7zb1KHL8vbTlwOBC
MD5:D995BB9A7D45C056184104F03848D134
SHA1:794094754972689F4ADF9F876F60440FA74FBD2B
SHA-256:CD263241B90D11DB8E0A0EE42D47AB1F7517675F53C2B8D92C61471746BE2276
SHA-512:89C4B7AF03DF6B2FE3BBF56D476497E9102B0ADD24552A78D164DDAEE453AA1760D12EB4ABA0501A58BD5F00B00DA36CA0BEDD542B271DC08ECFFF9395495643
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, Author: ditekSHen
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1917048
Entropy (8bit):3.840447707777205
Encrypted:false
SSDEEP:6144:k9GBeXsm81c57ZXFzY5Ucyw4TapP25xxlq4cUcMeTOMzwMwZ:DKs78A5UcyOPexxPcUcMeyvZ
MD5:87330F5547731E2D56AD623ECDA91B68
SHA1:273DC318E8812B3BC6457B0EBEE15F9A7F1D0C5E
SHA-256:268E93C44BE7EFF8D80A2B57427FCA2C98E9B08B3E865FFD3C943497AF6408FB
SHA-512:DF4DBF95080AA5378E2E0BC5BAD584C6C63ED6464BB855F84AB315B00B9CE08948BE4C69D7442C2BB96969E69596964510D2FECE737CAE39833628183550D19E
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, Author: ditekSHen
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4099520
Entropy (8bit):3.72186927452059
Encrypted:false
SSDEEP:12288:zyKs7cvZIFpCYVIUN2mGsb8HtkLaHLH04cLbUBRjLmP29DyZbT9oc/m06aCzE6hE:zyKsY+dy0ZScIBqBT11S0
MD5:25E8600B1421194802B2569899E75383
SHA1:01EFD3FABD4EDF0733F46D91FB9109523E943C15
SHA-256:50280C7E926F959E876BA1BB0611F6C0BAB04EDCEB300D936A887FD3CC9EDE1B
SHA-512:DD49E97D675CADA18BA0EC91B4B0A6DF16A86D17344099E3265D3FAA8C576106DADE231C2829FC1D758EECC24343C6AF345CABEF16E91B3854BDA3824AD61541
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, Author: ditekSHen
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):452120
Entropy (8bit):6.067280009012926
Encrypted:false
SSDEEP:6144:k9xvhCpFviM0OKAOVf3m+2fCz29fx8/eAeTu:GEpFVKj3mFn9q
MD5:7EDAA2971D821AB859302C57099296BF
SHA1:3D7F419C517B8C3F3B881E7B248D2C4F7723664D
SHA-256:CDB80830E3601071C86E0725AE58C9EDCE109BA793910F8C994526EC4E98F275
SHA-512:4EB61A55475E6E87542748AE5C4CCC5B07C4840BF95A84342F09FE21C193B3C4040C27237EEFA4EA469180D24D44B591B1F2833441E456F4E2671A45B9D24121
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, Author: ditekSHen
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):116664
Entropy (8bit):6.595026282405323
Encrypted:false
SSDEEP:3072:sr85C/uGaz7jFQ68ICP5q0WISDr34W+wst:k9/RazrA5q0WISDrZS
MD5:42085E45C7B5872D0E034915481A8111
SHA1:291E458BAD0A8EE5E491301224197ED1B4E00899
SHA-256:E8180D00A2F330E6EF33CEFC29896F0F77FF21C1FF23A637A003D97FA9DB62D4
SHA-512:0AFD24F81C375210CC5A379FCFFE82B0A50B709A149AE1FB92E4470BF9F1AAF1500BF128C4F4766071C54AE32E89A15A0FB002D64D715601BD7E010E25E1441D
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, Author: ditekSHen
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):167392
Entropy (8bit):6.553431728074077
Encrypted:false
SSDEEP:3072:sr85C6WKZbTKeR3Tzp+8IxR8jYYrjHaVLIPSL1CgNX:k96WK11Rp+8II5SLUgp
MD5:48284F62E79703C80F768CE0ECE7143D
SHA1:70DED4ABEB18FEC56583A1F049F4D39507F983B4
SHA-256:1BFDD1474D84B058F2C6F19216FB31DC42DA4E42FEF61923814B304276CC08F7
SHA-512:A9DD19BA1321A56C4FE3B9CF83E2AFE51D4C915B4F7078EA90F8C3415F64C9F0C3A52DC614AF785045036710D6D819E270B5887F6B198DCDFF9953B8289EAC72
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, Author: ditekSHen
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):670928
Entropy (8bit):6.025784704076014
Encrypted:false
SSDEEP:12288:ewbRB+ZRhFfGNpzX5PtiPWRnTLtx5eq4/RnYRoS2Ds+2EYR1XLlShtg7ksyST2Rz:ewbT+ZR3fGrzX5PtiPWRnTLtx5eq4/R9
MD5:7C0014593C4D645EC8F351AB5F1AB01D
SHA1:967B743450942FF50B9E75281B40B215478D85F0
SHA-256:638614E2B6B2A4E1EB168BF56825B004EF1F247C6E8F27D103BD1D05F18BB0E6
SHA-512:E826164FA068FE3709D1D385CBDA3CA3CA5E6A28A50151CFBB214F3C19783D967F67567E40B390E4905655D8340FCC577A63C97293E0110A1E5F3F6651AEB7FC
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, Author: ditekSHen
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):115920
Entropy (8bit):6.223528340566431
Encrypted:false
SSDEEP:1536:JxqjQ+P04wsmJC5w9K75Rp1Ukkz2zct/rzdaBotnMuvWM6TUaE:sr85C5w9K1Fiz2ir+o5vWM6TUaE
MD5:499B11002EBE7BD06FB04458174FF873
SHA1:AF90D819CBB316CC4CD9DB1D1E1876129BF6EABD
SHA-256:D59CFF7BC9B1DE8E82D900CDC3A6E2969A14E454FECF6FD068B51CDF1FD6125A
SHA-512:3392C369F2E777155C76E35D1A9309870C87033FBFF32DBA4CCE3AF8525EC49E397C3655016C34B00BC8A7913E0E73151C2C00A0138C639D15CBDC9A16F0478D
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, Author: ditekSHen
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):137776
                                                                                                                    Entropy (8bit):6.532718929417626
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:1536:JxqjQ+P04wsmJCfLS+I1HtQdiHN4zbyezltnzGd1XuDxhkrTJwNZ5wmW1aHbfC:sr85CsMi+zWeXdswvqiHm
                                                                                                                    MD5:0113D4FE73CAEE2B078E5C5B22E0A55A
                                                                                                                    SHA1:DF82348BA214A6969E368DD516BE07AACADC3144
                                                                                                                    SHA-256:1415C64134FA9678BD5CBB27D189C8CC84BEE485E7CD1454FC2180FEABF8864F
                                                                                                                    SHA-512:B0DE44B4E1B6B33C7479C54F02EF6663CF3C2F88CD736423438B46B4E199B5FD51C3E99239BB8B16D6888C613A8CE43D124CB9DAB8ADB561100792452FEDEEF5
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1206680
                                                                                                                    Entropy (8bit):4.883403224196095
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:12288:E61ZFViRpx5tuwZl4asd/arEISgX0IkEMhTy:E61jViRTfVINdCr6gX0hEl
                                                                                                                    MD5:C3E399A5C28495C77505132DA8625D40
                                                                                                                    SHA1:7F1BC44F6A53E73B222CA0FEC685D4273BD4DFC9
                                                                                                                    SHA-256:DBA08F8269955771CC3598E1168843F954B0CBCAB7A74BEF8905F56C111F2C55
                                                                                                                    SHA-512:72C810017137B35B956E26BB0730F1E4EFC0CFDE9BDD5266FCB993CE69635CDA50EB9B3223CCFC2C340D336BAD4F78205D60A7625E37A72A2796C0A5537DEA5C
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):400336
                                                                                                                    Entropy (8bit):6.662296849527125
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:12288:81rOCPapfd5bhooUBuFiExw/LXa20Dj6EzfJ:ArfIbbhooUBu3wzXa/Dj64
                                                                                                                    MD5:5087CFC731A5F640730910C5104B27FE
                                                                                                                    SHA1:3B723898F092788548173BB2DD0C55A85D1D7C92
                                                                                                                    SHA-256:CACE1F97FC187C817C1FAE597C47782279115799F495462F9BA1EBF1C97001A3
                                                                                                                    SHA-512:A3FBBB913B2D3827B9191C394D2A0EB76FA71A8C870BAF05BB68A04FFAB76BA0F4500D13B5024FF27E39BA671CEEC9B5BA1715D04BD2961ECE04BC4FE6D8E222
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1662344
                                                                                                                    Entropy (8bit):4.282519659984365
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:sr85CdK2OKsuWoZEsVK2OKsuWoZEckAQckAIDpAPfKrss1yyKrss1yAZDvYbNDz8:k9DztkAzkAZqrEdrEAZUCwFjNNYEzcL
                                                                                                                    MD5:7A621A47B55EB778A1DC58DA026F13FA
                                                                                                                    SHA1:179FC259659B020F4495DBDB9349A78EEA8D172B
                                                                                                                    SHA-256:9591264BFC2E13FB5BC8277DDB0FA59F3CB6F9941BE54B340689CB2D3028BDE2
                                                                                                                    SHA-512:0964AF4B382A17CE52F817906914D990AD4B2584CCAF7B8887BE7058C4AFE3255741344DE6FC6AD0744717106986E7723F1C9F5CBD7A13A32C552AC70AD25E56
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):3531712
                                                                                                                    Entropy (8bit):3.7844153091218713
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:6144:k95gSRJQYKV++VYwjatvsDVpDsehRAKzYM:SQYZTWbDj5
                                                                                                                    MD5:9144CA1B12B7793E8F18045B281D81C2
                                                                                                                    SHA1:843A088B9482492885E81B8A5DB7DF5A7A99313F
                                                                                                                    SHA-256:0C4894C91F6FC680FB1A761CF708032C6E792E806F47ABF0C0AD5B674188CB7B
                                                                                                                    SHA-512:A609FC1D8A13D6BC46B80E975DC68930D28447852C5F53DE30A471CC989B6CB5C9CBE35A745518B482B283E32A65D6C1E5F41B02B49790E35F91DF1D8D0B3019
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):83880
                                                                                                                    Entropy (8bit):6.556805464011577
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:1536:JxqjQ+P04wsmJCEKfEBr3fHT4nAzHGkYJ+ziw6+zb:sr85CEPh3IAzHGEJn
                                                                                                                    MD5:71B80598872DD0D2851C781764A85A22
                                                                                                                    SHA1:B6CA4DBD84F0F4E26E641FD8039285AF43AEF337
                                                                                                                    SHA-256:8295A24E5CFAB75404E37EA3986F43B62512E269934814EC08A10B36BE6C0B85
                                                                                                                    SHA-512:259C91998EE162BCE784798266D60BB5C97A368E62E42A6791FE2F396399D73496ABEE3699453F4C04CFC968E3421F68981A14CA767BEF2E341FE9E950F97CFE
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):4319112
                                                                                                                    Entropy (8bit):3.8167825827469506
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:6144:k9xUh82lTMY/C3uuQyMyquNlBXYJ7M444IB:kkyIgG47B
                                                                                                                    MD5:A660A24C48B0673B94A8410325C43C5C
                                                                                                                    SHA1:E601D5482D7386BA4731F659A39447D076A4DDB6
                                                                                                                    SHA-256:4E5802F6C0D19AE853A12439906714659D4FC2D2C5D72462D905077794E3F3AC
                                                                                                                    SHA-512:51DDAB96D9703744D4EE204A064767B2783FE2ED82082CF63149FCFCB983BCA444C9A42554F72D67BE026859C1C476FAB700849C5D0D16E204A213F36756A436
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):785448
                                                                                                                    Entropy (8bit):3.9404929226943075
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:6144:k9dWSXeSC+hBMdNRneNMToeGYeneqjpGtBlmF:iLevUEcLe9l2
                                                                                                                    MD5:03818EEB657D70002E0746E88B0AD5E0
                                                                                                                    SHA1:5B16DC83561232312883A5E49EA8917B1EE45718
                                                                                                                    SHA-256:00D746A158A3868BEB2F20D8F66789675BB981242A10DA5D1679B83F3F7BAC9C
                                                                                                                    SHA-512:CD71721A34385D604352492D7A148F6C3AC144FB6B72D225A4F2ACDD4B309B703ED0036B429AEB31FE63B731773AD6A8FE77BFD620BA9537036BDEB90BF8313C
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1081280
                                                                                                                    Entropy (8bit):3.7785410128751282
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:sr85C4yTUawK12P04ti0o5gmQNJDJnJG20FxPlJPJSS12Zzwww6G:k94s4wqmQN59wtSS2zwmG
                                                                                                                    MD5:35D2A4B29F56EDDF4C5EE9AA5B79CC61
                                                                                                                    SHA1:BC00C9FC4FAE06D0EC90A9F15915345E7025F153
                                                                                                                    SHA-256:BC8A2062F6B156A773EBFA34125DC8673F960DD057C579D2C74181901C6AA644
                                                                                                                    SHA-512:3CE8168A6EDCBD4A4AB4135EE7BBDF2923A62E4ADECFF19E183B2C54E5903318C5CB956AE28A76F04B63C7A3DD3E464C4AE90AF2D08F1FF5F53F525532B927DB
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1722808
                                                                                                                    Entropy (8bit):6.4873312334955235
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:49152:Fuoh1EWXRkd+h9y6NsRZ9MtL4kD5G5LVuhqITJemL9SQM3:FuohO2km9PNsRZ9MtL4ktG5LV93
                                                                                                                    MD5:F8441CD2F8B20FD75340EDDA57BDB891
                                                                                                                    SHA1:E194B384448281D8821C7F78FA2083616B7D7339
                                                                                                                    SHA-256:1F73799D4D76692CC95E6083B10990BACBB90BC016AF0D84A3B9DD5C7F03FAE5
                                                                                                                    SHA-512:B1825AD19B960FAECDD8AF9675F29999363A3858A26E6FE610E03FBB4E84D62FC68BBBFCCAF7CE51C161B1DA011298CC4EEC43E57F35D24701AD249CC6678F81
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):307784
                                                                                                                    Entropy (8bit):6.544986970069708
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:6144:k9Q+OpwoajoJ/cLr6eNI0A2kg79zge/ceeE1+v:zDWhS5g72veeU+v
                                                                                                                    MD5:279AEE74740799844410CC17E9D7DD88
                                                                                                                    SHA1:B2CD4BDD168C44DD877F12020E236681423F667F
                                                                                                                    SHA-256:7FD117BC2E9167ACEB2A2E767F868C300645AE6A81F497B307FB8A5D3CF82DDF
                                                                                                                    SHA-512:0447B166C1F28B9EFB7820349CE7277749B7155E98D7195DBB9509DD0FD0C1793E7A1C9B28C18F8618C1C23F9D7AF46704A313BE9FE4AF01886F9576BBF40EA8
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):97920
                                                                                                                    Entropy (8bit):6.445251735006175
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:1536:JxqjQ+P04wsmJCWzKAtCz72I/Q/RPTO5piDDFwzS:sr85CWuFvgy5piDD6zS
                                                                                                                    MD5:BC9B4C47C903C054F90FFAF5AE807D5A
                                                                                                                    SHA1:5E293D1A9AD5148B5DF0E4B3294C001A01AD81A4
                                                                                                                    SHA-256:A26CA014A17928D1EDF1C1560B4B3E53F856C2AEF88C293EE78F6CDAB15FEF91
                                                                                                                    SHA-512:7AA4B8756668DBCE4C5232EF7334DD7867E9F5107941E0F65BAE3FBCBC510275E69983372F03BF8A939DC4B4008F41470736D720E25969C5D913A5EDA9D40496
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1994448
                                                                                                                    Entropy (8bit):6.549997020090568
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:49152:3l8U9+tiqfG7C+5I6ZOX0Bh4MdDHc/EBRXXZUABfmcQ:3l8+++7hOXODHc/EdQ
                                                                                                                    MD5:4BE8C1392D391FEAA6FB26CFA69BDFC9
                                                                                                                    SHA1:FA3209AD786AB39EF8A4EF173E9C7291A9BCEB18
                                                                                                                    SHA-256:2F182A705D4FED647B1BEC5729151DDC040EC3778825C212158B070F7BF06975
                                                                                                                    SHA-512:1D77C2398EDA378C14EF19511C0A490BDCE2437DDF2E28BC9A85E1ED04991DD5FAA178C6C9E6019165C74DF4E8BCCEBDA6973D40067C019911B019AA3BC26677
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):275872
                                                                                                                    Entropy (8bit):4.23571320386301
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:1536:JxqjQ+P04wsmJCt6gJJRaCAd1uhNRu7z3zHt4s+zbCtbCc0xXNmi9RHYOqEWpVO/:sr85Ct6gxe7z3OzY+9jTYbE+la
                                                                                                                    MD5:CB1984EACAD27ABC9F009A4AD963A49A
                                                                                                                    SHA1:5C6C4EC164A7C41332B605C6D9817030A473BB48
                                                                                                                    SHA-256:DC15534405AA721E4B8F70A910B991ABB4F4F9A5A823A985110D56BAC974B881
                                                                                                                    SHA-512:9806C1F7B4436442159BFD3D1D74308850072A343C059C3749BD5FA4DDFEAC9DAB3ED61E5A35A5E1CC717C3CDF2735B93FA1C99D5A27E1ACD276326D17E5ED06
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):751520
                                                                                                                    Entropy (8bit):6.5238755488474665
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:12288:PccV8BFJ0kz4uP9V6wY2M48aVNfffNfYRweSat8UVNfffNfRtAUUn4lDW7f5sBzl:POFJbl/6r2M48aVNfffNfWVNfffNfDw+
                                                                                                                    MD5:B3C7E94C586500725E1F446C6A930D91
                                                                                                                    SHA1:54719B158873B1E2402767498F31256321D856BD
                                                                                                                    SHA-256:1A5CEC0A13524316A7D6646039EBA275C22F22CA164F30B4F50316220F299441
                                                                                                                    SHA-512:089FE8377087A4EF69D89B75BE8E3442D5C20930C27E7E7FD24E455C96397FE8B7186E3DFF7F1B1FE71853A0C367EB392B6B59B1DCD726C1BEC7937D2BFE4E07
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):182712
                                                                                                                    Entropy (8bit):6.326834639732507
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:sr85CRDbGpEPwVH+lMCNy0GEVVS1ikLrDdevXqHai8MBEL4:k9RXSSwVgvfkhvzHcWEM
                                                                                                                    MD5:9103C2F76BDB6251CE480EE775266524
                                                                                                                    SHA1:0F0C95B1A253D32BB23A99A72F5A77D91387A6B1
                                                                                                                    SHA-256:D51F101246783235E88373EF28189EE54C97F41E46341BE0AF0D4DC455016E3A
                                                                                                                    SHA-512:8F9598DF6E31EC58FDEEDF42E9A60C42ECC3A278E546614AA36177995DB61F3E2A3887564A2707AB4669082AE3CB2FAB5765D251F7970572C232BB1650216FCA
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):5174360
                                                                                                                    Entropy (8bit):7.263311718032684
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:49152:b/xFnOvtaWIDn0apLKkLJU9nU2foKhA4vSWidGHp+NDGQUzbpDOfjxAkrQKl+RPp:NtLK3BDhtvS0Hpe4zbpaAKQkroGIz
                                                                                                                    MD5:1A968E122913ED79596A9EAA5E7BE7B3
                                                                                                                    SHA1:96978DB6766A4827206397BA4E8D75A3E3353E7D
                                                                                                                    SHA-256:C43AD12F1E78AE1817854FB54903030A89A2023E76D3A2CD6C6275B3AB1C21B0
                                                                                                                    SHA-512:56217DD430159D591109231B2F657484BA7B5BC7DF832668A82A4DB8D6A925183633CA9E68C46E85EF759B617343A13D1CED3D8D91A082A87FFCDBB6E795F54F
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):139712
                                                                                                                    Entropy (8bit):6.527583416477957
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:sr85C4U5adWAKmzUccnzkVBgEuKjj0WWtPPoI:k9/+EjzCg+j6P3
                                                                                                                    MD5:EE3F4F49708A511BA220F4C073C8E933
                                                                                                                    SHA1:727CE23C7427FD900FDBBF06715F9764F4F24848
                                                                                                                    SHA-256:9A7F835403920D85B948447C007988E1C1271D86F87293AA1D1C9DCE4EAD3DDA
                                                                                                                    SHA-512:8BE2A84BA4F7845369ED052DC4E71CEED8E3B9C075D66BBF7FD1E1A5935CB50EA08F63AEC2B2EA8CA35DEB001F71EF2AF71C2E185D37A75FDEEB2050C79D7F74
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):380368
                                                                                                                    Entropy (8bit):6.677799145653771
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:6144:k9XzgSb/029S2P/7nzGxFrRN0r0ivCZci1FXiO8DaS4wwE0CBlFJmcx:bw/2q/roN7ivCZci1FC74wdBlFYU
                                                                                                                    MD5:3B22BCCC611D93FD2228E3098C8909A2
                                                                                                                    SHA1:46C93B6587FDD25B710E6C0D0ABC426132DEBAA0
                                                                                                                    SHA-256:FC06A5FADD20D729E99EBF82D696F982352147C7A96C7D55D5FF1F7CF1DA9575
                                                                                                                    SHA-512:D98A167BC857DF9B7DD4FF2150AF495DAE0290A033C868E3AE00BB01CA7C68EC5D37C75D18BF88B87564CF9E38252360F0914E90AFB64A34929A579C691CB9DE
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1269696
                                                                                                                    Entropy (8bit):3.750731544998065
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:6144:k9Rvk8/0NhFYAddenZhUhTNnLUrh+9nTGLljX4wuSzVF:y4wXF
                                                                                                                    MD5:9344D6088F4232059CC71D89680C627A
                                                                                                                    SHA1:B6D50543A01F017F333CB69897FFD6B39DD0430E
                                                                                                                    SHA-256:4C9373C646419B656C368FACB9BF903A3BE6C167B7B20DC6BB0D710AEC498FBA
                                                                                                                    SHA-512:5B4229DFA9B17BB50F8A3AC1BDFF09395A5B1C0A25CD7B1953297CEEDE312C6DA34295DE61A62DEE6BEDAC1D130F745DC6704E77C8366D954ED72A0914B27CA4
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):266648
                                                                                                                    Entropy (8bit):4.190895884532524
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:1536:JxqjQ+P04wsmJCgRaCAd1uhNRuiazvhzpwtWhz7I3EWwwrwYx6RPWdn6ysl4DU1:sr85CiezzvhF1h3wEWwwbx6ksl4D
                                                                                                                    MD5:CB076D561CC084FC380019159755CBFE
                                                                                                                    SHA1:911BB4A2E39DDE9197ECC4678367212B1AA253FF
                                                                                                                    SHA-256:F9042977D236AF4627461B5F538823FDAD2ADDEF84EF202E0B75ED409D48E3C2
                                                                                                                    SHA-512:68736CFD5E6488DFB24D65173726EB819DA40AEC1FF7EC6CF4F39A15CFD3AEEAC1672364AE50BE5A417A10A6C50E4546F1947BF323C3FB184802F903455434D6
                                                                                                                    Malicious:true
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):715760
                                                                                                                    Entropy (8bit):6.523751448498997
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:12288:Y4tuuLntIMDXw5vde5EFf1Pmbd3lSz3dfp1Swf5M0blmFKuJOJZM30j3:3tFDKMg4iX3djfy0blmFlme303
                                                                                                                    MD5:0E537E151DF5C171C213A1F44DC5F0BE
                                                                                                                    SHA1:E8EE7F0D91D69DE3FFDB1E91E1DDB404813B39C1
                                                                                                                    SHA-256:CF49D45B6A84D77F5E9A722FE7182CEF9325A355D885BEEB4D1DF3D88C1CE212
                                                                                                                    SHA-512:4968DF9F4DEA49214638C86D73A03EBF4BB93E3242022B933B20E47B22AE65F77F57667B701A32A2779D63667CFE718ECB67B55E317402B140210757439FA4A3
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):619944
                                                                                                                    Entropy (8bit):6.639567335107148
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:12288:ZM/Of/Bboj+clWnIKgrP6TFPLNWuX4Pemn3oi8ky9Q8WSe/aSqizuO1qukdQAPnQ:i8JgryFPLNWuX40RulAPn1OcnGVNfffl
                                                                                                                    MD5:7B39C44B384E1A5940D5A5E30C8D3E91
                                                                                                                    SHA1:26B7AA2EFF58E1D4124AC8C70766A15470FF8BE0
                                                                                                                    SHA-256:EE9FA9DF2D9125438C869924D9ADF3FB141F0D4C4F05C84D1833669E15FAED31
                                                                                                                    SHA-512:2E8D640CE261BCFDA809A0E896662C3AA5F5792AED0938C75D0EC4B5CB20BCF6895876E44228AD7B448D908EA4544EEA88F7F4B8D379B43B8BE53F849A948054
                                                                                                                    Malicious:true
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):150416
                                                                                                                    Entropy (8bit):6.5018296889200915
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:sr85CCQPtLW7twRxI5mc5TNN3AsdVgNwihwT3RqEM6ZOfHXb42:k9CQMzhdV0nh4Hof7
                                                                                                                    MD5:3FE6C68EDBC948A6D2775DD2EA56088C
                                                                                                                    SHA1:2C03FCE97D064B53F98EE100E5627418514BBBF7
                                                                                                                    SHA-256:5681B2A8F44A21E3E1D63B8A99100A453F90EE1E3773240923164922F481B633
                                                                                                                    SHA-512:2BFAECFF86EEA49F3B79215CAAFE401FCB65D74B4A0757AA79E439A7AD90C52E1E43285B438368676D5A08E20B37C349AFFD362F7CDFE7205CFF63E445345819
                                                                                                                    Malicious:true
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):264576
                                                                                                                    Entropy (8bit):6.643046809005812
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:6144:k9y872jsLuLnPo2TTHswP2TGz3FUCHySYI:b+2jsLuT3MfTGW5I
                                                                                                                    MD5:F85301DABBF0103EF7202407D2DA6489
                                                                                                                    SHA1:6BE78DB8650184DF98A1B968177E75BB782063BF
                                                                                                                    SHA-256:8098FAFAF941BD5678FB8B72F560E1AE06EE593C2432163A56FBC60D8FA43495
                                                                                                                    SHA-512:E5656464BC5030232CA6E0EC58BFB5F2116C6E464CEB1CABDAC941826876ABF3F108B18FF5785779C7B75D153E01857CF37B49D88E2180CE515B02E344583863
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):108448
                                                                                                                    Entropy (8bit):6.051786357762204
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:1536:JxqjQ+P04wsmJCMweqz1lezmtJwzojsKyyJFGgHZ//rHzb:sr85CwqzXe0wSyyJFD//Hb
                                                                                                                    MD5:C4E2228168447160D7F54331ACE1BAAA
                                                                                                                    SHA1:7878BAE3585B8F37E389DEF0A2830D0C72121CF3
                                                                                                                    SHA-256:99173D535320C612AE308D5AD58FDA6F6B8EE5AD261F1E038421D2FC53767AA2
                                                                                                                    SHA-512:ACB3DCA4F6AA6DCA468BA4A42BFA3003F7A4BB0AB18A2C2F99A493C5765FAB5067FB3865C0C02AD6960439AEE89FB2C166BCC90B6A77FC9CE21DC8C1F4B0037A
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):662600
                                                                                                                    Entropy (8bit):6.001086966772804
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:12288:Vpo/FEVciSJJtH4PoR6moWEBfQLxZPhEx7xgtV2hv4tkYUK2tlIqR7lmNK/IKrtK:QFEWi4JtH4PoRfoFIxZPk0NKbB0R
                                                                                                                    MD5:A21FA1DB62F89FAA23E737BD8B609F8C
                                                                                                                    SHA1:62E374C2F71DCD922D6058D735C944A66076FBAD
                                                                                                                    SHA-256:AC414AF78ED3914B1E6EB7E4598F400CA7631BC3AA4C8088B0DF5617AD04967D
                                                                                                                    SHA-512:7485D968298DC04AF7A2297DF77C83EE5A25BEB0AC14932445063EF075FB2CA565AA67E5CE0E4376BFEA7DD31B1B53E66A061E8B8C535887BCA998086132DF94
                                                                                                                    Malicious:true
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):260560
                                                                                                                    Entropy (8bit):5.4470915703839395
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:sr85CH4ZAh7ULoQdHBjw8Q2pFj4+W1ISYpksZmRohnonRBfTjzJEthEWV:k9HPfQdhMuj4VM8imPjGthEWV
                                                                                                                    MD5:034F80923F37E7A9899DEA48FBADE531
                                                                                                                    SHA1:40E144C96F7DBB162F02833B01A7F416D65D4403
                                                                                                                    SHA-256:521D052B5B7EBEA5EFF613B52FF7ED2659B4D2A521D6A19A6A146C3CE35118B3
                                                                                                                    SHA-512:2275624F5C92C4B4C606D5CEEBF69F072CC1B7ABA2DAFE8AA7FB672F3B81A8BEDD339EDFFB41192C51CB0F48CB9EE76E090D7A43DE9ADA19D0B8BF2D099C7059
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):4316200
                                                                                                                    Entropy (8bit):3.920672560845374
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:98304:/YN3nsBQ5ghvEyqf/whWovz9hRJ5RbisrbdsPO9jXsw:QN3nsBcghvEyqf/whxz9hRJ5Rbisrbdr
                                                                                                                    MD5:47939C01C26C95ADA390474944E9F9A6
                                                                                                                    SHA1:9CFD7A3DEF7081BB3C54584E2515C30C7C04AD76
                                                                                                                    SHA-256:9B0869B5057FF84777E81C2D0E0A1E97AB5ABDDD7D80C8D4C94B1C83A53485FC
                                                                                                                    SHA-512:0F342D003CAC4046AD71858225DACF6A42AADBB4F28F0F022C1F6C5D37D37355341B9F6DF8941AC310324CF853AA141195BFFFC4A1C9935558FDBE387BC25E26
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):124056
                                                                                                                    Entropy (8bit):5.727061682781764
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:1536:JxqjQ+P04wsmJCMwu7mzj9zNtP9zNps8Q:sr85CMLmzj9P95psb
                                                                                                                    MD5:9A2455DBF03A4E060F7BCCA43DD3D64E
                                                                                                                    SHA1:D4FEB7DEF1FEB03CB7E86EB57D43BD69E8596EAE
                                                                                                                    SHA-256:0102394DCA78E8B630B3C9613E0C9C620944218FDA84E1E129415E6F972495C3
                                                                                                                    SHA-512:DEE619AC553F0DE06058BD118164D4A8E4B93A7F20D4B098E5D5AF9338CBD12F5CE94F054B92FDF435BE87596FD154904968FA96970887993418A3B41EAEAFD5
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):358336
                                                                                                                    Entropy (8bit):4.514937306069578
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:6144:k9eyUkKOEEIK128d2VKjw0EYsfZJnPmTuJjac2a51lHpLszc/kzY56Y:5x/B/kib
                                                                                                                    MD5:C3A4840C5D7823C978C55DA5DA54DF16
                                                                                                                    SHA1:BF3045BA5D19667D7B3CF1E9CDF52C7CD7CF1101
                                                                                                                    SHA-256:9EC2D985D3ABDCD53FEAFD25DCA72990C37718FBAA59BC4879B941561870B369
                                                                                                                    SHA-512:4E76AFB30D33518576E53057C04B8321BF3F209EAB57389C548D3C67DDF968831DAFC74264DD573D9331D74CBB31FE2B09F6149E7786A4CEFC6ABFFAB42F7084
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):763032
                                                                                                                    Entropy (8bit):4.116647791553155
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:sr85CSwRnjnzhCiXXXXXX1AzZwAazTwdOLxN1IHO:k9SwRnj7XXXXXXSzuz8OZ
                                                                                                                    MD5:5F6E2215C14D1B014007317077502103
                                                                                                                    SHA1:B60E82B3994D4612280E92F8A904EFE995209D61
                                                                                                                    SHA-256:0F15CBFD62C0BEE02B273A9205A780C7440B70E99391E8155D05930DAAE487E5
                                                                                                                    SHA-512:5E77C8AD2B79A4C5F153B90316CB22D1C09E5E5B5F7DD888EF931B1C2CAAE396B1D09A3874A173ABACF19705979C54FFEB77411E580F91258CF1D9A5B3F8D6AF
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):895120
                                                                                                                    Entropy (8bit):2.966305885964938
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:sr85C+fCEq7tOxIfMFzCEpAm/4rx7z1arf+9:k97z8w
                                                                                                                    MD5:379B19683AE0BA12E72D1E6CA8CB1612
                                                                                                                    SHA1:4B48C8899121137D5637838E9610608245975078
                                                                                                                    SHA-256:3C6082AC7C3AB5EF4F0A7DF17497760B96C77BDDCC8A753881006E74C39044E6
                                                                                                                    SHA-512:CC8F80347BA3E0BF5EB5E4B90E28FFE23FF1F5B18FA1E0AE9DAEB27CBAC51E52053C9173332C2688FFCAAF2CC84EBBBAD31386F6F6BF7DFE2668EFB7D1F2E9E8
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1082008
                                                                                                                    Entropy (8bit):3.7745537489281356
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:sr85Cko4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:k9V243xmQm59UtUSfz3
                                                                                                                    MD5:3257CDD51A6A354CEE4BA01A54D63EAE
                                                                                                                    SHA1:5C1A13555616FC7AD988E3A5A847D9173FB70513
                                                                                                                    SHA-256:80701AF68D14CA8ADBEA6729B8B714B916A9A7654B76748D6E43466C7665249F
                                                                                                                    SHA-512:CFBF67F80E74DE05D945B8BCA0894047D96F23C4F9BB31EBD0AD77BF7CE2F20036C8A2F8CC3281680BD0FB71EF24ECA4FA5E795CC930234B59D4598E15BBC3B9
                                                                                                                    Malicious:true
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):105440
                                                                                                                    Entropy (8bit):6.087841458302814
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJrrZ1jL9zxwKeL9zgt5tjTh7D9:JxqjQ+P04wsmJCIjhzxwKehzgt5t1D
                                                                                                                    MD5:22753C1C6A88FFB01068FF391B0C3926
                                                                                                                    SHA1:FBC83E06E31A9EE5A827D90481BEFC36EBF085F7
                                                                                                                    SHA-256:E727CB8EF6D54A511C18E4FC92AA94841AAFDC284942398D35D1B091CB97D8B1
                                                                                                                    SHA-512:CAB6DB0DD9EA2260979130415158FFAA22B6DA8E281138D2CB1F569F09384A3E5A5C3935B8B8DC76935F82D9CEA7172904A35ED23678CDD670152E065F20D64D
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):537536
                                                                                                                    Entropy (8bit):4.968722692341351
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:sr85C9PMMRMMMmMMMvMMMwMMMNMMMWMMM3MMsewVOOMzMMvMMOMMMJMM2MMQM6ku:k9EwVR6V7byjUWAZyVVdz8eEdGo
                                                                                                                    MD5:A72A576B968347739046BEEF59A3B97A
                                                                                                                    SHA1:545247805365655FF64D1A70F672A43D2B4E682E
                                                                                                                    SHA-256:A1313CE60D736ADFE281422421401E327979DDD34945A4194C66E9235DAA884C
                                                                                                                    SHA-512:9850A6A6B5310C2437964C199FBDD860CA202A7C78766A0F710B29FEED4541CF09307B9AEB74BD7455CDD7A1D7B990C78285B7A79C699B9BF65FC4426649927E
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1271952
                                                                                                                    Entropy (8bit):4.084096712356835
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:sr85C93ppPpNpDpspp/pCp0pmppdpspppRppMpLp0ppppbpQp2pphpSpXpQppapG:k9eKQSNdhnSzv
                                                                                                                    MD5:892E75C95404B2DD9A4753F53B530F5E
                                                                                                                    SHA1:6B9A7C5827A767520B61E3192BC3951466CACB35
                                                                                                                    SHA-256:8EE17679C7E631E0A80CE70778CB3A7BBD044E5C57BDC65526973B421EED3AFA
                                                                                                                    SHA-512:E7509867E5D3AE99368882A008921086A38F8B890058DCE61EF4C95CE20B7F9B5B1E88F4F038BC792F70888349B27E978F559DE287D7E89C979777086FA1D286
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):4099760
                                                                                                                    Entropy (8bit):3.7180860871313963
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:12288:uBKs7fvZIFpCYVIVN2mGsb8HtVLaHw3j4cLbUBRjLFP29DyZbT9gb/m06aCzE6h9:uBKszX0FjOeblHiled/k
                                                                                                                    MD5:C192144B8943B415548AF24878815096
                                                                                                                    SHA1:4DADFF2BCB636AE059DFD73067DC938EEF5CC725
                                                                                                                    SHA-256:45AF4FF535E765EB6973B13C76A80D6A9F4FA4D0B3660FB5D5831718DAC21C38
                                                                                                                    SHA-512:C50A756D3288E1F779E118892C21C3908503D6D10FB8DDFAAB4F34C5D13A71DCE97933B6977B3AB83E344B0741305532BBBB5C9AF1B6B7F6CB1E1526F51330FA
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1273488
                                                                                                                    Entropy (8bit):4.319301892791611
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:1536:JxqjQ+P04wsmJC4qYvbZthqyEATS583ONoTqzaezuC8zFtxzzqO9uF:sr85Cf6bZt+ATS583ONo4aezJ8ZfqiA
                                                                                                                    MD5:025B19077CDB23D9DC885FEBF629CDC5
                                                                                                                    SHA1:B7930EDF5AF2089834CFA6DC190AF5EDAE20831D
                                                                                                                    SHA-256:78CFA64C50350F824AA2C627FB54D8F06E444810669198074A06CC5AE743D62F
                                                                                                                    SHA-512:C1134FFEE3CE07CB19BD9AFED8986C98588A27EFDB6E8BE72B1571FFF7B18F4014BACE244074FE2846921EDBEAB308058FE93DFE7E17CCB46C225035E4513F68
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):124056
                                                                                                                    Entropy (8bit):5.727061682781764
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:1536:JxqjQ+P04wsmJCMwu7mzj9zNtP9zNps8Q:sr85CMLmzj9P95psb
                                                                                                                    MD5:9A2455DBF03A4E060F7BCCA43DD3D64E
                                                                                                                    SHA1:D4FEB7DEF1FEB03CB7E86EB57D43BD69E8596EAE
                                                                                                                    SHA-256:0102394DCA78E8B630B3C9613E0C9C620944218FDA84E1E129415E6F972495C3
                                                                                                                    SHA-512:DEE619AC553F0DE06058BD118164D4A8E4B93A7F20D4B098E5D5AF9338CBD12F5CE94F054B92FDF435BE87596FD154904968FA96970887993418A3B41EAEAFD5
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):2970664
                                                                                                                    Entropy (8bit):3.8530507327775085
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:sr85C4Nd0qVmvzC1SvXKo3NzbsZ6DdIAZcbEcofUnpfRII8Lp9qgN3WJp0Rf5NGu:k9I/V/CfDhNG5sMXjjzmEPoL
                                                                                                                    MD5:AB3E9B8C0565CB076490949DF074D582
                                                                                                                    SHA1:F5BEC2D8CCF13A10D82C27B9A14289A009DDDDEB
                                                                                                                    SHA-256:1C4DA1D108B71EE639AB846128E5F08D6E5EFA4D5BE02C2862597BD4BDD96DE7
                                                                                                                    SHA-512:532493C141AC8E3B5FFD99E0F13AE8A26E4838AFE7B282A02C62B1BD2B7083DD04EE1E39B8A2BFC559DBB7B8CFB6D64D146BB20593A0FAC64E41DB5D81EE7287
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3531712
Entropy (8bit):3.78009314420001
Encrypted:false
SSDEEP:6144:k9msSR7PYKzz38YwZItvsDu7DbDhRAUzHW:ZPYmLWSDBy
MD5:3AF0E40A55AEE11DC01E0F1943041494
SHA1:ED8F0489550B78892E6FDF80784CF5D672AB3F2A
SHA-256:8A8212E9F7615A590E3BD2AF07E650FEA60CAC875388F57F7AD1CBADD65A11E9
SHA-512:54741EB3ACEADE514E1E305A9D4937C59266DFC20F108F9A87C56EF283519A8CC6DAAE1953706A20860F390520C48C0BB5A4482C751E335B45A0E5858967D765
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, Author: ditekSHen
Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4319272
Entropy (8bit):3.8126753798312922
Encrypted:false
SSDEEP:6144:k9GmRfvlTZY/C3ul0ywb/uXMo+YJ7M41zXLWIB:z+6M+595B
MD5:A914483FA2C2F86E415633657D33D59D
SHA1:E687C9ADB19340050BB434F1A309290C72D0DBD1
SHA-256:42B15769C1B7B74FFD9022A9E377783EE59F1F75688E1345D1A09DBADBD3102C
SHA-512:1784002A4E99F5DC77C4DEE11FB25E413A2840F4FBA5C001F40BADE7A8DBD172B363BF6EBF66883FA2A3FC0B03E3ACDD5FC485EF7DD3DA4493CDF93D8C2EA4DE
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, Author: ditekSHen
Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1082008
Entropy (8bit):3.7745537489281356
Encrypted:false
SSDEEP:3072:sr85Cko4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSfzZ9Ar9oN:k9V243xmQm59UtUSfz3
MD5:3257CDD51A6A354CEE4BA01A54D63EAE
SHA1:5C1A13555616FC7AD988E3A5A847D9173FB70513
SHA-256:80701AF68D14CA8ADBEA6729B8B714B916A9A7654B76748D6E43466C7665249F
SHA-512:CFBF67F80E74DE05D945B8BCA0894047D96F23C4F9BB31EBD0AD77BF7CE2F20036C8A2F8CC3281680BD0FB71EF24ECA4FA5E795CC930234B59D4598E15BBC3B9
Malicious:true
Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):582184
Entropy (8bit):6.400758373600043
Encrypted:false
SSDEEP:6144:k9KLWET8DS698nGX2OduCwUJWh/JmmS3DAjqnkrzFoEh+vMKC239YUFgBdQ/:DLxT8DhyiLduCe/lSpn6zOvYUFg4/
MD5:C0386A35F92FB82637471B03FCA1F0CA
SHA1:08E07F04682C582336D3531610A20DCD38CD43B9
SHA-256:77AD987963ACDD9D867BDD33F3778088B9AC461334BC4A1E49A4982D325E702F
SHA-512:E6449FB51F16A1674365D4CE644DC0148199524E9D9DACDE0FB17B26C0C4652C924BB6CAF284AF125958632B9BCB111069EB6FC9EE1A26D83B15F67EE8DA365B
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, Author: ditekSHen
Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3837992
Entropy (8bit):6.4449937551945595
Encrypted:false
SSDEEP:49152:tB1sstqMHiq8kBfK9a+cOVE/TqEpEepIkRqqUu9wg6KFYso8l8EK:5HzorVmr2FkRpdJYolA
MD5:D7932DE11B8AD54A41413381EAC41AC2
SHA1:8B383BA02414803CFD515A8384434AD5CBB70231
SHA-256:DC1F4FD1F3F718C6965F038472EDD640437CBE0BD2B77E21945073AF404CB90B
SHA-512:48C561E17BD75181D3ADEDB41F1172BB95163E3DC5792DA212C218F80878D45D3C49BEEFE44E76BCECA77EC644A83A16C59316CC2178A976D91347D389B3741D
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe, Author: ditekSHen
Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):161832
Entropy (8bit):6.154443017106145
Encrypted:false
SSDEEP:3072:sr85CX2VSd2ga8KActASiZAkXS1xU5M3XgcoT0cs4qIm6Y6:k9mVSktVjv3Xg5T0FIY6
MD5:6A0721A64003242C799CF2DD85B0713D
SHA1:AC7451D1A042B9980D506B43237C5C8A3D218989
SHA-256:88EB264B7A72C62D8FC399469E7E573BEE906C8939513F3A869656E5B667BBBD
SHA-512:B3F3E9DB4126A6479E6CB455FE8BCE1F8BB108270C2BA9C422E17932E901A65CDFED66DAF2A11C082BC924EC9EA51484418F4F09990848B91912BD3E1EB63AD7
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe, Author: ditekSHen
Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1827880
Entropy (8bit):6.540770888228441
Encrypted:false
SSDEEP:24576:bhDdVrQwm5ztlU0A7fMAHmpmZ3QXE/0/lVaLpmasGvP0:bhDdVrQ95RW0Y9HyWQXE/09Val0GE
MD5:624A5B15DE2385F6CA42DDCE0E24D109
SHA1:13FE13198A9BFA24774EEA44759471B31EA439E7
SHA-256:A7DF6A45B54B30014DB94309F3BBA50A1EA8EFB8EAD01682BAA6826E533418C5
SHA-512:CE244B2DAF739BFDC491C28129CA6504966CAEFEA0BBE16871522089A825133F2C1609D51266058A62D767F3624C514421F09D50DAC5A11CE26B5C8B804A641A
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1297448
                                                                                                                    Entropy (8bit):6.514786717345656
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:12288:bdoA0Eh2XptoQZRuefMYR6RrAJU9CsxmMocSipEylqFfouDMA+nkSddSDBDIq:b70E0ZCQZMip6Rrt9RoctGfmdd0
                                                                                                                    MD5:C9FE3D4AA1438A059AAE69A5D8FA4269
                                                                                                                    SHA1:288D3F38B4A6797E15187C00A24D0AAD1B5BAF60
                                                                                                                    SHA-256:913E86233F11A6A269DA1A324D43C9FF737A9AE0DE1D9DE59D0AD961137B9F2A
                                                                                                                    SHA-512:0775ECDC44DB15BD92B103F75410BCB4079D7165C6FACB7CD0DBA091DB94E4A6648A85563FE24E33D862E16CBA73993461533D4CE196078FAF6AA9030D39C288
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):4251688
                                                                                                                    Entropy (8bit):6.5065813007912885
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:49152:vpawZh+vD5oLv9eqJ/iUPnspBu/MLPgyLMLQB4gQDyJ0ryMOAqk9l/hO2y/BT:EehFLvTQDpB5oSOmlBl
                                                                                                                    MD5:23A855DD7FA34F616F73B392E464E216
                                                                                                                    SHA1:EFD849CB22D1D33B16D6FECD54C318B0A6E222EA
                                                                                                                    SHA-256:E198D71BC75B0E61DD2F61080062B4E41ACDFC7F7FF148CB11839DE3E0523A27
                                                                                                                    SHA-512:8B4AF629B2022F10FF2D3FD4D4C73F9B23CE085B08B70FB29044D03F0FBC498BADF4D62854378FB0A0E6A2DBE2848D0B83550C3F6C3C08CF05C50C81B04B6A5C
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1319976
                                                                                                                    Entropy (8bit):6.504627467158373
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:12288:gyeb4D2VLtrQA1Yim7XGLZxHwlqxlThfkY8bo0cITiLEpPoVfMA+nkthF2g0oz5:giD2VmA1YXQHwlklb8boUuWPg2gX
                                                                                                                    MD5:ADDCC10DC80D3B994800C6B44EC0B5E6
                                                                                                                    SHA1:C52E9B1C03747A2B4F350E6CC288851DE64AC113
                                                                                                                    SHA-256:03B114F2F97AD84613CAA8E5F964D4C8BDA56DAC8EA9C680A1DFBC43449EA14F
                                                                                                                    SHA-512:74E250EA454D878ABF1F9CA3E7AEC66600A5FC785555FDF708E22103D51E939072A0B28FA7AAFD847D370DC03781F723B216117361389A3F87F3F93874D26AA1
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):2327080
                                                                                                                    Entropy (8bit):6.531478857250512
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:24576:+fD3zcv9ZhsSGSQoryOzozU63IqRNhB0kDKPHkkkkkkkBoIeAz:+fD3zO9ZhBGlopzM3HRNr00z
                                                                                                                    MD5:DB94AD04A7559F74A92620CB04373946
                                                                                                                    SHA1:826B3FCF77456D83544CC451561FC9DE5978DAEF
                                                                                                                    SHA-256:8FC9FD66947D8CB6D1BA902B3174924A872176273E4B9545CC05F2486A0AED73
                                                                                                                    SHA-512:E5705F611A87C57C2172055A947CE5BBA675605319525FC2678D317625826A9893D1149911640796BAF0305A94FC76BDB79C8F31D7782CF113A8904B3AD41100
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):3790800
                                                                                                                    Entropy (8bit):6.537921104997593
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:49152:OTaRe7mkn5KLvD5qGVC008Jpb4tgLUgGEsLABD5wTQh07yrLMLl9YPhe:hI72LvkrCpbxJRoIMx
                                                                                                                    MD5:5750A055DF2980C145707A60B2CDE7EF
                                                                                                                    SHA1:26774B8B7BA30DB32A6AF0A6C7FCCCE981823474
                                                                                                                    SHA-256:A954923EC03888AD38B22F135037F62F520988C5A5A87676882A2B972CEB54EA
                                                                                                                    SHA-512:229FD22736C66BA9D5836F2D2A747D4B761184BA134C818D91B443E255CDDA32CAFA4419CD19AD49915CE20206D865F4B7F9E0B388C20298857B5BCA5CC4217B
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1535528
                                                                                                                    Entropy (8bit):6.517840298614509
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:12288:q406WoyJHeFOqDRA7uKk+TjnkgiMnQq+UI7MBImQWkv7yfOYIXbwohMA+nkXZnHC:rW9Jml9mmijZiMnF+ZxmQWcbLw8Vi
                                                                                                                    MD5:366FA8E2786C71AA81D106EF9FA15233
                                                                                                                    SHA1:B626BA440B5EB37132849B697AF040A7E462E0B9
                                                                                                                    SHA-256:1B87E233A5CAEA65CD8D8EBC91AB48A42F18FC9991041599C202EA85995EF24E
                                                                                                                    SHA-512:D596450A8A03F6894982DAC3861C4E34339521F70DEB5073343F19565DA47A168025DFA3C1B7178677C9116A22F6A499D1277F28D1E6B829743D949D9592A848
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1273384
                                                                                                                    Entropy (8bit):6.516053672496002
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:12288:C5eN+kL3gVeYt/uakJMtleRO40BbdJrPVJAzAlPY6mYzJuomPMA+nkVogIkd9:CwNHwoYhua6MtERO4qbBJTY6mY1uIgp
                                                                                                                    MD5:64A7111DE17E26E2B89E10AE82FED662
                                                                                                                    SHA1:911E048F0336C9BBA3DA35E48BEDBBF04B4035A9
                                                                                                                    SHA-256:3C470FD7B87FCEC230016076A57F77324766326295D90138E4A780EFF0DD36B9
                                                                                                                    SHA-512:65A8D9276DD61A9666323D4A73950D854422B43BFD4D43F83AEB1895DD3338869216A53930B10B753347B6C8DD6338FCEEB3336E41730DCE74CCC01FA7616C5B
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):4251688
                                                                                                                    Entropy (8bit):6.5065813007912885
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:49152:vpawZh+vD5oLv9eqJ/iUPnspBu/MLPgyLMLQB4gQDyJ0ryMOAqk9l/hO2y/BT:EehFLvTQDpB5oSOmlBl
                                                                                                                    MD5:23A855DD7FA34F616F73B392E464E216
                                                                                                                    SHA1:EFD849CB22D1D33B16D6FECD54C318B0A6E222EA
                                                                                                                    SHA-256:E198D71BC75B0E61DD2F61080062B4E41ACDFC7F7FF148CB11839DE3E0523A27
                                                                                                                    SHA-512:8B4AF629B2022F10FF2D3FD4D4C73F9B23CE085B08B70FB29044D03F0FBC498BADF4D62854378FB0A0E6A2DBE2848D0B83550C3F6C3C08CF05C50C81B04B6A5C
                                                                                                                    Malicious:true
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1319976
                                                                                                                    Entropy (8bit):6.504627467158373
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:12288:gyeb4D2VLtrQA1Yim7XGLZxHwlqxlThfkY8bo0cITiLEpPoVfMA+nkthF2g0oz5:giD2VmA1YXQHwlklb8boUuWPg2gX
                                                                                                                    MD5:ADDCC10DC80D3B994800C6B44EC0B5E6
                                                                                                                    SHA1:C52E9B1C03747A2B4F350E6CC288851DE64AC113
                                                                                                                    SHA-256:03B114F2F97AD84613CAA8E5F964D4C8BDA56DAC8EA9C680A1DFBC43449EA14F
                                                                                                                    SHA-512:74E250EA454D878ABF1F9CA3E7AEC66600A5FC785555FDF708E22103D51E939072A0B28FA7AAFD847D370DC03781F723B216117361389A3F87F3F93874D26AA1
                                                                                                                    Malicious:true
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1273384
                                                                                                                    Entropy (8bit):6.516053672496002
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:12288:C5eN+kL3gVeYt/uakJMtleRO40BbdJrPVJAzAlPY6mYzJuomPMA+nkVogIkd9:CwNHwoYhua6MtERO4qbBJTY6mY1uIgp
                                                                                                                    MD5:64A7111DE17E26E2B89E10AE82FED662
                                                                                                                    SHA1:911E048F0336C9BBA3DA35E48BEDBBF04B4035A9
                                                                                                                    SHA-256:3C470FD7B87FCEC230016076A57F77324766326295D90138E4A780EFF0DD36B9
                                                                                                                    SHA-512:65A8D9276DD61A9666323D4A73950D854422B43BFD4D43F83AEB1895DD3338869216A53930B10B753347B6C8DD6338FCEEB3336E41730DCE74CCC01FA7616C5B
                                                                                                                    Malicious:true
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):225232
                                                                                                                    Entropy (8bit):5.921842033117269
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:sr85CPcxiNNpCPPQPg2cluc/Xswbz8cz3quKoNX1gd:k9PcwVz4B8c37KoNX1q
                                                                                                                    MD5:C0877D9CC17715787EC3329EB0FAD7C1
                                                                                                                    SHA1:E51DA518D764E4982471BE235E096A8D11217A56
                                                                                                                    SHA-256:17C75E1739499E52B56470EED4C924379065703E8C665E449882E02856F96205
                                                                                                                    SHA-512:EE748102A0C002B25989E073585DD7A611A64E85CB0C57CBD6592733A038BC8EEDBCB8F917BBBED02D7759C5621F5B6B03A587B317FD13A4014CF113C4FC4C57
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, Author: ditekSHen
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, Author: ditekSHen
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):247760
                                                                                                                    Entropy (8bit):5.770986149607887
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:sr85CKW4l/DReos0gXf+EvC6C36eCWdMuoB+ISzBqUGxNtvKAbFP3cSEt0phcxAe:k9wl/DRfkTC3dM7B+mCivAT
                                                                                                                    MD5:86242784CC98EBA7A0B0A1833901F76A
                                                                                                                    SHA1:19178197143972E718023C5EA70F631971A4BC2D
                                                                                                                    SHA-256:AB99BD10F6FB73856BAF95E9D4AC0434DF660B74388E53206955B9B512F3350D
                                                                                                                    SHA-512:2AFEB5CAF7728E2EBD04D3BF42AD55AAC759CAA453FFDF6BAF0D8E7095782F90E165E3009ED619A7E8A3E62638C12D8C67016092972E193215DF9A3422ECB589
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):142288
                                                                                                                    Entropy (8bit):6.426113960826444
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:sr85Cy684ePKoTB+IvoAewtxUff8aohGme+YDfYz8FrR7:k9yrTB+AleYIkifYUF
                                                                                                                    MD5:9AD6CF45A4476B8A6AFC310D5E410235
                                                                                                                    SHA1:07A614202F584361E48471CB3DBDB3FCD24E47FF
                                                                                                                    SHA-256:1655811CC8A1E4BC12127B20600F93AB3DE3CC467CED76ED99C04C83FF15763C
                                                                                                                    SHA-512:2737F8675AC768EDEA72CDF6F42579F1FC1ADE43122AFEE8971801ECB2F2E93DD10815DA419328D3BE26FEC7C633F881027BFF088877FF9F80BE96D5C106AABE
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, Author: ditekSHen
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, Author: ditekSHen
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):259024
                                                                                                                    Entropy (8bit):6.0902993716555995
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:sr85C5XEV0tle+5IbvBCMmNginHy8lZoY46Mu/rLogrlKq9YXI35EvMl:k95UVwleMITTmNv1ohWsqYI354I
                                                                                                                    MD5:628F406DFCBB08B84171E530D77B3C9E
                                                                                                                    SHA1:0A22B2ECAB9EAD7F1D399773BD1BB1FC359EB708
                                                                                                                    SHA-256:482D936CBBF75D3C6248BFCE1B6E5546AB79DE4D4A715490F62CF8674517AF64
                                                                                                                    SHA-512:B9A97C76AA2A38273835DEC7C0A9E91C668038C5BC422BD92654C259865680F92B841115C92529A1AFC50E70CC358FDEB2981C8AE43852C6EE090A3AFF92AA6D
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):305120
                                                                                                                    Entropy (8bit):6.414707301174103
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:6144:k98FKucTm3RhMfoSG5dCd7hjAOe9UmXY2Gh++CgBlPMoX:XKucTm3RhMfoSBjA9U2Yxh+Zgb7X
                                                                                                                    MD5:9938BDFE29D3CFAC8D713DFD743243B8
                                                                                                                    SHA1:68CC77B8F114F34BE1A4A263D7F8736E857BBD12
                                                                                                                    SHA-256:9204357B6EB1CB6459E2B0B67FC95E3A80D90781E0C7F97D7294FB6563B20CF1
                                                                                                                    SHA-512:4F0C37C0BC405B483D11A80C5A23C1094ACB9E9CA48DDACC662E989AA21E301940018C08B5A861B482A06AFF2EA8AC9AAD0C8ABAB7E15628348764E779D306E4
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, Author: ditekSHen
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, Author: ditekSHen
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):142288
                                                                                                                    Entropy (8bit):6.426793148875817
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:sr85CtaivqozB+IvcZ4wrZU+l/8xoAm2+YDfYz8GrR/:k9FzB+Aw4CZNr2fYLl
                                                                                                                    MD5:2AFBE95A5B1815B2E957E569D2CEF5C4
                                                                                                                    SHA1:BD94E512E4EBBFA8D7BA255E66015DB721CA4801
                                                                                                                    SHA-256:B5385EBBA1FA3E8E1288780A37ADCFE065EC02C764BC539F60CF0BBC2949BAE6
                                                                                                                    SHA-512:0BD007F304E27149CC134004BC51ABD86AD3A701F72DDCD0A121399A73FFAC72061A6B027477DDCD29464C7F50232F7197DF5BA5A8432F051D40FAC225512951
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1640416
Entropy (8bit):7.912831259553018
Encrypted:false
SSDEEP:24576:1wy53G70SeiN9YqxCCg83udcWXDYajPF2410wuRpGfFki94qSe/wsNfzUG:6y53w24gQu3TPZ2psFkiSqwozX
MD5:DCC61986BC0A26675681559C484E15FB
SHA1:6F413F9D4A2B64A6F9DCA21B9310EBFF186D6E16
SHA-256:A341E8D1C1BA0A82635135A5A24089C3EA484066B02E28B1CAFCEB1628BF53EB
SHA-512:2C93519CBBE6B0AFAE36A696EDC6C33A25808D562A286BA278DB0418440BA4DE7B27823F13114581D3F2C830BB3261D634622CDB4053EA28EBD4BCFF3216CFAE
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, Author: ditekSHen
Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):144866
Entropy (8bit):6.240317481153233
Encrypted:false
SSDEEP:3072:sr85CORD5b0qZ7y4jem7y6tkNRCywDw1DiJkuKUY:k9UD5lZ7y4j9KT4DteUY
MD5:6A1BE74AD1EE28433BF1549DFA813DC9
SHA1:A4BBC87890CA7463AEC75B963291A69B65390653
SHA-256:BC21B225F668AE2C3B8439ADB91969D39F711E9D57B557AD79FAD8FD8AEB2085
SHA-512:8A0033D4D5B82856CE0826B9DD90B792BF9E9641463DAC1DAE83ED6E3F18F384AB6CC5E0998615A8DCE5BD6CD360E17BCE85C1FF8AA45B08A95383D89D228B0B
Malicious:true
Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):280480
Entropy (8bit):6.386490869107258
Encrypted:false
SSDEEP:6144:k9wPr2vXzrEbslNp/JNsJKQl0GkRAqVNf0O3:/DQXRVTZu0GP+ZR
MD5:F7B6F7CA5E4D9AD2DD9B1887D57CFF86
SHA1:2E0494EF5F5603FCBB0F12F593F3F401930C2FDF
SHA-256:26EB1DC3EBA8950CF5D8663EE94CA6105BE1227DD239B81FF571B4372D49D320
SHA-512:181262E06BE2C01A7BDFCD4DEA634D71FD39D795339FA6A3FB327FE7E75BBB12C0B5AFC1E8811DDACA14654268D0D26E828BE1AE475B05503626684AF7190009
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, Author: ditekSHen
Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4473576
Entropy (8bit):6.569965325360163
Encrypted:false
SSDEEP:98304:pkkCqyDEY7+o3OBvfGVY+40yajyS+9s/pLOq:pkkCqaE68eV+0y8E6L1
MD5:809D03153D2FCC1C9E1EE574DDF7CD2E
SHA1:CF1FC95A34AFC5A2FB39504D973BC8380A04BAC1
SHA-256:C2A715F1396DCDAA9360FB09B89992EE8619362062DFBD6C90CFF751C5272032
SHA-512:094FE1BC30027336DFE6A32520DB39D8D27AD1A69716E7E00D6B66D44CFB4EAADBD8D48B6D80BC0D00C60EF0E3483437C82D2185BD704137CB544B11063820DA
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, Author: ditekSHen
Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):501656
Entropy (8bit):6.318829677338838
Encrypted:false
SSDEEP:12288:yLH18t6x1hjaNHBlfBVDZS82JninSFVlDW:yLOwxyNHBVEHRiSFVlDW
MD5:9FB296CF47C4D3E0FEF4974685EBE922
SHA1:201293BEEB98FB83D118323C4803590E8C88E060
SHA-256:5E21FE2FE640F209EB75B696C3334E577D2035436206C88C1F2E676CF560B75F
SHA-512:CA9999251A1905BCA32D46857BD1213D37F2D33689E4D818FC006B88B84AA49AD9DB07B0C4D33361EFC0BFC697F705AEAF90D762C6CFAB3C9A9644BA73D750E3
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, Author: ditekSHen
Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1637776
Entropy (8bit):6.316717941409346
Encrypted:false
SSDEEP:24576:P7Z1jyzcKSmKsvwMZJ1XBsn/gu2bRC6dulyyn2WdXM6cWlLIJ:zZ1tKTwMZJ1XBsn/UC6dugWA
MD5:987399D498F6C2C7196A60504DCBA1F6
SHA1:7A48D6492B9BB936EABAA4C979BD25F87AB3F9B7
SHA-256:9F924F7B9B84FBB73E29C707D1C1D61AC00A3AB295BF1BA9754E2189D6E4BC24
SHA-512:DE1F5790664A48EE5001541BAE7727431467A65B54EFB43412B1EB474DF6477110E98B8DA1168478B0CED1FA8DDBF69FE7BA209F69FDF9BB58F964A514B12E36
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, Author: ditekSHen
Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):224632
Entropy (8bit):5.625757771676373
Encrypted:false
SSDEEP:3072:sr85CBFtCsHjgU7HOg6KTe/+EypudsD22QnSUEhydebz41:k9Ttx0SA+EySaQKeUz41
MD5:0FD839CB7D94AF1C672BA149E6C580A8
SHA1:12CB0350EC3AEFBC189A117621DBFDCE5DBB6E86
SHA-256:E033F780C0F8E58FD81724A1B5B02CCFFF788553B2F5308E4EB46DB37E30F9F4
SHA-512:F54057339522E8B1C30550BCCB56B420894FEF6B51F53709A88105362AD09F5A83FC1478BF8D7CD7A0B48D56BE5DCEB8597B71B989743133B2954DEA0E364A41
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, Author: ditekSHen
Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):431336
Entropy (8bit):5.904107554819713
Encrypted:false
SSDEEP:6144:k9GzBRUKCBTwZVr2miTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVWV60jVLVV+:/zBRnCBOrsBOBf
MD5:641CC24F3AFB9E381161F17600323269
SHA1:0A390D9A57B534A9A1C0CC441D9CBD9998608140
SHA-256:8B5A689B0DB4EFE44C0601A89E97BA126F1E4EA943621B8EE444ED85EEA50CAA
SHA-512:67BDB822FE0F484E60B7FA0944A4123D68C1F8B94E70D51F5F336C312F409CF7098EEB828D1A7A13138C7833A3689A7D226D909B1AAA3800EF491D88C39CBB03
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, Author: ditekSHen
Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):175160
Entropy (8bit):5.997921392487593
Encrypted:false
SSDEEP:3072:sr85CE/VpSIcnsHKTe8LnZCA5OfkQAm95kQOJeqx6u:k9EtkIpdA5OfzDUeqx6u
MD5:707EB4DC866F98B2701F57899DC19D51
SHA1:59F9AA5CCB0EE3276F74C23ADD327342EF5B10AE
SHA-256:F7DE47E26A16EB2459CD7FDC979BD30D0B50089D39433399EDA465023A0BD0BD
SHA-512:C95D902254391B0D3ABD3A07930701E173808413E1F32BA1084F04EB5678EBC87ACAC2EA4BB6B26FE0550D78525EA3F54683FB9567A995B1318B5D9340E514FD
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, Author: ditekSHen
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):3162480
                                                                                                                    Entropy (8bit):6.46880916383348
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:49152:znW4jqFRZega3xejvY7GQOx4K1fm15FKqO7t78Ity6fod76lmlW8U:ys3OBj4UmOH
                                                                                                                    MD5:EAB4618E120B951B8FADB9965EF352D7
                                                                                                                    SHA1:C706F3479276CE840541862BBBD2C1530362BA03
                                                                                                                    SHA-256:7D252BE50728CA3389124956E16D41F0AD14BB8C6F08D768F8A6555E25EA0F47
                                                                                                                    SHA-512:8F69D95D0D39C8566F3EB1D456AE98285D36852278F474CAC382BF37FCB70714B4747F1984874A16B4850678C93C5170CF37E3A19E2EB89FC5881F00B9E527F2
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, Author: ditekSHen
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1309408
                                                                                                                    Entropy (8bit):6.496342895106016
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:24576:5+sGOL9NLM3r4Viwj6KLqGua43loEeUFmwv:54AA4eGua43lgUFrv
                                                                                                                    MD5:B39DF380C20D63215708AA6263BE495F
                                                                                                                    SHA1:4CE3BE7169E222E787A3E8238D53C32324981894
                                                                                                                    SHA-256:36728B9A21D2A5927D9B4F5C02C0F5899DFB80ABD01F371342510DBBACFE2BCA
                                                                                                                    SHA-512:42B087413B27B741EB2470A6C7F64571542B20AA43C5B29A43C290A3E83960DAEA82974F6C187DA70655B175D5FFBA3FF04608CF54F8832DB7ED2DA715DCACD6
                                                                                                                    Malicious:true
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):922944
                                                                                                                    Entropy (8bit):6.462019359288523
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:12288:V9/Bro8OEYbhEdbsrg4Sxz2/Sl92ncG15fQ224i5pQ+poPCcqyt4:L/BrnYuqFcL3pQ+pDX
                                                                                                                    MD5:A4A4D70FB8EFBD8702F5F5CA3F2225B7
                                                                                                                    SHA1:3AB16972E6ECEE5162F4264AAB2B78AE5A6D9AFA
                                                                                                                    SHA-256:C8D5E992C3F31B60874957E81FC5C419F569CBC8FC3EF57F84F42F7E742C9EEF
                                                                                                                    SHA-512:92E72BCB8526AA833D6A8E5E77994C15ADABC50F8742C5075532FE281DD4F309827584868F0F19E659E90B4EAEB520F80EAB3116A14D6546DCC85973A638CEA8
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, Author: ditekSHen
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):692064
                                                                                                                    Entropy (8bit):7.195091714831986
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:12288:kskY7gjcjhVIEhqgM7bWvcsi6aVUfIy+U40vy3W/ceKSHMsiFyY6XNmnMwJ:ksZgjS1hqgSC/izkfFjymk4HM5yJwMK
                                                                                                                    MD5:2BBCB1E61E3B17B7F89D97FA21A3881D
                                                                                                                    SHA1:C90D9A55FFB5BD4FC7318B542DDE1F72A2341334
                                                                                                                    SHA-256:A2606AED76695606C291929D55A32A5CE51A9981A1471E24A2F33FCC5B97037F
                                                                                                                    SHA-512:657172F611FD934DA6DC59544043EF046948DC6052CFDA142008CB342E7264FC0701D7160B3D2774DA63B4354E9B967480FF0007A30DF9D83088842222C0A8B3
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, Author: ditekSHen
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 90857 bytes, 6 files, at 0x44 +A "xinput1_3_x64.cat" +A "xinput1_3.dll", flags 0x4, ID 9350, number 1, extra bytes 20 in head, 6 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):100025
                                                                                                                    Entropy (8bit):7.988437274786544
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:Mt5OSvuXSf2rbZu4Kmsr4eLRwPC5B9y7q:MTOBXSSpFI4/PM/ye
                                                                                                                    MD5:FAE84E0773A74F367124C6D871516B7B
                                                                                                                    SHA1:CAF8B9D7D4AF965BF445D052D1E835B680D6BBC3
                                                                                                                    SHA-256:86EE073C199B5080FE4F5BE6AC24BB1117FEA42E4BBCD828B4F0EC26C669B22C
                                                                                                                    SHA-512:CAF1381CAE7417B57FAEF56D0023BF90C90406748F8813AB85C687DDB81E2498D2F1D5F4BC154903FD5A19836E6F245CD6F5D3927A383F1ACC3BCC41B58FD09B
                                                                                                                    Malicious:false
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 1071684 bytes, 5 files, at 0x44 +A "d3dx9_27_x86.cat" +A "d3dx9_27.dll", flags 0x4, ID 6926, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1080852
                                                                                                                    Entropy (8bit):7.999138982152864
                                                                                                                    Encrypted:true
                                                                                                                    SSDEEP:24576:sP2N00PXWcq4UsDMMlsOgDUaQFMBZ0To2xIG:sP2CuZQsVl96fQiZMo2xz
                                                                                                                    MD5:3E91448A7481A78318DCE123790EE31A
                                                                                                                    SHA1:AE5FE894790624BAD3E59234577E5CB009196FDF
                                                                                                                    SHA-256:8C062B22DC2814D4F426827B4BF8CFD95989FD986FB3AAA23438A485EE748D6D
                                                                                                                    SHA-512:F8318BD7CA4271FC328D19428E4688DA898B6D7FB56CC185AD661D4A18C8169392C63515D7DD2D0B65CBD1F23892D7A0A5D3D77A4CDA6230BA03B3B917E5C39A
                                                                                                                    Malicious:true
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 81182 bytes, 5 files, at 0x44 +A "xinput1_2_x64.cat" +A "xinput1_2.dll", flags 0x4, ID 7454, number 1, extra bytes 20 in head, 5 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):90350
                                                                                                                    Entropy (8bit):7.985841057262195
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:1536:5lQFOMW9t2gGQtmxC4LbB8GXjgvW/j44krD+W2MLdk6v5yO1Ha6DB/4RPjz6ITda:rIOMWm+tmnbXjVkWW1lgO166cjz6z
                                                                                                                    MD5:A9D582E44E46E36F37EDB7CBC761179D
                                                                                                                    SHA1:ED1BEF64385E94CE89AFA704D38408E23B31FA79
                                                                                                                    SHA-256:C26633D38E0A91B9BE70382E916A83D50E219609F7E05CFB2D27DFAFBE480B43
                                                                                                                    SHA-512:20011BFB547DEDCE8E6FCEDA22C3A3A83DB140E8A20844F3B0E8741B4474C1FEA73D84708B801E83EAE3CD2D8A2D6C851C3F7CD0154C0382A78BC2C2DF6B01E5
                                                                                                                    Malicious:false
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 1601326 bytes, 5 files, at 0x44 +A "d3dx9_34_x86.cat" +A "d3dx9_34.dll", flags 0x4, ID 7195, number 1, extra bytes 20 in head, 108 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1610494
                                                                                                                    Entropy (8bit):7.999066428256981
                                                                                                                    Encrypted:true
                                                                                                                    SSDEEP:24576:ZBdkB3TM+mIf4qyM0iJRy3QvQDxPYKhatPJZcg9QwJeYX34eq2F37kRVeLbdiL3q:ZPU3TMXxDVI3vQ2KSBP4YH4aAELbdK3q
                                                                                                                    MD5:FE8FEB215FAE59866DCD68C1604D97AA
                                                                                                                    SHA1:CEDACA678D15E78AA458B965ABB467E8964A1FAB
                                                                                                                    SHA-256:1C1E1C6F68BA556A0AF09A38C32EB421C543A4848C4B42D25867C98DAB3B3A50
                                                                                                                    SHA-512:9955336B561E4FD3BA3DA7FC086643E811048A25A7E68344D2CC5CAB091980BAAE1C04CE41328B59C896662E2875886B78EC869852B2D1DAAA46AF38C894A3F2
                                                                                                                    Malicious:true
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 1121257 bytes, 5 files, at 0x44 +A "d3dx9_31_x86.cat" +A "d3dx9_31.dll", flags 0x4, ID 6911, number 1, extra bytes 20 in head, 75 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1130449
                                                                                                                    Entropy (8bit):7.9990817245216945
                                                                                                                    Encrypted:true
                                                                                                                    SSDEEP:24576:fd5gyP75nbAgKdWsTLSCs3BZnH50ve35Jxroo6DS:F5fP75nbt0STRZn9nxrb5
                                                                                                                    MD5:F778928C9EB950EF493857F76A5811AD
                                                                                                                    SHA1:EA82D97077534751297AE0848FB1672E8F21E51E
                                                                                                                    SHA-256:4891E2DEA9D1798F6A89308E58C61A38E612F8433301EA2376AE14C3DFCB3021
                                                                                                                    SHA-512:1F382A287FC6763B8E8D66825E8256DFB7D0DEAD6B6A6B51DD7C4A5C86D536CC7EF4128BE0CE495FE17C859018750072DC7B43E3476D1BA435F209CC4EB6D43F
                                                                                                                    Malicious:true
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 91192 bytes, 3 files, at 0x44 "dxupdate.dll" "dxupdate.inf", flags 0x4, ID 3666, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):100360
                                                                                                                    Entropy (8bit):7.9900557178400815
                                                                                                                    Encrypted:true
                                                                                                                    SSDEEP:3072:lvknxJpNYAzRstaRkz0BwwnNbSa+vp5647S:FkZNXsERk6wwBSa+vnl2
                                                                                                                    MD5:4AFD7F5C0574A0EFD163740ECB142011
                                                                                                                    SHA1:3EBCA5343804FE94D50026DA91647442DA084302
                                                                                                                    SHA-256:6E39B3FDB6722EA8AA0DC8F46AE0D8BD6496DD0F5F56BAC618A0A7DD22D6CFB2
                                                                                                                    SHA-512:6F974ACEC7D6C1B6A423B28810B0840E77A9F9C1F9632C5CBA875BD895E076C7E03112285635CF633C2FA9A4D4E2F4A57437AE8DF88A7882184FF6685EE15F3F
                                                                                                                    Malicious:true
                                                                                                                    Preview:MSCF....8d......D...............R...........8d...#............................~>.%..dxupdate.dll.02........h=...dxupdate.inf.1...0.....~>.%..dxupdate.cif.T....'..CK.Z}.$.U....;..@.e!.#....G===.=+".?..+.s..l8....o.{....;.+..(...d,..HVd..,......(..[&H.........Y.Y..~..{.gv.vW.'.....^......^...}...1v....2.*.~.......y...a_.....^Z..V?H.Q..bo(..0.Ra...q(..`o....W.....4~...q.?...F.............].....~c...O7^..W..x.?...l.=.~$......'..o;.._.....'u.aK......=..X.........g........~.].[..+..\b._........p.=.....w...%..@.o-.....O2..w...~sn..D_:....G).../e.Q_/....=Y.x........p.0..^....w...A}..'..... ...P.7....3.av...?...Kl.......>t...O`..b.]....x..Y....._...x..}....@.....1.9.o....[.?.......)...g..'.1.i../.^.|..=........x...L.6`...>..,...K./....6...........A.#.?.8.|....?.|......w%K.>@..(.I...9.../....].....%v7.>.....-@.p....E........6...Kc..p?@.....8.|.p/..xg...7...^.(..7..X~?..........#...w...q..U....f.... ..?<.\...}.K.Z.,]+...../..-......e...aO....a9Y......Wg.
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 1073002 bytes, 5 files, at 0x44 +A "d3dx9_25_x86.cat" +A "d3dx9_25.dll", flags 0x4, ID 6922, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1082170
                                                                                                                    Entropy (8bit):7.999075135168916
                                                                                                                    Encrypted:true
                                                                                                                    SSDEEP:24576:i0BodqhH/OCy8M+j5lcB4ZfeXBXUd/QLML9bw6Uzc12:iUbffy/+lmBXF8Ioxw6Uo12
                                                                                                                    MD5:9C5DCA423D9D68349D290DF291DDBEEF
                                                                                                                    SHA1:D9F1CAE586470EA309CE9F115525B0504FFFAEA4
                                                                                                                    SHA-256:5487ED4E969A822E5C481CEFB1D4DA3066B1D5EC8C55798B246915ECB58A8665
                                                                                                                    SHA-512:9F50599321F45FB7451B0A1C0F1DCBD6B4A4E60EE27B0EF5AA29168C1BCE5B08F34329916EA2EA655CD632D0A19C81953C2A5F1277F6A96FB63AFC098236509D
                                                                                                                    Malicious:true
                                                                                                                    Preview:MSCF....j_......D...........................j_...#..............H...7.........r2. .d3dx9_25_x86.cat..#.7.....r2}. .d3dx9_25.dll.......#...r2,. .apr2005_d3dx9_25_x86.inf.......#...r2,. .d3dx9_25_w9x.inf.....k.#...r2,. .d3dx9_25_x86.inf.(.0.?..CK..\....'4.A..".+.@.%..C*.4).b!@..$.....a..k.#..v.w.w.]xg...............9{......k....q....6.Z&Ey-.@.....a.0.T...9b......a...b....ilk.+c.5.af.o.vl..............<....s.z..V.7........fa\.G\$En..._..|$.?9.O...!..H.<...#.,...!.^N.<.g"..=.V|O.a..gwcw...t.c.......X..4(.).. .?.S..0k..._2{<%X.......m.*....D&&..v.c ....Av...u.l. K2......R.0.&.XO8b..p."H@^..2..jbb...hg.&...>.>....u..x....2...@.~....9..u.a.M.X...S5d_..|}z"h..1.....<...Z!...V).............}OO...n.2..Q....../.......R+[C..l..(...@......1........$..vs..K. m...e...b..\}u.+.....?..bg...P.......%.pRgTq.t.t.e<..t.Y._.X.?F.(../.......abb.G5.qkb.\..Z...g.....g..(.....f..Lz.8...h.e....t.R.fJ.iJNCv}:.V.:..m.B..JIQrlA..Z5..HR..)9-...:.......V.JP.)t*.....6m....
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 81141 bytes, 5 files, at 0x44 +A "xinput1_1_x64.cat" +A "xinput1_1.dll", flags 0x4, ID 7457, number 1, extra bytes 20 in head, 5 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):90309
                                                                                                                    Entropy (8bit):7.986243949537019
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:1536:/0CNqg1WzKHJUq/JSlvxToeSNOUp9BttldRL9zaMNez4fbI9YKztrIrm:/hIg1cEJUxvxlSNOUpfttldRL9zkzAI5
                                                                                                                    MD5:B0669F7D395078BEE0087B089F0B45C5
                                                                                                                    SHA1:30506FC3DCE9532EF0A8CB3973347EC9C3C9875F
                                                                                                                    SHA-256:E63A67783EF7624559F95AB697BF8AFBDAB7ACE31200283EF840E6B94AA16E5A
                                                                                                                    SHA-512:D7EFCFD85B3CB6CB9B1936B701A9D7D91A6094AA08D8C933EDF8493C6AD57BE05A579980A404B35E9721F71B45F4CAE28399FCA3FF5DF20A9A3138B90F86B94C
                                                                                                                    Malicious:false
                                                                                                                    Preview:MSCF.....<......D...............!............<...#.............................44f .xinput1_1_x64.cat..F.........4.d .xinput1_1.dll......e.....4.d .infinst.exe.V....l.....4.e .apr2006_xinput_x64.inf......o.....4.e .xinput1_1_x64.inf.. ...9..CK.{.XSI..MHh..AD.. .7t...4..H.TTB...$.."...,...v].{Y{...u..k.......w..pA..}......<.\.9s.w.9sf.x...}...y..L......j`.c2..6..>..L.i.......F.......QZ...X.p.}c.i.`.,^X/l.8...m._..Fv0.}pOO.................N..>....O 6......X..s....A.'.s0....X...c._0.|...?... .....IM.Ln..e..&..$...6?...K.....f7../.A..2...@=..7.`..L&..u:...w.>...q.q'=&...Sf....'..,.S`R,..aJ..@.nO.6.....TEF+.K...4.-.$....<e........ob.^..\({@).F.A.../.'..I../.F>@}..N.f....h...........q\.7#.~...Rm.2...HO0...{...dx....d..00<.3.v..........d....o:.e...,.....I..^v&.t .O..)Y;.B.7|Q.K....Oo...g.L..5.I.....;t.i.\Z.V..>../..G+.!....z5,.*....1.L..#....58..f....7.x..Va~....bY....\+..U.-M.D..H....d"n{..b.X..V...Lqz..k.h.5..I.d)E..x'.hc.dp.Dr.8E,.(.R..+..5.YZS.1.
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 1600079 bytes, 5 files, at 0x44 +A "d3dx9_33_x86.cat" +A "d3dx9_33.dll", flags 0x4, ID 7180, number 1, extra bytes 20 in head, 108 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1609247
                                                                                                                    Entropy (8bit):7.999284261824255
                                                                                                                    Encrypted:true
                                                                                                                    SSDEEP:24576:4cQY0tIpwa5ydxGuruluTsRWo1Iq9e5m98yiN9/0rjVH60mPxr/1MQK:4cIIi+G9rul8uooec98yi//0rjoDZrCF
                                                                                                                    MD5:A5915EC0BE93D7EEBE8800CE761EE6DC
                                                                                                                    SHA1:E8BBC21C2B5F0E5801286F07E3DA09DBC67C3961
                                                                                                                    SHA-256:EFA2E6DE548401376A575E83A79DE019AA38F191D63FDEF3BD2B07D8CB33E3D7
                                                                                                                    SHA-512:02259FF3C8478CBA134A8F8408AA624B7165CED97C0AED8C9626034599DD5439F84D1AF9EEFC4191898B0A524E5FFAFB9875EC00E740CEBE97EAC4C2DD0E31AA
                                                                                                                    Malicious:true
                                                                                                                    Preview:MSCF....Oj......D...........................Oj...#..............l....(.........6{. .d3dx9_33_x86.cat.hW5..(....l6O. .d3dx9_33.dll.\.....5....6B. .apr2007_d3dx9_33_x86.inf.....\.5....6B. .d3dx9_33_x86.inf.,...g.5....6B. .d3dx9_33_x86_xp.inf.6^]Z.;..CK.y<.....Y.[.J..".<3..K.AJ.CQa.&a..-.L.vE...")[e..!E)e...(q.W).g..t...?.....Ws^...|.9...9.=.3..L.XN.U.&... ...L.p.b ..,....$.BJp@0.....@#.x^D*...T.`~N./J~... ..A6..Tj.....s.....a...A.....#YV..`&B.m...!"....O.h.x.....!M ..e. k@...$C.7..F...7.%...............C".Xk..V..Y...*..9...B>.n......J..<......{..w.MORA....v...H..l%.....`...;l.:..T@'Y]..9,H.`.,....A.....u..p.a.....D./!..VZ..1P..I......C..........9..4..1.z......h....W...~.}"hK.m..sA..}<;..w...,8.[a.y.!X...HM....qf.!....i.~.m`.O5...T&......2?...,%#.YCTh......H....@.a........?....7..}.+.c.S.\...-.%`.......1...5......24..........5.....yy-v..R.......{.C*..@"....n..C.I.`.ZX....@.MH.*.+9Q[.|.rD.j ...A.(.Vb.ZZx.f......F..}h..X....~[.Cs.S|....RV9JT.k.....c....C...
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 206847 bytes, 5 files, at 0x44 +A "d3dx10_00_x64.cat" +A "d3dx10.dll", flags 0x4, ID 6580, number 1, extra bytes 20 in head, 17 datablocks, 0x1503 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):216015
                                                                                                                    Entropy (8bit):7.996946294916653
                                                                                                                    Encrypted:true
                                                                                                                    SSDEEP:3072:SGo145qtWQt9fL4bBHlKqDfaqaGm3+vqm9/Xx0b6POnzED/RIxeqTk0T:SGo145qtbt1LaeB36/xc6PkV
                                                                                                                    MD5:681407075E9B19E5EF2218832F6FAD71
                                                                                                                    SHA1:E4F4D292A36CD9A3034007EF9D2005694307EB52
                                                                                                                    SHA-256:F9BD5BB083BD55D1D2A690BC66D6D9DA0B1A8B49F09E811E788C030669121118
                                                                                                                    SHA-512:E983E7DD3F40510816FF3AE836600A186DBA827B484B0C346C20E43E229189A86D4CB5CF219C1FC35B77AB0668866446F6E9206B279931C927D4ED66AD3625F1
                                                                                                                    Malicious:true
                                                                                                                    Preview:MSCF.....'......D............................'...#.............................5#a .d3dx10_00_x64.cat..)........}5.h .d3dx10.dll......H.....5T_ .infinst.exe......O.....5.` .d3dx10_00_x64.inf......Q.....5.` .dec2006_d3dx10_00_x64.inf......:..[.... .Vm.....%A.P...?..,..".._.R.&.F.J.J.K.^.^.*..".U.!. ...BvJ...G......(.........C~.b...V...i.Z..O.<.%. .*C...@l....a........XBq..Q.]g..2;..+d.[T[.Q..(ji..*J...........T%.E.5.o3w.;.x.p.+@...JH...JA%*.`.F..^....z..B......D.....*S. \.3....."A%'n..h.f%.E.Ue.T..61....i.....m.X.......Wu...pf.a...............G.B...........$..%....R...`K.x....U,/...aH........S..^..2....h.E.6....B.K.A..........4!@7..........2...].}...".2..Z...!V.......-.6..<...{}......*........o.~.ST.}.O.H.,....U.N.;..g{j.~a...^..7.n#.......SJ....~3}I9.\s.o....u.c;.../...RT....O~.R......L>C....W...K....P..z..........f%........::...vr.hC.Z.5...75+^...........evQ...8....v..)...W{..O/..<$....t...;. t..,&F.]&@.R..3e._.KZ.....C|../...^.p&..`\SVd.......ge..E.
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 1078760 bytes, 5 files, at 0x44 +A "d3dx9_29_x86.cat" +A "d3dx9_29.dll", flags 0x4, ID 6921, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1087928
                                                                                                                    Entropy (8bit):7.99922866964108
                                                                                                                    Encrypted:true
                                                                                                                    SSDEEP:24576:MWlF24ngnZPhX4ciAwvVHgK6SgHY6OmSfLV+:MWls4gnZTmHx6SgnPCY
                                                                                                                    MD5:F6CC1C08D0F569B5F59108D39CE3508B
                                                                                                                    SHA1:E9CF7EDC8C9C4B57A9BADD8386A2117EC5785AAB
                                                                                                                    SHA-256:4114E76799AF3DA9DB3DAE51305DAD70A05B757E506E4A327092D536CCA7EE75
                                                                                                                    SHA-512:86DF72D5B15396ACB504C1AC9DE7FF5C0CC9C95A90FDD82DAEDC55BAAD490CC47A71CB511571D37E25DD9BC1EE9652B9723E33879BC1756A7881A8E61EBC59ED
                                                                                                                    Malicious:true
                                                                                                                    Preview:MSCF.....u......D............................u...#..............H.............C4.F .d3dx9_29_x86.cat..#.......C4hE .d3dx9_29.dll......#...C4hF .d3dx9_29_w9x.inf.....x.#...C4hF .d3dx9_29_x86.inf.......#...C4iF .feb2006_d3dx9_29_x86.inf.w.6..>..CK..X.[...C.Q...1XQ.N..........T,..D .$....c.]......#..{.z..]..E....}...?......f.=..=.g.....v..]F.Y3j...8...&....V..S=S.f...1]aQ......a...1..Q...V.....m..e........s..m.[c.....yl.{/.^%q.Z.I ..hg..DH..........$..........AB.....!N.w=!F.g. .s.p.B...X...LL..X.c ....z.B...........b.81...>:/b..*.....511A..[.&.3vo.'.V)..kgjb...\..|..!(.i..%#...8..9U*m..]_.E...c.o.{....|j..r4..CN..2....K..].t.E..CH.2b}I.A_.D...5s.e....K..&..*.n.K....a..p.$29...o.HN..[..k...d......1V.....P..9..e.....p9...c=..RQ .7.H61.e ......I~.v.....p}:.1.:r.i....qb..@K.......AM.(.QM....%.p....+.9....~.J~.J~.J~.....-....`.0LLl...3nL.....t.f/...x.9......n....I/!.!V..X........S,OU..`.tt..u$i...*]...`.6...o..(..).-..tD.....L.B.S.+c.:.Z.n......od<..
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 47342 bytes, 5 files, at 0x44 +A "xinput1_3_x86.cat" +A "xinput1_3.dll", flags 0x4, ID 8235, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):56510
                                                                                                                    Entropy (8bit):7.973777529821975
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:1536:BcnwcwzHEdb27WH2SfZDNu75ddnVR+ZFaNk0ZKn4:4wb+2eZonQwt
                                                                                                                    MD5:B362EC93463D8B6381A864D35D38C512
                                                                                                                    SHA1:7CE47EBCEDA117D8B9748B5B2D3A6AE99FC239DF
                                                                                                                    SHA-256:B6C1166C57D91AFEEEAA745238D0D6465FF2084F0606FD29FAF1BFA9E008A6C5
                                                                                                                    SHA-512:CC57733912E2A296A11CD078372C3B43F1256A93EC5BECD0D1B520EB210FCE60938AA1CAA6DBBCA03292A05495B5ECD212EE5F77E3EBABB11EF31F1975B2D09E
                                                                                                                    Malicious:false
                                                                                                                    Preview:MSCF...........D...............+ ..............#...................(.........6{. .xinput1_3_x86.cat.h?...(.....6.. .xinput1_3.dll......h.....6G. .apr2007_xinput_x86.inf......m.....6G. .xinput1_3_x86.inf./....p.....6G. .xinput1_3_x86_xp.inf.i...T5..CK.y<.....Y.d..H.<3.1....=...`,cbB.f...*R*kB..V..E...,.[$I.R(~g..n........}....<....y>.9.s.....f*&.s)E.F..Cp ..Q...D 0<0.;....R.....3.\...4...F.1QI...........@..O....2.f....I\...a...c4.0.....,...0.!..6.. M...@..:..ocp.A.K6......... .F..!...[....+..,...0n...<..@cl`+Xe^.X.t.$.;{X@.P....@d..N=.....Z..g....&...#...%]....~.........C. #..u...h(.4^.4.... a.a...*#.Z<....%.{..5..n$....P@[..C<01..Y...F.\..[.H.H.l..f.l.X.0...l.4.A....+B.~.|.l.YO0..k}i>~V..O.f...M0n^.?..B..........a.......N.w/==J.{..D@0..Q.....%..@6..Z.|......@@.4..a.....q......t....4v....dI.Ym..^...........[7.XH.8Y.nR..d.<.;O.."k...d.y2aV..4....D...5..B".H~.....+x_o.4....c.#.`..0...v.F4........I.Q$.....x....._..;]...O[....l....?..:.......Q._....2.;.~...NXz
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 1109261 bytes, 5 files, at 0x44 +A "d3dx9_30_x86.cat" +A "d3dx9_30.dll", flags 0x4, ID 6903, number 1, extra bytes 20 in head, 74 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1118429
                                                                                                                    Entropy (8bit):7.999050518080374
                                                                                                                    Encrypted:true
                                                                                                                    SSDEEP:24576:OreyPa6AC8e290lruGDhi3TSvHDh+ISNvRNhPmJ0RRuu:cNoeYEuTSvjh+R3WKRv
                                                                                                                    MD5:B3D644A116C54AFDA42A61B0058BE112
                                                                                                                    SHA1:9AF7DDC29EEF98810A1A2F85DB0B19B2EC771437
                                                                                                                    SHA-256:CA7B9C6A49E986C350147F00A6C95C5B577847B5667B75681A1EE15E3A189106
                                                                                                                    SHA-512:A2D2F12B7B37BD8F5C8465DD13AD31942DF11EE5ED5423DEEEB178E6B594587706D2C5116258BE1562CAA5ECA691358AF3CB83B77898D1012FF521017D199165
                                                                                                                    Malicious:true
                                                                                                                    Preview:MSCF............D................................#..............J..............44f .d3dx9_30_x86.cat..p$........4.e .d3dx9_30.dll......$....4.e .apr2006_d3dx9_30_x86.inf.....z.$....4.e .d3dx9_30_w9x.inf.....+.$....4.e .d3dx9_30_x86.inf.v..[>..CK..X.K..=.. ....+..MBI.. M@.n..QH0....#....c..b/..{.z....E..y.......N8?gg..{..=..{...W..;..:....IA.....a.`.......43GX..r..,.f...+FA..,.....2..a0..2......Z.ty.Ih...m0w..es0Ww.[/.n%q.Z.I...ho......#...G.....\.. 1.P6....;.s.cZ.......t.B...X...LL..X.C.......B.......~......@..!..8..O..O..!mR..fbb.0.8L.f..XO.R.-......Y...y...Q4."5JD...p..s.T.f.2z.6..~...........9VPR.f.BH=.bg.s,.T.!=......O..........B...||}...X..5]R.0.....c.+.4..S....E.7.y...[....3...2$..:qt...7T......Q..@X..Ji...q.Z8.Ea(..@zS.D.3;.b..a.}L.;..PG/-....(...../vL_...@K....c..&....f..y.....3.8fW:.T:N7..W:..t.t...#(.FK.k..X..&...;_...Be.w.....b6.z<..za..}_7.afQ......O{,..Thu...).'+..0{:.V}kI.&Z.JU&&*...B..[.'..t.vK.9.`]..!.)Vht.8e.\.T.....i......I.
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 689905 bytes, 6 files, at 0x44 +A "d3dx10_33_x86.cat" +A "d3dcompiler_33.dll", flags 0x4, ID 9049, number 1, extra bytes 20 in head, 49 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):699073
                                                                                                                    Entropy (8bit):7.998968028413629
                                                                                                                    Encrypted:true
                                                                                                                    SSDEEP:12288:SHwziN1v34WzSc6IA6ajvY8ov8ZdReUTQ8Mr47JYCophIa9sNDn1QcILtw6:V01wWzCI3ajjls4NpAsNDnMw6
                                                                                                                    MD5:F784B8A0FD84C8AC3F218A9842D8DA56
                                                                                                                    SHA1:FB7B4B0F81CD5F1C6A900C71BFD4524AF9A79ECE
                                                                                                                    SHA-256:949068035CE57BBB3658217EC04F8DE7A122C6E7857B6F8B0CA002EB573DF553
                                                                                                                    SHA-512:01B818AA5188CDE3504E289AEDCA2D31A6C5AED479B18A2C78271828AE04BEBCD4082051B7F4EECA8A31E8EE5ADBA158420ECDCB21371C735E4781EE5F661DBF
                                                                                                                    Malicious:true
                                                                                                                    Preview:MSCF...........D...............Y#..............#..............1....).........6{. .d3dx10_33_x86.cat.p%...)....l6O. .d3dcompiler_33.dll.h...2O....o6=. .d3dx10_33.dll............6E. .apr2007_d3dx10_33_x86.inf.I...7......6E. .d3dx10_33_x86.inf.i..........6E. .d3dx10_33_x86_xp.inf..j"(.2..CK.y<...........l.al..)e.!a.&...l3.-.h....j.,."D.R..O...%W).gFn........}.z5..<s..s>.s>..|...U*x...Z..!..E..U...<$.....y0.sPH)....<..<.4.M.@...U.......\).@..6.'.Yi.!.....R.@.&..X..i..z..Y....`...C...).Cz...p.9H$...t@....I.s....;.[.C+A"..<.7.w3..A..u...s8$....ma.Y5.3.e C.e.yAAP ...@L..8.,?..h.a..E2=..9=.......e5|a./3B"q....Zh.P...6P.."....k....:.w..:.h%.....H.0u......+..D.+!..-...9.sD...O...QZ.a..8v#......Q..N..l%....c..?P..........>.....~......0.F.VB!1ii..v5.4.R.R.....LX.X.........w.8.'.~..p.8.......A......6w.\...~..[.B.E.!..h....uQR..q.....O.....R......Cth-.....$z..B..00.l.Uo.. '..m..fB..}...ij....<..RX._......k .k1.xH......A3y.<~V>.s^gV.8+.;+...CP..+. &.....PH..).UA{...E..
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 40098 bytes, 4 files, at 0x44 +A "xinput1_2_x86.cat" +A "xinput1_2.dll", flags 0x4, ID 6335, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):49266
                                                                                                                    Entropy (8bit):7.9632460736333766
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:768:OuG396sAA1wXXvVFc2755DkphtVmUkt/lnkvH0odpl/q1nk:vwQsAhFcSmpJ3kt/xcd7ek
                                                                                                                    MD5:16B968CA0C435EE45E77A84C2D0364A9
                                                                                                                    SHA1:90B17A60A34F6335787A6B2D489CBCD3A4EA98C8
                                                                                                                    SHA-256:6DD7C0ABE37D3DF7AA6DB7BB352260F4A15DC965FF9D30AA32FE9595C1A18300
                                                                                                                    SHA-512:3BBBFDF8B5673641EC066C3FB52E6B0D5CE0BC6ED6BFF17AB4AC3FA69A8628B09E5EC8322FC39D2A206974B54D297CAAFF9410197E26D090FE74F963CD535045
                                                                                                                    Malicious:false
                                                                                                                    Preview:MSCF............D................................#.............................4.R .xinput1_2_x86.cat............4.K .xinput1_2.dll............4}R .aug2006_xinput_x86.inf............4}R .xinput1_2_x86.inf.....>..CK.|.\SG..M.. @...mTT.0.(..D..M...+K0 ..D.`...T.Zkk.Am.V..k...V[l...+....*Z4....P..........&w.3g.9..\.Kz<tp..N.;.]Y...%=.!...b.............%v_88.t`qXK.;......B..3..c.8...................a...aA..C..)t...FP.q.%......'.B...("...D0.(..Al(..BY.<..."...s.!...1....&."...a..;6;h.P.#.X...p.H....c..q,..1.'..^.CL..h.C..h.%......f...S.l.'h.p.p.E.......\..G..1..'.)D>.Cd.JB..u.....6..i..A.>...&.......]..J....C..h."........x.......4....0.H.?..P.=.Z"zEaJU...F./...Y.t...~.o.y9<..9.l..7=.9_..d...!.r.F0...4..c2...a.3..y0..B..nD<.K...s!d.9|...p.0|a.U.a.=x.v$.OM.1u{...qQ,..._.R....y..f"...33...@... ......[..1.a.....0.x8..@.N.`i..0...b..c.wYs.L>&..9..A.......UXL.n..8x.....z......W+..... o.'.v.r...$g....R...4.u.r..J.P+......./o:C...Sg.g.&.3r..^.vG.v^...I.s...9..
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 1058965 bytes, 5 files, at 0x44 +A "d3dx9_26_x86.cat" +A "d3dx9_26.dll", flags 0x4, ID 6937, number 1, extra bytes 20 in head, 71 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1068133
                                                                                                                    Entropy (8bit):7.999040217820951
                                                                                                                    Encrypted:true
                                                                                                                    SSDEEP:24576:NxFMsUF1MmwONoWu85w6SFBu+vveJ0sut3z2A1s9z/D8gigA:V3dm3NoW+9FBhuJ9ut36A1s9z78giP
                                                                                                                    MD5:029359EBCA4BA5945282E0C021B26102
                                                                                                                    SHA1:6107919F51E1B952CA600F832A6F86CBBED064B5
                                                                                                                    SHA-256:C44EABF5BE3B87CD845950670C27F6A1E5D92B7758BA7C39C7849B1EE1C649C0
                                                                                                                    SHA-512:FA007F257F5267119B247EC4ED368E51FD73E6AEA3097E2FC4E78078C063AF34D161FD1BDCAF3097BB575D2614DBA226A624D060009EE4F7BEDA697EFCF42BB7
                                                                                                                    Malicious:true
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 40050 bytes, 4 files, at 0x44 +A "xinput1_1_x86.cat" +A "xinput1_1.dll", flags 0x4, ID 6338, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):49218
                                                                                                                    Entropy (8bit):7.962835058038329
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:768:rrXN+lWp5tvn2v0JeuXfYYJDyRIvwde6hecBLdKd+d4RUJ6HwyQs34VvD4:3gl6tfTVXwcWuqe6htcaJyQW4VvD4
                                                                                                                    MD5:E207FB904E641246F3F7234DB74121FC
                                                                                                                    SHA1:1BE8C50C074699BDD9184714E9022B7A2F8BF928
                                                                                                                    SHA-256:3FDF63211B0DD38069A9C1DF74D7BC42742DE003CEF72AD1486AAA92D74546FA
                                                                                                                    SHA-512:ED95D53BC351C98C0322753265B0A21C98DF97D0E2FBBC58A6836BFF374B7540B0CEA21371CD4A7EAD654210A42E1F9809CAC6E4EAE2ECF0EF2B88E220DC37F7
                                                                                                                    Malicious:false
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 1568416 bytes, 4 files, at 0x44 +A "d3dx9_32_x86.cat" +A "d3dx9_32.dll", flags 0x4, ID 5512, number 1, extra bytes 20 in head, 105 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1577608
                                                                                                                    Entropy (8bit):7.999092247669469
                                                                                                                    Encrypted:true
                                                                                                                    SSDEEP:49152:VKo9fY3tlVm3JjPueurZ8zQbC88LHhpu97Sm:V13BFurZ8U18uSm
                                                                                                                    MD5:A5BEAD938AFDC63ADFECC1DAF5049D7F
                                                                                                                    SHA1:B3D5BF56F6B9BF87C33009A088BA7785B6363B4E
                                                                                                                    SHA-256:A1CC7603302EE53D54F4353C223D95E223706924D99B864220B13814EF93EEFB
                                                                                                                    SHA-512:C9244BBCFE60F347EC8785B1A41B6E243153624EA73B16DB4D624239A69FA76D2DF2E54039D8F4D2C495890AC17B676E390F796118B4E16D9F03683247190362
                                                                                                                    Malicious:true
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 1073496 bytes, 5 files, at 0x44 +A "d3dx9_28_x86.cat" +A "d3dx9_28.dll", flags 0x4, ID 6914, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1082664
                                                                                                                    Entropy (8bit):7.999121865147412
                                                                                                                    Encrypted:true
                                                                                                                    SSDEEP:24576:Wa0lNxqf7fg42FhNffA/Lj41q7+YeSFfSKidHVmTJwagz8u:WHXx652fNffm0oleSt3Fwa3u
                                                                                                                    MD5:B1CCAAFF46FE022439F7DE5EB9EC226F
                                                                                                                    SHA1:8BB7225DF13E6B449D318E2649AEB45A5F24DAF7
                                                                                                                    SHA-256:645F8D90B07C69330A8C7C8912D70538411C9A6B2813048DA8AD3C3119487F93
                                                                                                                    SHA-512:2B59C07584D45705273A975A0223E4443DB190675558AB89D92E1572DE4843BE3D0D1267818B19185E4E438A8BCFA2AF5FB5EF2A119DA270BE4540576FD78C77
                                                                                                                    Malicious:true
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 185760 bytes, 4 files, at 0x44 +A "d3dx10_00_x86.cat" +A "d3dx10.dll", flags 0x4, ID 5461, number 1, extra bytes 20 in head, 14 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):194952
                                                                                                                    Entropy (8bit):7.9966042762544145
                                                                                                                    Encrypted:true
                                                                                                                    SSDEEP:3072:x4mJ4SadBGg8IZrdosr2nqOwY7l43gRDlcGgp6VMslgVwxikcBmEi21wx8MqX+dN:xJJ4VWgzZptAqOf6wRD5g0VlgVwxL21I
                                                                                                                    MD5:75C33157D8A1B123D01B2EAC91573C98
                                                                                                                    SHA1:E3E65896CE0520413979C0143C3AA9BD3A6A27D3
                                                                                                                    SHA-256:02DAA8B5AC3752F76C3BFD9A505EBF22B1B4B41E44EB92CE2799033B2330D186
                                                                                                                    SHA-512:F0F1F1DEA5938E1C7FF2ADF7C8D421C2E68E6D3A8CDF18D0F2F3FE1C6837A4F37B367D2D974C35832D1D85A619948DD0F250C7D6DC4AE39F618F5A2893EAC7DD
                                                                                                                    Malicious:true
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 1007265 bytes, 4 files, at 0x44 +A "d3dx9_24_x86.cat" +A "d3dx9_24.dll", flags 0x4, ID 4987, number 1, extra bytes 20 in head, 69 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1016433
                                                                                                                    Entropy (8bit):7.998972724711677
                                                                                                                    Encrypted:true
                                                                                                                    SSDEEP:24576:T/HUK+hlSM4jwe8WpmQUrxiUyULWoF/V++TYrjVdLa1:bHURewe8W4VN8uF/VhMr5s1
                                                                                                                    MD5:7029866BA46EC477449510BEEE74F473
                                                                                                                    SHA1:D2F2C21EAB1C277C930A0D2839903ECC55A9B3E8
                                                                                                                    SHA-256:3D4E48874BDDCD739CF79BF2B3FD195D7C3E861F738DC2EAB19F347545F83068
                                                                                                                    SHA-512:B8D709775C8D7CA246D0E52FF33017EE9A718B6C97C008181CD0C43DB7E60023D30D2F99A4930EBA124AF2F80452CBF27836D5B87E2968FB0F594ECA1EBF78DD
                                                                                                                    Malicious:true
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows, MS CAB-Installer self-extracting archive
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):295320
                                                                                                                    Entropy (8bit):7.749011498049896
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:6144:kWK8fc2liXmrLxcdRDLiH1vVRGVOhMp421/7YQV:VcvgLARDI1KIOzO0
                                                                                                                    MD5:2CBD6AD183914A0C554F0739069E77D7
                                                                                                                    SHA1:7BF35F2AFCA666078DB35CA95130BEB2E3782212
                                                                                                                    SHA-256:2CF71D098C608C56E07F4655855A886C3102553F648DF88458DF616B26FD612F
                                                                                                                    SHA-512:FF1AF2D2A883865F2412DDDCD68006D1907A719FE833319C833F897C93EE750BAC494C0991170DC1CF726B3F0406707DAA361D06568CD610EEB4ED1D9C0FBB10
                                                                                                                    Malicious:false
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Windows setup INFormation
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):57739
                                                                                                                    Entropy (8bit):5.6901788814132646
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:768:eNIkdgBl0DBU0qwUqB7otN4PTHhy4m1Io/sF6UcmI2rIEoguD0dpY4rI8dgXl0dl:epECjtutVj072Xwt7O49vQzztSZs5KLz
                                                                                                                    MD5:2C4D9E4773084F33092CED15678A2C46
                                                                                                                    SHA1:BAD603D543470157EFFD4876A684B9CFD5075524
                                                                                                                    SHA-256:ED710D035CCAAB0914810BECF2F5DB2816DBA3A351F3666A38A903C80C16997A
                                                                                                                    SHA-512:D2E34CAC195CFEDE8BC64BDC92721C574963FF522618EDA4D7172F664AEB4C8675FD3D4F3658391EE5EAA398BCD2CE5D8F80DEECF51AF176F5C4BB2D2695E04E
                                                                                                                    Malicious:false
                                                                                                                    Preview:[Version]..Signature=$Chicago$..DisplayName=%SetupTitle%..MinFileSize=2000....[DirectX]..SectionType=Group..Priority=100..DisplayName=%DirectX%....[DirectX_Win9X]..DisplayName=%DirectX_Win9X%..Details=%DirectX_Desc%..SectionType=Component..Platform=Win98,Millen..Group=DirectX..Size=4608,0..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL1="audio_w9x.cab",3..URL2="dinput_w9x_81.cab",3..URL3="dplay_w9x.cab",3..URL4="dshow_w9x.cab",3..URL5="dshow_w9x_81.cab",3..URL6="graphics_w9x.cab",3..URL7="graphics_w9x_81.cab",3..URL8="ks_w9x.cab",3..URL9="vb_w9x.cab",3..URL10="bda_w9x.cab",3..URL11="setup_w9x.cab",3..Version="9,29,1974,0"....[DirectX_Win98_ENG]..DisplayName=%DirectX_Win98%..Details=%DirectX_Desc%..SectionType=Component..Platform=Win98,Millen..Group=DirectX..Size=4348,0..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL1="audio_w9x_eng.cab",3..URL2="dinput_w9x_81_eng.cab",3..URL3="dplay_w9x_eng.cab",3..URL4="dshow_w9x_eng.cab",3..URL5="dxdiag_w9x_eng.cab",3..URL6="graphics_w9x_eng.cab"
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):95576
                                                                                                                    Entropy (8bit):6.500059286855779
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:1536:BG8tBKv1HCyODN2wjIqlLmqxY3AMVI4I9okOEvc0/c/sZRYltL26VVE2S+JJqsHM:BptQv1iyODswNLmqxY3AMV71Ev54EAxa
                                                                                                                    MD5:984CAD22FA542A08C5D22941B888D8DC
                                                                                                                    SHA1:3E3522E7F3AF329F2235B0F0850D664D5377B3CD
                                                                                                                    SHA-256:57BC22850BB8E0BCC511A9B54CD3DA18EEC61F3088940C07D63B9B74E7FE2308
                                                                                                                    SHA-512:8EF171218B331F0591A4B2A5E68DCBAE98F5891518CE877F1D8D1769C59C0F4DDAE43CC43DA6606975078F889C832F0666484DB9E047782E7A0AE4A2D41F5BEF
                                                                                                                    Malicious:false
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1566040
                                                                                                                    Entropy (8bit):6.387345800194587
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:24576:GIQ+ddddddddddddddxOOOOOOOOOOOOOO2iWeXiWeXiWeXiWeXiWeXiWeXiWeXig:GIQsOOOOOOOOOOOOOO2iWeXiWeXiWeXV
                                                                                                                    MD5:A5412A144F63D639B47FCC1BA68CB029
                                                                                                                    SHA1:81BD5F1C99B22C0266F3F59959DFB4EA023BE47E
                                                                                                                    SHA-256:8A011DA043A4B81E2B3D41A332E0FF23A65D546BD7636E8BC74885E8746927D6
                                                                                                                    SHA-512:2679A4CB690E8D709CB5E57B59315D22F69F91EFA6C4EE841943751C882B0C0457FD4A3376AC3832C757C6DFAFFB7D844909C5665B86A95339AF586097EE0405
                                                                                                                    Malicious:false

Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Windows setup INFormation
Category:dropped
Size (bytes):66865
Entropy (8bit):5.567626982635727
Encrypted:false
SSDEEP:768:Wn+OeDyG6lG9CVGQM6UP8XUUkw8KlNxLkPkjdARflPp0VZRTBM9oZPFASJu71N1F:V
MD5:B36D3F105D18E55534AD605CBF061A92
SHA1:788EF2DE1DEA6C8FE1D23A2E1007542F7321ED79
SHA-256:C6C5E877E92D387E977C135765075B7610DF2500E21C16E106A225216E6442AE
SHA-512:35AE00DA025FD578205337A018B35176095A876CD3C3CF67A3E8A8E69CD750A4CCC34CE240F11FAE3418E5E93CAF5082C987F0C63F9D953ED7CB8D9271E03B62
Malicious:false
Preview:..[Version]..Signature=$Chicago$..DisplayName=%SetupTitle%..MinFileSize=2000....[DirectX]..SectionType=Group..Priority=100..DisplayName=%DirectX%....[DXUpdate_Feb2005_x86]..DisplayName=%Feb2005%..Details=%DirectX_Desc%..SectionType=Component..Platform=NT5..Group=DirectX..Size=990,0..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL1="Feb2005_d3dx9_24_x86.cab",3..Version=4,09,00,0904....[DXUpdate_Feb2005_x64]..DisplayName=%Feb2005%..Details=%DirectX_Desc%..SectionType=Component..Platform=NT5..Group=DirectX..Size=1220,0..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL1="Feb2005_d3dx9_24_x64.cab",3..Version=4,09,00,0904....[DXUpdate_Apr2005_x86]..DisplayName=%Apr2005%..Details=%DirectX_Desc%..SectionType=Component..Platform=NT5..Group=DirectX..Size=1055,0..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL1="Apr2005_d3dx9_25_x86.cab",3..Version=4,09,00,0904....[DXUpdate_Apr2005_x64]..DisplayName=%Apr2005%..Details=%DirectX_Desc%..SectionType=Component..Platform=NT5..Group=DirectX..Size=1317

Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):177152
Entropy (8bit):6.549767948531931
Encrypted:false
SSDEEP:3072:KU6LKKnw8i/9S7BLGKm/nuFV3uNgosUBxr+2y97CqGIpHtWMeJnQRLj+bTHyKaY:Iw8aIMrfuFVeNgosUBxra4rIZsqq
MD5:7ED554B08E5B69578F9DE012822C39C9
SHA1:036D04513E134786B4758DEF5AFF83D19BF50C6E
SHA-256:FB4F297E295C802B1377C6684734B7249D55743DFB7C14807BEF59A1B5DB63A2
SHA-512:7AF5F9C4A3AD5C120BCDD681B958808ADA4D885D21AEB4A009A36A674AD3ECE9B51837212A982DB6142A6B5580E5B68D46971B802456701391CE40785AE6EBD9
Malicious:false
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............M...M...M.CM...M...MJ..M...M...M...M...M...M...M..KM...M..zM...M..{M...M..JM...M..MM...MRich...M................PE..L......M...........!.....j...n............................................................@.........................pw..V....j..........8.......................X...p...................................@...............8............................text....h.......j.................. ..`.data....:...........n..............@....rsrc...8...........................@..@.reloc..0&.......(..................@..B........................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Windows setup INFormation
Category:dropped
Size (bytes):12848
Entropy (8bit):5.071095411173453
Encrypted:false
SSDEEP:384:eXTiDxtV0xxmBxbD6Ys7s6xHOJYwYdDxAp8xXZyUxIJM:eXiM
MD5:E6A74342F328AFA559D5B0544E113571
SHA1:A08B053DFD061391942D359C70F9DD406A968B7D
SHA-256:93F5589499EE4EE2812D73C0D8FEACBBCFE8C47B6D98572486BC0EFF3C5906CA
SHA-512:1E35E5BDFF1D551DA6C1220A1A228C657A56A70DEDF5BE2D9273FC540F9C9F0BB73469595309EA1FF561BE7480EE92D16F7ACBBD597136F4FC5F9B8B65ECDFAD
Malicious:false
Preview:..; ---- Common sections ----..[Version]..Signature = "$CHICAGO$"..AdvancedINF = 2.0..Provider = %MSFT%..SetupClass = BASE....[Strings]..MSFT = "Microsoft"....[MDXDLLs]..Microsoft.DirectX.AudioVideoPlayback.dll..Microsoft.DirectX.Diagnostics.dll..Microsoft.DirectX.Direct3D.dll..Microsoft.DirectX.Direct3DX.dll..Microsoft.DirectX.DirectDraw.dll..Microsoft.DirectX.DirectInput.dll..Microsoft.DirectX.DirectPlay.dll..Microsoft.DirectX.DirectSound.dll..Microsoft.DirectX.dll......; ---- Windows 98 ----..[4.09.00.0904.00-4.09.00.0904.00_Win98_Feb2005_d3dx9_24_x86.cab]..NumberOfFiles=4..Size=2178 ;approximately total file size (Size * 1024 bytes)..CopyCount=1..d3dx9_24_w9x.inf....[4.09.00.0904.00-4.09.00.0904.00_Win98_Feb2005_MDX_x86.MSI]..NumberOfFiles=1..Size=1788 ;approximately total file size (Size * 1024 bytes)..CopyCount=1..Dependencies=feb2005_d3dx9_24_x86.cab..Feb2005_MDX_x86.MSI......; ---- Windows ME ----..[4.09.00.0904.00-4.09.00.0904.00_WinME_Feb2005_d3dx9_24_x86.cab]..N

Process:C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe
File Type:Windows setup INFormation
Category:dropped
Size (bytes):57739
Entropy (8bit):5.6901788814132646
Encrypted:false
SSDEEP:768:eNIkdgBl0DBU0qwUqB7otN4PTHhy4m1Io/sF6UcmI2rIEoguD0dpY4rI8dgXl0dl:epECjtutVj072Xwt7O49vQzztSZs5KLz
MD5:2C4D9E4773084F33092CED15678A2C46
SHA1:BAD603D543470157EFFD4876A684B9CFD5075524
SHA-256:ED710D035CCAAB0914810BECF2F5DB2816DBA3A351F3666A38A903C80C16997A
SHA-512:D2E34CAC195CFEDE8BC64BDC92721C574963FF522618EDA4D7172F664AEB4C8675FD3D4F3658391EE5EAA398BCD2CE5D8F80DEECF51AF176F5C4BB2D2695E04E
Malicious:false
Preview:[Version]..Signature=$Chicago$..DisplayName=%SetupTitle%..MinFileSize=2000....[DirectX]..SectionType=Group..Priority=100..DisplayName=%DirectX%....[DirectX_Win9X]..DisplayName=%DirectX_Win9X%..Details=%DirectX_Desc%..SectionType=Component..Platform=Win98,Millen..Group=DirectX..Size=4608,0..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL1="audio_w9x.cab",3..URL2="dinput_w9x_81.cab",3..URL3="dplay_w9x.cab",3..URL4="dshow_w9x.cab",3..URL5="dshow_w9x_81.cab",3..URL6="graphics_w9x.cab",3..URL7="graphics_w9x_81.cab",3..URL8="ks_w9x.cab",3..URL9="vb_w9x.cab",3..URL10="bda_w9x.cab",3..URL11="setup_w9x.cab",3..Version="9,29,1974,0"....[DirectX_Win98_ENG]..DisplayName=%DirectX_Win98%..Details=%DirectX_Desc%..SectionType=Component..Platform=Win98,Millen..Group=DirectX..Size=4348,0..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL1="audio_w9x_eng.cab",3..URL2="dinput_w9x_81_eng.cab",3..URL3="dplay_w9x_eng.cab",3..URL4="dshow_w9x_eng.cab",3..URL5="dxdiag_w9x_eng.cab",3..URL6="graphics_w9x_eng.cab"

Process:C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):527360
Entropy (8bit):6.071483982747115
Encrypted:false
SSDEEP:3072:diqLKVd9Aqq3Z/yKxAG2ur4IhUNJ4g3nO9hpRH0gQSpHt+akOC8BTDmsikzWX+us:DFAKJr4IWNJ4MOrpRBQS3kydI+xyS
MD5:AC3A5F7BE8CD13A863B50AB5FE00B71C
SHA1:EEE417CD92E263B84DD3B5DCC2B4B463FE6E84D9
SHA-256:8F5E89298E3DC2E22D47515900C37CCA4EE121C5BA06A6D962D40AD6E1A595DA
SHA-512:C8BBE791373DAD681F0AC9F5AB538119BDE685D4F901F5DB085C73163FC2E868972B2DE60E72CCD44F745F1FD88FCDE2E27F32302D8CBD3C1F43E6E657C79FBA
Malicious:false
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NQ.2.0ga.0ga.0ga-..a/0ga-..a.0ga-..a.0ga.H.a.0ga.0fa.0gaeF.a.0gaeF.a.0gaeF.a.0gaeF.a.0gaRich.0ga................PE..L......M..................... ...............................................P......._....@...... ..........................|........@..$....................0.......................................U..@............................................text............................... ..`.data....3..........................@....rsrc...$....@......................@..@.reloc.......0... ..................@..B................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe
File Type:Windows setup INFormation
Category:dropped
Size (bytes):477
Entropy (8bit):5.237059564403252
Encrypted:false
SSDEEP:6:AEAv+BIHfXhPJycXlnMlr4TFagtVFIglFdW8HEwF2T2GHEdqT2azM2GvjokVj2aE:BBIpPJhXlnMYFz2gkDvqtwqa9YS7r
MD5:AD8982EAA02C7AD4D7CDCBC248CAA941
SHA1:4CCD8E038D73A5361D754C7598ED238FC040D16B
SHA-256:D63C35E9B43EB0F28FFC28F61C9C9A306DA9C9DE3386770A7EB19FAA44DBFC00
SHA-512:5C805D78BAFFF06C36B5DF6286709DDF2D36808280F92E62DC4C285EDD9176195A764D5CF0BB000DA53CA8BBF66DDD61D852E4259E3113F6529E2D7BDBDD6E28
Malicious:false
Preview:[Version]..Signature="$CHICAGO$"..AdvancedINF=2.0..Provider = %MSFT%....[SourceDisksNames]..1 = %DiskName%,DXWSETUP.EXE,0....[SourceDisksFiles]..dsetup.dll=1..dsetup32.dll=1....[DestinationDirs]..DSetupDLL=11,directx\websetup....[DirectX_WinNT]..CopyFiles=DSetupDLL....[DirectX_Win9X]..CopyFiles=DSetupDLL....[CleanUp]..DelFiles=DSetupDLL....[DSetupDLL]..dsetup.dll,,,32..dsetup32.dll,,,32....[Strings]..MSFT = "Microsoft"..DiskName = "DXWSETUP"....

Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):182272
Entropy (8bit):6.784375621590053
Encrypted:false
SSDEEP:3072:sr85C/sWLuzeHpl18fCtnRPF9EVnb43jaI5gr/uHqZLWfp2KkvL5kdnQB:k9/9mCtnRPF9cCGr/uH0gkSdQB
MD5:73F73E565BCCA28C58B8CD91DC1056AD
SHA1:AB7B58E90994D016DFD7937556FDEA6FE13ABA22
SHA-256:A0AC3CF26C12A9727FE6986DB32F255CBBCD6E45B063022E79C74DBD3787546C
SHA-512:460230C3F943A4626BFF45040B26D0C542140DD7EED6F58FF0D9412125359219DAE252080ACF27A2DAC15AC6C9FE4A32277D185D727841D0B719DF4D3356225E
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Users\user\AppData\Local\Temp\chrome.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Users\user\AppData\Local\Temp\chrome.exe, Author: ditekSHen
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

Process:C:\Users\user\Desktop\dxwebsetup.exe
File Type:Non-ISO extended-ASCII text, with no line terminators
Category:modified
Size (bytes):8
Entropy (8bit):3.0
Encrypted:false
SSDEEP:3:Vp:Vp
MD5:6518B7CE0A9DEEB32CEE1D2A292A6EF1
SHA1:4C17EE3ECE99AA566B074B9A1692E5F123B513BB
SHA-256:4A1E57B3E7C89195FA15E7271543D2F0815ABAFFBFF3AF0A28C6BE5068C1DCE0
SHA-512:BA6B0DBE3456AEEA8507135FFDCF242ED6AF8B9DAAEE72D52696507C1924E4D9C7B8BE9D48052BAD9D95299B04EF25ADFF7583F88FAD7F61F9B8BB812A1126D5
Malicious:false
Preview:..B.&A

Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):44134
Entropy (8bit):5.334709577354132
Encrypted:false
SSDEEP:192:WlHX066nWHFNWkC3IOpOrO96aOv6BOvnxO76ant6BOCL+OC6aL+6BOkEQOU6aEgl:WrK
MD5:FB327EFD993564B507B37C09DE3C8641
SHA1:53447608875DB1B2CF9198B02C08AD254E4A6C33
SHA-256:E82C4330BC097CE38B2DDA10DA04E1F08FF2EFE7FAEC1F89C8BBE401E17C3BB8
SHA-512:57D9116543EB3AFD5D94BC8ED6C49C618FCDBAAB770E447F517E88D79B5514F3F4C968A5C5783127A2A44E28881C5C7A2342D0314F044B5D61364C56B5D9DFF6
Malicious:false
Preview:12/13/24 06:06:08: DXWSetup: ***** DXWSETUP *****..12/13/24 06:06:08: DXWSetup: WinMain()..12/13/24 06:06:08: DXWSetup: IsIA64(): not IA64...12/13/24 06:06:08: DXWSetup: Unable to get Version on target file C:\Windows\system32\directx\websetup\dsetup.dll..12/13/24 06:06:08: DXWSetup: Installed file C:\Windows\system32\directx\websetup\dsetup.dll..12/13/24 06:06:08: DXWSetup: Unable to get Version on target file C:\Windows\system32\directx\websetup\dsetup32.dll..12/13/24 06:06:08: DXWSetup: Installed file C:\Windows\system32\directx\websetup\dsetup32.dll..12/13/24 06:06:09: DXWSetup: GetDXVersion(): Unable to get RC string from registry...12/13/24 06:06:09: DXWSetup: DirectX Version: 4.09.00.0904.00..12/13/24 06:06:09: DXWSetup: Setup Version: 4.09.00.0904.00..12/13/24 06:06:09: DXWSetup: A newer version of DirectX have been installed already...12/13/24 06:06:18: DXWSetup: CDXWSetup::CDXWSetup()..12/13/24 06:06:18: DXWSetup: CDXWSetup::DownloadDXUpdate()..12/13/24 06:06:18: DXWSetup: On

Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 1073002 bytes, 5 files, at 0x44 +A "d3dx9_25_x86.cat" +A "d3dx9_25.dll", flags 0x4, ID 6922, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
Category:dropped
Size (bytes):1082170
Entropy (8bit):7.999075135168916
Encrypted:true
SSDEEP:24576:i0BodqhH/OCy8M+j5lcB4ZfeXBXUd/QLML9bw6Uzc12:iUbffy/+lmBXF8Ioxw6Uo12
MD5:9C5DCA423D9D68349D290DF291DDBEEF
SHA1:D9F1CAE586470EA309CE9F115525B0504FFFAEA4
SHA-256:5487ED4E969A822E5C481CEFB1D4DA3066B1D5EC8C55798B246915ECB58A8665
SHA-512:9F50599321F45FB7451B0A1C0F1DCBD6B4A4E60EE27B0EF5AA29168C1BCE5B08F34329916EA2EA655CD632D0A19C81953C2A5F1277F6A96FB63AFC098236509D
Malicious:true
Preview:MSCF....j_......D...........................j_...#..............H...7.........r2. .d3dx9_25_x86.cat..#.7.....r2}. .d3dx9_25.dll.......#...r2,. .apr2005_d3dx9_25_x86.inf.......#...r2,. .d3dx9_25_w9x.inf.....k.#...r2,. .d3dx9_25_x86.inf.(.0.?..CK..\....'4.A..".+.@.%..C*.4).b!@..$.....a..k.#..v.w.w.]xg...............9{......k....q....6.Z&Ey-.@.....a.0.T...9b......a...b....ilk.+c.5.af.o.vl..............<....s.z..V.7........fa\.G\$En..._..|$.?9.O...!..H.<...#.,...!.^N.<.g"..=.V|O.a..gwcw...t.c.......X..4(.).. .?.S..0k..._2{<%X.......m.*....D&&..v.c ....Av...u.l. K2......R.0.&.XO8b..p."H@^..2..jbb...hg.&...>.>....u..x....2...@.~....9..u.a.M.X...S5d_..|}z"h..1.....<...Z!...V).............}OO...n.2..Q....../.......R+[C..l..(...@......1........$..vs..K. m...e...b..\}u.+.....?..bg...P.......%.pRgTq.t.t.e<..t.Y._.X.?F.(../.......abb.G5.qkb.\..Z...g.....g..(.....f..Lz.8...h.e....t.R.fJ.iJNCv}:.V.:..m.B..JIQrlA..Z5..HR..)9-...:.......V.JP.)t*.....6m....

Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 1109261 bytes, 5 files, at 0x44 +A "d3dx9_30_x86.cat" +A "d3dx9_30.dll", flags 0x4, ID 6903, number 1, extra bytes 20 in head, 74 datablocks, 0x1 compression
Category:dropped
Size (bytes):1118429
Entropy (8bit):7.999050518080374
Encrypted:true
SSDEEP:24576:OreyPa6AC8e290lruGDhi3TSvHDh+ISNvRNhPmJ0RRuu:cNoeYEuTSvjh+R3WKRv
MD5:B3D644A116C54AFDA42A61B0058BE112
SHA1:9AF7DDC29EEF98810A1A2F85DB0B19B2EC771437
SHA-256:CA7B9C6A49E986C350147F00A6C95C5B577847B5667B75681A1EE15E3A189106
SHA-512:A2D2F12B7B37BD8F5C8465DD13AD31942DF11EE5ED5423DEEEB178E6B594587706D2C5116258BE1562CAA5ECA691358AF3CB83B77898D1012FF521017D199165
Malicious:true
Preview:MSCF............D................................#..............J..............44f .d3dx9_30_x86.cat..p$........4.e .d3dx9_30.dll......$....4.e .apr2006_d3dx9_30_x86.inf.....z.$....4.e .d3dx9_30_w9x.inf.....+.$....4.e .d3dx9_30_x86.inf.v..[>..CK..X.K..=.. ....+..MBI.. M@.n..QH0....#....c..b/..{.z....E..y.......N8?gg..{..=..{...W..;..:....IA.....a.`.......43GX..r..,.f...+FA..,.....2..a0..2......Z.ty.Ih...m0w..es0Ww.[/.n%q.Z.I...ho......#...G.....\.. 1.P6....;.s.cZ.......t.B...X...LL..X.C.......B.......~......@..!..8..O..O..!mR..fbb.0.8L.f..XO.R.-......Y...y...Q4."5JD...p..s.T.f.2z.6..~...........9VPR.f.BH=.bg.s,.T.!=......O..........B...||}...X..5]R.0.....c.+.4..S....E.7.y...[....3...2$..:qt...7T......Q..@X..Ji...q.Z8.Ea(..@zS.D.3;.b..a.}L.;..PG/-....(...../vL_...@K....c..&....f..y.....3.8fW:.T:N7..W:..t.t...#(.FK.k..X..&...;_...Be.w.....b6.z<..za..}_7.afQ......O{,..Thu...).'+..0{:.V}kI.&Z.JU&&*...B..[.'..t.vK.9.`]..!.)Vht.8e.\.T.....i......I.
Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 81141 bytes, 5 files, at 0x44 +A "xinput1_1_x64.cat" +A "xinput1_1.dll", flags 0x4, ID 7457, number 1, extra bytes 20 in head, 5 datablocks, 0x1 compression
Category:dropped
Size (bytes):90309
Entropy (8bit):7.986243949537019
Encrypted:false
SSDEEP:1536:/0CNqg1WzKHJUq/JSlvxToeSNOUp9BttldRL9zaMNez4fbI9YKztrIrm:/hIg1cEJUxvxlSNOUpfttldRL9zkzAI5
MD5:B0669F7D395078BEE0087B089F0B45C5
SHA1:30506FC3DCE9532EF0A8CB3973347EC9C3C9875F
SHA-256:E63A67783EF7624559F95AB697BF8AFBDAB7ACE31200283EF840E6B94AA16E5A
SHA-512:D7EFCFD85B3CB6CB9B1936B701A9D7D91A6094AA08D8C933EDF8493C6AD57BE05A579980A404B35E9721F71B45F4CAE28399FCA3FF5DF20A9A3138B90F86B94C
Malicious:false
                                                                                                                    Preview:MSCF.....<......D...............!............<...#.............................44f .xinput1_1_x64.cat..F.........4.d .xinput1_1.dll......e.....4.d .infinst.exe.V....l.....4.e .apr2006_xinput_x64.inf......o.....4.e .xinput1_1_x64.inf.. ...9..CK.{.XSI..MHh..AD.. .7t...4..H.TTB...$.."...,...v].{Y{...u..k.......w..pA..}......<.\.9s.w.9sf.x...}...y..L......j`.c2..6..>..L.i.......F.......QZ...X.p.}c.i.`.,^X/l.8...m._..Fv0.}pOO.................N..>....O 6......X..s....A.'.s0....X...c._0.|...?... .....IM.Ln..e..&..$...6?...K.....f7../.A..2...@=..7.`..L&..u:...w.>...q.q'=&...Sf....'..,.S`R,..aJ..@.nO.6.....TEF+.K...4.-.$....<e........ob.^..\({@).F.A.../.'..I../.F>@}..N.f....h...........q\.7#.~...Rm.2...HO0...{...dx....d..00<.3.v..........d....o:.e...,.....I..^v&.t .O..)Y;.B.7|Q.K....Oo...g.L..5.I.....;t.i.\Z.V..>../..G+.!....z5,.*....1.L..#....58..f....7.x..Va~....bY....\+..U.-M.D..H....d"n{..b.X..V...Lqz..k.h.5..I.d)E..x'.hc.dp.Dr.8E,.(.R..+..5.YZS.1.
Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 40050 bytes, 4 files, at 0x44 +A "xinput1_1_x86.cat" +A "xinput1_1.dll", flags 0x4, ID 6338, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
Category:dropped
Size (bytes):49218
Entropy (8bit):7.962835058038329
Encrypted:false
SSDEEP:768:rrXN+lWp5tvn2v0JeuXfYYJDyRIvwde6hecBLdKd+d4RUJ6HwyQs34VvD4:3gl6tfTVXwcWuqe6htcaJyQW4VvD4
MD5:E207FB904E641246F3F7234DB74121FC
SHA1:1BE8C50C074699BDD9184714E9022B7A2F8BF928
SHA-256:3FDF63211B0DD38069A9C1DF74D7BC42742DE003CEF72AD1486AAA92D74546FA
SHA-512:ED95D53BC351C98C0322753265B0A21C98DF97D0E2FBBC58A6836BFF374B7540B0CEA21371CD4A7EAD654210A42E1F9809CAC6E4EAE2ECF0EF2B88E220DC37F7
Malicious:false
                                                                                                                    Preview:MSCF....r.......D...........................r....#.............................46f .xinput1_1_x86.cat............4.d .xinput1_1.dll............4.e .apr2006_xinput_x86.inf.....R......4.e .xinput1_1_x86.inf...G..>..CK..\SG.8|....&l....-n.6....(Z........"PH..,...+.G.V..b..V....Zm.Z..Xm..ZQ..E.{.......}....&L.g.9s....Jz?tp..N.;.]Y....!...b......t.c..'D%v[...8.8..........F.spf2y,.Gpe.w.......d...o.vs.........G...).bQ....cE%....."..GH.`"....D..B!..i.1..... ..0.. ..K# ...@*...C!M....R....SDq.c...b....#!6....b.....(/.`.....Q....(.!.pE....lB.a....L.M..[..E.........|...;.H!..".P.j........9..<.t.l....]5w.;...R.9qQx...@x..8.........$.1.az!.Z..?.rDP+...c..)U'J..E.H..j....%.......w.;..x.O...>........`0.A4..d.....dT...Q.3..y0.."..].x"...|.C.bs.,...`..h..#D..y.v..OM.1u{..C .X.N......+0....f2...3;...@...P......Z.......H.x.E<....A.-.4OA.Vi.f......."n\....b\...\M+.e.....k.N.q.`....%.@.../Q..V.e...s..."w.......KI........4.u.p..J^.V....D....t.0J...H.HMVg.d....B.v.]..)..
Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 689905 bytes, 6 files, at 0x44 +A "d3dx10_33_x86.cat" +A "d3dcompiler_33.dll", flags 0x4, ID 9049, number 1, extra bytes 20 in head, 49 datablocks, 0x1 compression
Category:dropped
Size (bytes):699073
Entropy (8bit):7.998968028413629
Encrypted:true
SSDEEP:12288:SHwziN1v34WzSc6IA6ajvY8ov8ZdReUTQ8Mr47JYCophIa9sNDn1QcILtw6:V01wWzCI3ajjls4NpAsNDnMw6
MD5:F784B8A0FD84C8AC3F218A9842D8DA56
SHA1:FB7B4B0F81CD5F1C6A900C71BFD4524AF9A79ECE
SHA-256:949068035CE57BBB3658217EC04F8DE7A122C6E7857B6F8B0CA002EB573DF553
SHA-512:01B818AA5188CDE3504E289AEDCA2D31A6C5AED479B18A2C78271828AE04BEBCD4082051B7F4EECA8A31E8EE5ADBA158420ECDCB21371C735E4781EE5F661DBF
Malicious:true
                                                                                                                    Preview:MSCF...........D...............Y#..............#..............1....).........6{. .d3dx10_33_x86.cat.p%...)....l6O. .d3dcompiler_33.dll.h...2O....o6=. .d3dx10_33.dll............6E. .apr2007_d3dx10_33_x86.inf.I...7......6E. .d3dx10_33_x86.inf.i..........6E. .d3dx10_33_x86_xp.inf..j"(.2..CK.y<...........l.al..)e.!a.&...l3.-.h....j.,."D.R..O...%W).gFn........}.z5..<s..s>.s>..|...U*x...Z..!..E..U...<$.....y0.sPH)....<..<.4.M.@...U.......\).@..6.'.Yi.!.....R.@.&..X..i..z..Y....`...C...).Cz...p.9H$...t@....I.s....;.[.C+A"..<.7.w3..A..u...s8$....ma.Y5.3.e C.e.yAAP ...@L..8.,?..h.a..E2=..9=.......e5|a./3B"q....Zh.P...6P.."....k....:.w..:.h%.....H.0u......+..D.+!..-...9.sD...O...QZ.a..8v#......Q..N..l%....c..?P..........>.....~......0.F.VB!1ii..v5.4.R.R.....LX.X.........w.8.'.~..p.8.......A......6w.\...~..[.B.E.!..h....uQR..q.....O.....R......Cth-.....$z..B..00.l.Uo.. '..m..fB..}...ij....<..RX._......k .k1.xH......A3y.<~V>.s^gV.8+.;+...CP..+. &.....PH..).UA{...E..
Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 1600079 bytes, 5 files, at 0x44 +A "d3dx9_33_x86.cat" +A "d3dx9_33.dll", flags 0x4, ID 7180, number 1, extra bytes 20 in head, 108 datablocks, 0x1 compression
Category:dropped
Size (bytes):1609247
Entropy (8bit):7.999284261824255
Encrypted:true
SSDEEP:24576:4cQY0tIpwa5ydxGuruluTsRWo1Iq9e5m98yiN9/0rjVH60mPxr/1MQK:4cIIi+G9rul8uooec98yi//0rjoDZrCF
MD5:A5915EC0BE93D7EEBE8800CE761EE6DC
SHA1:E8BBC21C2B5F0E5801286F07E3DA09DBC67C3961
SHA-256:EFA2E6DE548401376A575E83A79DE019AA38F191D63FDEF3BD2B07D8CB33E3D7
SHA-512:02259FF3C8478CBA134A8F8408AA624B7165CED97C0AED8C9626034599DD5439F84D1AF9EEFC4191898B0A524E5FFAFB9875EC00E740CEBE97EAC4C2DD0E31AA
Malicious:true
                                                                                                                    Preview:MSCF....Oj......D...........................Oj...#..............l....(.........6{. .d3dx9_33_x86.cat.hW5..(....l6O. .d3dx9_33.dll.\.....5....6B. .apr2007_d3dx9_33_x86.inf.....\.5....6B. .d3dx9_33_x86.inf.,...g.5....6B. .d3dx9_33_x86_xp.inf.6^]Z.;..CK.y<.....Y.[.J..".<3..K.AJ.CQa.&a..-.L.vE...")[e..!E)e...(q.W).g..t...?.....Ws^...|.9...9.=.3..L.XN.U.&... ...L.p.b ..,....$.BJp@0.....@#.x^D*...T.`~N./J~... ..A6..Tj.....s.....a...A.....#YV..`&B.m...!"....O.h.x.....!M ..e. k@...$C.7..F...7.%...............C".Xk..V..Y...*..9...B>.n......J..<......{..w.MORA....v...H..l%.....`...;l.:..T@'Y]..9,H.`.,....A.....u..p.a.....D./!..VZ..1P..I......C..........9..4..1.z......h....W...~.}"hK.m..sA..}<;..w...,8.[a.y.!X...HM....qf.!....i.~.m`.O5...T&......2?...,%#.YCTh......H....@.a........?....7..}.+.c.S.\...-.%`.......1...5......24..........5.....yy-v..R.......{.C*..@"....n..C.I.`.ZX....@.MH.*.+9Q[.|.rD.j ...A.(.Vb.ZZx.f......F..}h..X....~[.Cs.S|....RV9JT.k.....c....C...
Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 90857 bytes, 6 files, at 0x44 +A "xinput1_3_x64.cat" +A "xinput1_3.dll", flags 0x4, ID 9350, number 1, extra bytes 20 in head, 6 datablocks, 0x1 compression
Category:dropped
Size (bytes):100025
Entropy (8bit):7.988437274786544
Encrypted:false
SSDEEP:3072:Mt5OSvuXSf2rbZu4Kmsr4eLRwPC5B9y7q:MTOBXSSpFI4/PM/ye
MD5:FAE84E0773A74F367124C6D871516B7B
SHA1:CAF8B9D7D4AF965BF445D052D1E835B680D6BBC3
SHA-256:86EE073C199B5080FE4F5BE6AC24BB1117FEA42E4BBCD828B4F0EC26C669B22C
SHA-512:CAF1381CAE7417B57FAEF56D0023BF90C90406748F8813AB85C687DDB81E2498D2F1D5F4BC154903FD5A19836E6F245CD6F5D3927A383F1ACC3BCC41B58FD09B
Malicious:false
                                                                                                                    Preview:MSCF.....b......D................$...........b...#...................(.........6+. .xinput1_3_x64.cat.h....(.....6. .xinput1_3.dll.h..........6.. .infinst.exe.\...h......6H. .apr2007_xinput_x64.inf............6G. .xinput1_3_x64.inf.....a......6H. .xinput1_3_x64_xp.inf...<.6..CK.\.\S.?....H3`@....B.....t.....D!.! " ].{..`AW........b.k/(....fNN ..z.}...g..of.7...|3#.]4.j...."V.;u.".,..t.....*.. o.!G4.G.<........!.I.P.'..t-B..T.N5...U.......2..S.....:....Ju.S.Q..v"D%..y.KR..B...a (.4.....7......x!L.\..u@.@...B.-G0......A..g...Dj8.j..L.X.."0."...^...kP.&@.}.....PP..k.p..|.`..P..D"... .H.1.h.^.G...#...+Ls..7..!qH."@..."..;,....Iz;u.t....>..Ki.y.~.5M`)SR(..$....&P:........-F...@....-..C.&V....N...Z..!....~.....{X"eo.5.D6.u...Y.9...8.......pg8....g....4....j@.S..T..C.H..7..ID...!.HP}.....7U..@?1".yMi....aA.....[..&.M.0A..'L,.q. 6`..DZ...i2.t..(Sw...e..X..6 ..y$...>....D.&R......>....~..U.Z...X.B.5:HAn.IU..[ .*.MH...8..Tgg'.H.G$H.$........)a...E b.y.>........t.....dF.
Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 47342 bytes, 5 files, at 0x44 +A "xinput1_3_x86.cat" +A "xinput1_3.dll", flags 0x4, ID 8235, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
Category:dropped
Size (bytes):56510
Entropy (8bit):7.973777529821975
Encrypted:false
SSDEEP:1536:BcnwcwzHEdb27WH2SfZDNu75ddnVR+ZFaNk0ZKn4:4wb+2eZonQwt
MD5:B362EC93463D8B6381A864D35D38C512
SHA1:7CE47EBCEDA117D8B9748B5B2D3A6AE99FC239DF
SHA-256:B6C1166C57D91AFEEEAA745238D0D6465FF2084F0606FD29FAF1BFA9E008A6C5
SHA-512:CC57733912E2A296A11CD078372C3B43F1256A93EC5BECD0D1B520EB210FCE60938AA1CAA6DBBCA03292A05495B5ECD212EE5F77E3EBABB11EF31F1975B2D09E
Malicious:false
                                                                                                                    Preview:MSCF...........D...............+ ..............#...................(.........6{. .xinput1_3_x86.cat.h?...(.....6.. .xinput1_3.dll......h.....6G. .apr2007_xinput_x86.inf......m.....6G. .xinput1_3_x86.inf./....p.....6G. .xinput1_3_x86_xp.inf.i...T5..CK.y<.....Y.d..H.<3.1....=...`,cbB.f...*R*kB..V..E...,.[$I.R(~g..n........}....<....y>.9.s.....f*&.s)E.F..Cp ..Q...D 0<0.;....R.....3.\...4...F.1QI...........@..O....2.f....I\...a...c4.0.....,...0.!..6.. M...@..:..ocp.A.K6......... .F..!...[....+..,...0n...<..@cl`+Xe^.X.t.$.;{X@.P....@d..N=.....Z..g....&...#...%]....~.........C. #..u...h(.4^.4.... a.a...*#.Z<....%.{..5..n$....P@[..C<01..Y...F.\..[.H.H.l..f.l.X.0...l.4.A....+B.~.|.l.YO0..k}i>~V..O.f...M0n^.?..B..........a.......N.w/==J.{..D@0..Q.....%..@6..Z.|......@@.4..a.....q......t....4v....dI.Ym..^...........[7.XH.8Y.nR..d.<.;O.."k...d.y2aV..4....D...5..B".H~.....+x_o.4....c.#.`..0...v.F4........I.Q$.....x....._..;]...O[....l....?..:.......Q._....2.;.~...NXz
Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 1071684 bytes, 5 files, at 0x44 +A "d3dx9_27_x86.cat" +A "d3dx9_27.dll", flags 0x4, ID 6926, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
Category:dropped
Size (bytes):1080852
Entropy (8bit):7.999138982152864
Encrypted:true
SSDEEP:24576:sP2N00PXWcq4UsDMMlsOgDUaQFMBZ0To2xIG:sP2CuZQsVl96fQiZMo2xz
MD5:3E91448A7481A78318DCE123790EE31A
SHA1:AE5FE894790624BAD3E59234577E5CB009196FDF
SHA-256:8C062B22DC2814D4F426827B4BF8CFD95989FD986FB3AAA23438A485EE748D6D
SHA-512:F8318BD7CA4271FC328D19428E4688DA898B6D7FB56CC185AD661D4A18C8169392C63515D7DD2D0B65CBD1F23892D7A0A5D3D77A4CDA6230BA03B3B917E5C39A
Malicious:true
                                                                                                                    Preview:MSCF....DZ......D...........................DZ...#..............H...<..........2.. .d3dx9_27_x86.cat..d#.<......2b. .d3dx9_27.dll.......#....2.. .aug2005_d3dx9_27_x86.inf.......#....2.. .d3dx9_27_w9x.inf.....p.#....2.. .d3dx9_27_x86.inf.]Z...>..CK..X.[...C.)...1(v.).. 3."J.P.. @(.&.Y..v...].....{.cW.$("..w.....yN<?v.5k.......q.Y..0......Z&.9N.!.....f.0.X...9b......fF......iL..+c...ff.tx.f....no.II...2.LO6..arY...u*..PZM..9.6f..H.<...._..G".K.1...R.I..|......=!....\O}<[/E.#..>.......+...........v!..C..:..Q.$.....s....LD.Q.i....h....b*..aB3c.a.b.W..c.151/,./r.rD>...(.i..%!.......\.......Sn.|t.[{F..Mq..\..5.d......J....J.3&....jN../S_N...Qg...gA..3..:...T.0f7.k..&.a.{o.+.j....:..j.f.s..54..`.}..g......?h....bf...w.(......C)(...$.........gJ~..`.;..P>...e.......c.C..@K...d0.@M0(.YM$.y..78..U.Y...J........W......A.04)...&4..{?....Ce..W.;..0m..x.9......n....Io!.!.>...o.......],OQ..0.Q..[KR5QrU.2)I...m.kU."<^..S..3.Q.....".b.F..UF.uJ....:lZ...p.2.R.
Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 81182 bytes, 5 files, at 0x44 +A "xinput1_2_x64.cat" +A "xinput1_2.dll", flags 0x4, ID 7454, number 1, extra bytes 20 in head, 5 datablocks, 0x1 compression
Category:dropped
Size (bytes):90350
Entropy (8bit):7.985841057262195
Encrypted:false
SSDEEP:1536:5lQFOMW9t2gGQtmxC4LbB8GXjgvW/j44krD+W2MLdk6v5yO1Ha6DB/4RPjz6ITda:rIOMWm+tmnbXjVkWW1lgO166cjz6z
MD5:A9D582E44E46E36F37EDB7CBC761179D
SHA1:ED1BEF64385E94CE89AFA704D38408E23B31FA79
SHA-256:C26633D38E0A91B9BE70382E916A83D50E219609F7E05CFB2D27DFAFBE480B43
SHA-512:20011BFB547DEDCE8E6FCEDA22C3A3A83DB140E8A20844F3B0E8741B4474C1FEA73D84708B801E83EAE3CD2D8A2D6C851C3F7CD0154C0382A78BC2C2DF6B01E5
Malicious:false
                                                                                                                    Preview:MSCF.....=......D............................=...#.............................4.R .xinput1_2_x64.cat..G.........4.K .xinput1_2.dll......f.....4.K .infinst.exe.V...'m.....4}R .aug2006_xinput_x64.inf.....}p.....4}R .xinput1_2_x64.inf....%p9..CK.[.\SI.....I..1`D...]A......A....D .)4........E]...`.....^VV.........{.\.]......~./w.9s...9sf.E..k.....l@...Y....*...Cu4.....t......I.Q.<u)ey...k1...K0.)....u..+..{..&...Z....@=].X....'..$q*D...y.kZ.+..O..x .....F.@..........A.wd..........;......<@i.. ..s(G..J..".q.#..c.u...=.H<"A.H..C..;.>....43V.4..1y.;..j.yK"F}.F..#.RY.h.u.2.....p.C...u...b.:..E1.?f........H@]..;..DfR.T.%..-.....h....@...;...Z=@..pGb.b... .........n.....b>...R~...J...X...0.?..P7..........p6."/=.Z mI.r..X..x...ey...m#.>Pi.ZY.".....Xi..B..S.....7....=P7k}L..."bB.....;.....)...;..L...`B.PG.8.d..q....e.E*....D.T.$..H..X.A..,6..y.|..4..*.x...K.....o...6`mB.T+.B..0..[..Q4MS.D?.9j.+...<..'.0.9"...5.l-S...8.#H..XF..puM5#.8.R..7..2.L.p..'....\../.....a....
Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 40098 bytes, 4 files, at 0x44 +A "xinput1_2_x86.cat" +A "xinput1_2.dll", flags 0x4, ID 6335, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
Category:dropped
Size (bytes):49266
Entropy (8bit):7.9632460736333766
Encrypted:false
SSDEEP:768:OuG396sAA1wXXvVFc2755DkphtVmUkt/lnkvH0odpl/q1nk:vwQsAhFcSmpJ3kt/xcd7ek
MD5:16B968CA0C435EE45E77A84C2D0364A9
SHA1:90B17A60A34F6335787A6B2D489CBCD3A4EA98C8
SHA-256:6DD7C0ABE37D3DF7AA6DB7BB352260F4A15DC965FF9D30AA32FE9595C1A18300
SHA-512:3BBBFDF8B5673641EC066C3FB52E6B0D5CE0BC6ED6BFF17AB4AC3FA69A8628B09E5EC8322FC39D2A206974B54D297CAAFF9410197E26D090FE74F963CD535045
Malicious:false
                                                                                                                    Preview:MSCF............D................................#.............................4.R .xinput1_2_x86.cat............4.K .xinput1_2.dll............4}R .aug2006_xinput_x86.inf............4}R .xinput1_2_x86.inf.....>..CK.|.\SG..M.. @...mTT.0.(..D..M...+K0 ..D.`...T.Zkk.Am.V..k...V[l...+....*Z4....P..........&w.3g.9..\.Kz<tp..N.;.]Y...%=.!...b.............%v_88.t`qXK.;......B..3..c.8...................a...aA..C..)t...FP.q.%......'.B...("...D0.(..Al(..BY.<..."...s.!...1....&."...a..;6;h.P.#.X...p.H....c..q,..1.'..^.CL..h.C..h.%......f...S.l.'h.p.p.E.......\..G..1..'.)D>.Cd.JB..u.....6..i..A.>...&.......]..J....C..h."........x.......4....0.H.?..P.=.Z"zEaJU...F./...Y.t...~.o.y9<..9.l..7=.9_..d...!.r.F0...4..c2...a.3..y0..B..nD<.K...s!d.9|...p.0|a.U.a.=x.v$.OM.1u{...qQ,..._.R....y..f"...33...@... ......[..1.a.....0.x8..@.N.`i..0...b..c.wYs.L>&..9..A.......UXL.n..8x.....z......W+..... o.'.v.r...$g....R...4.u.r..J.P+......./o:C...Sg.g.&.3r..^.vG.v^...I.s...9..
Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 1073496 bytes, 5 files, at 0x44 +A "d3dx9_28_x86.cat" +A "d3dx9_28.dll", flags 0x4, ID 6914, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
Category:dropped
Size (bytes):1082664
Entropy (8bit):7.999121865147412
Encrypted:true
SSDEEP:24576:Wa0lNxqf7fg42FhNffA/Lj41q7+YeSFfSKidHVmTJwagz8u:WHXx652fNffm0oleSt3Fwa3u
MD5:B1CCAAFF46FE022439F7DE5EB9EC226F
SHA1:8BB7225DF13E6B449D318E2649AEB45A5F24DAF7
SHA-256:645F8D90B07C69330A8C7C8912D70538411C9A6B2813048DA8AD3C3119487F93
SHA-512:2B59C07584D45705273A975A0223E4443DB190675558AB89D92E1572DE4843BE3D0D1267818B19185E4E438A8BCFA2AF5FB5EF2A119DA270BE4540576FD78C77
Malicious:true
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 206847 bytes, 5 files, at 0x44 +A "d3dx10_00_x64.cat" +A "d3dx10.dll", flags 0x4, ID 6580, number 1, extra bytes 20 in head, 17 datablocks, 0x1503 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):216015
                                                                                                                    Entropy (8bit):7.996946294916653
                                                                                                                    Encrypted:true
                                                                                                                    SSDEEP:3072:SGo145qtWQt9fL4bBHlKqDfaqaGm3+vqm9/Xx0b6POnzED/RIxeqTk0T:SGo145qtbt1LaeB36/xc6PkV
                                                                                                                    MD5:681407075E9B19E5EF2218832F6FAD71
                                                                                                                    SHA1:E4F4D292A36CD9A3034007EF9D2005694307EB52
                                                                                                                    SHA-256:F9BD5BB083BD55D1D2A690BC66D6D9DA0B1A8B49F09E811E788C030669121118
                                                                                                                    SHA-512:E983E7DD3F40510816FF3AE836600A186DBA827B484B0C346C20E43E229189A86D4CB5CF219C1FC35B77AB0668866446F6E9206B279931C927D4ED66AD3625F1
                                                                                                                    Malicious:true
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 185760 bytes, 4 files, at 0x44 +A "d3dx10_00_x86.cat" +A "d3dx10.dll", flags 0x4, ID 5461, number 1, extra bytes 20 in head, 14 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):194952
                                                                                                                    Entropy (8bit):7.9966042762544145
                                                                                                                    Encrypted:true
                                                                                                                    SSDEEP:3072:x4mJ4SadBGg8IZrdosr2nqOwY7l43gRDlcGgp6VMslgVwxikcBmEi21wx8MqX+dN:xJJ4VWgzZptAqOf6wRD5g0VlgVwxL21I
                                                                                                                    MD5:75C33157D8A1B123D01B2EAC91573C98
                                                                                                                    SHA1:E3E65896CE0520413979C0143C3AA9BD3A6A27D3
                                                                                                                    SHA-256:02DAA8B5AC3752F76C3BFD9A505EBF22B1B4B41E44EB92CE2799033B2330D186
                                                                                                                    SHA-512:F0F1F1DEA5938E1C7FF2ADF7C8D421C2E68E6D3A8CDF18D0F2F3FE1C6837A4F37B367D2D974C35832D1D85A619948DD0F250C7D6DC4AE39F618F5A2893EAC7DD
                                                                                                                    Malicious:true
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 1568416 bytes, 4 files, at 0x44 +A "d3dx9_32_x86.cat" +A "d3dx9_32.dll", flags 0x4, ID 5512, number 1, extra bytes 20 in head, 105 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1577608
                                                                                                                    Entropy (8bit):7.999092247669469
                                                                                                                    Encrypted:true
                                                                                                                    SSDEEP:49152:VKo9fY3tlVm3JjPueurZ8zQbC88LHhpu97Sm:V13BFurZ8U18uSm
                                                                                                                    MD5:A5BEAD938AFDC63ADFECC1DAF5049D7F
                                                                                                                    SHA1:B3D5BF56F6B9BF87C33009A088BA7785B6363B4E
                                                                                                                    SHA-256:A1CC7603302EE53D54F4353C223D95E223706924D99B864220B13814EF93EEFB
                                                                                                                    SHA-512:C9244BBCFE60F347EC8785B1A41B6E243153624EA73B16DB4D624239A69FA76D2DF2E54039D8F4D2C495890AC17B676E390F796118B4E16D9F03683247190362
                                                                                                                    Malicious:true
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 1007265 bytes, 4 files, at 0x44 +A "d3dx9_24_x86.cat" +A "d3dx9_24.dll", flags 0x4, ID 4987, number 1, extra bytes 20 in head, 69 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1016433
                                                                                                                    Entropy (8bit):7.998972724711677
                                                                                                                    Encrypted:true
                                                                                                                    SSDEEP:24576:T/HUK+hlSM4jwe8WpmQUrxiUyULWoF/V++TYrjVdLa1:bHURewe8W4VN8uF/VhMr5s1
                                                                                                                    MD5:7029866BA46EC477449510BEEE74F473
                                                                                                                    SHA1:D2F2C21EAB1C277C930A0D2839903ECC55A9B3E8
                                                                                                                    SHA-256:3D4E48874BDDCD739CF79BF2B3FD195D7C3E861F738DC2EAB19F347545F83068
                                                                                                                    SHA-512:B8D709775C8D7CA246D0E52FF33017EE9A718B6C97C008181CD0C43DB7E60023D30D2F99A4930EBA124AF2F80452CBF27836D5B87E2968FB0F594ECA1EBF78DD
                                                                                                                    Malicious:true
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 1078760 bytes, 5 files, at 0x44 +A "d3dx9_29_x86.cat" +A "d3dx9_29.dll", flags 0x4, ID 6921, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1087928
                                                                                                                    Entropy (8bit):7.99922866964108
                                                                                                                    Encrypted:true
                                                                                                                    SSDEEP:24576:MWlF24ngnZPhX4ciAwvVHgK6SgHY6OmSfLV+:MWls4gnZTmHx6SgnPCY
                                                                                                                    MD5:F6CC1C08D0F569B5F59108D39CE3508B
                                                                                                                    SHA1:E9CF7EDC8C9C4B57A9BADD8386A2117EC5785AAB
                                                                                                                    SHA-256:4114E76799AF3DA9DB3DAE51305DAD70A05B757E506E4A327092D536CCA7EE75
                                                                                                                    SHA-512:86DF72D5B15396ACB504C1AC9DE7FF5C0CC9C95A90FDD82DAEDC55BAAD490CC47A71CB511571D37E25DD9BC1EE9652B9723E33879BC1756A7881A8E61EBC59ED
                                                                                                                    Malicious:true
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 1058965 bytes, 5 files, at 0x44 +A "d3dx9_26_x86.cat" +A "d3dx9_26.dll", flags 0x4, ID 6937, number 1, extra bytes 20 in head, 71 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1068133
                                                                                                                    Entropy (8bit):7.999040217820951
                                                                                                                    Encrypted:true
                                                                                                                    SSDEEP:24576:NxFMsUF1MmwONoWu85w6SFBu+vveJ0sut3z2A1s9z/D8gigA:V3dm3NoW+9FBhuJ9ut36A1s9z78giP
                                                                                                                    MD5:029359EBCA4BA5945282E0C021B26102
                                                                                                                    SHA1:6107919F51E1B952CA600F832A6F86CBBED064B5
                                                                                                                    SHA-256:C44EABF5BE3B87CD845950670C27F6A1E5D92B7758BA7C39C7849B1EE1C649C0
                                                                                                                    SHA-512:FA007F257F5267119B247EC4ED368E51FD73E6AEA3097E2FC4E78078C063AF34D161FD1BDCAF3097BB575D2614DBA226A624D060009EE4F7BEDA697EFCF42BB7
                                                                                                                    Malicious:true
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 1601326 bytes, 5 files, at 0x44 +A "d3dx9_34_x86.cat" +A "d3dx9_34.dll", flags 0x4, ID 7195, number 1, extra bytes 20 in head, 108 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1610494
                                                                                                                    Entropy (8bit):7.999066428256981
                                                                                                                    Encrypted:true
                                                                                                                    SSDEEP:24576:ZBdkB3TM+mIf4qyM0iJRy3QvQDxPYKhatPJZcg9QwJeYX34eq2F37kRVeLbdiL3q:ZPU3TMXxDVI3vQ2KSBP4YH4aAELbdK3q
                                                                                                                    MD5:FE8FEB215FAE59866DCD68C1604D97AA
                                                                                                                    SHA1:CEDACA678D15E78AA458B965ABB467E8964A1FAB
                                                                                                                    SHA-256:1C1E1C6F68BA556A0AF09A38C32EB421C543A4848C4B42D25867C98DAB3B3A50
                                                                                                                    SHA-512:9955336B561E4FD3BA3DA7FC086643E811048A25A7E68344D2CC5CAB091980BAAE1C04CE41328B59C896662E2875886B78EC869852B2D1DAAA46AF38C894A3F2
                                                                                                                    Malicious:true
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 1121257 bytes, 5 files, at 0x44 +A "d3dx9_31_x86.cat" +A "d3dx9_31.dll", flags 0x4, ID 6911, number 1, extra bytes 20 in head, 75 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1130449
                                                                                                                    Entropy (8bit):7.9990817245216945
                                                                                                                    Encrypted:true
                                                                                                                    SSDEEP:24576:fd5gyP75nbAgKdWsTLSCs3BZnH50ve35Jxroo6DS:F5fP75nbt0STRZn9nxrb5
                                                                                                                    MD5:F778928C9EB950EF493857F76A5811AD
                                                                                                                    SHA1:EA82D97077534751297AE0848FB1672E8F21E51E
                                                                                                                    SHA-256:4891E2DEA9D1798F6A89308E58C61A38E612F8433301EA2376AE14C3DFCB3021
                                                                                                                    SHA-512:1F382A287FC6763B8E8D66825E8256DFB7D0DEAD6B6A6B51DD7C4A5C86D536CC7EF4128BE0CE495FE17C859018750072DC7B43E3476D1BA435F209CC4EB6D43F
                                                                                                                    Malicious:true
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):95576
                                                                                                                    Entropy (8bit):6.500059286855779
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:1536:BG8tBKv1HCyODN2wjIqlLmqxY3AMVI4I9okOEvc0/c/sZRYltL26VVE2S+JJqsHM:BptQv1iyODswNLmqxY3AMV71Ev54EAxa
                                                                                                                    MD5:984CAD22FA542A08C5D22941B888D8DC
                                                                                                                    SHA1:3E3522E7F3AF329F2235B0F0850D664D5377B3CD
                                                                                                                    SHA-256:57BC22850BB8E0BCC511A9B54CD3DA18EEC61F3088940C07D63B9B74E7FE2308
                                                                                                                    SHA-512:8EF171218B331F0591A4B2A5E68DCBAE98F5891518CE877F1D8D1769C59C0F4DDAE43CC43DA6606975078F889C832F0666484DB9E047782E7A0AE4A2D41F5BEF
                                                                                                                    Malicious:false
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1566040
                                                                                                                    Entropy (8bit):6.387345800194587
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:24576:GIQ+ddddddddddddddxOOOOOOOOOOOOOO2iWeXiWeXiWeXiWeXiWeXiWeXiWeXig:GIQsOOOOOOOOOOOOOO2iWeXiWeXiWeXV
                                                                                                                    MD5:A5412A144F63D639B47FCC1BA68CB029
                                                                                                                    SHA1:81BD5F1C99B22C0266F3F59959DFB4EA023BE47E
                                                                                                                    SHA-256:8A011DA043A4B81E2B3D41A332E0FF23A65D546BD7636E8BC74885E8746927D6
                                                                                                                    SHA-512:2679A4CB690E8D709CB5E57B59315D22F69F91EFA6C4EE841943751C882B0C0457FD4A3376AC3832C757C6DFAFFB7D844909C5665B86A95339AF586097EE0405
                                                                                                                    Malicious:false
                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........^..?...?...?...G6..?...?..U?.......?.......?.......?...I>..?...I...?...I...?...I?..?...I8..?..Rich.?..........................PE..L......M...........!................c........................................ ............@.................................$...........P...............X............................................^..@...............h............................text............................... ..`.data....4..........................@....rsrc...P...........................@..@.reloc..D).......*..................@..B................................................................................................................................................................................................................................................................................................................................................
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):95576
                                                                                                                    Entropy (8bit):6.500059286855779
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:1536:BG8tBKv1HCyODN2wjIqlLmqxY3AMVI4I9okOEvc0/c/sZRYltL26VVE2S+JJqsHM:BptQv1iyODswNLmqxY3AMV71Ev54EAxa
                                                                                                                    MD5:984CAD22FA542A08C5D22941B888D8DC
                                                                                                                    SHA1:3E3522E7F3AF329F2235B0F0850D664D5377B3CD
                                                                                                                    SHA-256:57BC22850BB8E0BCC511A9B54CD3DA18EEC61F3088940C07D63B9B74E7FE2308
                                                                                                                    SHA-512:8EF171218B331F0591A4B2A5E68DCBAE98F5891518CE877F1D8D1769C59C0F4DDAE43CC43DA6606975078F889C832F0666484DB9E047782E7A0AE4A2D41F5BEF
                                                                                                                    Malicious:false
                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........xx...+...+...+..+...+...+F..+.6k+...+.6x+...+.6{+...+...+...+...+...+...+...+...+...+Rich...+................PE..L......M...........!.....*...N.......k.......@.......................................Z....@..........................5..y....*.......p..h............^..X.......H...0................................6..@............................................text...)(.......*.................. ..`.data..../...@......................@....rsrc...h....p.......@..............@..@.reloc...............H..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 91192 bytes, 3 files, at 0x44 "dxupdate.dll" "dxupdate.inf", flags 0x4, ID 3666, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):100360
                                                                                                                    Entropy (8bit):7.9900557178400815
                                                                                                                    Encrypted:true
                                                                                                                    SSDEEP:3072:lvknxJpNYAzRstaRkz0BwwnNbSa+vp5647S:FkZNXsERk6wwBSa+vnl2
                                                                                                                    MD5:4AFD7F5C0574A0EFD163740ECB142011
                                                                                                                    SHA1:3EBCA5343804FE94D50026DA91647442DA084302
                                                                                                                    SHA-256:6E39B3FDB6722EA8AA0DC8F46AE0D8BD6496DD0F5F56BAC618A0A7DD22D6CFB2
                                                                                                                    SHA-512:6F974ACEC7D6C1B6A423B28810B0840E77A9F9C1F9632C5CBA875BD895E076C7E03112285635CF633C2FA9A4D4E2F4A57437AE8DF88A7882184FF6685EE15F3F
                                                                                                                    Malicious:true
                                                                                                                    Preview:MSCF....8d......D...............R...........8d...#............................~>.%..dxupdate.dll.02........h=...dxupdate.inf.1...0.....~>.%..dxupdate.cif.T....'..CK.Z}.$.U....;..@.e!.#....G===.=+".?..+.s..l8....o.{....;.+..(...d,..HVd..,......(..[&H.........Y.Y..~..{.gv.vW.'.....^......^...}...1v....2.*.~.......y...a_.....^Z..V?H.Q..bo(..0.Ra...q(..`o....W.....4~...q.?...F.............].....~c...O7^..W..x.?...l.=.~$......'..o;.._.....'u.aK......=..X.........g........~.].[..+..\b._........p.=.....w...%..@.o-.....O2..w...~sn..D_:....G).../e.Q_/....=Y.x........p.0..^....w...A}..'..... ...P.7....3.av...?...Kl.......>t...O`..b.]....x..Y....._...x..}....@.....1.9.o....[.?.......)...g..'.1.i../.^.|..=........x...L.6`...>..,...K./....6...........A.#.?.8.|....?.|......w%K.>@..(.I...9.../....].....%v7.>.....-@.p....E........6...Kc..p?@.....8.|.p/..xg...7...^.(..7..X~?..........#...w...q..U....f.... ..?<.\...}.K.Z.,]+...../..-......e...aO....a9Y......Wg.
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Generic INItialization configuration [DXUpdate]
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):3043
                                                                                                                    Entropy (8bit):5.277828510778736
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:48:1VTtTxC69TFwTqTxTW7TFTqTETFTdTf5TZTOFTsyTJTRTKTHfT8o1Tdai:1ltNC69hwety7h+IZpL51yFYy9NWzfQM
                                                                                                                    MD5:13A5AAD608D219F8642CB691238A0A8E
                                                                                                                    SHA1:13DE21481DFB1E5F40DDE426F5EEC9CC4B4A7471
                                                                                                                    SHA-256:F19333BF7528ED3BA989E5275F57D2B606689AEB748EFDCDCA218753044415FE
                                                                                                                    SHA-512:3D85DC688663ECFFCF98CB4FE5C6F158A76D3EED82727FF0421BB4B715F32589F699BE70CD857B311870312F888CB57A6E7149D9EBD5319FC0A5280BED58B38F
                                                                                                                    Malicious:false
                                                                                                                    Preview:[General]..Version=1..[DXUpdate]..Version=9,29,1974,0..Locale=en..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL0=100360,dxupdate.cab..[DXUpdate_Apr2006_xinput_x86]..Version=4,9,0,904..Locale=en..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL0=49218,Apr2006_xinput_x86.cab..[DXUpdate_Apr2006_xinput_x64]..Version=4,9,0,904..Locale=en..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL0=90309,Apr2006_xinput_x64.cab..[DXUpdate_Aug2006_xinput_x86]..Version=4,9,0,904..Locale=en..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL0=49266,Aug2006_xinput_x86.cab..[DXUpdate_Aug2006_xinput_x64]..Version=4,9,0,904..Locale=en..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL0=90350,Aug2006_xinput_x64.cab..[DXUpdate_Dec2006_d3dx10_x86]..Version=4,9,0,904..Locale=en..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL0=194952,Dec2006_d3dx10_00_x86.cab..[DXUpdate_Dec2006_d3dx10_x64]..Version=4,9,0,904..Locale=en..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL0=216015,Dec2006_d3dx10_00_x64.cab..[DXUpdate
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 40050 bytes, 4 files, at 0x44 +A "xinput1_1_x86.cat" +A "xinput1_1.dll", flags 0x4, ID 6338, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):49218
                                                                                                                    Entropy (8bit):7.962835058038329
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:768:rrXN+lWp5tvn2v0JeuXfYYJDyRIvwde6hecBLdKd+d4RUJ6HwyQs34VvD4:3gl6tfTVXwcWuqe6htcaJyQW4VvD4
                                                                                                                    MD5:E207FB904E641246F3F7234DB74121FC
                                                                                                                    SHA1:1BE8C50C074699BDD9184714E9022B7A2F8BF928
                                                                                                                    SHA-256:3FDF63211B0DD38069A9C1DF74D7BC42742DE003CEF72AD1486AAA92D74546FA
                                                                                                                    SHA-512:ED95D53BC351C98C0322753265B0A21C98DF97D0E2FBBC58A6836BFF374B7540B0CEA21371CD4A7EAD654210A42E1F9809CAC6E4EAE2ECF0EF2B88E220DC37F7
                                                                                                                    Malicious:false
                                                                                                                    Preview:MSCF....r.......D...........................r....#.............................46f .xinput1_1_x86.cat............4.d .xinput1_1.dll............4.e .apr2006_xinput_x86.inf.....R......4.e .xinput1_1_x86.inf...G..>..CK..\SG.8|....&l....-n.6....(Z........"PH..,...+.G.V..b..V....Zm.Z..Xm..ZQ..E.{.......}....&L.g.9s....Jz?tp..N.;.]Y....!...b......t.c..'D%v[...8.8..........F.spf2y,.Gpe.w.......d...o.vs.........G...).bQ....cE%....."..GH.`"....D..B!..i.1..... ..0.. ..K# ...@*...C!M....R....SDq.c...b....#!6....b.....(/.`.....Q....(.!.pE....lB.a....L.M..[..E.........|...;.H!..".P.j........9..<.t.l....]5w.;...R.9qQx...@x..8.........$.1.az!.Z..?.rDP+...c..)U'J..E.H..j....%.......w.;..x.O...>........`0.A4..d.....dT...Q.3..y0.."..].x"...|.C.bs.,...`..h..#D..y.v..OM.1u{..C .X.N......+0....f2...3;...@...P......Z.......H.x.E<....A.-.4OA.Vi.f......."n\....b\...\M+.e.....k.N.q.`....%.@.../Q..V.e...s..."w.......KI........4.u.p..J^.V....D....t.0J...H.HMVg.d....B.v.]..)..
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 81141 bytes, 5 files, at 0x44 +A "xinput1_1_x64.cat" +A "xinput1_1.dll", flags 0x4, ID 7457, number 1, extra bytes 20 in head, 5 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):90309
                                                                                                                    Entropy (8bit):7.986243949537019
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:1536:/0CNqg1WzKHJUq/JSlvxToeSNOUp9BttldRL9zaMNez4fbI9YKztrIrm:/hIg1cEJUxvxlSNOUpfttldRL9zkzAI5
                                                                                                                    MD5:B0669F7D395078BEE0087B089F0B45C5
                                                                                                                    SHA1:30506FC3DCE9532EF0A8CB3973347EC9C3C9875F
                                                                                                                    SHA-256:E63A67783EF7624559F95AB697BF8AFBDAB7ACE31200283EF840E6B94AA16E5A
                                                                                                                    SHA-512:D7EFCFD85B3CB6CB9B1936B701A9D7D91A6094AA08D8C933EDF8493C6AD57BE05A579980A404B35E9721F71B45F4CAE28399FCA3FF5DF20A9A3138B90F86B94C
                                                                                                                    Malicious:false
                                                                                                                    Preview:MSCF.....<......D...............!............<...#.............................44f .xinput1_1_x64.cat..F.........4.d .xinput1_1.dll......e.....4.d .infinst.exe.V....l.....4.e .apr2006_xinput_x64.inf......o.....4.e .xinput1_1_x64.inf.. ...9..CK.{.XSI..MHh..AD.. .7t...4..H.TTB...$.."...,...v].{Y{...u..k.......w..pA..}......<.\.9s.w.9sf.x...}...y..L......j`.c2..6..>..L.i.......F.......QZ...X.p.}c.i.`.,^X/l.8...m._..Fv0.}pOO.................N..>....O 6......X..s....A.'.s0....X...c._0.|...?... .....IM.Ln..e..&..$...6?...K.....f7../.A..2...@=..7.`..L&..u:...w.>...q.q'=&...Sf....'..,.S`R,..aJ..@.nO.6.....TEF+.K...4.-.$....<e........ob.^..\({@).F.A.../.'..I../.F>@}..N.f....h...........q\.7#.~...Rm.2...HO0...{...dx....d..00<.3.v..........d....o:.e...,.....I..^v&.t .O..)Y;.B.7|Q.K....Oo...g.L..5.I.....;t.i.\Z.V..>../..G+.!....z5,.*....1.L..#....58..f....7.x..Va~....bY....\+..U.-M.D..H....d"n{..b.X..V...Lqz..k.h.5..I.d)E..x'.hc.dp.Dr.8E,.(.R..+..5.YZS.1.
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 40098 bytes, 4 files, at 0x44 +A "xinput1_2_x86.cat" +A "xinput1_2.dll", flags 0x4, ID 6335, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):49266
                                                                                                                    Entropy (8bit):7.9632460736333766
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:768:OuG396sAA1wXXvVFc2755DkphtVmUkt/lnkvH0odpl/q1nk:vwQsAhFcSmpJ3kt/xcd7ek
                                                                                                                    MD5:16B968CA0C435EE45E77A84C2D0364A9
                                                                                                                    SHA1:90B17A60A34F6335787A6B2D489CBCD3A4EA98C8
                                                                                                                    SHA-256:6DD7C0ABE37D3DF7AA6DB7BB352260F4A15DC965FF9D30AA32FE9595C1A18300
                                                                                                                    SHA-512:3BBBFDF8B5673641EC066C3FB52E6B0D5CE0BC6ED6BFF17AB4AC3FA69A8628B09E5EC8322FC39D2A206974B54D297CAAFF9410197E26D090FE74F963CD535045
                                                                                                                    Malicious:false
                                                                                                                    Preview:MSCF............D................................#.............................4.R .xinput1_2_x86.cat............4.K .xinput1_2.dll............4}R .aug2006_xinput_x86.inf............4}R .xinput1_2_x86.inf.....>..CK.|.\SG..M.. @...mTT.0.(..D..M...+K0 ..D.`...T.Zkk.Am.V..k...V[l...+....*Z4....P..........&w.3g.9..\.Kz<tp..N.;.]Y...%=.!...b.............%v_88.t`qXK.;......B..3..c.8...................a...aA..C..)t...FP.q.%......'.B...("...D0.(..Al(..BY.<..."...s.!...1....&."...a..;6;h.P.#.X...p.H....c..q,..1.'..^.CL..h.C..h.%......f...S.l.'h.p.p.E.......\..G..1..'.)D>.Cd.JB..u.....6..i..A.>...&.......]..J....C..h."........x.......4....0.H.?..P.=.Z"zEaJU...F./...Y.t...~.o.y9<..9.l..7=.9_..d...!.r.F0...4..c2...a.3..y0..B..nD<.K...s!d.9|...p.0|a.U.a.=x.v$.OM.1u{...qQ,..._.R....y..f"...33...@... ......[..1.a.....0.x8..@.N.`i..0...b..c.wYs.L>&..9..A.......UXL.n..8x.....z......W+..... o.'.v.r...$g....R...4.u.r..J.P+......./o:C...Sg.g.&.3r..^.vG.v^...I.s...9..
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 81182 bytes, 5 files, at 0x44 +A "xinput1_2_x64.cat" +A "xinput1_2.dll", flags 0x4, ID 7454, number 1, extra bytes 20 in head, 5 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):90350
                                                                                                                    Entropy (8bit):7.985841057262195
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:1536:5lQFOMW9t2gGQtmxC4LbB8GXjgvW/j44krD+W2MLdk6v5yO1Ha6DB/4RPjz6ITda:rIOMWm+tmnbXjVkWW1lgO166cjz6z
                                                                                                                    MD5:A9D582E44E46E36F37EDB7CBC761179D
                                                                                                                    SHA1:ED1BEF64385E94CE89AFA704D38408E23B31FA79
                                                                                                                    SHA-256:C26633D38E0A91B9BE70382E916A83D50E219609F7E05CFB2D27DFAFBE480B43
                                                                                                                    SHA-512:20011BFB547DEDCE8E6FCEDA22C3A3A83DB140E8A20844F3B0E8741B4474C1FEA73D84708B801E83EAE3CD2D8A2D6C851C3F7CD0154C0382A78BC2C2DF6B01E5
                                                                                                                    Malicious:false
Preview:MSCF.....=......D............................=...#.............................4.R .xinput1_2_x64.cat..G.........4.K .xinput1_2.dll......f.....4.K .infinst.exe.V...'m.....4}R .aug2006_xinput_x64.inf.....}p.....4}R .xinput1_2_x64.inf....%p9..CK.[.\SI.....I..1`D...]A......A....D .)4........E]...`.....^VV.........{.\.]......~./w.9s...9sf.E..k.....l@...Y....*...Cu4.....t......I.Q.<u)ey...k1...K0.)....u..+..{..&...Z....@=].X....'..$q*D...y.kZ.+..O..x .....F.@..........A.wd..........;......<@i.. ..s(G..J..".q.#..c.u...=.H<"A.H..C..;.>....43V.4..1y.;..j.yK"F}.F..#.RY.h.u.2.....p.C...u...b.:..E1.?f........H@]..;..DfR.T.%..-.....h....@...;...Z=@..pGb.b... .........n.....b>...R~...J...X...0.?..P7..........p6."/=.Z mI.r..X..x...ey...m#.>Pi.ZY.".....Xi..B..S.....7....=P7k}L..."bB.....;.....)...;..L...`B.PG.8.d..q....e.E*....D.T.$..H..X.A..,6..y.|..4..*.x...K.....o...6`mB.T+.B..0..[..Q4MS.D?.9j.+...<..'.0.9"...5.l-S...8.#H..XF..puM5#.8.R..7..2.L.p..'....\../.....a....

Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 185760 bytes, 4 files, at 0x44 +A "d3dx10_00_x86.cat" +A "d3dx10.dll", flags 0x4, ID 5461, number 1, extra bytes 20 in head, 14 datablocks, 0x1 compression
Category:dropped
Size (bytes):194952
Entropy (8bit):7.9966042762544145
Encrypted:true
SSDEEP:3072:x4mJ4SadBGg8IZrdosr2nqOwY7l43gRDlcGgp6VMslgVwxikcBmEi21wx8MqX+dN:xJJ4VWgzZptAqOf6wRD5g0VlgVwxL21I
MD5:75C33157D8A1B123D01B2EAC91573C98
SHA1:E3E65896CE0520413979C0143C3AA9BD3A6A27D3
SHA-256:02DAA8B5AC3752F76C3BFD9A505EBF22B1B4B41E44EB92CE2799033B2330D186
SHA-512:F0F1F1DEA5938E1C7FF2ADF7C8D421C2E68E6D3A8CDF18D0F2F3FE1C6837A4F37B367D2D974C35832D1D85A619948DD0F250C7D6DC4AE39F618F5A2893EAC7DD
Malicious:true
Preview:MSCF............D...............U................#.............................5.a .d3dx10_00_x86.cat...........}5.h .d3dx10.dll............5.` .d3dx10_00_x86.inf............5.` .dec2006_d3dx10_00_x86.inf....9.>..CK..\.K...C..DEA.P.$.......$...%.A.....0 F.Y.s.1#...#..f.......y...}....ZU..jU......SP.=.gB..GQ....>.5.p8.*<%.y3uY.....Xv.....G.S..)/...A.x....@U.GN.....{,.0nI..@.......d.......R..S....s..B.........B...H. ;.. 9..<...nL.5..!..4=.>.o....A..u.i^...dd..x!.....p...@Jn.;H.L...d......&$. ..|<&/;.O...!.A..%##C.RZ...YG....Z.h..ee........+..D...D&.F.....?.a...Io..hg.5..blP..I.......B....`..,.....u..=A...<.%!.8.,.0....b...v.O..a....#.._J....3o.........F..Z {".t\..H..eo..1h.m.0.a....1....Bc..s.^..V..Bq.x...D(.E....@...&......<._..xv......OB....6L......y.. ....$3.....AB.&.cC8C".p.9.,[..mZ...C+....J.....A.04...rY.....7.y..!^....>j.+yj-#.#...h23.e..)....f....k.:@.-..3...,...O..Vl..#....MIK.Yk@j...^!,96O".....T...\.H,IIL....dfXw.u..e.w.F...C...Y).I\....&.[.4.

Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 206847 bytes, 5 files, at 0x44 +A "d3dx10_00_x64.cat" +A "d3dx10.dll", flags 0x4, ID 6580, number 1, extra bytes 20 in head, 17 datablocks, 0x1503 compression
Category:dropped
Size (bytes):216015
Entropy (8bit):7.996946294916653
Encrypted:true
SSDEEP:3072:SGo145qtWQt9fL4bBHlKqDfaqaGm3+vqm9/Xx0b6POnzED/RIxeqTk0T:SGo145qtbt1LaeB36/xc6PkV
MD5:681407075E9B19E5EF2218832F6FAD71
SHA1:E4F4D292A36CD9A3034007EF9D2005694307EB52
SHA-256:F9BD5BB083BD55D1D2A690BC66D6D9DA0B1A8B49F09E811E788C030669121118
SHA-512:E983E7DD3F40510816FF3AE836600A186DBA827B484B0C346C20E43E229189A86D4CB5CF219C1FC35B77AB0668866446F6E9206B279931C927D4ED66AD3625F1
Malicious:true
Preview:MSCF.....'......D............................'...#.............................5#a .d3dx10_00_x64.cat..)........}5.h .d3dx10.dll......H.....5T_ .infinst.exe......O.....5.` .d3dx10_00_x64.inf......Q.....5.` .dec2006_d3dx10_00_x64.inf......:..[.... .Vm.....%A.P...?..,..".._.R.&.F.J.J.K.^.^.*..".U.!. ...BvJ...G......(.........C~.b...V...i.Z..O.<.%. .*C...@l....a........XBq..Q.]g..2;..+d.[T[.Q..(ji..*J...........T%.E.5.o3w.;.x.p.+@...JH...JA%*.`.F..^....z..B......D.....*S. \.3....."A%'n..h.f%.E.Ue.T..61....i.....m.X.......Wu...pf.a...............G.B...........$..%....R...`K.x....U,/...aH........S..^..2....h.E.6....B.K.A..........4!@7..........2...].}...".2..Z...!V.......-.6..<...{}......*........o.~.ST.}.O.H.,....U.N.;..g{j.~a...^..7.n#.......SJ....~3}I9.\s.o....u.c;.../...RT....O~.R......L>C....W...K....P..z..........f%........::...vr.hC.Z.5...75+^...........evQ...8....v..)...W{..O/..<$....t...;. t..,&F.]&@.R..3e._.KZ.....C|../...^.p&..`\SVd.......ge..E.

Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 47342 bytes, 5 files, at 0x44 +A "xinput1_3_x86.cat" +A "xinput1_3.dll", flags 0x4, ID 8235, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
Category:dropped
Size (bytes):56510
Entropy (8bit):7.973777529821975
Encrypted:false
SSDEEP:1536:BcnwcwzHEdb27WH2SfZDNu75ddnVR+ZFaNk0ZKn4:4wb+2eZonQwt
MD5:B362EC93463D8B6381A864D35D38C512
SHA1:7CE47EBCEDA117D8B9748B5B2D3A6AE99FC239DF
SHA-256:B6C1166C57D91AFEEEAA745238D0D6465FF2084F0606FD29FAF1BFA9E008A6C5
SHA-512:CC57733912E2A296A11CD078372C3B43F1256A93EC5BECD0D1B520EB210FCE60938AA1CAA6DBBCA03292A05495B5ECD212EE5F77E3EBABB11EF31F1975B2D09E
Malicious:false
Preview:MSCF...........D...............+ ..............#...................(.........6{. .xinput1_3_x86.cat.h?...(.....6.. .xinput1_3.dll......h.....6G. .apr2007_xinput_x86.inf......m.....6G. .xinput1_3_x86.inf./....p.....6G. .xinput1_3_x86_xp.inf.i...T5..CK.y<.....Y.d..H.<3.1....=...`,cbB.f...*R*kB..V..E...,.[$I.R(~g..n........}....<....y>.9.s.....f*&.s)E.F..Cp ..Q...D 0<0.;....R.....3.\...4...F.1QI...........@..O....2.f....I\...a...c4.0.....,...0.!..6.. M...@..:..ocp.A.K6......... .F..!...[....+..,...0n...<..@cl`+Xe^.X.t.$.;{X@.P....@d..N=.....Z..g....&...#...%]....~.........C. #..u...h(.4^.4.... a.a...*#.Z<....%.{..5..n$....P@[..C<01..Y...F.\..[.H.H.l..f.l.X.0...l.4.A....+B.~.|.l.YO0..k}i>~V..O.f...M0n^.?..B..........a.......N.w/==J.{..D@0..Q.....%..@6..Z.|......@@.4..a.....q......t....4v....dI.Ym..^...........[7.XH.8Y.nR..d.<.;O.."k...d.y2aV..4....D...5..B".H~.....+x_o.4....c.#.`..0...v.F4........I.Q$.....x....._..;]...O[....l....?..:.......Q._....2.;.~...NXz

Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 90857 bytes, 6 files, at 0x44 +A "xinput1_3_x64.cat" +A "xinput1_3.dll", flags 0x4, ID 9350, number 1, extra bytes 20 in head, 6 datablocks, 0x1 compression
Category:dropped
Size (bytes):100025
Entropy (8bit):7.988437274786544
Encrypted:false
SSDEEP:3072:Mt5OSvuXSf2rbZu4Kmsr4eLRwPC5B9y7q:MTOBXSSpFI4/PM/ye
MD5:FAE84E0773A74F367124C6D871516B7B
SHA1:CAF8B9D7D4AF965BF445D052D1E835B680D6BBC3
SHA-256:86EE073C199B5080FE4F5BE6AC24BB1117FEA42E4BBCD828B4F0EC26C669B22C
SHA-512:CAF1381CAE7417B57FAEF56D0023BF90C90406748F8813AB85C687DDB81E2498D2F1D5F4BC154903FD5A19836E6F245CD6F5D3927A383F1ACC3BCC41B58FD09B
Malicious:false
Preview:MSCF.....b......D................$...........b...#...................(.........6+. .xinput1_3_x64.cat.h....(.....6. .xinput1_3.dll.h..........6.. .infinst.exe.\...h......6H. .apr2007_xinput_x64.inf............6G. .xinput1_3_x64.inf.....a......6H. .xinput1_3_x64_xp.inf...<.6..CK.\.\S.?....H3`@....B.....t.....D!.! " ].{..`AW........b.k/(....fNN ..z.}...g..of.7...|3#.]4.j...."V.;u.".,..t.....*.. o.!G4.G.<........!.I.P.'..t-B..T.N5...U.......2..S.....:....Ju.S.Q..v"D%..y.KR..B...a (.4.....7......x!L.\..u@.@...B.-G0......A..g...Dj8.j..L.X.."0."...^...kP.&@.}.....PP..k.p..|.`..P..D"... .H.1.h.^.G...#...+Ls..7..!qH."@..."..;,....Iz;u.t....>..Ki.y.~.5M`)SR(..$....&P:........-F...@....-..C.&V....N...Z..!....~.....{X"eo.5.D6.u...Y.9...8.......pg8....g....4....j@.S..T..C.H..7..ID...!.HP}.....7U..@?1".yMi....aA.....[..&.M.0A..'L,.q. 6`..DZ...i2.t..(Sw...e..X..6 ..y$...>....D.&R......>....~..U.Z...X.B.5:HAn.IU..[ .*.MH...8..Tgg'.H.G$H.$........)a...E b.y.>........t.....dF.

Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 1007265 bytes, 4 files, at 0x44 +A "d3dx9_24_x86.cat" +A "d3dx9_24.dll", flags 0x4, ID 4987, number 1, extra bytes 20 in head, 69 datablocks, 0x1 compression
Category:dropped
Size (bytes):1016433
Entropy (8bit):7.998972724711677
Encrypted:true
SSDEEP:24576:T/HUK+hlSM4jwe8WpmQUrxiUyULWoF/V++TYrjVdLa1:bHURewe8W4VN8uF/VhMr5s1
MD5:7029866BA46EC477449510BEEE74F473
SHA1:D2F2C21EAB1C277C930A0D2839903ECC55A9B3E8
SHA-256:3D4E48874BDDCD739CF79BF2B3FD195D7C3E861F738DC2EAB19F347545F83068
SHA-512:B8D709775C8D7CA246D0E52FF33017EE9A718B6C97C008181CD0C43DB7E60023D30D2F99A4930EBA124AF2F80452CBF27836D5B87E2968FB0F594ECA1EBF78DD
Malicious:true
Preview:MSCF.....^......D...............{............^...#..............E...7.........E2.. .d3dx9_24_x86.cat...!.7.....E2.. .d3dx9_24.dll......."...92.. .d3dx9_24_w9x.inf......."...92.. .d3dx9_24_x86.inf.(~m.?..CK..\.Y..O..........H.$@..(M..X.. R.I...6...#.^.......{w..}&............{.3..gf.e.....0*`..kFm.......i.`p....X..Y-..7]n^..9...e.(.7..^..V.FO+...v.,e.^..l(i~w...M...l...s...z..U.7.c5.b.3..........#1.I.'.F2.C.@.......'Hx /..K.~.`g.).0..".8y....0.8...N.|..v.u@...P...H.R......c;W....yg..x....s...2..\...}..%21.D..... ...q.....E,.....q.Ee..$...66...pGr}.. +..!&&&PK..f.r...x.'..<.. ....kH..@....~l....\....@fD...+y..:UC.%...zy1.........~j..v..{%..v[S.ZEE...5....i;..1.(...&.x._.......R+[A..l..z(.e. .k..jbf.@.336T.[...'...J/-..uHc.u.....6..U.....).l...&.".9.X..H\.N...d.V.g...^...Jv..PQ~#?....V.......j:..p.....k.R.......0o.~..F..70.).4b7......+.:.&.)Qd(9...i....J35q.....T%..b._....,..........)Qjt.DU.B.R.s..-.`.......4HE...JObJDlG.4x......lb..<..C..sHD.

Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 1073002 bytes, 5 files, at 0x44 +A "d3dx9_25_x86.cat" +A "d3dx9_25.dll", flags 0x4, ID 6922, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
Category:dropped
Size (bytes):1082170
Entropy (8bit):7.999075135168916
Encrypted:true
SSDEEP:24576:i0BodqhH/OCy8M+j5lcB4ZfeXBXUd/QLML9bw6Uzc12:iUbffy/+lmBXF8Ioxw6Uo12
MD5:9C5DCA423D9D68349D290DF291DDBEEF
SHA1:D9F1CAE586470EA309CE9F115525B0504FFFAEA4
SHA-256:5487ED4E969A822E5C481CEFB1D4DA3066B1D5EC8C55798B246915ECB58A8665
SHA-512:9F50599321F45FB7451B0A1C0F1DCBD6B4A4E60EE27B0EF5AA29168C1BCE5B08F34329916EA2EA655CD632D0A19C81953C2A5F1277F6A96FB63AFC098236509D
Malicious:true
Preview:MSCF....j_......D...........................j_...#..............H...7.........r2. .d3dx9_25_x86.cat..#.7.....r2}. .d3dx9_25.dll.......#...r2,. .apr2005_d3dx9_25_x86.inf.......#...r2,. .d3dx9_25_w9x.inf.....k.#...r2,. .d3dx9_25_x86.inf.(.0.?..CK..\....'4.A..".+.@.%..C*.4).b!@..$.....a..k.#..v.w.w.]xg...............9{......k....q....6.Z&Ey-.@.....a.0.T...9b......a...b....ilk.+c.5.af.o.vl..............<....s.z..V.7........fa\.G\$En..._..|$.?9.O...!..H.<...#.,...!.^N.<.g"..=.V|O.a..gwcw...t.c.......X..4(.).. .?.S..0k..._2{<%X.......m.*....D&&..v.c ....Av...u.l. K2......R.0.&.XO8b..p."H@^..2..jbb...hg.&...>.>....u..x....2...@.~....9..u.a.M.X...S5d_..|}z"h..1.....<...Z!...V).............}OO...n.2..Q....../.......R+[C..l..(...@......1........$..vs..K. m...e...b..\}u.+.....?..bg...P.......%.pRgTq.t.t.e<..t.Y._.X.?F.(../.......abb.G5.qkb.\..Z...g.....g..(.....f..Lz.8...h.e....t.R.fJ.iJNCv}:.V.:..m.B..JIQrlA..Z5..HR..)9-...:.......V.JP.)t*.....6m....

Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 1058965 bytes, 5 files, at 0x44 +A "d3dx9_26_x86.cat" +A "d3dx9_26.dll", flags 0x4, ID 6937, number 1, extra bytes 20 in head, 71 datablocks, 0x1 compression
Category:dropped
Size (bytes):1068133
Entropy (8bit):7.999040217820951
Encrypted:true
SSDEEP:24576:NxFMsUF1MmwONoWu85w6SFBu+vveJ0sut3z2A1s9z/D8gigA:V3dm3NoW+9FBhuJ9ut36A1s9z78giP
MD5:029359EBCA4BA5945282E0C021B26102
SHA1:6107919F51E1B952CA600F832A6F86CBBED064B5
SHA-256:C44EABF5BE3B87CD845950670C27F6A1E5D92B7758BA7C39C7849B1EE1C649C0
SHA-512:FA007F257F5267119B247EC4ED368E51FD73E6AEA3097E2FC4E78078C063AF34D161FD1BDCAF3097BB575D2614DBA226A624D060009EE4F7BEDA697EFCF42BB7
Malicious:true
Preview:MSCF.....(......D............................(...#..............G...7..........2b} .d3dx9_26_x86.cat...#.7......2Z| .d3dx9_26.dll......,#....2.} .d3dx9_26_w9x.inf......-#....2.} .d3dx9_26_x86.inf......0#....2.} .jun2005_d3dx9_26_x86.inf...N..>..CK..X....'.. ..P.....&!. .%.A........`.....;v..WTd..........w......{.{..<'...3..;}....=Xv3.e.vc:.yg.i.....1.....V.F.:.fMj ,.|.e.....F..5#?.|6.M.j[Z..k3.....g.f.B(..=v......a<.7..a.=.:...h.f.X6.."..I..I......Od:.!9......~1.H..q.....'....y..\...E..u.S|K.a...:c..B..8g:!?._..E:.A.H...N.a..j..~pI.....V.k.l.W.....X..........`4.2(.....e.>...0...!L..>p.....2d..r<...afffPK.6..t0.V.'HA.....j.o...5B+. .....hy...... M..5t...K.<>..@.G........~h..Xw.B.....F~>.?l..7..].}Xp.m.!......x~6.aY_*.rmH..sr.."Q*..]..d3.{.bXX`P....io...AZ.i..$..1....Gl.....d..AM:6.......p./(..Q.1..1..q....O.c~.c........04...|s3...}..x..I.r..).m.K1.o#.Q.Fa...X7.baY......G{......Z5S.HU..c.tp.z6.4m.B=P...d.6...g.....W..aM...z...L.R.W%...z.F.n.5....54EG.R

Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 1071684 bytes, 5 files, at 0x44 +A "d3dx9_27_x86.cat" +A "d3dx9_27.dll", flags 0x4, ID 6926, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
Category:dropped
Size (bytes):1080852
Entropy (8bit):7.999138982152864
Encrypted:true
SSDEEP:24576:sP2N00PXWcq4UsDMMlsOgDUaQFMBZ0To2xIG:sP2CuZQsVl96fQiZMo2xz
MD5:3E91448A7481A78318DCE123790EE31A
SHA1:AE5FE894790624BAD3E59234577E5CB009196FDF
SHA-256:8C062B22DC2814D4F426827B4BF8CFD95989FD986FB3AAA23438A485EE748D6D
SHA-512:F8318BD7CA4271FC328D19428E4688DA898B6D7FB56CC185AD661D4A18C8169392C63515D7DD2D0B65CBD1F23892D7A0A5D3D77A4CDA6230BA03B3B917E5C39A
Malicious:true
Preview:MSCF....DZ......D...........................DZ...#..............H...<..........2.. .d3dx9_27_x86.cat..d#.<......2b. .d3dx9_27.dll.......#....2.. .aug2005_d3dx9_27_x86.inf.......#....2.. .d3dx9_27_w9x.inf.....p.#....2.. .d3dx9_27_x86.inf.]Z...>..CK..X.[...C.)...1(v.).. 3."J.P.. @(.&.Y..v...].....{.cW.$("..w.....yN<?v.5k.......q.Y..0......Z&.9N.!.....f.0.X...9b......fF......iL..+c...ff.tx.f....no.II...2.LO6..arY...u*..PZM..9.6f..H.<...._..G".K.1...R.I..|......=!....\O}<[/E.#..>.......+...........v!..C..:..Q.$.....s....LD.Q.i....h....b*..aB3c.a.b.W..c.151/,./r.rD>...(.i..%!.......\.......Sn.|t.[{F..Mq..\..5.d......J....J.3&....jN../S_N...Qg...gA..3..:...T.0f7.k..&.a.{o.+.j....:..j.f.s..54..`.}..g......?h....bf...w.(......C)(...$.........gJ~..`.;..P>...e.......c.C..@K...d0.@M0(.YM$.y..78..U.Y...J........W......A.04)...&4..{?....Ce..W.;..0m..x.9......n....Io!.!.>...o.......],OQ..0.Q..[KR5QrU.2)I...m.kU."<^..S..3.Q.....".b.F..UF.uJ....:lZ...p.2.R.

Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 1073496 bytes, 5 files, at 0x44 +A "d3dx9_28_x86.cat" +A "d3dx9_28.dll", flags 0x4, ID 6914, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
Category:dropped
Size (bytes):1082664
Entropy (8bit):7.999121865147412
Encrypted:true
SSDEEP:24576:Wa0lNxqf7fg42FhNffA/Lj41q7+YeSFfSKidHVmTJwagz8u:WHXx652fNffm0oleSt3Fwa3u
MD5:B1CCAAFF46FE022439F7DE5EB9EC226F
SHA1:8BB7225DF13E6B449D318E2649AEB45A5F24DAF7
SHA-256:645F8D90B07C69330A8C7C8912D70538411C9A6B2813048DA8AD3C3119487F93
SHA-512:2B59C07584D45705273A975A0223E4443DB190675558AB89D92E1572DE4843BE3D0D1267818B19185E4E438A8BCFA2AF5FB5EF2A119DA270BE4540576FD78C77
Malicious:true
Preview:MSCF....Xa......D...........................Xa...#..............H..............3g. .d3dx9_28_x86.cat..t#........3). .d3dx9_28.dll......#....38. .d3dx9_28_w9x.inf.....x.#....38. .d3dx9_28_x86.inf.......#....38. .dec2005_d3dx9_28_x86.inf...a.>..CK..X.[...C.)...1X..S.I...(M@A.......Pm..;......,.`...=.#v.$("..w.{...yN<?..=k.^..=s...o.jw..et.=..YA..=H.eF..l...,;.17kj....+.jw..Y.ry6..\.Y.4.igecJ...,.g.yp.F.yc.....X...e...L6.....SI..j......."6."...2.... ..+..O$B,..6l. ..B1l.`.....A..rN2..ggf..g..... ..H..Dp$.1..h..X.O..Pi...[LC.L..!d.\....fff................lknfYP@_..|...Q4.!.JBJ..0...Ri[4.=..r<...b.3M/F].._S.J.."......"...P%@...`..l..J.*/.!.3.M.....y.l...TI.d*~8.0fwf.J)M.C.U....<n7......./..&..P.R0...Q.JU..2.`...2.ri....vp:.Lg.:(.....7.H2.p.!....N.).A...bg......$..6.M5Nj.e.U..-9..P..L.5...G5.......A.P.6..6..v.i..6..6........-....`.........&3nN..K.&w.g-c....4K.9..}...U}.."VCf}*b]..B..+.j.D..d5`..k...j...4UR..... ..Ux."].d5g6..l.70&.%J.^...Q.U.5...9..~

Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 1078760 bytes, 5 files, at 0x44 +A "d3dx9_29_x86.cat" +A "d3dx9_29.dll", flags 0x4, ID 6921, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
Category:dropped
Size (bytes):1087928
Entropy (8bit):7.99922866964108
Encrypted:true
SSDEEP:24576:MWlF24ngnZPhX4ciAwvVHgK6SgHY6OmSfLV+:MWls4gnZTmHx6SgnPCY
MD5:F6CC1C08D0F569B5F59108D39CE3508B
SHA1:E9CF7EDC8C9C4B57A9BADD8386A2117EC5785AAB
SHA-256:4114E76799AF3DA9DB3DAE51305DAD70A05B757E506E4A327092D536CCA7EE75
SHA-512:86DF72D5B15396ACB504C1AC9DE7FF5C0CC9C95A90FDD82DAEDC55BAAD490CC47A71CB511571D37E25DD9BC1EE9652B9723E33879BC1756A7881A8E61EBC59ED
Malicious:true
Preview:MSCF.....u......D............................u...#..............H.............C4.F .d3dx9_29_x86.cat..#.......C4hE .d3dx9_29.dll......#...C4hF .d3dx9_29_w9x.inf.....x.#...C4hF .d3dx9_29_x86.inf.......#...C4iF .feb2006_d3dx9_29_x86.inf.w.6..>..CK..X.[...C.Q...1XQ.N..........T,..D .$....c.]......#..{.z..]..E....}...?......f.=..=.g.....v..]F.Y3j...8...&....V..S=S.f...1]aQ......a...1..Q...V.....m..e........s..m.[c.....yl.{/.^%q.Z.I ..hg..DH..........$..........AB.....!N.w=!F.g. .s.p.B...X...LL..X.c ....z.B...........b.81...>:/b..*.....511A..[.&.3vo.'.V)..kgjb...\..|..!(.i..%#...8..9U*m..]_.E...c.o.{....|j..r4..CN..2....K..].t.E..CH.2b}I.A_.D...5s.e....K..&..*.n.K....a..p.$29...o.HN..[..k...d......1V.....P..9..e.....p9...c=..RQ .7.H61.e ......I~.v.....p}:.1.:r.i....qb..@K.......AM.(.QM....%.p....+.9....~.J~.J~.J~.....-....`.0LLl...3nL.....t.f/...x.9......n....I/!.!V..X........S,OU..`.tt..u$i...*]...`.6...o..(..).-..tD.....L.B.S.+c.:.Z.n......od<..

Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 1109261 bytes, 5 files, at 0x44 +A "d3dx9_30_x86.cat" +A "d3dx9_30.dll", flags 0x4, ID 6903, number 1, extra bytes 20 in head, 74 datablocks, 0x1 compression
Category:dropped
Size (bytes):1118429
Entropy (8bit):7.999050518080374
Encrypted:true
SSDEEP:24576:OreyPa6AC8e290lruGDhi3TSvHDh+ISNvRNhPmJ0RRuu:cNoeYEuTSvjh+R3WKRv
MD5:B3D644A116C54AFDA42A61B0058BE112
SHA1:9AF7DDC29EEF98810A1A2F85DB0B19B2EC771437
SHA-256:CA7B9C6A49E986C350147F00A6C95C5B577847B5667B75681A1EE15E3A189106
SHA-512:A2D2F12B7B37BD8F5C8465DD13AD31942DF11EE5ED5423DEEEB178E6B594587706D2C5116258BE1562CAA5ECA691358AF3CB83B77898D1012FF521017D199165
Malicious:true
Preview:MSCF............D................................#..............J..............44f .d3dx9_30_x86.cat..p$........4.e .d3dx9_30.dll......$....4.e .apr2006_d3dx9_30_x86.inf.....z.$....4.e .d3dx9_30_w9x.inf.....+.$....4.e .d3dx9_30_x86.inf.v..[>..CK..X.K..=.. ....+..MBI.. M@.n..QH0....#....c..b/..{.z....E..y.......N8?gg..{..=..{...W..;..:....IA.....a.`.......43GX..r..,.f...+FA..,.....2..a0..2......Z.ty.Ih...m0w..es0Ww.[/.n%q.Z.I...ho......#...G.....\.. 1.P6....;.s.cZ.......t.B...X...LL..X.C.......B.......~......@..!..8..O..O..!mR..fbb.0.8L.f..XO.R.-......Y...y...Q4."5JD...p..s.T.f.2z.6..~...........9VPR.f.BH=.bg.s,.T.!=......O..........B...||}...X..5]R.0.....c.+.4..S....E.7.y...[....3...2$..:qt...7T......Q..@X..Ji...q.Z8.Ea(..@zS.D.3;.b..a.}L.;..PG/-....(...../vL_...@K....c..&....f..y.....3.8fW:.T:N7..W:..t.t...#(.FK.k..X..&...;_...Be.w.....b6.z<..za..}_7.afQ......O{,..Thu...).'+..0{:.V}kI.&Z.JU&&*...B..[.'..t.vK.9.`]..!.)Vht.8e.\.T.....i......I.
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 1121257 bytes, 5 files, at 0x44 +A "d3dx9_31_x86.cat" +A "d3dx9_31.dll", flags 0x4, ID 6911, number 1, extra bytes 20 in head, 75 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1130449
                                                                                                                    Entropy (8bit):7.9990817245216945
                                                                                                                    Encrypted:true
                                                                                                                    SSDEEP:24576:fd5gyP75nbAgKdWsTLSCs3BZnH50ve35Jxroo6DS:F5fP75nbt0STRZn9nxrb5
                                                                                                                    MD5:F778928C9EB950EF493857F76A5811AD
                                                                                                                    SHA1:EA82D97077534751297AE0848FB1672E8F21E51E
                                                                                                                    SHA-256:4891E2DEA9D1798F6A89308E58C61A38E612F8433301EA2376AE14C3DFCB3021
                                                                                                                    SHA-512:1F382A287FC6763B8E8D66825E8256DFB7D0DEAD6B6A6B51DD7C4A5C86D536CC7EF4128BE0CE495FE17C859018750072DC7B43E3476D1BA435F209CC4EB6D43F
                                                                                                                    Malicious:true
                                                                                                                    Preview:MSCF............D................................#..............K.............<5m. .d3dx9_31_x86.cat...$.......<5.. .d3dx9_31.dll.......$...<5.. .d3dx9_31_w9x.inf.......$...<5.. .d3dx9_31_x86.inf.......$...<5.. .oct2006_d3dx9_31_x86.inf.j5o.s>..CK..\....oh"....Fl..'.......i.*vC..... `..w...6.....`.....;..E..........l.w.3....Y,..+......yg.a.....$.`0...6...XZ4.FX..J...l.V..o;F^..lH....3'.f0..G.m..P.[>...G..j..c^....p.<OAO.N.q.Z.E...hk..H...'@../.B.....q`K...y"..-9.r.'.9...x.O.R.8.......c....`Gc..C....>......X.......|0c..tz......./....-.faa.0..<,.V.^X..B......:/...y...3...X.GZ..T......Bi[.KY.x..A...3.[...s..l..J..U..h.../2Z"7......k....yB.E^.r....T........K.....,...X..)..C...z4.....b......o..yv5.!5...CD`&.\.<0..P.y9..e..`{m8..K.:(.....w..la..@.++.N... .y6.m.......,.c...[lc....d..AM.6........ .P...uD.........m...........m.e.`9t..+..aa..@5.y}r.\..rJ.={9f...3...fO4.u.V6u-z.....t.n..*.A..0%.T....L'.[K...Uh....Ul....vum.........N.U..).)Q...x.RaPk5..X3z.e...
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 1568416 bytes, 4 files, at 0x44 +A "d3dx9_32_x86.cat" +A "d3dx9_32.dll", flags 0x4, ID 5512, number 1, extra bytes 20 in head, 105 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1577608
                                                                                                                    Entropy (8bit):7.999092247669469
                                                                                                                    Encrypted:true
                                                                                                                    SSDEEP:49152:VKo9fY3tlVm3JjPueurZ8zQbC88LHhpu97Sm:V13BFurZ8U18uSm
                                                                                                                    MD5:A5BEAD938AFDC63ADFECC1DAF5049D7F
                                                                                                                    SHA1:B3D5BF56F6B9BF87C33009A088BA7785B6363B4E
                                                                                                                    SHA-256:A1CC7603302EE53D54F4353C223D95E223706924D99B864220B13814EF93EEFB
                                                                                                                    SHA-512:C9244BBCFE60F347EC8785B1A41B6E243153624EA73B16DB4D624239A69FA76D2DF2E54039D8F4D2C495890AC17B676E390F796118B4E16D9F03683247190362
                                                                                                                    Malicious:true
                                                                                                                    Preview:MSCF............D................................#..............i..............5.a .d3dx9_32_x86.cat..G4.......}5.h .d3dx9_32.dll......f4....5.` .d3dx9_32_x86.inf.M....i4....5.` .dec2006_d3dx9_32_x86.inf.4.$G.@..CK..\.K..?.........7...a....4.... @..LB. `..b..;......{/.;.g7A......}......uv.3.....9X....:.G...`.eT..p...X,..V..C]c.....3^aV......n.*.3..N.0K3s..%.eb...e../...7..$.~.e#+...<....=..U...R...<..I8..H.D..L.. 1.!........np..\...a...D.'....@(:./.A..{...H.e...b...4Y.c.<..P...H..............].;gl.$q.........}..%,.g.....X.C...*HAUZQ1..C.PM.v.\q...T.0Y.3.a.#.\!...O........A)...K....\....PF.X..te...P...B....).).V.(]Jt...A}.S.t|1S#z....\}./.....\..............(..0....'}..N.]......y,..~.R....f.P.E.T....d#.k.b..`P.../..0W.K&....!.!........M......EL&..bBA.b....q.H.Q.5..5..u....{.ka.k.s.PA^.e.5....c#......d...2..).V.e....2.^.;.....L.....s.`.iK...Q..N.Q.%.T......k..M...U...d...H.W..f.I......kF;X..;.%..N.....j.....6......L.T.).JU"["..`....1..........D.QO,..
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 1600079 bytes, 5 files, at 0x44 +A "d3dx9_33_x86.cat" +A "d3dx9_33.dll", flags 0x4, ID 7180, number 1, extra bytes 20 in head, 108 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1609247
                                                                                                                    Entropy (8bit):7.999284261824255
                                                                                                                    Encrypted:true
                                                                                                                    SSDEEP:24576:4cQY0tIpwa5ydxGuruluTsRWo1Iq9e5m98yiN9/0rjVH60mPxr/1MQK:4cIIi+G9rul8uooec98yi//0rjoDZrCF
                                                                                                                    MD5:A5915EC0BE93D7EEBE8800CE761EE6DC
                                                                                                                    SHA1:E8BBC21C2B5F0E5801286F07E3DA09DBC67C3961
                                                                                                                    SHA-256:EFA2E6DE548401376A575E83A79DE019AA38F191D63FDEF3BD2B07D8CB33E3D7
                                                                                                                    SHA-512:02259FF3C8478CBA134A8F8408AA624B7165CED97C0AED8C9626034599DD5439F84D1AF9EEFC4191898B0A524E5FFAFB9875EC00E740CEBE97EAC4C2DD0E31AA
                                                                                                                    Malicious:true
                                                                                                                    Preview:MSCF....Oj......D...........................Oj...#..............l....(.........6{. .d3dx9_33_x86.cat.hW5..(....l6O. .d3dx9_33.dll.\.....5....6B. .apr2007_d3dx9_33_x86.inf.....\.5....6B. .d3dx9_33_x86.inf.,...g.5....6B. .d3dx9_33_x86_xp.inf.6^]Z.;..CK.y<.....Y.[.J..".<3..K.AJ.CQa.&a..-.L.vE...")[e..!E)e...(q.W).g..t...?.....Ws^...|.9...9.=.3..L.XN.U.&... ...L.p.b ..,....$.BJp@0.....@#.x^D*...T.`~N./J~... ..A6..Tj.....s.....a...A.....#YV..`&B.m...!"....O.h.x.....!M ..e. k@...$C.7..F...7.%...............C".Xk..V..Y...*..9...B>.n......J..<......{..w.MORA....v...H..l%.....`...;l.:..T@'Y]..9,H.`.,....A.....u..p.a.....D./!..VZ..1P..I......C..........9..4..1.z......h....W...~.}"hK.m..sA..}<;..w...,8.[a.y.!X...HM....qf.!....i.~.m`.O5...T&......2?...,%#.YCTh......H....@.a........?....7..}.+.c.S.\...-.%`.......1...5......24..........5.....yy-v..R.......{.C*..@"....n..C.I.`.ZX....@.MH.*.+9Q[.|.rD.j ...A.(.Vb.ZZx.f......F..}h..X....~[.Cs.S|....RV9JT.k.....c....C...
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 689905 bytes, 6 files, at 0x44 +A "d3dx10_33_x86.cat" +A "d3dcompiler_33.dll", flags 0x4, ID 9049, number 1, extra bytes 20 in head, 49 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):699073
                                                                                                                    Entropy (8bit):7.998968028413629
                                                                                                                    Encrypted:true
                                                                                                                    SSDEEP:12288:SHwziN1v34WzSc6IA6ajvY8ov8ZdReUTQ8Mr47JYCophIa9sNDn1QcILtw6:V01wWzCI3ajjls4NpAsNDnMw6
                                                                                                                    MD5:F784B8A0FD84C8AC3F218A9842D8DA56
                                                                                                                    SHA1:FB7B4B0F81CD5F1C6A900C71BFD4524AF9A79ECE
                                                                                                                    SHA-256:949068035CE57BBB3658217EC04F8DE7A122C6E7857B6F8B0CA002EB573DF553
                                                                                                                    SHA-512:01B818AA5188CDE3504E289AEDCA2D31A6C5AED479B18A2C78271828AE04BEBCD4082051B7F4EECA8A31E8EE5ADBA158420ECDCB21371C735E4781EE5F661DBF
                                                                                                                    Malicious:true
                                                                                                                    Preview:MSCF...........D...............Y#..............#..............1....).........6{. .d3dx10_33_x86.cat.p%...)....l6O. .d3dcompiler_33.dll.h...2O....o6=. .d3dx10_33.dll............6E. .apr2007_d3dx10_33_x86.inf.I...7......6E. .d3dx10_33_x86.inf.i..........6E. .d3dx10_33_x86_xp.inf..j"(.2..CK.y<...........l.al..)e.!a.&...l3.-.h....j.,."D.R..O...%W).gFn........}.z5..<s..s>.s>..|...U*x...Z..!..E..U...<$.....y0.sPH)....<..<.4.M.@...U.......\).@..6.'.Yi.!.....R.@.&..X..i..z..Y....`...C...).Cz...p.9H$...t@....I.s....;.[.C+A"..<.7.w3..A..u...s8$....ma.Y5.3.e C.e.yAAP ...@L..8.,?..h.a..E2=..9=.......e5|a./3B"q....Zh.P...6P.."....k....:.w..:.h%.....H.0u......+..D.+!..-...9.sD...O...QZ.a..8v#......Q..N..l%....c..?P..........>.....~......0.F.VB!1ii..v5.4.R.R.....LX.X.........w.8.'.~..p.8.......A......6w.\...~..[.B.E.!..h....uQR..q.....O.....R......Cth-.....$z..B..00.l.Uo.. '..m..fB..}...ij....<..RX._......k .k1.xH......A3y.<~V>.s^gV.8+.;+...CP..+. &.....PH..).UA{...E..
                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    File Type:Microsoft Cabinet archive data, many, 1601326 bytes, 5 files, at 0x44 +A "d3dx9_34_x86.cat" +A "d3dx9_34.dll", flags 0x4, ID 7195, number 1, extra bytes 20 in head, 108 datablocks, 0x1 compression
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1610494
                                                                                                                    Entropy (8bit):7.999066428256981
                                                                                                                    Encrypted:true
                                                                                                                    SSDEEP:24576:ZBdkB3TM+mIf4qyM0iJRy3QvQDxPYKhatPJZcg9QwJeYX34eq2F37kRVeLbdiL3q:ZPU3TMXxDVI3vQ2KSBP4YH4aAELbdK3q
                                                                                                                    MD5:FE8FEB215FAE59866DCD68C1604D97AA
                                                                                                                    SHA1:CEDACA678D15E78AA458B965ABB467E8964A1FAB
                                                                                                                    SHA-256:1C1E1C6F68BA556A0AF09A38C32EB421C543A4848C4B42D25867C98DAB3B3A50
                                                                                                                    SHA-512:9955336B561E4FD3BA3DA7FC086643E811048A25A7E68344D2CC5CAB091980BAAE1C04CE41328B59C896662E2875886B78EC869852B2D1DAAA46AF38C894A3F2
                                                                                                                    Malicious:true
                                                                                                                    Preview:MSCF.....o......D............................o...#..............l....(.........6.. .d3dx9_34_x86.cat.h_5..(.....6.. .d3dx9_34.dll.......5....6.. .d3dx9_34_x86.inf.,.....5....6.. .d3dx9_34_x86_xp.inf.\...7.5....6.. .jun2007_d3dx9_34_x86.inf.A.".l>..CK..\...;T.D...1.(.`...2CH..........`.UD.....b.;va.;*6...w.{.f.l..9.....w?..=k....=.;..........Zh.....<m--.....^..:.z.#_g.~.>.Z.Z..C..|...5..J.P..JKK.(.0...>+.G..~.hy{c....b2.,..!..?E.&.j.1.u.=.1.B...q...p..>...q.Y....x..\6.uB......>........A..A.f.1..{v.Z...F.F.|:.[.Z!..@$.IA.H""ET.J.c.........d..G.....\...xco.#.G......`k?d..E..s...B,........O.0(?..r.......TD..y.W..FkkkC+i...&..!@... ..xP_>(#!...b.O.>,P.8d......lM>..R-t...[.lm2.WS|.u..._.K/.3.3.~.1a....+*....q....o.M.O>o..Y...O*/..B.y_...V..5..5..$#~.+.H..5.B.tu...../.......|.[.(5q.YT5...II..@K._.d0.@M (.U.p...J.!Q_....5.....O....?].k.)..3.u.an}*.....6A. .]].....rg....Z.0...}...u.....*P$g*eq.*.]t/......e.JE."VE.(...LhNu..(...L!g.0...:m:...V(T4~.*^...2...y
                                                                                                                    Process:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):41472
                                                                                                                    Entropy (8bit):6.117634545486585
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJ:JxqjQ+P04wsmJC
                                                                                                                    MD5:EAD203CB6AA81E842D32F43FAB32C493
                                                                                                                    SHA1:124B348EB437E838674F5B9DE4E98DA20C17EF60
                                                                                                                    SHA-256:C6845F33531B0405B1F2B248AA2E9C429BB074FD32589FA55D4429CE2DFC96EF
                                                                                                                    SHA-512:A60434CB1ED67867613951CA4A09C8C3B7BA34CA7D03E16399EB96B771D41F96D7EFDCD39F6E35CC1E341F273D3303584C3C981943E3E2D6BC016471F51CFC5D
                                                                                                                    Malicious:true
                                                                                                                    Yara Hits:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Windows\svchost.com, Author: Joe Security
                                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Windows\svchost.com, Author: ditekSHen
                                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Entropy (8bit):7.642008494677344
                                                                                                                    TrID:
                                                                                                                    • Win32 Executable (generic) a (10002005/4) 97.38%
                                                                                                                    • Win32 Executable Borland Delphi 6 (262906/60) 2.56%
                                                                                                                    • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                                                                    File name:dxwebsetup.exe
                                                                                                                    File size:336'792 bytes
                                                                                                                    MD5:2cca969570717a0af4f2531eb69cc7c9
                                                                                                                    SHA1:692243584cca03a41bab00ae6113e6e7a3d14863
                                                                                                                    SHA256:a9971d2f3b8c1611723938a3ea6578c27f31049d3297e607cf0ee6927a4a26c7
                                                                                                                    SHA512:3a2257abdadb2ef34a8171a3c3965b8e6bba955dcda0ca837a635736da0f17795e71ff93d8f4421a51ac9778d10dce1f3c28a62149d05ccf07ae75934fff5670
                                                                                                                    SSDEEP:6144:k9Qc2liXmrLxcdRDLiH1vVRGVOhMp421/7YQxhWK87:BcvgLARDI1KIOzOl
                                                                                                                    TLSH:0164F141AAF4C077D0B51B748DF742935A397D66AC79A32F93A62C8C9CB03807A39717
                                                                                                                    File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                                                    Icon Hash:878fd7f3b9353593
                                                                                                                    Entrypoint:0x4080e4
                                                                                                                    Entrypoint Section:CODE
                                                                                                                    Digitally signed:false
                                                                                                                    Imagebase:0x400000
                                                                                                                    Subsystem:windows gui
                                                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                                                    DLL Characteristics:
                                                                                                                    Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                                                                    TLS Callbacks:
                                                                                                                    CLR (.Net) Version:
                                                                                                                    OS Version Major:4
                                                                                                                    OS Version Minor:0
                                                                                                                    File Version Major:4
                                                                                                                    File Version Minor:0
                                                                                                                    Subsystem Version Major:4
                                                                                                                    Subsystem Version Minor:0
                                                                                                                    Import Hash:9f4693fc0c511135129493f2161d1e86
                                                                                                                    Instruction
                                                                                                                    push ebp
                                                                                                                    mov ebp, esp
                                                                                                                    add esp, FFFFFFE0h
                                                                                                                    xor eax, eax
                                                                                                                    mov dword ptr [ebp-20h], eax
                                                                                                                    mov dword ptr [ebp-18h], eax
                                                                                                                    mov dword ptr [ebp-1Ch], eax
                                                                                                                    mov dword ptr [ebp-14h], eax
                                                                                                                    mov eax, 00408054h
                                                                                                                    call 00007FD03546C6A7h
                                                                                                                    xor eax, eax
                                                                                                                    push ebp
                                                                                                                    push 00408220h
                                                                                                                    push dword ptr fs:[eax]
                                                                                                                    mov dword ptr fs:[eax], esp
                                                                                                                    mov eax, 004091A8h
                                                                                                                    mov ecx, 0000000Bh
                                                                                                                    mov edx, 0000000Bh
                                                                                                                    call 00007FD03546F7F1h
                                                                                                                    mov eax, 004091B4h
                                                                                                                    mov ecx, 00000009h
                                                                                                                    mov edx, 00000009h
                                                                                                                    call 00007FD03546F7DDh
                                                                                                                    mov eax, 004091C0h
                                                                                                                    mov ecx, 00000003h
                                                                                                                    mov edx, 00000003h
                                                                                                                    call 00007FD03546F7C9h
                                                                                                                    mov eax, 004091DCh
                                                                                                                    mov ecx, 00000003h
                                                                                                                    mov edx, 00000003h
                                                                                                                    call 00007FD03546F7B5h
                                                                                                                    mov eax, dword ptr [00409210h]
                                                                                                                    mov ecx, 0000000Bh
                                                                                                                    mov edx, 0000000Bh
                                                                                                                    call 00007FD03546F7A1h
                                                                                                                    call 00007FD03546F7F8h
                                                                                                                    lea edx, dword ptr [ebp-14h]
                                                                                                                    xor eax, eax
                                                                                                                    call 00007FD03546D0E2h
                                                                                                                    mov eax, dword ptr [ebp-14h]
                                                                                                                    call 00007FD03546D676h
                                                                                                                    cmp eax, 0000A200h
                                                                                                                    jle 00007FD035470897h
                                                                                                                    call 00007FD03546FD76h
                                                                                                                    call 00007FD035470589h
                                                                                                                    mov eax, 004091C4h
                                                                                                                    mov ecx, 00000003h
                                                                                                                    mov edx, 00000003h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x15000 | 0x864 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x19000 | 0x1400 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x18000 | 0x5cc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x17000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x722c | 0x7400 | ca3464d4f08c9010e7ffa2fe3e890344 | False | 0.6173558728448276 | data | 6.511672174892103 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0x9000 | 0x218 | 0x400 | 7ffc3168a7f3103634abdf3a768ed128 | False | 0.3623046875 | data | 3.1516983405583385 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0xa000 | 0xa899 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x15000 | 0x864 | 0xa00 | 6e7a45521bfca94f1e506361f70e7261 | False | 0.37421875 | data | 4.173859768945439 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x16000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x17000 | 0x18 | 0x200 | 7e6c0f4f4435abc870eb550d5072bad6 | False | 0.05078125 | data | 0.2069200177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x18000 | 0x5cc | 0x600 | 16968c66d220638496d6b095f21de777 | False | 0.8483072916666666 | data | 6.443093465893509 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x19000 | 0x1400 | 0x1400 | 2edd9b78d4297a9e5ae60b05cc56cb09 | False | 0.18828125 | data | 2.764798579979239 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
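The Entropy and Characteristics columns are the two a reviewer reads first in this table: a code section at 6.51 bits per byte is ordinary native x86 rather than packed data, and the CODE/DATA/BSS section names are the Borland/Delphi linker's, which fits Neshta (a Delphi-compiled file infector). As an added example, not code from the Joe Sandbox report or from the sample, the following standard-library Python walks a PE section table and reproduces those two columns; the PE it tests itself on is constructed inline to mirror the CODE/DATA/BSS rows above and is not the sample.

```python
# Added example for this page, not code from the Joe Sandbox report or from
# the sample: walk a PE's section table with the standard library only and
# score each section the way the report's Entropy and Characteristics columns
# do. The PE used for the self-test is constructed inline and is NOT the sample.
import math
import random
import struct
from collections import Counter

# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Section names the Borland/Delphi linker emits; Neshta is a Delphi binary.
BORLAND_SECTION_NAMES = {b"CODE", b"DATA", b"BSS"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """One dict per IMAGE_SECTION_HEADER, entropy computed over the raw bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]  # SizeOfOptionalHeader
    first = coff + 20 + opt_size                           # section table start
    sections = []
    for i in range(num_sections):
        (name, vsize, vaddr, raw_size, raw_ptr, _r, _l, _nr, _nl,
         chars) = struct.unpack_from("<8sIIIIIIHHI", pe, first + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0"), "vaddr": vaddr,
                         "vsize": vsize, "raw_size": raw_size, "chars": chars,
                         "entropy": shannon_entropy(raw)})
    return sections


def suspicious(section: dict, entropy_threshold: float = 7.0) -> list:
    """Reviewer flags for one section. The report's CODE section scores 6.51,
    ordinary for native x86; packed or encrypted sections usually exceed 7.0."""
    flags, c = [], section["chars"]
    if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE:
        flags.append("writable and executable")
    if section["raw_size"] and section["entropy"] >= entropy_threshold:
        flags.append("high entropy")
    if section["name"] in BORLAND_SECTION_NAMES:
        flags.append("Borland/Delphi section naming")
    return flags


def build_sample_pe(sections: list) -> bytes:
    """Constructed PE32 image for testing (not the sample).
    sections: list of (name, vaddr, vsize, raw_data, characteristics)."""
    file_align, opt_size = 0x200, 0xE0                    # PE32 optional header size
    headers_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_base = (headers_len + file_align - 1) // file_align * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    table, body = bytearray(), bytearray()
    for name, vaddr, vsize, data, chars in sections:
        raw_size = (len(data) + file_align - 1) // file_align * file_align
        raw_ptr = raw_base + len(body) if raw_size else 0
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                             raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += data.ljust(raw_size, b"\0")
    image = bytearray(dos + b"PE\0\0" + coff + opt + table)
    image += b"\0" * (raw_base - len(image))
    return bytes(image + body)


def report_like_sample() -> bytes:
    """Three sections laid out like the report's CODE/DATA/BSS rows; the CODE
    bytes are seeded pseudo-random filler standing in for real code."""
    rng = random.Random(1)
    code = bytes(rng.getrandbits(8) for _ in range(0x722C))
    return build_sample_pe([
        (b"CODE", 0x1000, 0x722C, code,
         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b"DATA", 0x9000, 0x218, b"\0" * 0x218,
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (b"BSS", 0xA000, 0xA899, b"", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ])


if __name__ == "__main__":
    for s in parse_sections(report_like_sample()):
        print(f"{s['name'].decode():6s} va={s['vaddr']:#07x} vsize={s['vsize']:#07x} "
              f"raw={s['raw_size']:#07x} entropy={s['entropy']:.2f} {suspicious(s)}")
```

Because the constructed CODE section is filled with seeded pseudo-random bytes it scores close to 8.0 and trips the entropy flag, which is what a packed or encrypted section looks like; the real sample's 6.51 would not. To run it over a file on disk, pass `open(path, "rb").read()` to `parse_sections` in place of `report_like_sample()`.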
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x19150 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4264 | Russian | Russia | 0.07340525328330207
RT_RCDATA | 0x1a1f8 | 0x10 | data | | | 1.5
RT_RCDATA | 0x1a208 | 0xac | data | | | 1.063953488372093
RT_GROUP_ICON | 0x1a2b4 | 0x14 | data | Russian | Russia | 1.1
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, GetThreadLocale, GetStartupInfoA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dll | GetKeyboardType, MessageBoxA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll | SysFreeString, SysReAllocStringLen
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll | RegSetValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll | WriteFile, WinExec, SetFilePointer, SetFileAttributesA, SetEndOfFile, SetCurrentDirectoryA, ReleaseMutex, ReadFile, GetWindowsDirectoryA, GetTempPathA, GetShortPathNameA, GetModuleFileNameA, GetLogicalDriveStringsA, GetLocalTime, GetLastError, GetFileSize, GetFileAttributesA, GetDriveTypeA, GetCommandLineA, FreeLibrary, FindNextFileA, FindFirstFileA, FindClose, DeleteFileA, CreateMutexA, CreateFileA, CreateDirectoryA, CloseHandle
gdi32.dll | StretchDIBits, SetDIBits, SelectObject, GetObjectA, GetDIBits, DeleteObject, DeleteDC, CreateSolidBrush, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, BitBlt
user32.dll | ReleaseDC, GetSysColor, GetIconInfo, GetDC, FillRect, DestroyIcon, CopyImage, CharLowerBuffA
shell32.dll | ShellExecuteA, ExtractIconA
Language of compilation system | Country where language is spoken
Russian | Russia
                                                                                                                    No network behavior found

                                                                                                                    Target ID:0
                                                                                                                    Start time:06:06:08
                                                                                                                    Start date:13/12/2024
                                                                                                                    Path:C:\Users\user\Desktop\dxwebsetup.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"C:\Users\user\Desktop\dxwebsetup.exe"
                                                                                                                    Imagebase:0x400000
                                                                                                                    File size:336'792 bytes
                                                                                                                    MD5 hash:2CCA969570717A0AF4F2531EB69CC7C9
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Yara matches:
                                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: 00000000.00000002.2266925011.0000000000409000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                    Reputation:low
                                                                                                                    Has exited:true

                                                                                                                    Target ID:1
                                                                                                                    Start time:06:06:08
                                                                                                                    Start date:13/12/2024
                                                                                                                    Path:C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"C:\Users\user\AppData\Local\Temp\3582-490\dxwebsetup.exe"
                                                                                                                    Imagebase:0x1000000
                                                                                                                    File size:295'320 bytes
                                                                                                                    MD5 hash:2CBD6AD183914A0C554F0739069E77D7
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:low
                                                                                                                    Has exited:false

                                                                                                                    Target ID:2
                                                                                                                    Start time:06:06:08
                                                                                                                    Start date:13/12/2024
                                                                                                                    Path:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                                                    Imagebase:0xda0000
                                                                                                                    File size:527'360 bytes
                                                                                                                    MD5 hash:AC3A5F7BE8CD13A863B50AB5FE00B71C
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:moderate
                                                                                                                    Has exited:false
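Target ID 0 (336,792 bytes) writes Target ID 1 to %TEMP%\3582-490\ (295,320 bytes) and runs it; the difference is 41,472 = 0xA200, the constant the listing earlier on this page compares a file size against (`cmp eax, 0000A200h` followed by `jle`). That is consistent with the infected file being a 0xA200-byte Neshta stub with the original host appended, and the 3582-490 copy being that host, which here goes on to unpack into IXP000.TMP. As an added example, not code from the report, this Python carves the host back out under that assumption; the stub size and layout are inferences from the report's numbers, and the test input is constructed.

```python
# Added example for this page, not code from the report or the sample.
# It relies on three numbers the report shows: the submitted file is
# 336,792 bytes (Target ID 0), the copy Neshta drops to %TEMP%\3582-490\ and
# runs is 295,320 bytes (Target ID 1), and the listing compares a file size
# against 0xA200 (cmp eax, 0000A200h). 336,792 - 295,320 = 41,472 = 0xA200,
# so the infected file is read here as [Neshta stub | original host]; that
# layout and STUB_SIZE are inferences from those numbers, not values the
# report states directly.
import struct

STUB_SIZE = 0xA200   # 41,472 bytes: infected size minus dropped-host size


def looks_like_pe(data: bytes) -> bool:
    """MZ header, e_lfanew in range, and a PE signature where it points."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def carve_host(infected: bytes, stub_size: int = STUB_SIZE) -> bytes:
    """Return the host appended after the stub; raise if the layout does not fit."""
    if not looks_like_pe(infected):
        raise ValueError("input is not a PE file")
    # Same test the listing makes (jle after cmp with 0xA200): nothing appended.
    if len(infected) <= stub_size:
        raise ValueError("file is not larger than the stub; no host appended")
    host = infected[stub_size:]
    if not looks_like_pe(host):
        raise ValueError("bytes after the stub are not a PE image; "
                         "wrong stub size or not a Neshta-infected file")
    return host


def is_infected(data: bytes, stub_size: int = STUB_SIZE) -> bool:
    """True when data parses as [PE stub of stub_size bytes][PE host]."""
    try:
        carve_host(data, stub_size)
        return True
    except ValueError:
        return False


def minimal_pe(total_len: int, marker: bytes) -> bytes:
    """Constructed test input: bare MZ/PE headers padded to total_len, with a
    marker right after the PE signature so the two halves can be told apart."""
    img = bytearray(total_len)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)      # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    img[0x44:0x44 + len(marker)] = marker
    return bytes(img)


def demo() -> bytes:
    """Build a stub-plus-host file from constructed parts and carve the host out."""
    infected = minimal_pe(STUB_SIZE, b"stub") + minimal_pe(1024, b"host")
    return carve_host(infected)


if __name__ == "__main__":
    host = demo()
    print(len(host), host[0x44:0x48])     # 1024 b'host'
```

On a real sample the carved bytes should hash to the MD5 the report lists for Target ID 1 (2CBD6AD183914A0C554F0739069E77D7); a mismatch means either the stub size assumption or the sample is different from what this page shows.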


                                                                                                                      Execution Graph

                                                                                                                      Execution Coverage:20%
                                                                                                                      Dynamic/Decrypted Code Coverage:79.8%
                                                                                                                      Signature Coverage:22.4%
                                                                                                                      Total number of Nodes:912
                                                                                                                      Total number of Limit Nodes:40
[Execution graph: the interactive viewer's node/edge dump is not reproduced as text, and the source cuts it off mid-stream. The node addresses (0x1001xxx to 0x1005xxx) are consistent with Target ID 1 (imagebase 0x1000000). API chains recoverable from the dump: entry via GetCommandLineA -> GetStartupInfoA -> GetModuleHandleA; start-up CreateEventA/SetEvent and CreateMutexA -> GetLastError; GetVersionExA; a token group check GetCurrentProcess -> OpenProcessToken -> GetTokenInformation -> AllocateAndInitializeSid -> EqualSid -> FreeSid (with LoadLibraryA/GetProcAddress preceding a second AllocateAndInitializeSid); version queries GetFileVersionInfoSizeA -> GetFileVersionInfoA -> VerQueryValueA alongside RegOpenKeyExA -> RegQueryValueExA -> ExpandEnvironmentStringsA and GetSystemDirectoryA/GetWindowsDirectoryA; GetTempPathA -> GetDriveTypeA -> GetFileAttributesA; a recursive directory cleanup FindFirstFileA -> lstrcmpA -> SetFileAttributesA/DeleteFileA -> FindNextFileA -> FindClose/RemoveDirectoryA; dialog handling through DialogBoxIndirectParamA, SetDlgItemTextA, EndDialog and MessageBoxA (with EnumResourceLanguagesA for the message language); and an ExitWindowsEx path next to GetCurrentProcess/OpenProcessToken.]
10052c7 3267->3269 3267->3276 3268 1005400 lstrcpyA 3268->3276 3270 10038cc 24 API calls 3269->3270 3298 10052d7 3270->3298 3271 1002a34 6 API calls 3271->3276 3272 10053df 3274 10038cc 24 API calls 3272->3274 3274->3298 3275 10053f9 3275->2931 3276->3268 3276->3271 3276->3272 3276->3275 3277 1005440 lstrcmpiA 3276->3277 3279 10055bd 3276->3279 3282 1005591 LocalFree 3276->3282 3283 100562c LocalFree 3276->3283 3286 10055a3 3276->3286 3291 10053a3 lstrcmpiA 3276->3291 3299 10054c0 3276->3299 3596 10022ff lstrcpyA 3276->3596 3648 100198b RegCreateKeyExA 3276->3648 3669 1004560 3276->3669 3277->3276 3277->3286 3281 10038cc 24 API calls 3279->3281 3285 10055cd LocalFree 3281->3285 3282->3276 3282->3286 3283->3275 3285->3275 3286->3275 3689 1001b8b 3286->3689 3288 10055e1 3290 10038cc 24 API calls 3288->3290 3289 10054d4 GetProcAddress 3292 10055f7 3289->3292 3289->3299 3293 10055f5 3290->3293 3291->3276 3294 10038cc 24 API calls 3292->3294 3296 1005612 LocalFree 3293->3296 3295 100560b FreeLibrary 3294->3295 3295->3296 3297 1003547 3 API calls 3296->3297 3297->3298 3298->3275 3299->3288 3299->3289 3300 1005575 FreeLibrary 3299->3300 3301 1005626 FreeLibrary 3299->3301 3682 100370f lstrcpyA 3299->3682 3300->3282 3301->3283 3303 1002a34 6 API calls 3302->3303 3304 1004493 LocalAlloc 3303->3304 3305 10044c6 3304->3305 3306 10044aa 3304->3306 3308 1002a34 6 API calls 3305->3308 3307 10038cc 24 API calls 3306->3307 3309 10044ba 3307->3309 3310 10044ce 3308->3310 3311 1003547 3 API calls 3309->3311 3312 10044d2 3310->3312 3313 10044fa lstrcmpA 3310->3313 3318 10044bf 3311->3318 3316 10038cc 24 API calls 3312->3316 3314 1004547 LocalFree 3313->3314 3315 100450f 3313->3315 3314->3318 3317 1004161 28 API calls 3315->3317 3319 10044e2 LocalFree 3316->3319 3320 1004527 LocalFree 3317->3320 3318->2908 3318->2932 3319->3318 3320->3318 3322 1003554 GetLastError 3321->3322 3323 1003558 GetLastError 3321->3323 3322->2930 3323->2930 3325 1002a34 6 API calls 3324->3325 3326 100466a 
LocalAlloc 3325->3326 3327 1004690 3326->3327 3328 100467e 3326->3328 3330 1002a34 6 API calls 3327->3330 3329 10038cc 24 API calls 3328->3329 3332 100468e 3329->3332 3331 1004698 3330->3331 3333 10046a8 lstrcmpA 3331->3333 3334 100469c 3331->3334 3332->2932 3333->3334 3335 10046c8 LocalFree 3333->3335 3336 10038cc 24 API calls 3334->3336 3335->3332 3336->3335 3338 10035a4 3337->3338 3343 1003613 3337->3343 3339 10035a9 LoadResource LockResource 3338->3339 3341 1003624 FreeResource 3338->3341 3342 10035e7 FreeResource wsprintfA FindResourceA 3338->3342 3340 10035be lstrlenA 3339->3340 3339->3343 3340->3338 3341->3343 3342->3338 3342->3343 3343->3186 3343->3187 3345 1004ba7 lstrcpyA 3344->3345 3346 1004b2c 3344->3346 3348 1004ba5 3345->3348 3407 1002f7a 3346->3407 3416 1003e60 lstrlenA LocalAlloc 3348->3416 3351 1004be4 3351->3226 3368 1001f6e GetWindowsDirectoryA 3351->3368 3352 1004b43 lstrcpyA 3354 1004b9a 3352->3354 3355 1004b5f GetSystemInfo 3352->3355 3358 1005b32 3 API calls 3354->3358 3367 1004b71 3355->3367 3356 1004bc0 CreateDirectoryA 3359 1004bcc 3356->3359 3360 1004bef 3356->3360 3357 1004bd6 3361 1003f0d 40 API calls 3357->3361 3358->3348 3359->3357 3363 1003547 3 API calls 3360->3363 3362 1004be0 3361->3362 3362->3351 3366 1004c03 RemoveDirectoryA 3362->3366 3365 1004bf4 3363->3365 3364 1005b32 3 API calls 3364->3354 3365->3351 3366->3351 3367->3354 3367->3364 3369 1001f9d 3368->3369 3370 1001f8d 3368->3370 3369->3211 3369->3228 3371 10038cc 24 API calls 3370->3371 3371->3369 3373 1005e49 3372->3373 3374 1005e2e GetDiskFreeSpaceA 3372->3374 3373->3235 3374->3373 3375 1005e4d MulDiv 3374->3375 3375->3373 3377 1001f5a CreateDirectoryA 3376->3377 3378 1001f68 3376->3378 3377->3378 3378->3235 3380 1003f21 3379->3380 3381 1003f29 GetCurrentDirectoryA SetCurrentDirectoryA 3379->3381 3380->3211 3382 1003f4c 3381->3382 3383 1003f6d 3381->3383 3384 10038cc 24 API calls 3382->3384 3429 1005e67 GetDiskFreeSpaceA 3383->3429 3386 1003f5c 3384->3386 3388 1003547 3 
API calls 3386->3388 3393 1003f61 3388->3393 3389 1003fd2 GetVolumeInformationA 3391 1003fea 3389->3391 3392 100404f SetCurrentDirectoryA lstrcpynA 3389->3392 3390 1003f7d 3394 1003547 3 API calls 3390->3394 3395 1003547 3 API calls 3391->3395 3396 100406e 3392->3396 3393->3380 3397 1003f98 GetLastError FormatMessageA 3394->3397 3398 1004003 GetLastError FormatMessageA 3395->3398 3401 1004082 3396->3401 3405 1004097 3396->3405 3399 100403b 3397->3399 3398->3399 3400 10038cc 24 API calls 3399->3400 3402 1004041 SetCurrentDirectoryA 3400->3402 3403 10038cc 24 API calls 3401->3403 3402->3380 3404 1004092 3403->3404 3404->3405 3405->3380 3432 1001fce 3405->3432 3408 1002f8f wsprintfA lstrcpyA 3407->3408 3409 1005b32 3 API calls 3408->3409 3410 1002fbd RemoveDirectoryA GetFileAttributesA 3409->3410 3411 1003015 CreateDirectoryA 3410->3411 3412 1002fd6 3410->3412 3413 1002fde GetTempFileNameA 3411->3413 3414 1003006 3411->3414 3412->3408 3412->3413 3413->3414 3415 1002ff7 DeleteFileA CreateDirectoryA 3413->3415 3414->3351 3414->3352 3415->3414 3417 1003ea0 lstrcpyA 3416->3417 3418 1003e82 3416->3418 3420 1005b32 3 API calls 3417->3420 3419 10038cc 24 API calls 3418->3419 3421 1003e92 3419->3421 3422 1003eb4 CreateFileA LocalFree 3420->3422 3425 1003547 3 API calls 3421->3425 3423 1003ed8 CloseHandle GetFileAttributesA 3422->3423 3424 1003eeb 3422->3424 3423->3424 3426 1003547 3 API calls 3424->3426 3428 1003eef 3424->3428 3427 1003e97 3425->3427 3426->3428 3427->3428 3428->3356 3428->3357 3430 1005e9a MulDiv 3429->3430 3431 1003f77 3429->3431 3430->3431 3431->3389 3431->3390 3433 1001fea 3432->3433 3434 100200e 3432->3434 3447 1001fb1 wsprintfA 3433->3447 3436 1002043 3434->3436 3437 1002014 3434->3437 3440 100200c 3436->3440 3449 1001fb1 wsprintfA 3436->3449 3448 1001fb1 wsprintfA 3437->3448 3438 1002000 3441 10038cc 24 API calls 3438->3441 3440->3380 3441->3440 3442 100202b 3444 10038cc 24 API calls 3442->3444 3444->3440 3445 100205f 3446 10038cc 24 API calls 
3445->3446 3446->3440 3447->3438 3448->3442 3449->3445 3471 1002e6f 3450->3471 3452 10049e0 3453 10049e4 3452->3453 3454 10049f3 GetDlgItem ShowWindow GetDlgItem ShowWindow 3452->3454 3455 1004a1d 3452->3455 3453->3252 3454->3455 3474 1003c60 3455->3474 3457 1004a28 3459 1004a2c 3457->3459 3480 1006e88 3457->3480 3458 10038cc 24 API calls 3460 1004abb 3458->3460 3459->3458 3462 1004abd 3460->3462 3464 1004ad3 3462->3464 3465 1004ac6 FreeResource 3462->3465 3463 1004a8c 3463->3459 3463->3462 3466 1004aef 3464->3466 3468 1004adf 3464->3468 3465->3464 3467 1004b14 3466->3467 3469 1004b01 SendMessageA 3466->3469 3467->3252 3470 10038cc 24 API calls 3468->3470 3469->3467 3470->3466 3472 1002a34 6 API calls 3471->3472 3473 1002e7f FindResourceA LoadResource LockResource 3472->3473 3473->3452 3475 1003c9f 3474->3475 3479 1003cf6 3475->3479 3485 1003b9b 3475->3485 3477 1003cbd 3477->3479 3493 1002cb2 3477->3493 3479->3457 3482 1006ec3 3480->3482 3481 1006f9b 3481->3463 3482->3481 3509 1005bca GetFileAttributesA 3482->3509 3511 1006d39 3482->3511 3486 1003ba9 3485->3486 3487 1003bda lstrcmpA 3486->3487 3488 1003bbe 3486->3488 3490 1003bd3 3487->3490 3491 1003c2e 3487->3491 3489 10038cc 24 API calls 3488->3489 3489->3490 3490->3477 3496 1003b00 3491->3496 3494 1002ce5 CloseHandle 3493->3494 3495 1002cc9 3493->3495 3494->3495 3495->3479 3497 1003b08 3496->3497 3498 1003b10 CreateFileA 3496->3498 3497->3490 3498->3497 3500 1003b7b 3498->3500 3500->3497 3501 1003b80 3500->3501 3504 1002b34 3501->3504 3505 1002b97 CreateFileA 3504->3505 3506 1002b3f 3504->3506 3505->3497 3506->3505 3507 1002b89 CharNextA 3506->3507 3508 1002b7a CreateDirectoryA 3506->3508 3507->3506 3508->3507 3510 1005bd9 3509->3510 3510->3482 3512 1006df4 3511->3512 3514 1006d4d 3511->3514 3516 1002cb2 CloseHandle 3512->3516 3526 1004888 3512->3526 3513 1006dcb 3513->3482 3514->3512 3514->3513 3518 1002c23 3514->3518 3516->3513 3552 100288f 3518->3552 3521 1002c3a 3521->3514 3522 1002c3f WriteFile 3523 1002c63 
3522->3523 3524 1002c68 3522->3524 3523->3514 3524->3523 3525 1002c89 SendDlgItemMessageA 3524->3525 3525->3523 3527 10048b5 3526->3527 3528 100489b 3526->3528 3529 10049d0 3527->3529 3530 10048c1 3527->3530 3531 10048ac 3528->3531 3533 1002cb2 CloseHandle 3528->3533 3579 1002e1b lstrcpyA lstrcpyA lstrcpyA 3529->3579 3530->3531 3534 10048c7 3530->3534 3535 100493e 3530->3535 3531->3513 3533->3531 3534->3531 3559 1002acd lstrlenA lstrlenA 3534->3559 3536 1004959 3535->3536 3537 100494a SetDlgItemTextA 3535->3537 3538 1002acd 8 API calls 3536->3538 3537->3536 3540 1004972 3538->3540 3540->3531 3544 1003b9b 29 API calls 3540->3544 3546 10049a4 3544->3546 3545 1002cb2 CloseHandle 3547 1004916 3545->3547 3546->3531 3548 10049b2 3546->3548 3549 1004923 SetFileAttributesA 3547->3549 3570 1003a7a LocalAlloc 3548->3570 3549->3531 3553 10028a6 MsgWaitForMultipleObjects 3552->3553 3554 10028f3 3553->3554 3555 10028bd PeekMessageA 3553->3555 3554->3521 3554->3522 3555->3553 3556 10028cb 3555->3556 3556->3553 3556->3554 3557 10028d6 DispatchMessageA 3556->3557 3558 10028e0 PeekMessageA 3556->3558 3557->3558 3558->3556 3560 1002af1 lstrcpyA lstrlenA 3559->3560 3561 1002aed 3559->3561 3562 1002b21 lstrcatA 3560->3562 3563 1002b08 lstrlenA 3560->3563 3561->3531 3565 1002d87 3561->3565 3562->3561 3563->3562 3564 1002b12 lstrlenA lstrlenA 3563->3564 3564->3562 3566 1002da0 3565->3566 3567 1002da4 DosDateTimeToFileTime 3565->3567 3566->3531 3566->3545 3567->3566 3568 1002db8 LocalFileTimeToFileTime 3567->3568 3568->3566 3569 1002dca SetFileTime 3568->3569 3569->3566 3571 1003a91 3570->3571 3572 1003aa8 lstrlenA LocalAlloc 3570->3572 3573 10038cc 24 API calls 3571->3573 3574 1003ade lstrcpyA 3572->3574 3575 1003abe 3572->3575 3576 1003aa6 3573->3576 3574->3576 3577 10038cc 24 API calls 3575->3577 3576->3531 3578 1003ad3 LocalFree 3577->3578 3578->3576 3579->3531 3581 1001e78 RegQueryValueExA 3580->3581 3582 1001e9b 3580->3582 3583 1001e92 RegCloseKey 3581->3583 3584 1001e8f 3581->3584 
3582->3262 3583->3582 3584->3583 3586 1001ef0 3585->3586 3587 1001ec9 RegQueryInfoKeyA 3585->3587 3586->3262 3588 1001ee4 3587->3588 3589 1001ee7 RegCloseKey 3587->3589 3588->3589 3589->3586 3591 1001e01 3590->3591 3592 1001e4c 3590->3592 3593 1005b32 3 API calls 3591->3593 3592->3262 3594 1001e13 WritePrivateProfileStringA _lopen 3593->3594 3594->3592 3595 1001e39 _llseek _lclose 3594->3595 3595->3592 3597 1002326 3596->3597 3698 1001840 3597->3698 3602 1002360 lstrcpyA 3605 1005b32 3 API calls 3602->3605 3603 1002377 lstrcpyA 3604 1002375 3603->3604 3606 1005be8 2 API calls 3604->3606 3605->3604 3607 1002383 3606->3607 3608 1002511 3607->3608 3609 1002391 lstrcmpiA 3607->3609 3610 1005be8 2 API calls 3608->3610 3609->3608 3611 10023a1 3609->3611 3612 1002519 3610->3612 3613 1005bca GetFileAttributesA 3611->3613 3614 1002575 LocalAlloc 3612->3614 3615 100251f lstrcmpiA 3612->3615 3616 10023ad 3613->3616 3618 10023b1 3614->3618 3619 100259d GetFileAttributesA 3614->3619 3615->3614 3617 100252b lstrlenA lstrlenA LocalAlloc 3615->3617 3616->3618 3621 1001840 2 API calls 3616->3621 3617->3618 3620 100255e wsprintfA 3617->3620 3625 10038cc 24 API calls 3618->3625 3622 10025e6 3619->3622 3623 10025af 3619->3623 3629 1002601 3620->3629 3626 10023db lstrlenA 3621->3626 3624 10025e9 lstrcpyA 3622->3624 3623->3622 3627 10025b3 lstrcpyA 3623->3627 3628 10025f2 3624->3628 3630 1002599 3625->3630 3631 1002411 3626->3631 3632 10023ee 3626->3632 3627->3628 3633 10025ca 3627->3633 3707 10021fb 3628->3707 3629->3276 3630->3629 3635 1002414 LocalAlloc 3631->3635 3638 1001840 2 API calls 3632->3638 3633->3628 3634 10025cf lstrcatA 3633->3634 3634->3624 3635->3618 3637 100243a GetPrivateProfileIntA GetPrivateProfileStringA 3635->3637 3642 1002490 lstrcpyA lstrcpyA 3637->3642 3643 10024b5 3637->3643 3639 1002404 3638->3639 3639->3635 3641 100240c lstrlenA 3639->3641 3641->3635 3642->3629 3645 10024e6 wsprintfA 3643->3645 3646 10024c6 GetShortPathNameA 3643->3646 3645->3629 3646->3645 
3649 10019f2 3648->3649 3650 1001b86 3648->3650 3651 1001a00 wsprintfA RegQueryValueExA 3649->3651 3652 1001a2f 3649->3652 3650->3276 3651->3649 3651->3652 3653 1001a34 RegCloseKey 3652->3653 3654 1001a49 GetSystemDirectoryA 3652->3654 3653->3650 3655 1005b32 3 API calls 3654->3655 3656 1001a6d LoadLibraryA 3655->3656 3657 1001a85 GetProcAddress FreeLibrary 3656->3657 3658 1001b0b GetModuleFileNameA 3656->3658 3657->3658 3661 1001aa9 GetSystemDirectoryA 3657->3661 3659 1001b23 RegCloseKey 3658->3659 3660 1001acc lstrlenA lstrlenA LocalAlloc 3658->3660 3659->3650 3662 1001af9 3660->3662 3663 1001b2e wsprintfA lstrlenA RegSetValueExA RegCloseKey LocalFree 3660->3663 3661->3660 3664 1001abb 3661->3664 3665 10038cc 24 API calls 3662->3665 3663->3650 3667 1005b32 3 API calls 3664->3667 3668 1001b09 3665->3668 3667->3660 3668->3659 3670 100457b CreateProcessA 3669->3670 3680 100464c 3669->3680 3671 1004609 3670->3671 3672 100459f WaitForSingleObject GetExitCodeProcess 3670->3672 3673 1003547 3 API calls 3671->3673 3674 10045c2 3672->3674 3681 10045dd 3672->3681 3676 100460e GetLastError FormatMessageA 3673->3676 3674->3681 3678 10038cc 24 API calls 3676->3678 3678->3680 3679 1004602 3679->3680 3680->3276 3733 10028fa 3681->3733 3683 1005b32 3 API calls 3682->3683 3684 1003739 GetFileAttributesA 3683->3684 3685 1003762 LoadLibraryA 3684->3685 3686 100374b 3684->3686 3688 100376b 3685->3688 3686->3685 3687 100374f LoadLibraryExA 3686->3687 3687->3688 3688->3299 3690 1001ba3 RegOpenKeyExA 3689->3690 3691 1001c7c 3689->3691 3690->3691 3692 1001bc5 RegQueryValueExA 3690->3692 3691->3275 3693 1001bf1 GetSystemDirectoryA 3692->3693 3694 1001c72 RegCloseKey 3692->3694 3695 1001c1d 3693->3695 3696 1001c2e wsprintfA lstrlenA RegSetValueExA 3693->3696 3694->3691 3697 1005b32 3 API calls 3695->3697 3696->3694 3697->3696 3699 100184f 3698->3699 3701 1001866 3699->3701 3702 100186e 3699->3702 3721 1005b00 3699->3721 3701->3702 3703 1005b00 2 API calls 3701->3703 3704 1001da9 
3702->3704 3703->3701 3705 1001db2 lstrlenA 3704->3705 3706 1001dbe 3704->3706 3705->3706 3706->3602 3706->3603 3708 100221c 3707->3708 3717 10022ef 3707->3717 3709 1002225 GetModuleFileNameA 3708->3709 3708->3717 3711 1002247 3709->3711 3709->3717 3710 1002255 IsDBCSLeadByte 3710->3711 3711->3710 3712 10022db CharNextA 3711->3712 3713 100226f CharNextA CharUpperA 3711->3713 3714 10022e0 CharNextA 3711->3714 3726 1005b71 lstrlenA CharPrevA 3711->3726 3712->3714 3713->3711 3715 10022b1 CharUpperA 3713->3715 3714->3710 3714->3717 3715->3711 3716 10022bf lstrcpyA lstrlenA 3715->3716 3716->3714 3717->3629 3720 10022a7 3720->3716 3722 1005b07 3721->3722 3723 1005b28 3722->3723 3724 1005ad3 IsDBCSLeadByte 3722->3724 3725 1005b1a CharNextA 3722->3725 3723->3699 3724->3722 3725->3722 3727 1005b97 CharPrevA 3726->3727 3728 1005ba0 3727->3728 3729 1005b91 3727->3729 3730 1005bb2 CharNextA 3728->3730 3731 1005ba9 CharPrevA 3728->3731 3732 100228c lstrlenA CharPrevA 3728->3732 3729->3727 3729->3728 3730->3732 3731->3730 3731->3732 3732->3716 3732->3720 3734 1002909 3733->3734 3736 1002903 CloseHandle CloseHandle 3733->3736 3737 1002613 3734->3737 3736->3679 3736->3680 3738 1002620 3737->3738 3740 1002634 3737->3740 3741 1001f34 3738->3741 3740->3736 3742 1001ef8 14 API calls 3741->3742 3743 1001f3d 3742->3743 3743->3740 3745 1001953 RegOpenKeyExA 3744->3745 3746 1001989 3744->3746 3745->3746 3747 1001972 RegDeleteValueA RegCloseKey 3745->3747 3746->2941 3747->3746 3749 10018e1 LookupPrivilegeValueA AdjustTokenPrivileges 3748->3749 3751 10018d5 3748->3751 3750 1001920 ExitWindowsEx 3749->3750 3749->3751 3750->3751 3752 100193c 3750->3752 3753 10038cc 24 API calls 3751->3753 3752->2958 3753->3752

Control-flow Graph

[Control-flow graph for the function at 10022ff (entry block 10022ff-1002324, exit block 100260c-1002610): basic-block edge list rendered as a graph in the original report; the API calls on its blocks are the ones listed under APIs below.]
APIs
• lstrcpyA.KERNEL32(?,00000000,00000001,74DEF530,00000000), ref: 0100231B
• lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?,01001324), ref: 01002366
• lstrcpyA.KERNEL32(?,?,?,?,01001324), ref: 01002379
• lstrcmpiA.KERNEL32(00000000,.INF), ref: 01002397
• lstrlenA.KERNEL32(DefaultInstall,?,01001318,?), ref: 010023E8
• lstrlenA.KERNEL32(?,?,01001314), ref: 0100240D
• LocalAlloc.KERNEL32(00000040,00000200), ref: 0100241B
• GetPrivateProfileIntA.KERNEL32(?,Reboot,00000000,?), ref: 01002457
• GetPrivateProfileStringA.KERNEL32(Version,AdvancedINF,01001251,?,00000008,?), ref: 01002486
• lstrcpyA.KERNEL32(00000000,?), ref: 010024A2
• lstrcpyA.KERNEL32(?,?), ref: 010024AE
• GetShortPathNameA.KERNEL32(?,?,00000104), ref: 010024DE
• wsprintfA.USER32 ref: 01002503
• lstrcmpiA.KERNEL32(00000000,.BAT), ref: 01002525
• lstrlenA.KERNEL32(Command.com /c %s), ref: 01002537
• lstrlenA.KERNEL32(?), ref: 01002542
• LocalAlloc.KERNEL32(00000040,00000008), ref: 0100254B
• wsprintfA.USER32 ref: 01002567
• LocalAlloc.KERNEL32(00000040,00000400,?,0000002E,?,0000002E), ref: 0100257C
• GetFileAttributesA.KERNELBASE(?), ref: 010025A4
• lstrcpyA.KERNEL32(?,?), ref: 010025C1
• lstrcatA.KERNEL32(?,01001324), ref: 010025E1
• lstrcpyA.KERNEL32(?,00000000), ref: 010025F0
Strings
Memory Dump Source
• Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
Similarity
• API ID: lstrcpy$lstrlen$AllocLocal$PrivateProfilelstrcmpiwsprintf$AttributesFileNamePathShortStringlstrcat
• String ID: .BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
• API String ID: 1932099537-3544074861
• Opcode ID: 9cfc3f925ef709eea2b6e4c056a8937429d4c1d82baa32382744840923556eea
• Instruction ID: f0cbcbf04177e37c30e3133f67ae01d03030f470cf72cf61e2aa79d8b69a16e6
• Opcode Fuzzy Hash: 9cfc3f925ef709eea2b6e4c056a8937429d4c1d82baa32382744840923556eea
• Instruction Fuzzy Hash: 47916071A00249BAFB23DBA4CD49FDE7BBCAB45700F144195F6C5E6080E7B5DA808B60

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      • RegCreateKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00000000,00000000,0002001F,00000000,00000000,?,00000001,74DEF530), ref: 010019E4
                                                                                                                      • wsprintfA.USER32 ref: 01001A09
                                                                                                                      • RegQueryValueExA.KERNELBASE(00000000,wextract_cleanup0,00000000,00000000,00000000,?), ref: 01001A1D
                                                                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 01001A37
                                                                                                                      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 01001A56
                                                                                                                      • LoadLibraryA.KERNELBASE(?,?,advpack.dll), ref: 01001A74
                                                                                                                      • GetProcAddress.KERNEL32(00000000,DelNodeRunDLL32), ref: 01001A8B
                                                                                                                      • FreeLibrary.KERNELBASE(?), ref: 01001A9F
                                                                                                                      • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 01001AB1
                                                                                                                      • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 01001AD7
                                                                                                                      • lstrlenA.KERNEL32(00000000), ref: 01001AE2
                                                                                                                      • LocalAlloc.KERNEL32(00000040,00000050), ref: 01001AEB
                                                                                                                      • GetModuleFileNameA.KERNEL32(00000000,00000104), ref: 01001B19
                                                                                                                      • RegCloseKey.ADVAPI32(00000000,00000000,000004B5,00000000,00000000,00000010,00000000), ref: 01001B26
                                                                                                                      • wsprintfA.USER32 ref: 01001B59
                                                                                                                      • lstrlenA.KERNEL32(00000000), ref: 01001B63
                                                                                                                      • RegSetValueExA.KERNELBASE(00000000,wextract_cleanup0,00000000,00000001,00000000,00000001), ref: 01001B70
                                                                                                                      • RegCloseKey.KERNELBASE(00000000), ref: 01001B79
                                                                                                                      • LocalFree.KERNEL32(00000000), ref: 01001B80
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                      • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                      • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Closelstrlen$DirectoryFreeLibraryLocalSystemValuewsprintf$AddressAllocCreateFileLoadModuleNameProcQuery
                                                                                                                      • String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup0
                                                                                                                      • API String ID: 3084642846-3726664654
                                                                                                                      • Opcode ID: c9262a911cf3084d63b0fa5f4be99a77ebbc8ce96a0a011a0b05c5970966fbed
                                                                                                                      • Instruction ID: bcd9c67c776e79ec80fa89b258506c9e143caafd4bb2848af9ab02cf1fab0281
                                                                                                                      • Opcode Fuzzy Hash: c9262a911cf3084d63b0fa5f4be99a77ebbc8ce96a0a011a0b05c5970966fbed
                                                                                                                      • Instruction Fuzzy Hash: 31514071A40218BBEB229BA5DD49EDE7BBCEB08700F004495F685E6085D7B9DA41CF90

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                        • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A48
                                                                                                                        • Part of subcall function 01002A34: SizeofResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A4C
                                                                                                                        • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A68
                                                                                                                        • Part of subcall function 01002A34: LoadResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A6C
                                                                                                                        • Part of subcall function 01002A34: LockResource.KERNEL32(00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A73
                                                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01004C87
                                                                                                                      • SetEvent.KERNEL32(00000000,?,00000000), ref: 01004C93
                                                                                                                        • Part of subcall function 01002A34: FreeResource.KERNEL32(00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A97
                                                                                                                      • CreateMutexA.KERNEL32(00000000,00000001,?,INSTANCECHECK,?,00000104,EXTRACTOPT,0100B494,00000004,?,00000000), ref: 01004CFD
                                                                                                                      • GetLastError.KERNEL32(?,00000000), ref: 01004D0C
                                                                                                                      • FindResourceA.KERNEL32(00000000,VERCHECK,0000000A), ref: 01004DA7
                                                                                                                      • LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 01004DB5
                                                                                                                      • #17.COMCTL32(?,00000000), ref: 01004DC6
                                                                                                                      • CloseHandle.KERNEL32(00000000,00000524,DirectX 9.0 Web setup,00000000,00000020,00000004,?,00000000), ref: 01004D50
                                                                                                                        • Part of subcall function 010038CC: MessageBoxA.USER32(00000000,?,DirectX 9.0 Web setup,00000000), ref: 01003946
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                      • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                      • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Resource$Find$CreateEventLoad$CloseErrorFreeHandleLastLockMessageMutexSizeof
                                                                                                                      • String ID: DirectX 9.0 Web setup$EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK
                                                                                                                      • API String ID: 612345255-3861042123
                                                                                                                      • Opcode ID: 6e61b948a8d2d4fbc5d951fd4a04286bee1605d2895dff06b8bbb81afb43d88a
                                                                                                                      • Instruction ID: 917ad5cb818e3c264ff7b4ff8797261597b45a6a0e97e5d7e7b17e1e85fa401a
                                                                                                                      • Opcode Fuzzy Hash: 6e61b948a8d2d4fbc5d951fd4a04286bee1605d2895dff06b8bbb81afb43d88a
                                                                                                                      • Instruction Fuzzy Hash: 7C5127B0644385BAF7336B289D89FAA3B9DEB55744F000465F7C5DA1C5CBB98E808728

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      • GetCurrentDirectoryA.KERNEL32(00000104,?,74DE83C0,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 01003F37
                                                                                                                      • SetCurrentDirectoryA.KERNELBASE(00000000), ref: 01003F46
                                                                                                                      Strings
                                                                                                                      • C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 01003F29
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                      • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                      • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CurrentDirectory
                                                                                                                      • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                                                                                      • API String ID: 1611563598-305352358
                                                                                                                      • Opcode ID: 7272f09d9cc4f95465a0350aed80e63b7b027015254899d99047417d38069267
                                                                                                                      • Instruction ID: a82620e449f5b1383de194113fdcc55ed895d330ee11bc6e5bf4c8a97130a73d
                                                                                                                      • Opcode Fuzzy Hash: 7272f09d9cc4f95465a0350aed80e63b7b027015254899d99047417d38069267
                                                                                                                      • Instruction Fuzzy Hash: 1351A0B1A00209BEFB23DB64CC85EFE7B6CAB08344F0044A5B7C5E60C5D6759E858B64

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      • lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 01004B50
                                                                                                                      • GetSystemInfo.KERNEL32(?), ref: 01004B63
                                                                                                                      • lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 01004BB0
                                                                                                                      • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 01004BC2
                                                                                                                        • Part of subcall function 01002F7A: wsprintfA.USER32 ref: 01002F9A
                                                                                                                        • Part of subcall function 01002F7A: lstrcpyA.KERNEL32(?,?), ref: 01002FAC
                                                                                                                        • Part of subcall function 01002F7A: RemoveDirectoryA.KERNELBASE(?,?,?), ref: 01002FBE
                                                                                                                        • Part of subcall function 01002F7A: GetFileAttributesA.KERNELBASE(?), ref: 01002FC5
                                                                                                                        • Part of subcall function 01002F7A: GetTempFileNameA.KERNEL32(?,IXP,00000000,?), ref: 01002FED
                                                                                                                        • Part of subcall function 01002F7A: DeleteFileA.KERNEL32(?), ref: 01002FFB
                                                                                                                        • Part of subcall function 01002F7A: CreateDirectoryA.KERNEL32(?,00000000), ref: 01003004
                                                                                                                      • RemoveDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 01004C0A
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                      • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                      • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Directory$Filelstrcpy$CreateRemove$AttributesDeleteInfoNameSystemTempwsprintf
                                                                                                                      • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$alpha$i386$mips$ppc
                                                                                                                      • API String ID: 2618030033-3374052426
                                                                                                                      • Opcode ID: d5e147964fd9a8698458917d450e8c8beedf36294136644907e6467125a92c41
                                                                                                                      • Instruction ID: 863f2b1f4f4a5febeb1d47ca0d15cb2489539e343ca057a3309e34f4a0df478a
                                                                                                                      • Opcode Fuzzy Hash: d5e147964fd9a8698458917d450e8c8beedf36294136644907e6467125a92c41
                                                                                                                      • Instruction Fuzzy Hash: 5421A131505B19ABFB639F699C44FEA3ADCAB05385F4000A9F7C5E10C4DB39C941CB69
                                                                                                                      APIs
                                                                                                                      • GetDiskFreeSpaceA.KERNELBASE(00000000,00000000,00000000,00000000,00000000), ref: 01005E90
                                                                                                                      • MulDiv.KERNEL32(00000000,00000000,00000400), ref: 01005EAB
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                      • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                      • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: DiskFreeSpace
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1705453755-0
                                                                                                                      • Opcode ID: 81f4c4850e346c9080ac81259ce3d45f8a1d835a9eef6e91ffedc07ec51b2c28
                                                                                                                      • Instruction ID: 8a5b4a76b2f8f35f795143fc95d6367980ae63d8bc1465d256248162a8adc07a
                                                                                                                      • Opcode Fuzzy Hash: 81f4c4850e346c9080ac81259ce3d45f8a1d835a9eef6e91ffedc07ec51b2c28
                                                                                                                      • Instruction Fuzzy Hash: C3F0E776D01218BFEF05DF94C844BEEBBBCEF14316F008496AA51A6180D775AB04CF90

                                                                                                                      Control-flow Graph

APIs
• lstrcpyA.KERNEL32(?,0100BAA2,?,00000000), ref: 0100540C
• lstrcmpiA.KERNEL32(?,<None>), ref: 010053AF
  • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A48
  • Part of subcall function 01002A34: SizeofResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A4C
  • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A68
  • Part of subcall function 01002A34: LoadResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A6C
  • Part of subcall function 01002A34: LockResource.KERNEL32(00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A73
• lstrcmpiA.KERNEL32(?,<None>), ref: 0100544C
• GetProcAddress.KERNEL32(00000000,DoInfInstall), ref: 010054DA
• FreeLibrary.KERNEL32(00000000,?,00000000), ref: 01005575
• LocalFree.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 01005594
• LocalFree.KERNEL32(?,00000000,000004C7,00000000,00000000,00000010,00000000,?,?,?,?,00000000), ref: 010055D0
• FreeLibrary.KERNEL32(00000000,00000000,000004C9,DoInfInstall,00000000,00000010,00000000,?,00000000), ref: 0100560C
• LocalFree.KERNEL32(?,00000000,000004C8,advpack.dll,00000000,00000010,00000000,advpack.dll,?,?,?,?,00000000), ref: 01005615
• FreeLibrary.KERNEL32(00000000,?,00000000), ref: 01005626
• LocalFree.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 0100562F
Strings
Memory Dump Source
• Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
Similarity
• API ID: Free$Resource$Local$Library$Findlstrcmpi$AddressLoadLockProcSizeoflstrcpy
• String ID: <None>$ADMQCMD$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DirectX 9.0 Web setup$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$USRQCMD$advpack.dll
• API String ID: 770626793-139585130
• Opcode ID: 9bf6c9ac14c3ca6bcf4a5ac89318c0245a048f76e75a5681400d6749ac64c027
• Instruction ID: 2f43a83221f47182914e3832709c3c8ca3f90824a361c088b79cbbea01e2dab8
• Opcode Fuzzy Hash: 9bf6c9ac14c3ca6bcf4a5ac89318c0245a048f76e75a5681400d6749ac64c027
• Instruction Fuzzy Hash: ACA1C070A003499BFF23DF65CC85AEE3BA9AB05305F00416AFAC5960D1DBB68984CF24

Control-flow Graph
(rendered graph omitted; basic-block listing for the function covering 1005636-10058fd, which calls LocalAlloc, LocalFree, lstrcmpA, GetTempPathA, lstrcpyA, GetDriveTypeA, GetFileAttributesA, GetWindowsDirectoryA and SetFileAttributesA, plus sub-functions 1002a34, 10038cc, 1003547, 1004161, 1004b1a, 1001f6e, 1003f0d, 1005e13, 1005b32 and 1001f4b)
APIs
  • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A48
  • Part of subcall function 01002A34: SizeofResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A4C
  • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A68
  • Part of subcall function 01002A34: LoadResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A6C
  • Part of subcall function 01002A34: LockResource.KERNEL32(00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A73
• LocalAlloc.KERNEL32(00000040,00000001,RUNPROGRAM,00000000,00000000,?,00000000), ref: 01005659
• lstrcmpA.KERNEL32(00000000,<None>,RUNPROGRAM,00000000,00000000,?,00000000), ref: 010056BD
• LocalFree.KERNEL32(00000000,?,00000000), ref: 010056D1
• LocalFree.KERNEL32(00000000,00000000,000004B1,00000000,00000000,00000010,00000000,RUNPROGRAM,00000000,00000000,?,00000000), ref: 010056A5
  • Part of subcall function 010038CC: MessageBoxA.USER32(00000000,?,DirectX 9.0 Web setup,00000000), ref: 01003946
  • Part of subcall function 01003547: GetLastError.KERNEL32(74E04B00,01004003), ref: 0100354E
  • Part of subcall function 01003547: GetLastError.KERNEL32 ref: 01003554
• GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000), ref: 01005740
• lstrcpyA.KERNEL32(?,A:\,?,00000000), ref: 01005786
• GetDriveTypeA.KERNEL32(0000005A,?,00000000), ref: 0100578E
• GetFileAttributesA.KERNEL32(0000005A,?,00000000), ref: 010057A7
• GetWindowsDirectoryA.KERNEL32(0000005A,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,00000000,?,00000000), ref: 010058B3
Strings
Memory Dump Source
• Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
Similarity
• API ID: Resource$Local$ErrorFindFreeLast$AllocAttributesDirectoryDriveFileLoadLockMessagePathSizeofTempTypeWindowslstrcmplstrcpy
• String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$RUNPROGRAM$Z$msdownld.tmp
• API String ID: 535033332-2740620654
• Opcode ID: 6850fc883a11cab837c26050fb0a112f3f6a7a0a4a41dfd58cf56b6d104f570a
• Instruction ID: 096894b9e67c34d8375bb897499805253a01f20e87239c6fdf17a2f350f7322a
• Opcode Fuzzy Hash: 6850fc883a11cab837c26050fb0a112f3f6a7a0a4a41dfd58cf56b6d104f570a
• Instruction Fuzzy Hash: B661AAB4A40355BAFB3397755D89FEB26ACAB19744F400491FBC9E60C1E6B4C6808F64

Control-flow Graph

APIs
• wsprintfA.USER32 ref: 01002F9A
• lstrcpyA.KERNEL32(?,?), ref: 01002FAC
  • Part of subcall function 01005B32: lstrlenA.KERNEL32(01003456,0000002F,0100B89A,01003456,0100B89A,01001251), ref: 01005B39
  • Part of subcall function 01005B32: CharPrevA.USER32(01003456,00000000), ref: 01005B49
  • Part of subcall function 01005B32: lstrcpyA.KERNEL32(00000000,?), ref: 01005B66
• RemoveDirectoryA.KERNELBASE(?,?,?), ref: 01002FBE
• GetFileAttributesA.KERNELBASE(?), ref: 01002FC5
• GetTempFileNameA.KERNEL32(?,IXP,00000000,?), ref: 01002FED
• DeleteFileA.KERNEL32(?), ref: 01002FFB
• CreateDirectoryA.KERNEL32(?,00000000), ref: 01003004
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 01003019
Strings
Memory Dump Source
• Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
Similarity
• API ID: DirectoryFile$Createlstrcpy$AttributesCharDeleteNamePrevRemoveTemplstrlenwsprintf
• String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$IXP$IXP%03d.TMP
• API String ID: 3224660439-775753704
• Opcode ID: cc23fafd31c200b07fe8fdd91d20a1ba6cd3f4739df2429ec796210adebc7534
• Instruction ID: e7c67a7043ec5c6bac1d4f2c1b8a734ea561e127a1ee01801807ea9209cd36ee
• Opcode Fuzzy Hash: cc23fafd31c200b07fe8fdd91d20a1ba6cd3f4739df2429ec796210adebc7534
• Instruction Fuzzy Hash: A311E1312092496FE373AB65EC48FEB3BACEF46351F000129F6C5D1084DEBA950587A6

Control-flow Graph

APIs
• lstrlenA.KERNEL32(01004BBC,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000,01004BBC,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 01003E68
• LocalAlloc.KERNEL32(00000040,-00000014,?,00000000,01004BBC,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 01003E74
• lstrcpyA.KERNEL32(00000000,01004BBC,74DE83C0,?,00000000,01004BBC,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 01003EA3
• CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000001,04000080,00000000,00000000,TMP4351$.TMP,?,00000000,01004BBC,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 01003EC4
• LocalFree.KERNEL32(00000000,?,00000000,01004BBC,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 01003ECD
• CloseHandle.KERNEL32(00000000,?,00000000,01004BBC,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 01003ED9
• GetFileAttributesA.KERNELBASE(01004BBC,?,00000000,01004BBC,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 01003EE0
  • Part of subcall function 010038CC: MessageBoxA.USER32(00000000,?,DirectX 9.0 Web setup,00000000), ref: 01003946
  • Part of subcall function 01003547: GetLastError.KERNEL32(74E04B00,01004003), ref: 0100354E
  • Part of subcall function 01003547: GetLastError.KERNEL32 ref: 01003554
Strings
• C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 01003E66
• TMP4351$.TMP, xrefs: 01003EA9
Memory Dump Source
• Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
Similarity
• API ID: ErrorFileLastLocal$AllocAttributesCloseCreateFreeHandleMessagelstrcpylstrlen
• String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$TMP4351$.TMP
• API String ID: 3688570051-1664176527
• Opcode ID: cec466b1454d8152f2b6b7027edac8848f359d804bd141f2f042a694d3e2b742
• Instruction ID: 07e8854d2f4717a7fcec1bdd87890a29ac9275318df03397e391de66aed45773
• Opcode Fuzzy Hash: cec466b1454d8152f2b6b7027edac8848f359d804bd141f2f042a694d3e2b742
• Instruction Fuzzy Hash: 9A11A5726016447FE223AF799C49F9F3E5CEB06369F014514F2D6E90C5C7BA94418B74

Control-flow Graph
(rendered graph omitted; basic-block listing for the function covering 10049db-1004b19, which calls GetDlgItem, ShowWindow, FreeResource and SendMessageA, plus sub-functions 1002e6f, 1003c60, 1005ebf, 1006e88, 10038cc and 10069c2)
APIs
  • Part of subcall function 01002E6F: FindResourceA.KERNEL32(00000000,CABINET,0000000A), ref: 01002E89
  • Part of subcall function 01002E6F: LoadResource.KERNEL32(00000000,00000000,?,010059A0), ref: 01002E92
  • Part of subcall function 01002E6F: LockResource.KERNEL32(00000000,?,010059A0), ref: 01002E99
• GetDlgItem.USER32(00000000,00000842), ref: 01004A00
• ShowWindow.USER32(00000000,?,00000000,00000001,0100525B,?,010059A0), ref: 01004A09
• GetDlgItem.USER32(00000841,00000005), ref: 01004A18
• ShowWindow.USER32(00000000,?,00000000,00000001,0100525B,?,010059A0), ref: 01004A1B
• FreeResource.KERNEL32(00000000,-00000514,00000000,00000000,00000010,00000000,?,?,?,00000000,00000001,0100525B,?,010059A0), ref: 01004AC7
• SendMessageA.USER32(00000FA1,00000000,00000000,-00000514), ref: 01004B0E
Strings
Memory Dump Source
• Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
Similarity
• API ID: Resource$ItemShowWindow$FindFreeLoadLockMessageSend
• String ID: *MEMCAB
• API String ID: 3694369891-3211172518
• Opcode ID: c58f8bc2a7f7b26109adb1d35207193ebaf4e78ef12d8e4ecae876ef37705db9
• Instruction ID: 5c6169ab3c9c94f66ae9421972872bc9d1b968acd00de396031396c823d54b5c
• Opcode Fuzzy Hash: c58f8bc2a7f7b26109adb1d35207193ebaf4e78ef12d8e4ecae876ef37705db9
• Instruction Fuzzy Hash: 3E31EA313813117AF63367579C89F972D8DDB56B65F400454F7C8E60C6C6FA889087A9

Control-flow Graph
(rendered graph omitted; basic-block listing for the function covering 1004560-1004654, which calls CreateProcessA, WaitForSingleObject, GetExitCodeProcess, GetLastError, FormatMessageA and CloseHandle (twice), plus sub-functions 1003547, 10038cc and 10028fa)
                                                                                                                      APIs
                                                                                                                      • CreateProcessA.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000020,00000000,00000000,?,?,00000001,74DEF530,00000000), ref: 01004595
                                                                                                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 010045A4
                                                                                                                      • GetExitCodeProcess.KERNEL32(?,?), ref: 010045B1
                                                                                                                      • CloseHandle.KERNEL32(?,?), ref: 010045F2
                                                                                                                      • CloseHandle.KERNEL32(?), ref: 010045F7
                                                                                                                      • GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 01004621
                                                                                                                      • FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 0100462E
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CloseHandleProcess$CodeCreateErrorExitFormatLastMessageObjectSingleWait
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3183975587-0
                                                                                                                      • Opcode ID: 5c87e306d1f07bbbd259af49f0d2f9332393d95cbae5d4cdd0f23aea241cfee2
                                                                                                                      • Instruction ID: 4dc6fc445a0a4644286cad31dd2cd9ca33170ca9f30bc41b6ca94f876d6a0a06
                                                                                                                      • Opcode Fuzzy Hash: 5c87e306d1f07bbbd259af49f0d2f9332393d95cbae5d4cdd0f23aea241cfee2
                                                                                                                      • Instruction Fuzzy Hash: 4521AD35501228BFEB239FA5CC48EEF7BA9FF09360F004025FB94D6095C6768644CBA5

Control-flow Graph: [rendered graph not available; function basic blocks span 01003D9A-01003E5F]
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A48
                                                                                                                        • Part of subcall function 01002A34: SizeofResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A4C
                                                                                                                        • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A68
                                                                                                                        • Part of subcall function 01002A34: LoadResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A6C
                                                                                                                        • Part of subcall function 01002A34: LockResource.KERNEL32(00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A73
                                                                                                                      • LocalAlloc.KERNEL32(00000040,00000001,UPROMPT,00000000,00000000,?,00000000,?,?,01005917,00000000,01005A22,00000000,01005ACB,?,?), ref: 01003DB5
                                                                                                                      • LocalFree.KERNEL32(00000000,00000000,000004B1,00000000,00000000,00000010,00000000,UPROMPT,00000000,00000000,?,00000000,?,?,01005917,00000000), ref: 01003DFA
                                                                                                                        • Part of subcall function 010038CC: MessageBoxA.USER32(00000000,?,DirectX 9.0 Web setup,00000000), ref: 01003946
                                                                                                                        • Part of subcall function 01003547: GetLastError.KERNEL32(74E04B00,01004003), ref: 0100354E
                                                                                                                        • Part of subcall function 01003547: GetLastError.KERNEL32 ref: 01003554
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Resource$ErrorFindLastLocal$AllocFreeLoadLockMessageSizeof
                                                                                                                      • String ID: <None>$UPROMPT
                                                                                                                      • API String ID: 226386726-2980973527
                                                                                                                      • Opcode ID: 19c4e163a1090a162578199d223b225934aaa3b1b5a0be56976e72415ee7bbe1
                                                                                                                      • Instruction ID: fcd82f8eb2d96e34fe2045f7d831227921619ed0845e22903694ad8dcf9b4982
                                                                                                                      • Opcode Fuzzy Hash: 19c4e163a1090a162578199d223b225934aaa3b1b5a0be56976e72415ee7bbe1
                                                                                                                      • Instruction Fuzzy Hash: F01190B164178ABFF2236B329C48F9B3B5CEB0A798F014114F6C29D0C6D7BAA4004B74

Control-flow Graph: [rendered graph not available; function basic blocks span 01004888-010049DA]
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 01002ACD: lstrlenA.KERNEL32(00000104,?,?,?,01004972,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002ADB
                                                                                                                        • Part of subcall function 01002ACD: lstrlenA.KERNEL32(?,?,?,?,01004972,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002AE2
                                                                                                                      • SetFileAttributesA.KERNELBASE(?,00000000,?,?,?,?,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 0100492B
                                                                                                                      • SetDlgItemTextA.USER32(00000000,00000837,?), ref: 01004953
                                                                                                                        • Part of subcall function 01002E1B: lstrcpyA.KERNEL32(0100B17C,AA4CA1C3,?,?,010049D8,?), ref: 01002E3E
                                                                                                                        • Part of subcall function 01002E1B: lstrcpyA.KERNEL32(0100B280,FFFFE48F,?,?,010049D8,?), ref: 01002E48
                                                                                                                        • Part of subcall function 01002E1B: lstrcpyA.KERNEL32(0100B384,0175C085,?,?,010049D8,?), ref: 01002E52
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: lstrcpy$lstrlen$AttributesFileItemText
                                                                                                                      • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                                                                                      • API String ID: 1052324692-305352358
                                                                                                                      • Opcode ID: fe65d99b2ab9b239a6f2feaefbfaa6b709843359da61f41e70cea4a7b0a25d04
                                                                                                                      • Instruction ID: 9c3945019062b96abff1775c7a9c12b98a3233307227bea5132d982746a7d7c1
                                                                                                                      • Opcode Fuzzy Hash: fe65d99b2ab9b239a6f2feaefbfaa6b709843359da61f41e70cea4a7b0a25d04
                                                                                                                      • Instruction Fuzzy Hash: EB31F47160020AABFF73AB78CD44EDE77E8AB04714F0049A1BBD5D60C0DAB4DA94C724

Control-flow Graph: [rendered graph not available; function basic blocks span 01002D87-01002DEA]
                                                                                                                      APIs
                                                                                                                      • DosDateTimeToFileTime.KERNEL32(?,00000104,00000104), ref: 01002DAE
                                                                                                                      • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 01002DC0
                                                                                                                      • SetFileTime.KERNELBASE(?,?,?,?), ref: 01002DDC
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Time$File$DateLocal
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2071732420-0
                                                                                                                      • Opcode ID: 96a0a1fe93097ab5083efa3cebb417dec1f1aca17dfb0d7ec9085fdad69f0f66
                                                                                                                      • Instruction ID: 272d08cd781b42647d3e3cd2aab8a48c674a3e0d441df13359d39e46509fec88
                                                                                                                      • Opcode Fuzzy Hash: 96a0a1fe93097ab5083efa3cebb417dec1f1aca17dfb0d7ec9085fdad69f0f66
                                                                                                                      • Instruction Fuzzy Hash: 81F01D7650011AABDF62DFA4CD49DEF7BBCEF04300F00056AFA96D2054EA31D605CB60

Control-flow Graph: [rendered graph not available; function basic blocks span 01001E52-01001EA0]
                                                                                                                      APIs
                                                                                                                      • RegOpenKeyExA.KERNELBASE(80000002,010045E9,00000000,00020019,010045E9,00000000,?,?,01001F1E,System\CurrentControlSet\Control\Session Manager,PendingFileRenameOperations,01001F3D,010045E9,01002634,00000003,00000000), ref: 01001E6E
                                                                                                                      • RegQueryValueExA.KERNELBASE(010045E9,0100290E,00000000,00000000,00000000,?,?,01001F1E,System\CurrentControlSet\Control\Session Manager,PendingFileRenameOperations,01001F3D,010045E9,01002634,00000003,00000000,0100290E), ref: 01001E85
                                                                                                                      • RegCloseKey.KERNELBASE(010045E9,?,01001F1E,System\CurrentControlSet\Control\Session Manager,PendingFileRenameOperations,01001F3D,010045E9,01002634,00000003,00000000,0100290E,010045E9,?), ref: 01001E95
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CloseOpenQueryValue
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3677997916-0
                                                                                                                      • Opcode ID: 7a797c0b9dcb7767ccf906ce318d436ef8d89cccfb9cdaf3cd7182f96baaf62c
                                                                                                                      • Instruction ID: 28be454f978d5970a4e16e1394c3bca2c1ef4d0bed3d580e281dbf39f647a0de
                                                                                                                      • Opcode Fuzzy Hash: 7a797c0b9dcb7767ccf906ce318d436ef8d89cccfb9cdaf3cd7182f96baaf62c
                                                                                                                      • Instruction Fuzzy Hash: E1F0D475A01128FBEB229F92DD08DEFBFACEF057A0F008055F98996150D771DA10EBA0
                                                                                                                      APIs
                                                                                                                      • lstrlenA.KERNEL32(01003456,0000002F,0100B89A,01003456,0100B89A,01001251), ref: 01005B39
                                                                                                                      • CharPrevA.USER32(01003456,00000000), ref: 01005B49
                                                                                                                      • lstrcpyA.KERNEL32(00000000,?), ref: 01005B66
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CharPrevlstrcpylstrlen
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3191087442-0
                                                                                                                      • Opcode ID: fdd7714bb6593d9bd24b37b8e314602ef278b422ca2b5f9048e4f286ffae7ea1
                                                                                                                      • Instruction ID: a8693eed6350a8dedeae3d565ef5e12137dbdc0ab456e1eef33ff5164d9f3c36
                                                                                                                      • Opcode Fuzzy Hash: fdd7714bb6593d9bd24b37b8e314602ef278b422ca2b5f9048e4f286ffae7ea1
                                                                                                                      • Instruction Fuzzy Hash: 5AE06531504A909FF36757189C08BAB7FD8EB86261F150485F5DA93181D37958428F71
                                                                                                                      APIs
                                                                                                                      • SetCurrentDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,01005A22,00000000,01005ACB,?,?,01005ACB,00000000), ref: 0100596D
                                                                                                                        • Part of subcall function 01003D9A: LocalAlloc.KERNEL32(00000040,00000001,UPROMPT,00000000,00000000,?,00000000,?,?,01005917,00000000,01005A22,00000000,01005ACB,?,?), ref: 01003DB5
                                                                                                                      Strings
                                                                                                                      • C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 01005968
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocCurrentDirectoryLocal
                                                                                                                      • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                                                                                      • API String ID: 4261067767-305352358
                                                                                                                      APIs
                                                                                                                      • CreateFileA.KERNELBASE(01003CBD,00000000,00000000,00000000,0000017D,00000080,00000000,00000000,00000000,?,00000000,01003C3C,00000180,00008000,?), ref: 01003B74
                                                                                                                      • CreateFileA.KERNEL32(01003CBD,00000000,00000000,00000000,0000017D,00000080,00000000,01003CBD,?,00000000,01003C3C,00000180,00008000,?,?,01003CBD), ref: 01003B92
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                       • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                       • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                       • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CreateFile
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 823142352-0
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 0100288F: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 010028B3
                                                                                                                        • Part of subcall function 0100288F: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 010028C5
                                                                                                                        • Part of subcall function 0100288F: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 010028E8
                                                                                                                      • WriteFile.KERNELBASE(?,?,?,00000000), ref: 01002C59
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                       • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                       • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                       • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: MessagePeek$FileMultipleObjectsWaitWrite
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1084409-0
                                                                                                                      APIs
                                                                                                                      • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 01004127
                                                                                                                        • Part of subcall function 010038CC: MessageBoxA.USER32(00000000,?,DirectX 9.0 Web setup,00000000), ref: 01003946
                                                                                                                        • Part of subcall function 01003547: GetLastError.KERNEL32(74E04B00,01004003), ref: 0100354E
                                                                                                                        • Part of subcall function 01003547: GetLastError.KERNEL32 ref: 01003554
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                       • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                       • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                       • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorLast$DirectoryMessageWindows
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 824312211-0
                                                                                                                      APIs
                                                                                                                      • GetFileAttributesA.KERNELBASE(?,010023AD,?), ref: 01005BCE
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                       • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                       • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                       • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AttributesFile
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3188754299-0
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 01004C18: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01004C87
                                                                                                                        • Part of subcall function 01004C18: SetEvent.KERNEL32(00000000,?,00000000), ref: 01004C93
                                                                                                                      • CloseHandle.KERNEL32(00000000,01005ACB,?,?,01005ACB,00000000), ref: 01005A50
                                                                                                                        • Part of subcall function 010058FE: SetCurrentDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,01005A22,00000000,01005ACB,?,?,01005ACB,00000000), ref: 0100596D
                                                                                                                        • Part of subcall function 01002EAF: SetFileAttributesA.KERNEL32(00670838,00000080,?,?,00000000), ref: 01002EE4
                                                                                                                        • Part of subcall function 01002EAF: DeleteFileA.KERNEL32(00670838,?,?,00000000), ref: 01002EEC
                                                                                                                        • Part of subcall function 01002EAF: LocalFree.KERNEL32(00670838,?,?,00000000), ref: 01002EF7
                                                                                                                        • Part of subcall function 01002EAF: LocalFree.KERNEL32(00670838,?,?,00000000), ref: 01002EFA
                                                                                                                        • Part of subcall function 01002EAF: lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000), ref: 01002F25
                                                                                                                        • Part of subcall function 01002EAF: SetCurrentDirectoryA.KERNEL32(01001284,?,00000000), ref: 01002F43
                                                                                                                        • Part of subcall function 0100263F: ExitWindowsEx.USER32(00000002,00000000), ref: 01002681
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                       • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                       • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                       • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CurrentDirectoryEventFileFreeLocal$AttributesCloseCreateDeleteExitHandleWindowslstrcpy
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2109604340-0
                                                                                                                      APIs
                                                                                                                      • CloseHandle.KERNELBASE(?,00000000,00000000,01003CF6,00000000,?,?,?,?,?,00000000), ref: 01002CEB
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                       • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                       • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                       • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CloseHandle
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2962429428-0
                                                                                                                      APIs
                                                                                                                      • GlobalAlloc.KERNELBASE(00000000,?), ref: 01002E09
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                       • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                       • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                       • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocGlobal
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3761449716-0
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                       • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                       • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                       • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: FreeGlobal
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2979337801-0
                                                                                                                      APIs
                                                                                                                      • lstrcpyA.KERNEL32(?,00000000,00000001,DirectX 9.0 Web setup,00000000), ref: 01001CAD
                                                                                                                      • lstrcatA.KERNEL32(?,0100128C), ref: 01001CC1
                                                                                                                      • FindFirstFileA.KERNEL32(?,?), ref: 01001CD1
                                                                                                                      • lstrcpyA.KERNEL32(?,00000000), ref: 01001CEB
                                                                                                                      • lstrcmpA.KERNEL32(?,01001288), ref: 01001D02
                                                                                                                      • lstrcmpA.KERNEL32(?,01001284), ref: 01001D18
                                                                                                                      • lstrcatA.KERNEL32(?,?), ref: 01001D30
                                                                                                                        • Part of subcall function 01005B32: lstrlenA.KERNEL32(01003456,0000002F,0100B89A,01003456,0100B89A,01001251), ref: 01005B39
                                                                                                                        • Part of subcall function 01005B32: CharPrevA.USER32(01003456,00000000), ref: 01005B49
                                                                                                                        • Part of subcall function 01005B32: lstrcpyA.KERNEL32(00000000,?), ref: 01005B66
                                                                                                                      • lstrcatA.KERNEL32(?,?), ref: 01001D59
                                                                                                                      • SetFileAttributesA.KERNEL32(?,00000080), ref: 01001D67
                                                                                                                      • DeleteFileA.KERNEL32(?), ref: 01001D74
                                                                                                                      • FindNextFileA.KERNEL32(00000000,00000010), ref: 01001D84
                                                                                                                      • FindClose.KERNEL32(00000000), ref: 01001D95
                                                                                                                      • RemoveDirectoryA.KERNEL32(00000000), ref: 01001D9C
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                       • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                       • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                       • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: File$Findlstrcatlstrcpy$lstrcmp$AttributesCharCloseDeleteDirectoryFirstNextPrevRemovelstrlen
                                                                                                                      • String ID: DirectX 9.0 Web setup
                                                                                                                      • API String ID: 2233361564-3102400635
                                                                                                                      • Opcode ID: 678c5ee2d3b4477588ce13c604fb9acbca6998944e647f19a3d9bdee4b119596
                                                                                                                      • Instruction ID: a00f6dc85045b5a751000bc1c93d4bef5bd8a44fc60f5db9cfdca4d6f7f72306
                                                                                                                      • Opcode Fuzzy Hash: 678c5ee2d3b4477588ce13c604fb9acbca6998944e647f19a3d9bdee4b119596
                                                                                                                      • Instruction Fuzzy Hash: 0F3119B690415DABEF62EBB5DD88FCA7BBCAF14340F440592B6C5D2084DBB4D6848F60
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 010015F6: LoadLibraryA.KERNEL32(advapi32.dll,00000000,?,?,010016C1,?,00000000,?,01004E0E,?,?,00000000), ref: 0100161A
                                                                                                                        • Part of subcall function 010015F6: GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0100162E
                                                                                                                        • Part of subcall function 010015F6: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,DirectX 9.0 Web setup,?,?,010016C1), ref: 0100165E
                                                                                                                        • Part of subcall function 010015F6: FreeSid.ADVAPI32(00000000,?,?,010016C1), ref: 01001672
                                                                                                                        • Part of subcall function 010015F6: FreeLibrary.KERNEL32(010016C1,?,?,010016C1,?,00000000,?,01004E0E,?,?,00000000), ref: 0100167C
                                                                                                                      • GetCurrentProcess.KERNEL32(00000008,?,?,00000000,?,01004E0E,?,?,00000000), ref: 010016CF
                                                                                                                      • OpenProcessToken.ADVAPI32(00000000,?,01004E0E,?,?,00000000), ref: 010016D6
                                                                                                                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,00000000,00000001,?,01004E0E,?,?,00000000), ref: 010016F6
                                                                                                                      • GetLastError.KERNEL32(?,01004E0E,?,?,00000000), ref: 01001700
                                                                                                                      • LocalAlloc.KERNEL32(00000000,00000000,DirectX 9.0 Web setup,?,01004E0E,?,?,00000000), ref: 01001714
                                                                                                                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,00000000,?,01004E0E,?,?,00000000), ref: 0100172D
                                                                                                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,01004E0E,?,?,00000000), ref: 0100174A
                                                                                                                      • EqualSid.ADVAPI32(00000004,?,?,01004E0E,?,?,00000000), ref: 01001760
                                                                                                                      • FreeSid.ADVAPI32(?,?,01004E0E,?,?,00000000), ref: 01001782
                                                                                                                      • LocalFree.KERNEL32(00000000,?,01004E0E,?,?,00000000), ref: 01001789
                                                                                                                      • CloseHandle.KERNEL32(?,?,01004E0E,?,?,00000000), ref: 01001793
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                       • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                       • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                       • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
                                                                                                                      • String ID: DirectX 9.0 Web setup
                                                                                                                      • API String ID: 2168512254-3102400635
                                                                                                                      • Opcode ID: bb5fe4861fc728833115231643eac192e69f4f778fcc582930cb2832bc57f699
                                                                                                                      • Instruction ID: fa5215c0b5e6886bf03ae5b40989aa8fe66889e67d1830d7472693dfac7b44e0
                                                                                                                      • Opcode Fuzzy Hash: bb5fe4861fc728833115231643eac192e69f4f778fcc582930cb2832bc57f699
                                                                                                                      • Instruction Fuzzy Hash: A7315E71A00249EFEB23DBA49988EEE7BB9FF04340F5004A5F6C5E2085D775D644CB61
                                                                                                                      APIs
                                                                                                                      • GetVersionExA.KERNEL32(?), ref: 01005D57
                                                                                                                      • GetSystemMetrics.USER32(0000004A), ref: 01005D85
                                                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 01005DA4
                                                                                                                      • RegQueryValueExA.ADVAPI32(?,01001251,00000000,?,?,?,?), ref: 01005DC5
                                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 01005DD0
                                                                                                                        • Part of subcall function 01005C1C: CharNextA.USER32(?,00000000,01005DE8,?,?), ref: 01005C55
                                                                                                                      Strings
                                                                                                                      • Control Panel\Desktop\ResourceLocale, xrefs: 01005D9A
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                       • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                       • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                       • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
                                                                                                                      • String ID: Control Panel\Desktop\ResourceLocale
                                                                                                                      • API String ID: 3346862599-1109908249
                                                                                                                      • Opcode ID: 431f45f9673300b689da86ba081f87beb83a14b1989b5a4117b9124139db4642
                                                                                                                      • Instruction ID: 083c54a924ab9761291a410baedf6ac57de624089c224ea8294de35afb17b59e
                                                                                                                      • Opcode Fuzzy Hash: 431f45f9673300b689da86ba081f87beb83a14b1989b5a4117b9124139db4642
                                                                                                                      • Instruction Fuzzy Hash: 17212571640248DBEB36CFA9DC48B9D37E8AB04715F105129F991D20C3E7BAC488CF91
                                                                                                                      APIs
                                                                                                                      • GetCurrentProcess.KERNEL32(00000028,00000004,00000000,?,?,01005ACB,00000000), ref: 010018C2
                                                                                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 010018C9
                                                                                                                      • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 010018EB
                                                                                                                      • AdjustTokenPrivileges.ADVAPI32(00000004,00000000), ref: 0100190A
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                       • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                       • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                       • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
                                                                                                                      • String ID: SeShutdownPrivilege
                                                                                                                      • API String ID: 2349140579-3733053543
                                                                                                                      • Opcode ID: 593663a4c8d54b802f0f1e7a054ef3afb4eab00d1d64c970485e8e945c1f4114
                                                                                                                      • Instruction ID: 05607d40d37e3d7cfa1acf5e7c24027e9414555ed0db78eb33ce689f5d9f9449
                                                                                                                      • Opcode Fuzzy Hash: 593663a4c8d54b802f0f1e7a054ef3afb4eab00d1d64c970485e8e945c1f4114
                                                                                                                      • Instruction Fuzzy Hash: 21014C71642225BAF7329BA28C0DFEF7EACEF06794F000410BA89E40C5D6B5D70496F5
                                                                                                                      APIs
                                                                                                                      • ExitWindowsEx.USER32(00000002,00000000), ref: 01002681
                                                                                                                        • Part of subcall function 010018B5: GetCurrentProcess.KERNEL32(00000028,00000004,00000000,?,?,01005ACB,00000000), ref: 010018C2
                                                                                                                        • Part of subcall function 010018B5: OpenProcessToken.ADVAPI32(00000000), ref: 010018C9
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                       • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                       • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                       • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Process$CurrentExitOpenTokenWindows
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2795981589-0
                                                                                                                      • Opcode ID: be1fa5d6ff6b383463169fe5ad6f937a4c193f6604caf8e2e6f9bacbda75ccd5
                                                                                                                      • Instruction ID: 51cfbc9f9594ef64733f325afd49e40a3b229e39ce56858cbad60d3a963125f2
                                                                                                                      • Opcode Fuzzy Hash: be1fa5d6ff6b383463169fe5ad6f937a4c193f6604caf8e2e6f9bacbda75ccd5
                                                                                                                      • Instruction Fuzzy Hash: 5EE08C7068830670FEB327A44E4FB2956D05B5DF18F148589FBC5B90C2CEF9C5918A2A
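                                                                                                                       The four function records above are read by hand as: a recursive directory wipe (FindFirstFileA / SetFileAttributesA(FILE_ATTRIBUTE_NORMAL = 0x80) / DeleteFileA / FindNextFileA / RemoveDirectoryA), a BUILTIN\Administrators membership test (GetTokenInformation with class 2 = TokenGroups, AllocateAndInitializeSid with sub-authorities 0x20 = SECURITY_BUILTIN_DOMAIN_RID and 0x220 = DOMAIN_ALIAS_RID_ADMINS, then EqualSid), acquisition of SeShutdownPrivilege via LookupPrivilegeValueA / AdjustTokenPrivileges, and ExitWindowsEx(2 = EWX_REBOOT). The following Python triage script is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses listing lines in the format shown here into per-function call records (keeping the "Part of subcall function" attribution) and flags those behaviours from API co-occurrence plus the argument constants just decoded. The sample input is constructed from lines copied above; the rule names are this example's own and do not correspond to Joe Sandbox signature definitions.

```python
"""Triage helper for Joe Sandbox IDA-plugin API listings (added example)."""
import re
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample: API lines copied from four of the function records
# above; 'ref:' offsets are kept so each finding ties back to the binary.
SAMPLE = """\
APIs
• FindFirstFileA.KERNEL32(?,?), ref: 01001CD1
• SetFileAttributesA.KERNEL32(?,00000080), ref: 01001D67
• DeleteFileA.KERNEL32(?), ref: 01001D74
• FindNextFileA.KERNEL32(00000000,00000010), ref: 01001D84
• FindClose.KERNEL32(00000000), ref: 01001D95
• RemoveDirectoryA.KERNEL32(00000000), ref: 01001D9C
APIs
  • Part of subcall function 010015F6: GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0100162E
• GetCurrentProcess.KERNEL32(00000008,?,?,00000000,?,01004E0E,?,?,00000000), ref: 010016CF
• OpenProcessToken.ADVAPI32(00000000,?,01004E0E,?,?,00000000), ref: 010016D6
• GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,00000000,?,01004E0E,?,?,00000000), ref: 0100172D
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,01004E0E,?,?,00000000), ref: 0100174A
• EqualSid.ADVAPI32(00000004,?,?,01004E0E,?,?,00000000), ref: 01001760
APIs
• GetCurrentProcess.KERNEL32(00000028,00000004,00000000,?,?,01005ACB,00000000), ref: 010018C2
• OpenProcessToken.ADVAPI32(00000000), ref: 010018C9
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 010018EB
• AdjustTokenPrivileges.ADVAPI32(00000004,00000000), ref: 0100190A
APIs
• ExitWindowsEx.USER32(00000002,00000000), ref: 01002681
"""

API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class Call:
    api: str
    module: str
    args: list[str]
    ref: str
    direct: bool  # False when the plugin attributes the call to a callee


@dataclass
class Function:
    label: str
    calls: list[Call] = field(default_factory=list)

    def has(self, api: str) -> bool:
        return any(c.api == api for c in self.calls)

    def args_of(self, api: str) -> list[list[str]]:
        return [c.args for c in self.calls if c.api == api]


def parse_functions(text: str) -> list[Function]:
    """Split the listing at each 'APIs' header into Function records."""
    functions: list[Function] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            functions.append(Function(label=f"fn{len(functions) + 1}"))
            continue
        m = API_LINE.match(line)
        if m and functions:
            functions[-1].calls.append(Call(
                api=m["api"], module=m["module"], args=m["args"].split(","),
                ref=m["ref"], direct=m["sub"] is None))
    for fn in functions:  # name each function by its first direct call site
        direct = [c for c in fn.calls if c.direct]
        if direct:
            fn.label = f"fn@{direct[0].ref}"
    return functions


def _is_builtin_admins_sid(args: list[str]) -> bool:
    # AllocateAndInitializeSid(auth, count, sub0, sub1, ...): count 2,
    # 0x20 = SECURITY_BUILTIN_DOMAIN_RID, 0x220 = DOMAIN_ALIAS_RID_ADMINS
    return args[1:4] == ["00000002", "00000020", "00000220"]


# Behaviour rules (this example's own names, not Joe Sandbox signatures).
RULES: list[tuple[str, Callable[[Function], bool]]] = [
    ("recursive_directory_delete", lambda f: all(
        f.has(a) for a in ("FindFirstFileA", "FindNextFileA", "DeleteFileA", "RemoveDirectoryA"))),
    ("clears_readonly_before_delete", lambda f: f.has("DeleteFileA") and any(
        a[1:2] == ["00000080"] for a in f.args_of("SetFileAttributesA"))),  # FILE_ATTRIBUTE_NORMAL
    ("checks_builtin_admins_membership", lambda f: f.has("OpenProcessToken") and f.has("EqualSid")
        and any(a[1:2] == ["00000002"] for a in f.args_of("GetTokenInformation"))  # TokenGroups
        and any(_is_builtin_admins_sid(a) for a in f.args_of("AllocateAndInitializeSid"))),
    ("acquires_shutdown_privilege", lambda f: f.has("AdjustTokenPrivileges") and any(
        "SeShutdownPrivilege" in a for a in f.args_of("LookupPrivilegeValueA"))),
    ("reboots_system", lambda f: any(
        a[:1] == ["00000002"] for a in f.args_of("ExitWindowsEx"))),  # EWX_REBOOT
]


def classify(text: str) -> dict[str, list[str]]:
    """Return, per function, the behaviour names whose rule fired."""
    return {f.label: [name for name, rule in RULES if rule(f)] for f in parse_functions(text)}


if __name__ == "__main__":
    for label, behaviours in classify(SAMPLE).items():
        print(f"{label}: {', '.join(behaviours) or '-'}")
```

                                                                                                                       Rules fire only when the API set and the decoded constants agree, so a function that merely imports AdjustTokenPrivileges is not reported; the privilege name and the SID sub-authorities have to appear in the listed arguments. The labels are the first direct call site of each function, which is what an analyst pastes back into IDA, and subcall-attributed lines are kept with direct=False so a rule can later be tightened to direct calls only.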
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                       • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                       • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                       • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 94dfc90b70575c19e3580177b28661a5fa6066ea7c0266af5a04ec66b46a9598
                                                                                                                      • Instruction ID: f4983a0e36b43ffcb518e60d76000cdcfe8a0af48af8faed87a4da5ec99b531e
                                                                                                                      • Opcode Fuzzy Hash: 94dfc90b70575c19e3580177b28661a5fa6066ea7c0266af5a04ec66b46a9598
                                                                                                                      • Instruction Fuzzy Hash: FBB18835A056959BDB1ACF28C4B02EEBBA0BF45314F18C2AED9D65B782C7309A55C7C0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                       • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                       • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                       • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: a6cf292941154d0cd74ae677f771b0fd9eb91a69feae1d5814fbd6b05e46b596
                                                                                                                      • Instruction ID: 2aba7d770cb182b78b7652e6660436575dda3edefe08705f868ec3b507a5431e
                                                                                                                      • Opcode Fuzzy Hash: a6cf292941154d0cd74ae677f771b0fd9eb91a69feae1d5814fbd6b05e46b596
                                                                                                                      • Instruction Fuzzy Hash: 30A18331A052959BDB0ACF58C0A01EDFBB0FF15714F1982AED9D66B782C7346A55CB80
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                       • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                       • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                       • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 84d648d0c2a16e755c7f17ce33ad772204976945cc31b9215aee01e7bcf3b4c0
                                                                                                                      • Instruction ID: a80a0796c6c78a90fa091916d3490ddb8f164fad7c0897db2317df91665225f3
                                                                                                                      • Opcode Fuzzy Hash: 84d648d0c2a16e755c7f17ce33ad772204976945cc31b9215aee01e7bcf3b4c0
                                                                                                                      • Instruction Fuzzy Hash: 7B8186319056569FDB1ACF58C0E01EDBBB0FF46314F1882ADD9D66B382C6346A95CBC0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                       • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                       • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                       • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: fac211542a3869dc8880f68233b4de0dfb7fb2ced29cb3492eb621ecda2867df
                                                                                                                      • Instruction ID: 8b19583f7cc30d59397d6f805d7a34eb48c67b28d2acfd70727ba9726ee87818
                                                                                                                      • Opcode Fuzzy Hash: fac211542a3869dc8880f68233b4de0dfb7fb2ced29cb3492eb621ecda2867df
                                                                                                                      • Instruction Fuzzy Hash: 4961C231A105598BEF2ADE6CC4504AD7BE2FFC9380F28852EEDD2C7295DA30D856C740
                                                                                                                      APIs
                                                                                                                      • CharNextA.USER32(00000000,00000001,DirectX 9.0 Web setup,00000000), ref: 010030FC
                                                                                                                      • GetModuleFileNameA.KERNEL32(0100B99E,00000104,00000001,DirectX 9.0 Web setup,00000000), ref: 010031AB
                                                                                                                      • CharUpperA.USER32(?), ref: 010031F2
                                                                                                                      • CharUpperA.USER32(-0000004F), ref: 0100327E
                                                                                                                      • lstrcmpiA.KERNEL32(RegServer,?), ref: 010032FB
                                                                                                                      • CharUpperA.USER32(?), ref: 0100332C
                                                                                                                      • CharUpperA.USER32(-0000004E), ref: 01003390
                                                                                                                      • lstrlenA.KERNEL32(0000002F), ref: 010033F4
                                                                                                                      • CharUpperA.USER32(?,0000002F,00000000), ref: 0100341F
                                                                                                                      • lstrcpyA.KERNEL32(0100B89A,0000002F), ref: 01003445
                                                                                                                      • lstrlenA.KERNEL32(0000002F), ref: 010034A7
                                                                                                                      • lstrcpyA.KERNEL32(0100BAA2,0000002F,0000002F,00000000,0000002F,0000005D,0000002F,0000005B), ref: 01003510
                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 01003527
                                                                                                                      • ExitProcess.KERNEL32 ref: 0100352F
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                      • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Char$Upper$lstrcpylstrlen$CloseExitFileHandleModuleNameNextProcesslstrcmpi
                                                                                                                      • String ID: "$-$:$DirectX 9.0 Web setup$RegServer
                                                                                                                      • API String ID: 497476604-3032641433
                                                                                                                      • Opcode ID: 371de19490df7cb82253388f7ccfcefcc3d42cf60ba8daf27433a3a64da543f6
                                                                                                                      • Instruction ID: dd2cde4f62ecb0696e2bc8a39cc73c6255fd3d926b1c092d9355c5c2792a8576
                                                                                                                      • Opcode Fuzzy Hash: 371de19490df7cb82253388f7ccfcefcc3d42cf60ba8daf27433a3a64da543f6
                                                                                                                      • Instruction Fuzzy Hash: 74C1E075908694AEFB738B2C88493FA7FE4BB12341F4840D6E6C19E1D5CBB88685CB51
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 01002AA6: LoadStringA.USER32(?,00000200,?,LoadString() Error. Could not load string resource.), ref: 01002AC1
                                                                                                                      • MessageBoxA.USER32(00000000,?,DirectX 9.0 Web setup,00000000), ref: 01003946
                                                                                                                      • lstrlenA.KERNEL32(0000007F,?,?,00000200,00000001,DirectX 9.0 Web setup), ref: 01003963
                                                                                                                      • lstrlenA.KERNEL32(00000000), ref: 0100396A
                                                                                                                      • lstrlenA.KERNEL32(00000000), ref: 01003975
                                                                                                                      • LocalAlloc.KERNEL32(00000040,00000064), ref: 0100397E
                                                                                                                      • wsprintfA.USER32 ref: 01003998
                                                                                                                      • lstrlenA.KERNEL32(00000000,?,?,00000200,00000001,DirectX 9.0 Web setup), ref: 010039B2
                                                                                                                      • lstrlenA.KERNEL32(00000000), ref: 010039BD
                                                                                                                      • LocalAlloc.KERNEL32(00000040,00000064), ref: 010039C6
                                                                                                                      • wsprintfA.USER32 ref: 010039E1
                                                                                                                      • lstrlenA.KERNEL32(00000000,?,?,00000200,00000001,DirectX 9.0 Web setup), ref: 010039F3
                                                                                                                      • LocalAlloc.KERNEL32(00000040,00000001), ref: 010039FD
                                                                                                                      • lstrcpyA.KERNEL32(00000000,00000000), ref: 01003A15
                                                                                                                      • MessageBeep.USER32(?), ref: 01003A1E
                                                                                                                      • MessageBoxA.USER32(00000000,00000000,DirectX 9.0 Web setup,00000000), ref: 01003A5E
                                                                                                                      • LocalFree.KERNEL32(00000000), ref: 01003A67
                                                                                                                        • Part of subcall function 01005D22: GetVersionExA.KERNEL32(?), ref: 01005D57
                                                                                                                        • Part of subcall function 01005D22: GetSystemMetrics.USER32(0000004A), ref: 01005D85
                                                                                                                        • Part of subcall function 01005D22: RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 01005DA4
                                                                                                                        • Part of subcall function 01005D22: RegQueryValueExA.ADVAPI32(?,01001251,00000000,?,?,?,?), ref: 01005DC5
                                                                                                                        • Part of subcall function 01005D22: RegCloseKey.ADVAPI32(?), ref: 01005DD0
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                      • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: lstrlen$Local$AllocMessage$wsprintf$BeepCloseFreeLoadMetricsOpenQueryStringSystemValueVersionlstrcpy
                                                                                                                      • String ID: DirectX 9.0 Web setup$LoadString() Error. Could not load string resource.
                                                                                                                      • API String ID: 374963636-2857572701
                                                                                                                      • Opcode ID: 29eaf20adb8414ecd2b4ec2a36024fe3784d745325a63702e793e7b321412cb4
                                                                                                                      • Instruction ID: 9f594f166ace6732594a8fb8e6c25f38449a5eba683ea2e31a4322fc80030977
                                                                                                                      • Opcode Fuzzy Hash: 29eaf20adb8414ecd2b4ec2a36024fe3784d745325a63702e793e7b321412cb4
                                                                                                                      • Instruction Fuzzy Hash: A6416631500259AFFB63AB64DC49FEA3AA8FF04350F040551FDC1DA195DBB5CA94CBA0
                                                                                                                      APIs
                                                                                                                      • LoadStringA.USER32(000003E8,0100A640,00000200), ref: 01004EAF
                                                                                                                      • GetDesktopWindow.USER32 ref: 01005009
                                                                                                                      • SetWindowTextA.USER32(?,DirectX 9.0 Web setup), ref: 0100501F
                                                                                                                      • SendDlgItemMessageA.USER32(?,00000835,000000C5,00000103,00000000), ref: 01005038
                                                                                                                      • GetDlgItem.USER32(?,00000836), ref: 01005051
                                                                                                                      • EnableWindow.USER32(00000000), ref: 01005058
                                                                                                                      • EndDialog.USER32(?,00000000), ref: 01005065
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                      • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Window$Item$DesktopDialogEnableLoadMessageSendStringText
                                                                                                                      • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DirectX 9.0 Web setup
                                                                                                                      • API String ID: 2418873061-624023041
                                                                                                                      • Opcode ID: 631fb0b2ebf77da2618df05cbc4a49d4bbcce4c3538e6841af407c24bcd3fbff
                                                                                                                      • Instruction ID: 5d03767cd6d44e1ff7b95dfa45677d46a9542d139ef34e3ffbaad0eb8858980f
                                                                                                                      • Opcode Fuzzy Hash: 631fb0b2ebf77da2618df05cbc4a49d4bbcce4c3538e6841af407c24bcd3fbff
                                                                                                                      • Instruction Fuzzy Hash: EF519070241745BAF6735B668C4CFAF2EACEB86B45F004018B7C5EA0C5DAB9C611C7B8
                                                                                                                      APIs
                                                                                                                      • TerminateThread.KERNEL32(00000000), ref: 010050B2
                                                                                                                      • EndDialog.USER32(?,?), ref: 010050BE
                                                                                                                      • ResetEvent.KERNEL32 ref: 010050DF
                                                                                                                      • SetEvent.KERNEL32(000004B2,01001251,00000000,00000020,00000004), ref: 0100510F
                                                                                                                      • GetDesktopWindow.USER32 ref: 01005146
                                                                                                                      • GetDlgItem.USER32(?,0000083B), ref: 01005176
                                                                                                                      • SendMessageA.USER32(00000000,?,?,00000000), ref: 0100517F
                                                                                                                      • GetDlgItem.USER32(?,0000083B), ref: 01005191
                                                                                                                      • SendMessageA.USER32(00000000,?,?,00000000), ref: 01005194
                                                                                                                      • SetWindowTextA.USER32(?,DirectX 9.0 Web setup), ref: 010051A2
                                                                                                                      • CreateThread.KERNEL32(00000000,00000000,Function_000049DB,00000000,00000000,0100AA48), ref: 010051B6
                                                                                                                      • EndDialog.USER32(?,00000000), ref: 010051D7
                                                                                                                      • EndDialog.USER32(?,00000000), ref: 010051FC
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                      • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Dialog$EventItemMessageSendThreadWindow$CreateDesktopResetTerminateText
                                                                                                                      • String ID: DirectX 9.0 Web setup
                                                                                                                      • API String ID: 2636921890-3102400635
                                                                                                                      • Opcode ID: 2e5909da755b8dd92093ec91b293cd0599467003ecf1b2f192f568b12a924e3b
                                                                                                                      • Instruction ID: 23f09e72cf5f3eaed0e006cdafc8c359d8237540093a3079cf3abfc6ea3c4f62
                                                                                                                      • Opcode Fuzzy Hash: 2e5909da755b8dd92093ec91b293cd0599467003ecf1b2f192f568b12a924e3b
                                                                                                                      • Instruction Fuzzy Hash: 0A415F31641225FBFB331B689C49EAA3EA8EB46B50F004011F6C5A64D9C77A9951CFD4
                                                                                                                      APIs
                                                                                                                      • LoadLibraryA.KERNEL32(SHELL32.DLL,0100A640,0100A338,?), ref: 010046E2
                                                                                                                      • GetProcAddress.KERNEL32(00000000,SHBrowseForFolder), ref: 01004703
                                                                                                                      • GetProcAddress.KERNEL32(00000000,000000C3), ref: 01004716
                                                                                                                      • GetProcAddress.KERNEL32(00000000,SHGetPathFromIDList), ref: 01004729
                                                                                                                      • GetTempPathA.KERNEL32(00000104,0100AA80), ref: 01004749
                                                                                                                      • lstrlenA.KERNEL32(0100AA80), ref: 01004750
                                                                                                                      • CharPrevA.USER32(0100AA80,00000000), ref: 01004760
                                                                                                                      • CharPrevA.USER32(0100AA80,00000000), ref: 0100476C
                                                                                                                      • lstrcpyA.KERNEL32(?,0100AA80), ref: 010047BD
                                                                                                                      • FreeLibrary.KERNEL32(?), ref: 010047CC
                                                                                                                      • FreeLibrary.KERNEL32(00000000), ref: 010047DC
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                      • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AddressLibraryProc$CharFreePrev$LoadPathTemplstrcpylstrlen
                                                                                                                      • String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
                                                                                                                      • API String ID: 2439948570-1731843650
                                                                                                                      • Opcode ID: 3324b512f0aa79aaecc928bbb591f72aff6d5178d9e94c9ee451a4be34d2a9a1
                                                                                                                      • Instruction ID: 193eb6bc1a1b02d365b45401d2cfe27bf2cb542b23eb453a0d77d81c3b9a3dce
                                                                                                                      • Opcode Fuzzy Hash: 3324b512f0aa79aaecc928bbb591f72aff6d5178d9e94c9ee451a4be34d2a9a1
                                                                                                                      • Instruction Fuzzy Hash: 3F315EB1A01258BFEB139F69CC88DAE7FB8BF0A340F554069F688E6180C7758945CB65
                                                                                                                      APIs
                                                                                                                      • CharUpperA.USER32(?,00000001,?,00000000), ref: 010020A8
                                                                                                                      • CharNextA.USER32(?), ref: 010020B7
                                                                                                                      • CharNextA.USER32(00000000), ref: 010020BA
                                                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,00000000), ref: 01002110
                                                                                                                      • RegQueryValueExA.ADVAPI32(?,01001251,00000000,?,?,?), ref: 01002133
                                                                                                                      • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 0100214E
                                                                                                                      • lstrcpyA.KERNEL32(?,?), ref: 01002162
                                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 01002176
                                                                                                                      • lstrcpyA.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 010020EA
                                                                                                                        • Part of subcall function 01005B32: lstrlenA.KERNEL32(01003456,0000002F,0100B89A,01003456,0100B89A,01001251), ref: 01005B39
                                                                                                                        • Part of subcall function 01005B32: CharPrevA.USER32(01003456,00000000), ref: 01005B49
                                                                                                                        • Part of subcall function 01005B32: lstrcpyA.KERNEL32(00000000,?), ref: 01005B66
                                                                                                                      • GetWindowsDirectoryA.KERNEL32(?,?), ref: 01002184
                                                                                                                      • GetSystemDirectoryA.KERNEL32(?,?), ref: 01002198
                                                                                                                      Strings
                                                                                                                      • Software\Microsoft\Windows\CurrentVersion\App Paths, xrefs: 010020D6
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                      • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                      • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Char$lstrcpy$DirectoryNext$CloseEnvironmentExpandOpenPrevQueryStringsSystemUpperValueWindowslstrlen
                                                                                                                      • String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
                                                                                                                      • API String ID: 347548745-2428544900
                                                                                                                      • Opcode ID: a6771fd5372bea0d88a9c6ef6506abc8c0f7b881c05286ce2042d5bdc15aa5be
                                                                                                                      • Instruction ID: d6a3e7514927295ec277a6c60e19e56b03ab3a9e12423da05e88d21a123d547c
                                                                                                                      • Opcode Fuzzy Hash: a6771fd5372bea0d88a9c6ef6506abc8c0f7b881c05286ce2042d5bdc15aa5be
                                                                                                                      • Instruction Fuzzy Hash: E0314A79900248BFEF228F64CC48FEE7BBDAF15350F008095FA84A6090D7B5DA958F90
                                                                                                                      APIs
                                                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,0002001F,?,00000000), ref: 01001BB7
                                                                                                                      • RegQueryValueExA.ADVAPI32(?,wextract_cleanup0,00000000,00000000,?,00000000,74DEF530), ref: 01001BE3
                                                                                                                      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 01001C12
                                                                                                                      • wsprintfA.USER32 ref: 01001C46
                                                                                                                      • lstrlenA.KERNEL32(?), ref: 01001C56
                                                                                                                      • RegSetValueExA.ADVAPI32(?,wextract_cleanup0,00000000,00000001,?,00000001), ref: 01001C6C
                                                                                                                        • Part of subcall function 01005B32: lstrlenA.KERNEL32(01003456,0000002F,0100B89A,01003456,0100B89A,01001251), ref: 01005B39
                                                                                                                        • Part of subcall function 01005B32: CharPrevA.USER32(01003456,00000000), ref: 01005B49
                                                                                                                        • Part of subcall function 01005B32: lstrcpyA.KERNEL32(00000000,?), ref: 01005B66
                                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 01001C75
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                      • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                      • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Valuelstrlen$CharCloseDirectoryOpenPrevQuerySystemlstrcpywsprintf
                                                                                                                      • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup0
                                                                                                                      • API String ID: 11565330-2036266374
                                                                                                                      • Opcode ID: 5599e54c7d9c30600de5d0d1969bc1e94db08515ae13c163f555adafc5244e2b
                                                                                                                      • Instruction ID: 2fb7fcdbff80cae6b570ff950ba8ccadd0e573114065fe0f363dccfd66d38777
                                                                                                                      • Opcode Fuzzy Hash: 5599e54c7d9c30600de5d0d1969bc1e94db08515ae13c163f555adafc5244e2b
                                                                                                                      • Instruction Fuzzy Hash: 25215375A4021CBBEB22DBA5DD49FDABB7CEB08740F0000A5F689E6081D7B5DB448F60
                                                                                                                      APIs
                                                                                                                      • wsprintfA.USER32 ref: 0100358A
                                                                                                                      • FindResourceA.KERNEL32(00000000,?,0000000A), ref: 01003596
                                                                                                                      • LoadResource.KERNEL32(00000000,00000000,00000000,?,?,?,?,01005A22,00000000,01005ACB,?,?,01005ACB), ref: 010035AB
                                                                                                                      • LockResource.KERNEL32(00000000,?,?,?,?,01005A22,00000000,01005ACB,?,?,01005ACB), ref: 010035B2
                                                                                                                      • lstrlenA.KERNEL32(00000008,?,?,?,?,01005A22,00000000,01005ACB,?,?,01005ACB), ref: 010035CD
                                                                                                                      • FreeResource.KERNEL32(00000000,?,?,?,?,01005A22,00000000,01005ACB,?,?,01005ACB), ref: 010035E7
                                                                                                                      • wsprintfA.USER32 ref: 010035FC
                                                                                                                      • FindResourceA.KERNEL32(00000000,?,0000000A), ref: 01003609
                                                                                                                      • FreeResource.KERNEL32(00000000,?,?,?,?,01005A22,00000000,01005ACB,?,?,01005ACB), ref: 01003628
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                      • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                      • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Resource$FindFreewsprintf$LoadLocklstrlen
                                                                                                                      • String ID: UPDFILE%lu
                                                                                                                      • API String ID: 3821519360-2329316264
                                                                                                                      • Opcode ID: cefe3b29808c0de11ca19ee608c6f983850b7a9791d33d4cc506cee2b882d878
                                                                                                                      • Instruction ID: 67bd43b507032c87e08e44f5702343a162528d16cb23afe419e5d1f44a4bfc8c
                                                                                                                      • Opcode Fuzzy Hash: cefe3b29808c0de11ca19ee608c6f983850b7a9791d33d4cc506cee2b882d878
                                                                                                                      • Instruction Fuzzy Hash: C8215171A00209AFDB12DFD5DC88AEEBBF8FB48701F108055F585E6144D776D6008B61
                                                                                                                      APIs
                                                                                                                      • GetModuleFileNameA.KERNEL32(00000104,00000104,00000000,74DE83C0), ref: 01002235
                                                                                                                      • IsDBCSLeadByte.KERNEL32(00000000,?,74DEE800), ref: 01002256
                                                                                                                      • CharNextA.USER32(?,?,74DEE800), ref: 01002270
                                                                                                                      • CharUpperA.USER32(00000000,?,74DEE800), ref: 01002278
                                                                                                                      • lstrlenA.KERNEL32(?,?,?,74DEE800), ref: 01002291
                                                                                                                      • CharPrevA.USER32(?,?,?,74DEE800), ref: 0100229D
                                                                                                                      • CharUpperA.USER32(00000000,?,74DEE800), ref: 010022B5
                                                                                                                      • lstrcpyA.KERNEL32(?,?,?,74DEE800), ref: 010022C5
                                                                                                                      • lstrlenA.KERNEL32(?,?,74DEE800), ref: 010022D0
                                                                                                                      • CharNextA.USER32(?,?,74DEE800), ref: 010022DC
                                                                                                                      • CharNextA.USER32(?,?,74DEE800), ref: 010022E1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                      • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                      • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Char$Next$Upperlstrlen$ByteFileLeadModuleNamePrevlstrcpy
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2740425872-0
                                                                                                                      • Opcode ID: 6f55dd0f941396175fb476c6ce2b428a4e45a6200b6cc63fadfff151ab2f4b34
                                                                                                                      • Instruction ID: c065ed5666d739eb8cb46574119231d274ae865d8c51cf87fce0dafe64722b0d
                                                                                                                      • Opcode Fuzzy Hash: 6f55dd0f941396175fb476c6ce2b428a4e45a6200b6cc63fadfff151ab2f4b34
                                                                                                                      • Instruction Fuzzy Hash: B631B1714083816FE773DFB88848BAABBEC6F4A700F58489AE5D0D3182D779D445CB66
                                                                                                                      APIs
                                                                                                                      • LoadLibraryA.KERNEL32(advapi32.dll,00000000,?,?,010016C1,?,00000000,?,01004E0E,?,?,00000000), ref: 0100161A
                                                                                                                      • GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0100162E
                                                                                                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,DirectX 9.0 Web setup,?,?,010016C1), ref: 0100165E
                                                                                                                      • FreeSid.ADVAPI32(00000000,?,?,010016C1), ref: 01001672
                                                                                                                      • FreeLibrary.KERNEL32(010016C1,?,?,010016C1,?,00000000,?,01004E0E,?,?,00000000), ref: 0100167C
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                      • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                      • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: FreeLibrary$AddressAllocateInitializeLoadProc
                                                                                                                      • String ID: CheckTokenMembership$DirectX 9.0 Web setup$advapi32.dll
                                                                                                                      • API String ID: 4204503880-3291049768
                                                                                                                      • Opcode ID: 05aef74ab9c6aad8ac387d91b692b6fb9c51c55194fb5577f0a734ca75a63f4d
                                                                                                                      • Instruction ID: 7c54915b23e232019903c0576df7497f5bb26148f144bc74401e3466b5a6cae1
                                                                                                                      • Opcode Fuzzy Hash: 05aef74ab9c6aad8ac387d91b692b6fb9c51c55194fb5577f0a734ca75a63f4d
                                                                                                                      • Instruction Fuzzy Hash: 87117071944289FBDB12DFA99C48ADEBFB8EF18344F540099F181A3181C6758A04CB65
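The two function records above are the ones a responder most wants to triage mechanically from this listing: the function at 01001BB7 opens HKLM\...\CurrentVersion\RunOnce and writes the wextract_cleanup0 value (the stock IExpress/wextract self-cleanup, a rundll32 advpack.dll,DelNodeRunDLL32 command that deletes the IXP000.TMP extraction directory), and the function at 0100161A resolves CheckTokenMembership from advapi32.dll and builds a two-subauthority SID with relative IDs 0x20 and 0x220 (32-544, the BUILTIN\Administrators alias under the NT authority). The following Python is an added example and is not part of the Joe Sandbox report or of the sample: it parses lines in the report's "• Func.DLL(args), ref: addr" format, pairs a RegOpenKeyExA on a Run/RunOnce key with the RegSetValueExA that follows it, and rebuilds the SID from the AllocateAndInitializeSid arguments. The sample lines are copied from the two records; the identifier authority is passed by pointer and shows as "?" in the dump, so the NT authority value 5 is an assumption that must be confirmed in the disassembly before the SID is reported as BUILTIN\Administrators.

```python
import re

# Constructed sample input: API-call lines copied from the two function
# records above (RunOnce writer at 01001BB7.., admin-SID helper at 0100161A..).
SAMPLE_RUNONCE = [
    r"• RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,0002001F,?,00000000), ref: 01001BB7",
    r"• RegQueryValueExA.ADVAPI32(?,wextract_cleanup0,00000000,00000000,?,00000000,74DEF530), ref: 01001BE3",
    r"• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 01001C12",
    r"• wsprintfA.USER32 ref: 01001C46",
    r"• lstrlenA.KERNEL32(?), ref: 01001C56",
    r"• RegSetValueExA.ADVAPI32(?,wextract_cleanup0,00000000,00000001,?,00000001), ref: 01001C6C",
    r"• Part of subcall function 01005B32: lstrlenA.KERNEL32(01003456,0000002F,0100B89A,01003456,0100B89A,01001251), ref: 01005B39",
    r"• RegCloseKey.ADVAPI32(?), ref: 01001C75",
]
SAMPLE_SID = [
    r"• LoadLibraryA.KERNEL32(advapi32.dll,00000000,?,?,010016C1,?,00000000,?,01004E0E,?,?,00000000), ref: 0100161A",
    r"• GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0100162E",
    r"• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,DirectX 9.0 Web setup,?,?,010016C1), ref: 0100165E",
    r"• FreeSid.ADVAPI32(00000000,?,?,010016C1), ref: 01001672",
]

# One report line: optional subcall prefix, Func.DLL, optional (args), ref: addr
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<callee>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>\w+)\.(?P<dll>\w+)(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
AUTOSTART_KEY = re.compile(r"CurrentVersion\\Run(Once|OnceEx|Services)?$", re.I)
WELL_KNOWN_SIDS = {"S-1-5-32-544": "BUILTIN\\Administrators", "S-1-5-32-545": "BUILTIN\\Users"}


def parse_api_lines(lines):
    """Parse '• Func.DLL(args), ref: addr' lines into dicts; non-matching lines are skipped."""
    calls = []
    for line in lines:
        m = API_LINE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append({"func": m.group("func"), "dll": m.group("dll"), "ref": m.group("ref"),
                      "args": args.split(",") if args is not None else [],
                      "subcall": m.group("callee")})  # set for 'Part of subcall function' lines
    return calls


def hive_name(arg):
    """Map a predefined HKEY handle (hex text) to its name; an unresolved '?' passes through."""
    try:
        return HIVES.get(int(arg, 16), arg)
    except ValueError:
        return arg


def find_autostart_writes(calls):
    """Pair a RegOpenKeyExA/RegCreateKeyExA on a Run* key with the RegSetValueExA that follows."""
    hits, open_key = [], None
    for c in calls:
        if c["subcall"]:
            continue  # callee internals are not this function's own registry logic
        if c["func"] in ("RegOpenKeyExA", "RegCreateKeyExA") and len(c["args"]) > 1:
            path = c["args"][1]
            open_key = "%s\\%s" % (hive_name(c["args"][0]), path) if AUTOSTART_KEY.search(path) else None
        elif c["func"] == "RegSetValueExA" and open_key and len(c["args"]) > 1:
            hits.append({"key": open_key, "value": c["args"][1], "ref": c["ref"]})
        elif c["func"] == "RegCloseKey":
            open_key = None
    return hits


def decode_sid_call(call, authority=5):
    """Rebuild the SID from AllocateAndInitializeSid(pAuthority, count, sub0..sub7, ...).
    The authority is passed by pointer and shows as '?' in the dump, so the NT authority
    (5) is an assumption here; confirm it against the SID_IDENTIFIER_AUTHORITY the code pushes."""
    args = call["args"]
    count = int(args[1], 16)
    subs = [int(a, 16) for a in args[2:2 + count]]
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))


def admin_check_indicators(calls):
    """Names of well-known SIDs built in a function that also resolves CheckTokenMembership."""
    uses_ctm = any(c["func"] == "GetProcAddress" and "CheckTokenMembership" in c["args"] for c in calls)
    if not uses_ctm:
        return []
    sids = [decode_sid_call(c) for c in calls if c["func"] == "AllocateAndInitializeSid"]
    return [WELL_KNOWN_SIDS.get(s, s) for s in sids]


if __name__ == "__main__":
    for hit in find_autostart_writes(parse_api_lines(SAMPLE_RUNONCE)):
        print("autostart write: %(key)s\\%(value)s at %(ref)s" % hit)
    print("admin check against:", admin_check_indicators(parse_api_lines(SAMPLE_SID)))
```

The pairing deliberately ignores "Part of subcall function" lines, since those belong to the callee and would otherwise attach a callee's RegSetValueExA to the caller's open key; the SID decoder reads the subauthority count from the second argument rather than assuming two, so a SID such as a domain RID would be rebuilt correctly as well.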
                                                                                                                      APIs
                                                                                                                      • SetFileAttributesA.KERNEL32(00670838,00000080,?,?,00000000), ref: 01002EE4
                                                                                                                      • DeleteFileA.KERNEL32(00670838,?,?,00000000), ref: 01002EEC
                                                                                                                      • LocalFree.KERNEL32(00670838,?,?,00000000), ref: 01002EF7
                                                                                                                      • LocalFree.KERNEL32(00670838,?,?,00000000), ref: 01002EFA
                                                                                                                      • lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000), ref: 01002F25
                                                                                                                      • SetCurrentDirectoryA.KERNEL32(01001284,?,00000000), ref: 01002F43
                                                                                                                      Strings
                                                                                                                      • C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 01002F1B
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                      • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                      • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: FileFreeLocal$AttributesCurrentDeleteDirectorylstrcpy
                                                                                                                      • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                                                                                      • API String ID: 2574644873-305352358
                                                                                                                      • Opcode ID: 93e692ac1587df938e33032a71ea2a0dccc3e90e8b89d3b20b57e192b1dc1fa6
                                                                                                                      • Instruction ID: 960ce29c7a69c0d0d6bd76a451a08647df6ffba3f75ce7ea97df57adcc28d351
                                                                                                                      • Opcode Fuzzy Hash: 93e692ac1587df938e33032a71ea2a0dccc3e90e8b89d3b20b57e192b1dc1fa6
                                                                                                                      • Instruction Fuzzy Hash: DB11E27A500259DFFB73EF58E94C96577E8FB04340F45406EE2C052198CBBB9548CB50
                                                                                                                      APIs
                                                                                                                      • EndDialog.USER32(?,00000000), ref: 010037A8
                                                                                                                      • GetDesktopWindow.USER32 ref: 010037B8
                                                                                                                      • SetDlgItemTextA.USER32(?,00000834,?), ref: 010037D5
                                                                                                                      • SetWindowTextA.USER32(?,DirectX 9.0 Web setup), ref: 010037E1
                                                                                                                      • SetForegroundWindow.USER32(?), ref: 010037E8
                                                                                                                      • GetDlgItem.USER32(?,00000834), ref: 010037F5
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                      • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                      • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Window$ItemText$DesktopDialogForeground
                                                                                                                      • String ID: DirectX 9.0 Web setup
                                                                                                                      • API String ID: 882158425-3102400635
                                                                                                                      • Opcode ID: 31fca7addef12a85220fc4ee9a434365704a7fa7ebee4832296a44cf362da215
                                                                                                                      • Instruction ID: b92666fedc931ae2314974b143b7e110fb4808a8db69f0f48a9fcf9bb23ff515
                                                                                                                      • Opcode Fuzzy Hash: 31fca7addef12a85220fc4ee9a434365704a7fa7ebee4832296a44cf362da215
                                                                                                                      • Instruction Fuzzy Hash: 7B01B135045201AFF7232BA09C4CAFE3EA8FF4A761F000565F5D9980C1C7798241D7A2
APIs
• FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A48
• SizeofResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A4C
• FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A68
• LoadResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A6C
• LockResource.KERNEL32(00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A73
• FreeResource.KERNEL32(00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A97
Strings
Memory Dump Source
• Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
Similarity
• API ID: Resource$Find$FreeLoadLockSizeof
• String ID: DirectX 9.0 Web setup
• API String ID: 468261009-3102400635
APIs
• EndDialog.USER32(?,?), ref: 01003878
• GetDesktopWindow.USER32 ref: 01003882
• SetWindowTextA.USER32(?,DirectX 9.0 Web setup), ref: 01003898
• SetDlgItemTextA.USER32(?,00000838), ref: 010038AA
• SetForegroundWindow.USER32(?), ref: 010038B1
• EndDialog.USER32(?,00000002), ref: 010038BE
Strings
Similarity
• API ID: Window$DialogText$DesktopForegroundItem
• String ID: DirectX 9.0 Web setup
• API String ID: 852535152-3102400635
APIs
• GlobalFree.KERNEL32(00000000), ref: 010027EB
  • Part of subcall function 01002081: CharUpperA.USER32(?,00000001,?,00000000), ref: 010020A8
  • Part of subcall function 01002081: CharNextA.USER32(?), ref: 010020B7
  • Part of subcall function 01002081: CharNextA.USER32(00000000), ref: 010020BA
  • Part of subcall function 01002081: lstrcpyA.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 010020EA
  • Part of subcall function 01002081: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,00000000), ref: 01002110
  • Part of subcall function 01002081: RegQueryValueExA.ADVAPI32(?,01001251,00000000,?,?,?), ref: 01002133
  • Part of subcall function 01002081: ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 0100214E
  • Part of subcall function 01002081: lstrcpyA.KERNEL32(?,?), ref: 01002162
  • Part of subcall function 01002081: RegCloseKey.ADVAPI32(?), ref: 01002176
• GetFileVersionInfoSizeA.VERSION(?,?,?,00000001,?,?,?,?,00000104,?,?,?,?,?,?,?), ref: 010026EF
• GlobalAlloc.KERNEL32(00000042,00000000,0000003C,?,0000003C,00000001,?,?,?,?,00000001,?,?,?,?,00000104), ref: 01002702
• GlobalLock.KERNEL32(00000000), ref: 01002714
• GetFileVersionInfoA.VERSION(0000003C,?,?,00000000), ref: 0100272E
• VerQueryValueA.VERSION(00000000,0100132C,0000003C,0000003C,0000003C,?,?,00000000), ref: 01002745
• GlobalUnlock.KERNEL32(00000000), ref: 010027AC
• GlobalUnlock.KERNEL32(00000000), ref: 010027FB
Similarity
• API ID: Global$Char$FileInfoNextQueryUnlockValueVersionlstrcpy$AllocCloseEnvironmentExpandFreeLockOpenSizeStringsUpper
• String ID:
• API String ID: 2416581039-0
APIs
• lstrlenA.KERNEL32(00000104,?,?,?,01004972,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002ADB
• lstrlenA.KERNEL32(?,?,?,?,01004972,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002AE2
• lstrcpyA.KERNEL32(?,00000104,?,?,?,01004972,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002AF8
• lstrlenA.KERNEL32(?,?,?,?,01004972,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002AFF
• lstrlenA.KERNEL32(?,?,?,?,01004972,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002B09
• lstrlenA.KERNEL32(?,?,?,?,01004972,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002B13
• lstrlenA.KERNEL32(?,?,?,?,01004972,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002B1A
• lstrcatA.KERNEL32(?,?,?,?,?,01004972,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002B25
Similarity
• API ID: lstrlen$lstrcatlstrcpy
• String ID:
• API String ID: 2414487701-0
APIs
• GetWindowRect.USER32(?,?), ref: 0100297F
• GetWindowRect.USER32(010017FA,?), ref: 01002994
• GetDC.USER32(?), ref: 010029A8
• GetDeviceCaps.GDI32(00000000,00000008), ref: 010029B4
• GetDeviceCaps.GDI32(010017FA,0000000A), ref: 010029C2
• ReleaseDC.USER32(?,010017FA), ref: 010029D1
• SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005), ref: 01002A27
Similarity
• API ID: Window$CapsDeviceRect$Release
• String ID:
• API String ID: 2212493051-0
APIs
  • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A48
  • Part of subcall function 01002A34: SizeofResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A4C
  • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A68
  • Part of subcall function 01002A34: LoadResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A6C
  • Part of subcall function 01002A34: LockResource.KERNEL32(00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A73
• LocalAlloc.KERNEL32(00000040,00000001,LICENSE,00000000,00000000,?,00000000,?,0100592D,00000000,01005A22,00000000,01005ACB,?,?,01005ACB), ref: 0100449B
• LocalFree.KERNEL32(00000000,000004B1,00000000,00000000,00000010,00000000,LICENSE,00000000,00000000,?,00000000,?,0100592D,00000000,01005A22,00000000), ref: 010044E8
  • Part of subcall function 010038CC: MessageBoxA.USER32(00000000,?,DirectX 9.0 Web setup,00000000), ref: 01003946
  • Part of subcall function 01003547: GetLastError.KERNEL32(74E04B00,01004003), ref: 0100354E
  • Part of subcall function 01003547: GetLastError.KERNEL32 ref: 01003554
• LocalFree.KERNEL32(?,00000000,?,0100592D,00000000,01005A22,00000000,01005ACB,?,?,01005ACB,00000000), ref: 0100454D
Strings
Similarity
• API ID: Resource$Local$ErrorFindFreeLast$AllocLoadLockMessageSizeof
• String ID: <None>$LICENSE
• API String ID: 3899723493-383193767
APIs
• GetWindowsDirectoryA.KERNEL32(?,00000104,?), ref: 01001DF7
  • Part of subcall function 01005B32: lstrlenA.KERNEL32(01003456,0000002F,0100B89A,01003456,0100B89A,01001251), ref: 01005B39
  • Part of subcall function 01005B32: CharPrevA.USER32(01003456,00000000), ref: 01005B49
  • Part of subcall function 01005B32: lstrcpyA.KERNEL32(00000000,?), ref: 01005B66
• WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,?), ref: 01001E1D
• _lopen.KERNEL32(?,00000040), ref: 01001E2C
• _llseek.KERNEL32(00000000,00000000,00000002), ref: 01001E3D
• _lclose.KERNEL32(00000000), ref: 01001E46
Strings
Similarity
• API ID: CharDirectoryPrevPrivateProfileStringWindowsWrite_lclose_llseek_lopenlstrcpylstrlen
• String ID: wininit.ini
• API String ID: 1211533111-4206010578
                                                                                                                      • Opcode ID: f92e39143841338b23a30a7285bd343bbb73fc4a946f94324873422716c0777d
                                                                                                                      • Instruction ID: b7b4abcde96b08424be1b8ef761040528c423947c2d44bd333b95f446d3817fe
                                                                                                                      • Opcode Fuzzy Hash: f92e39143841338b23a30a7285bd343bbb73fc4a946f94324873422716c0777d
                                                                                                                      • Instruction Fuzzy Hash: BCF0AFB6600194A7E732E7799D8CEEB3ABCAB85710F000095B7D9E30C0D6B8C9458B70
                                                                                                                      APIs
                                                                                                                      • lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 0100368D
                                                                                                                        • Part of subcall function 01005B32: lstrlenA.KERNEL32(01003456,0000002F,0100B89A,01003456,0100B89A,01001251), ref: 01005B39
                                                                                                                        • Part of subcall function 01005B32: CharPrevA.USER32(01003456,00000000), ref: 01005B49
                                                                                                                        • Part of subcall function 01005B32: lstrcpyA.KERNEL32(00000000,?), ref: 01005B66
                                                                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?), ref: 010036B8
                                                                                                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 010036E2
                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 010036FF
                                                                                                                      Strings
                                                                                                                      • C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 01003675
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                      • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Filelstrcpy$CharCloseCreateHandlePrevWritelstrlen
                                                                                                                      • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                                                                                      • API String ID: 3080743287-305352358
                                                                                                                      • Opcode ID: f3c43e67ddf95b47fdb9e484ccd9ecd1a78d65d94e8c236f23dda56cc12f1390
                                                                                                                      • Instruction ID: 19b174ac764301658f5366c9defac34423b59d1cd1d6115009132bdfdfa86dce
                                                                                                                      • Opcode Fuzzy Hash: f3c43e67ddf95b47fdb9e484ccd9ecd1a78d65d94e8c236f23dda56cc12f1390
                                                                                                                      • Instruction Fuzzy Hash: 48114F71900218EBDB22DF55DC88EDE7F7CFB49760F108155F58596184C7B59A84CFA0
                                                                                                                      APIs
                                                                                                                      • FindResourceA.KERNEL32(00000000,?,00000005), ref: 01004170
                                                                                                                      • LoadResource.KERNEL32(00000000,00000000,?,01004E32,000007D6,00000000,010017B1,00000547,0000083E,?,?,00000000), ref: 0100417E
                                                                                                                      • DialogBoxIndirectParamA.USER32(00000000,00000000,?,0000083E,00000547), ref: 0100419D
                                                                                                                      • FreeResource.KERNEL32(00000000,?,01004E32,000007D6,00000000,010017B1,00000547,0000083E,?,?,00000000), ref: 010041A6
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                      • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Resource$DialogFindFreeIndirectLoadParam
                                                                                                                      • String ID: DirectX 9.0 Web setup
                                                                                                                      • API String ID: 1214682469-3102400635
                                                                                                                      • Opcode ID: e997d8be0718b2931c3f9f962151c7850337d5e5bb85679e49a3f60c032731a3
                                                                                                                      • Instruction ID: 90e970f1d2589a349edb739379ec95ef873ddad6063cdbf399ebe6a889d0bac2
                                                                                                                      • Opcode Fuzzy Hash: e997d8be0718b2931c3f9f962151c7850337d5e5bb85679e49a3f60c032731a3
                                                                                                                      • Instruction Fuzzy Hash: 21018172300219BFEB235FA9AC88DEF7AADEB553A4F014465FB81A6080C7758C5087E4
                                                                                                                      APIs
                                                                                                                      • lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 01003724
                                                                                                                        • Part of subcall function 01005B32: lstrlenA.KERNEL32(01003456,0000002F,0100B89A,01003456,0100B89A,01001251), ref: 01005B39
                                                                                                                        • Part of subcall function 01005B32: CharPrevA.USER32(01003456,00000000), ref: 01005B49
                                                                                                                        • Part of subcall function 01005B32: lstrcpyA.KERNEL32(00000000,?), ref: 01005B66
                                                                                                                      • GetFileAttributesA.KERNEL32(?,?,00000000), ref: 01003740
                                                                                                                      • LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 0100375A
                                                                                                                      • LoadLibraryA.KERNEL32(00000000), ref: 01003765
                                                                                                                      Strings
                                                                                                                      • C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 01003718
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                      • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: LibraryLoadlstrcpy$AttributesCharFilePrevlstrlen
                                                                                                                      • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                                                                                      • API String ID: 4003292530-305352358
                                                                                                                      • Opcode ID: 2a1abe798eeda10e1ecd94666a9ff7b2e6d0c61b8320ab0a73d9c68e693d9404
                                                                                                                      • Instruction ID: 9f94e3723cca4d266b99732e7a80262a7a37e234bfc11ab39ee7921fbbd2d32f
                                                                                                                      • Opcode Fuzzy Hash: 2a1abe798eeda10e1ecd94666a9ff7b2e6d0c61b8320ab0a73d9c68e693d9404
                                                                                                                      • Instruction Fuzzy Hash: E8F05EB4900608AFEB22AB64DE89EC97B68BB14305F404590F2C9E50C0D7B9E6898F50
                                                                                                                      APIs
                                                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00020006,?,?,00000000,01002F6A,?,00000000), ref: 01001968
                                                                                                                      • RegDeleteValueA.ADVAPI32(?,wextract_cleanup0,?,00000000,01002F6A,?,00000000), ref: 0100197A
                                                                                                                      • RegCloseKey.ADVAPI32(?,?,00000000,01002F6A,?,00000000), ref: 01001983
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                      • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CloseDeleteOpenValue
                                                                                                                      • String ID: Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup0
                                                                                                                      • API String ID: 849931509-702805525
                                                                                                                      • Opcode ID: 458768e2f170180f9e320fe5dbc18e42d63c941c0fb649dab67b6fa9c1c2255c
                                                                                                                      • Instruction ID: ccbb5ff6748fd46fc05444b67dc659029424084cb7ec84c162ec529ad60e6887
                                                                                                                      • Opcode Fuzzy Hash: 458768e2f170180f9e320fe5dbc18e42d63c941c0fb649dab67b6fa9c1c2255c
                                                                                                                      • Instruction Fuzzy Hash: D3E04F30740358FBF733CB959D0EF697AACA700788F100058F2C1A1095D7F6D5009714
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A48
                                                                                                                        • Part of subcall function 01002A34: SizeofResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A4C
                                                                                                                        • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A68
                                                                                                                        • Part of subcall function 01002A34: LoadResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A6C
                                                                                                                        • Part of subcall function 01002A34: LockResource.KERNEL32(00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A73
                                                                                                                      • LocalAlloc.KERNEL32(00000040,00000001,FINISHMSG,00000000,00000000,?,00000000,?,?,010059FB), ref: 01004672
                                                                                                                      • LocalFree.KERNEL32(00000000,?,00000000,?,?,010059FB), ref: 010046C9
                                                                                                                        • Part of subcall function 010038CC: MessageBoxA.USER32(00000000,?,DirectX 9.0 Web setup,00000000), ref: 01003946
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                      • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Resource$FindLocal$AllocFreeLoadLockMessageSizeof
                                                                                                                      • String ID: <None>$FINISHMSG
                                                                                                                      • API String ID: 1166655539-3091758298
                                                                                                                      • Opcode ID: 9fc84565805aa23d4fd31d628d8c3b998d3dee3f2991ba92e449fc6c41aa1772
                                                                                                                      • Instruction ID: c5b0bc608187105c25715251356598fe5d23ec77e1943fddc57e6d3d47a5b5c3
                                                                                                                      • Opcode Fuzzy Hash: 9fc84565805aa23d4fd31d628d8c3b998d3dee3f2991ba92e449fc6c41aa1772
                                                                                                                      • Instruction Fuzzy Hash: 5CF06D71241219BBF22366239C49F9B3E4CDB4A7D9F020151BBC5A50C2EAAAF400417D
                                                                                                                      APIs
                                                                                                                      • lstrlenA.KERNEL32(74DF0440,?,00000000,75BF3530,74DF0440,0100228C,?,?,74DEE800), ref: 01005B7C
                                                                                                                      • CharPrevA.USER32(74DF0440,00000000,?,74DEE800), ref: 01005B8C
                                                                                                                      • CharPrevA.USER32(74DF0440,00000000,?,74DEE800), ref: 01005B98
                                                                                                                      • CharPrevA.USER32(74DF0440,00000000,?,74DEE800), ref: 01005BAB
                                                                                                                      • CharNextA.USER32(00000000,?,74DEE800), ref: 01005BB3
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                      • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Char$Prev$Nextlstrlen
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 295585802-0
                                                                                                                      • Opcode ID: 4b52c76db2cf62ff621c8a08fa6ba7fb40a7dbd169611f4951299f618a72bbfa
                                                                                                                      • Instruction ID: 9baf6fa903052a509665a9fab5b6fb85594512577d769c7e3968725e671f5898
                                                                                                                      • Opcode Fuzzy Hash: 4b52c76db2cf62ff621c8a08fa6ba7fb40a7dbd169611f4951299f618a72bbfa
                                                                                                                      • Instruction Fuzzy Hash: 0DF0F672505A542EF7331A2D8C88E7BBFDCDB872A1F040189F6C092081DAA95C408E72
                                                                                                                      APIs
                                                                                                                      • EndDialog.USER32(?,0000083E), ref: 010017E3
                                                                                                                      • GetDesktopWindow.USER32 ref: 010017EB
                                                                                                                      • LoadStringA.USER32(?,00000000,00000200,?), ref: 01001816
                                                                                                                      • SetDlgItemTextA.USER32(?,0000083F,00000000), ref: 0100182B
                                                                                                                      • MessageBeep.USER32(000000FF), ref: 01001833
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                                      • Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      • Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      • Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1273765764-0
                                                                                                                      • Opcode ID: 52c35957c5d6308ac9e5b8dfae4ee701d5fa30329f22752cf5df4afad45c4fb5
                                                                                                                      • Instruction ID: dbb55cd7090eff77bfa65d7c4eba401a97cfafb7d2c079e3b47d5aa362050595
• Opcode Fuzzy Hash: 52c35957c5d6308ac9e5b8dfae4ee701d5fa30329f22752cf5df4afad45c4fb5
• Instruction Fuzzy Hash: D601283140024AABFB265FA4DC4CAEA3AB8BB04745F044564BAA9950E5CBB9CB51CB91
APIs
• GetVersionExA.KERNEL32(?,DirectX 9.0 Web setup), ref: 010041E9
• MessageBeep.USER32(00000000), ref: 010043C0
• MessageBoxA.USER32(00000000,?,DirectX 9.0 Web setup,?), ref: 01004439
Strings
Memory Dump Source
• Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
Similarity
• API ID: Message$BeepVersion
• String ID: DirectX 9.0 Web setup
• API String ID: 2519184315-3102400635
• Opcode ID: b07f304ec63bc814189986a0719c39693d795c7fab61f747b2dc9ea387807f31
• Instruction ID: 4e04eab14abf842a0a3c42a681093732e4e7dc93d7d51bc9d8c979872b2e196d
• Opcode Fuzzy Hash: b07f304ec63bc814189986a0719c39693d795c7fab61f747b2dc9ea387807f31
• Instruction Fuzzy Hash: A971DB30A04209DBEB77DF68DA40BAD7BE9FB44304F11806AEBD1C61E5DB76A045CB58
APIs
  • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A48
  • Part of subcall function 01002A34: SizeofResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A4C
  • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A68
  • Part of subcall function 01002A34: LoadResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A6C
  • Part of subcall function 01002A34: LockResource.KERNEL32(00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A73
• FindResourceA.KERNEL32(00000000,CABINET,0000000A), ref: 01002E89
• LoadResource.KERNEL32(00000000,00000000,?,010059A0), ref: 01002E92
• LockResource.KERNEL32(00000000,?,010059A0), ref: 01002E99
Strings
Memory Dump Source
• Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
Similarity
• API ID: Resource$Find$LoadLock$Sizeof
• String ID: CABINET
• API String ID: 1933721802-1940454314
• Opcode ID: fee46d4037bcf492714a1928356b3615369b2f8f05e7677fcc6bc0c80cc05536
• Instruction ID: f41c840c6a8244764c1701102c9fef1f774684e0028f7af970c8500be1e35917
• Opcode Fuzzy Hash: fee46d4037bcf492714a1928356b3615369b2f8f05e7677fcc6bc0c80cc05536
• Instruction Fuzzy Hash: 3EE08C71B42310ABE326ABB1AC1DB8B3A58AB19751F000416F286DA0C4CBBA84008791
APIs
• LocalAlloc.KERNEL32(00000040,00000008,?,00000000,?,010049BE,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01003A87
• lstrlenA.KERNEL32(00000000,?,00000000,?,010049BE,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01003AAC
• LocalAlloc.KERNEL32(00000040,00000001,?,00000000,?,010049BE,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01003AB6
• LocalFree.KERNEL32(00000000,000004B5,00000000,00000000,00000010,00000000,?,00000000,?,010049BE,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01003AD4
  • Part of subcall function 010038CC: MessageBoxA.USER32(00000000,?,DirectX 9.0 Web setup,00000000), ref: 01003946
• lstrcpyA.KERNEL32(00000000,00000000,?,00000000,?,010049BE,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01003AE3
Memory Dump Source
• Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
Similarity
• API ID: Local$Alloc$FreeMessagelstrcpylstrlen
• String ID:
• API String ID: 3247521446-0
• Opcode ID: 1c252e24ed27c8a3c89f68d47637d6c558a56de84ee84e0859bd78fbfeca7fcd
• Instruction ID: be99e61ba3297938531ad782b9381de073ce5d9bd08aee7874bfad80a1221b46
• Opcode Fuzzy Hash: 1c252e24ed27c8a3c89f68d47637d6c558a56de84ee84e0859bd78fbfeca7fcd
• Instruction Fuzzy Hash: FB015EB1740305AFE3239F649C85E6A76ACFB55755F014425F3C5A6084D6BA88508B24
APIs
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 010028B3
• PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 010028C5
• DispatchMessageA.USER32(?), ref: 010028DA
• PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 010028E8
Memory Dump Source
• Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
Similarity
• API ID: Message$Peek$DispatchMultipleObjectsWait
• String ID:
• API String ID: 2776232527-0
• Opcode ID: a56fe23e79c58ba78c4517e1b38a4719a0d3d39021dba4458620cccc97c02652
• Instruction ID: 9019c9b4a7aa9e97d921e157395a9add37c16d99774a71cba0f29cd9f7e0b4b7
• Opcode Fuzzy Hash: a56fe23e79c58ba78c4517e1b38a4719a0d3d39021dba4458620cccc97c02652
• Instruction Fuzzy Hash: E1012176D01219BABF218A999D48CEB7ABCEA85654F14016ABA41E2084E634D600C771
APIs
• GetCommandLineA.KERNEL32 ref: 01005A65
• GetStartupInfoA.KERNEL32(?), ref: 01005AA4
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,0000000A), ref: 01005ABF
• ExitProcess.KERNEL32 ref: 01005ACC
Memory Dump Source
• Source File: 00000001.00000002.2936538318.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000001.00000002.2936510032.0000000001000000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936595385.000000000100A000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2936623561.000000000100C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1000000_dxwebsetup.jbxd
Similarity
• API ID: CommandExitHandleInfoLineModuleProcessStartup
• String ID:
• API String ID: 2164999147-0
• Opcode ID: 2f495b8465459854e2a67ff318fe6398d5d3dc67db26c03b0204fa68f66db23f
• Instruction ID: 3b7e2d213fbb4e8bb4e10cefaec2fc303bbd8eb181140a99f14634f11779781f
• Opcode Fuzzy Hash: 2f495b8465459854e2a67ff318fe6398d5d3dc67db26c03b0204fa68f66db23f
• Instruction Fuzzy Hash: 07017C718043995AFB734BAC8C897FA7BE89F1B211F2404C5E9C1922C6C66884C28BA5