Behavioral Report

Analysis

max time kernel
153s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2023 20:21

Sharing

Copy URL

Twitter E-mail

Report Files Registry Network Processes Mutex Misc

General

Target

ovisetup.exe
Size

4MB
MD5

1692aec61ddcdda471defa199c62d25a
SHA1

484af221468ddb534b74e12970de80d5dfee2b28
SHA256

84bde632c5bfd2a7ff84e579e6f7561543ca0aad6d8e7275dae5926ba4f561c1
SHA512

19155d0770fc0931ab8ac1bf35f56b32c8c122379adac6866b07cebec28932f92be124638cd7bb9fdaff5edd091f3af0c1fbd0757a99de44e24f11214f13329a
SSDEEP

49152:9Hox6U/D1LbDxklrSWZAhizWV4yFK73bBxaaNNG0pHSdtDLboHTBWpHg6UvM98IQ:2x6qaAVpchNG0pHA57HgR

Score

7^/10

discovery evasion persistence trojan

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

TTPs:

Query Registry System Information Discovery

Processes:

ovisetup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	ovisetup.exe

Executes dropped EXE 64 IoCs

Processes:

dxwebsetup.exedxwsetup.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exe

pid	process
1612	dxwebsetup.exe
3172	dxwsetup.exe
2460	infinst.exe
3940	infinst.exe
4912	infinst.exe
2668	infinst.exe
788	infinst.exe
2836	infinst.exe
1824	infinst.exe
3028	infinst.exe
2136	infinst.exe
2032	infinst.exe
1404	infinst.exe
3368	infinst.exe
2704	infinst.exe
3228	infinst.exe
4124	infinst.exe
4572	infinst.exe
332	infinst.exe
604	infinst.exe
4192	infinst.exe
4276	infinst.exe
3800	infinst.exe
3504	infinst.exe
3316	infinst.exe
4484	infinst.exe
4800	infinst.exe
4552	infinst.exe
1504	infinst.exe
2268	infinst.exe
4760	infinst.exe
4264	infinst.exe
3644	infinst.exe
5008	infinst.exe
4056	infinst.exe
752	infinst.exe
4784	infinst.exe
4340	infinst.exe
4864	infinst.exe
4248	infinst.exe
4716	infinst.exe
3380	infinst.exe
3068	infinst.exe
4448	infinst.exe
2780	infinst.exe
3288	infinst.exe
2828	infinst.exe
2256	infinst.exe
2604	infinst.exe
2260	infinst.exe
1684	infinst.exe
540	infinst.exe
444	infinst.exe
3948	infinst.exe
3932	infinst.exe
4804	infinst.exe
1536	infinst.exe
3616	infinst.exe
812	infinst.exe
4300	infinst.exe
1292	infinst.exe
5024	infinst.exe
2284	infinst.exe
1928	infinst.exe

Loads dropped DLL 64 IoCs

Processes:

dxwsetup.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid	process
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
4780	regsvr32.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
3012	regsvr32.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
2160	regsvr32.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
4380	regsvr32.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
4960	regsvr32.exe
4960	regsvr32.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
5068	regsvr32.exe
3172	dxwsetup.exe
3172	dxwsetup.exe
448	regsvr32.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

TTPs:

Registry Run Keys / Startup Folder

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3eda9b49-2085-498b-9bb2-39a6778493de}\InProcServer32\ = "C:\\Windows\\system32\\XAudio2_6.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cd0d66ec-8057-43f5-acbd-66dfb36fd78c}\InProcServer32\ = "C:\\Windows\\system32\\xactengine2_7.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{343e68e6-8f82-4a8d-a2da-6e9a944b378c}\InProcServer32\ = "C:\\Windows\\system32\\xactengine2_9.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{fac23f48-31f5-45a8-b49b-5225d61401aa}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{94c1affa-66e7-4961-9521-cfdef3128d4f}\InProcServer32\ = "C:\\Windows\\system32\\xactengine3_3.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{d3332f02-3dd0-4de9-9aec-20d85c4111b6}\InProcServer32\ = "C:\\Windows\\system32\\xactengine3_2.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b802058a-464a-42db-bc10-b650d6f2586a}\InProcServer32\ = "C:\\Windows\\system32\\XAudio2_2.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e180344b-ac83-4483-959e-18a5c56a5e19}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0977d092-2d95-4e43-8d42-9ddcc2545ed5}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8bb7778b-645b-4475-9a73-1de3170bd3af}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{074b110f-7f58-4743-aea5-12f15b5074ed}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c60fae90-4183-4a3f-b2f7-ac1dc49b0e5c}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1138472b-d187-44e9-81f2-ae1b0e7785f1}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3a2495ce-31d0-435b-8ccf-e9f0843fd960}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{94c1affa-66e7-4961-9521-cfdef3128d4f}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54b68bc7-3a45-416b-a8c9-19bf19ec1df5}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6f6ea3a9-2cf5-41cf-91c1-2170b1540063}\InProcServer32\ = "C:\\Windows\\system32\\XAudio2_0.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03219e78-5bc3-44d1-b92e-f63d89cc6526}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4c9b6dde-6809-46e6-a278-9b6a97588670}\InProcServer32\ = "C:\\Windows\\system32\\XAudio2_5.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2139e6da-c341-4774-9ac3-b4e026347f64}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\InProcServer32\ = "C:\\Windows\\system32\\XAudio2_7.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{bc3e0fc6-2e0d-4c45-bc61-d9c328319bd8}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{65d822a4-4799-42c6-9b18-d26cf66dd320}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9cab402c-1d37-44b4-886d-fa4f36170a4c}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c7338b95-52b8-4542-aa79-42eb016c8c1c}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{629cf0de-3ecc-41e7-9926-f7e43eebec51}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4c5e637a-16c7-4de3-9c46-5ed22181962d}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4c5e637a-16c7-4de3-9c46-5ed22181962d}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b802058a-464a-42db-bc10-b650d6f2586a}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f5ca7b34-8055-42c0-b836-216129eb7e30}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{629cf0de-3ecc-41e7-9926-f7e43eebec51}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{074b110f-7f58-4743-aea5-12f15b5074ed}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c0c56f46-29b1-44e9-9939-a32ce86867e2}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c1e3f122-a2ea-442c-854f-20d98f8357a1}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1138472b-d187-44e9-81f2-ae1b0e7785f1}\InProcServer32\ = "C:\\Windows\\system32\\xactengine2_3.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0977d092-2d95-4e43-8d42-9ddcc2545ed5}\InProcServer32\ = "C:\\Windows\\system32\\xactengine3_4.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9cab402c-1d37-44b4-886d-fa4f36170a4c}\InProcServer32\ = "C:\\Windows\\system32\\XAudio2_3.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cecec95a-d894-491a-bee3-5e106fb59f2d}\InProcServer32\ = "C:\\Windows\\system32\\XAudio2_6.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0aa000aa-f404-11d9-bd7a-0010dc4f8f81}\InProcServer32\ = "C:\\Windows\\system32\\xactengine2_0.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3b80ee2a-b0f5-4780-9e30-90cb39685b03}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{fac23f48-31f5-45a8-b49b-5225d61401aa}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b802058a-464a-42db-bc10-b650d6f2586a}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c7338b95-52b8-4542-aa79-42eb016c8c1c}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cecec95a-d894-491a-bee3-5e106fb59f2d}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cecec95a-d894-491a-bee3-5e106fb59f2d}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{d06df0d0-8518-441e-822f-5451d5c595b8}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cd0d66ec-8057-43f5-acbd-66dfb36fd78c}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3b80ee2a-b0f5-4780-9e30-90cb39685b03}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3b80ee2a-b0f5-4780-9e30-90cb39685b03}\InProcServer32\ = "C:\\Windows\\system32\\xactengine3_0.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6f6ea3a9-2cf5-41cf-91c1-2170b1540063}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4c9b6dde-6809-46e6-a278-9b6a97588670}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2139e6da-c341-4774-9ac3-b4e026347f64}\InProcServer32\ = "C:\\Windows\\system32\\XAudio2_5.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{65d822a4-4799-42c6-9b18-d26cf66dd320}\InProcServer32\ = "C:\\Windows\\system32\\xactengine2_10.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{629cf0de-3ecc-41e7-9926-f7e43eebec51}\InProcServer32\ = "C:\\Windows\\system32\\XAudio2_2.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e180344b-ac83-4483-959e-18a5c56a5e19}\InProcServer32\ = "C:\\Windows\\system32\\XAudio2_3.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c7338b95-52b8-4542-aa79-42eb016c8c1c}\InProcServer32\ = "C:\\Windows\\system32\\XAudio2_4.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c1e3f122-a2ea-442c-854f-20d98f8357a1}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{074b110f-7f58-4743-aea5-12f15b5074ed}\InProcServer32\ = "C:\\Windows\\system32\\xactengine3_5.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{bcc782bc-6492-4c22-8c35-f5d72fe73c6e}\InProcServer32\ = "C:\\Windows\\system32\\xactengine3_7.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54b68bc7-3a45-416b-a8c9-19bf19ec1df5}\InProcServer32\ = "C:\\Windows\\system32\\xactengine2_5.dll"	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

TTPs:

Registry Run Keys / Startup Folder Modify Registry

Processes:

dxwebsetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	dxwebsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dxwebsetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

TTPs:

Query Registry
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

TTPs:

System Information Discovery

Processes:

ovisetup.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ovisetup.exe
Drops desktop.ini file(s) 2 IoCs

Processes:

dxwsetup.exe

description ioc process

File created C:\Windows\assembly\Desktop.ini dxwsetup.exe
File opened for modification C:\Windows\assembly\Desktop.ini dxwsetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ovisetup.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	dxwsetup.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	dxwsetup.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

TTPs:

Query Registry Peripheral Device Discovery System Information Discovery

Processes:

dxwsetup.exe

description	ioc	process
File opened (read-only)	\??\A:	dxwsetup.exe
File opened (read-only)	\??\B:	dxwsetup.exe
File opened (read-only)	\??\F:	dxwsetup.exe
File opened (read-only)	\??\N:	dxwsetup.exe
File opened (read-only)	\??\S:	dxwsetup.exe
File opened (read-only)	\??\U:	dxwsetup.exe
File opened (read-only)	\??\T:	dxwsetup.exe
File opened (read-only)	\??\V:	dxwsetup.exe
File opened (read-only)	\??\H:	dxwsetup.exe
File opened (read-only)	\??\I:	dxwsetup.exe
File opened (read-only)	\??\J:	dxwsetup.exe
File opened (read-only)	\??\L:	dxwsetup.exe
File opened (read-only)	\??\O:	dxwsetup.exe
File opened (read-only)	\??\R:	dxwsetup.exe
File opened (read-only)	\??\W:	dxwsetup.exe
File opened (read-only)	\??\X:	dxwsetup.exe
File opened (read-only)	\??\Y:	dxwsetup.exe
File opened (read-only)	\??\E:	dxwsetup.exe
File opened (read-only)	\??\M:	dxwsetup.exe
File opened (read-only)	\??\Q:	dxwsetup.exe
File opened (read-only)	\??\G:	dxwsetup.exe
File opened (read-only)	\??\K:	dxwsetup.exe
File opened (read-only)	\??\P:	dxwsetup.exe
File opened (read-only)	\??\Z:	dxwsetup.exe

Drops file in System32 directory 64 IoCs

Processes:

infinst.exeinfinst.exeinfinst.exedxwsetup.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exe

description	ioc	process
File opened for modification	C:\Windows\system32\SETF0B9.tmp	infinst.exe
File created	C:\Windows\system32\SET896.tmp	infinst.exe
File opened for modification	C:\Windows\system32\x3daudio1_2.dll	infinst.exe
File opened for modification	C:\Windows\SysWOW64\D3DX9_42.dll	dxwsetup.exe
File created	C:\Windows\system32\SET35C2.tmp	infinst.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Mar2008_xact_x86.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Aug2008_xaudio_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\system32\SETF2CC.tmp	infinst.exe
File opened for modification	C:\Windows\system32\SET450.tmp	infinst.exe
File created	C:\Windows\SysWOW64\SETD10.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\SET1EC6.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\SET279F.tmp	dxwsetup.exe
File opened for modification	C:\Windows\system32\d3dx10_43.dll	infinst.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Feb2007_xact_x64.cab	dxwsetup.exe
File opened for modification	C:\Windows\system32\XAudio2_7.dll	infinst.exe
File created	C:\Windows\SysWOW64\SET1284.tmp	dxwsetup.exe
File created	C:\Windows\system32\SET2323.tmp	infinst.exe
File opened for modification	C:\Windows\SysWOW64\xactengine3_4.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\SET2C98.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\SETE80F.tmp	dxwsetup.exe
File created	C:\Windows\SysWOW64\SETFC11.tmp	dxwsetup.exe
File opened for modification	C:\Windows\system32\d3dx9_31.dll	infinst.exe
File opened for modification	C:\Windows\system32\d3dx10.dll	infinst.exe
File opened for modification	C:\Windows\system32\SET1F1C.tmp	infinst.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Mar2008_d3dx9_37_x64.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Nov2007_x3daudio_x64.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Jun2008_xact_x64.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Aug2009_xaudio_x64.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\SET147.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\SETD10.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\SET1EC7.tmp	dxwsetup.exe
File opened for modification	C:\Windows\system32\SET2B03.tmp	infinst.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Dec2005_d3dx9_28_x86.cab	dxwsetup.exe
File created	C:\Windows\system32\SET3BBC.tmp	infinst.exe
File opened for modification	C:\Windows\SysWOW64\X3DAudio1_7.dll	dxwsetup.exe
File created	C:\Windows\system32\SETE927.tmp	infinst.exe
File created	C:\Windows\system32\SETEED4.tmp	infinst.exe
File created	C:\Windows\SysWOW64\SET4E6.tmp	dxwsetup.exe
File opened for modification	C:\Windows\system32\xactengine3_0.dll	infinst.exe
File created	C:\Windows\system32\SET27C7.tmp	infinst.exe
File opened for modification	C:\Windows\system32\XAudio2_6.dll	infinst.exe
File created	C:\Windows\SysWOW64\SET3697.tmp	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Aug2006_xinput_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\SET381F.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\D3DCompiler_39.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\SET23B1.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\XAudio2_5.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\SET1690.tmp	dxwsetup.exe
File created	C:\Windows\SysWOW64\SET262.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\D3DCompiler_35.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\d3dx9_36.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\SET15D4.tmp	dxwsetup.exe
File created	C:\Windows\system32\SET2863.tmp	infinst.exe
File opened for modification	C:\Windows\system32\SET2F39.tmp	infinst.exe
File opened for modification	C:\Windows\system32\SETD6.tmp	infinst.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Apr2007_d3dx10_33_x86.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Nov2007_x3daudio_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\SETEC38.tmp	dxwsetup.exe
File created	C:\Windows\system32\SET11FD.tmp	infinst.exe
File opened for modification	C:\Windows\SysWOW64\X3DAudio1_2.dll	dxwsetup.exe
File created	C:\Windows\system32\SET20D2.tmp	infinst.exe
File opened for modification	C:\Windows\system32\XAudio2_4.dll	infinst.exe
File opened for modification	C:\Windows\SysWOW64\DirectX\WebSetup	dxwsetup.exe
File opened for modification	C:\Windows\system32\SET55A.tmp	infinst.exe

Drops file in Windows directory 64 IoCs

Processes:

dxwsetup.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exeinfinst.exe

description	ioc	process
File opened for modification	C:\Windows\msdownld.tmp\AS56F4FA.tmp\Mar2008_d3dx9_37_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS572244.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS574675.tmp\Nov2008_xaudio_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\DirectX.log	infinst.exe
File opened for modification	C:\Windows\Logs\DirectX.log	infinst.exe
File opened for modification	C:\Windows\msdownld.tmp\AS570229.tmp\Aug2009_d3dx10_42_x86.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS571FF2.tmp\Feb2007_xact_x64.cab	dxwsetup.exe
File created	C:\Windows\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.DirectSound.dll	dxwsetup.exe
File created	C:\Windows\assembly\tmp\R1XFV3AZ\Microsoft.DirectX.Direct3D.dll	dxwsetup.exe
File opened for modification	C:\Windows\Logs\DirectX.log	infinst.exe
File opened for modification	C:\Windows\msdownld.tmp\AS56DFFB.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS57282F.tmp\Jun2007_xact_x64.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS575375.tmp	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS57574E.tmp\Aug2009_D3DCompiler_42_x64.cab	dxwsetup.exe
File opened for modification	C:\Windows\DirectX.log	infinst.exe
File created	C:\Windows\msdownld.tmp\AS570834.tmp\Jun2010_d3dx10_43_x86.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS576A68.tmp\MDX_1.0.2905.0_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5766EE.tmp\MDX_1.0.2902.0_x86.cab	dxwsetup.exe
File created	C:\Windows\Microsoft.NET\DirectX for Managed Code\1.0.2907.0\Microsoft.DirectX.Direct3DX.dll	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS56EE24.tmp\Jun2007_d3dx9_34_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS56FB24.tmp\Aug2008_d3dx10_39_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS570834.tmp	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS571786.tmp\Jun2006_xact_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS576548.tmp\Jun2010_xaudio_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS576DF3.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS56F70D.tmp	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS570B70.tmp\Feb2005_d3dx9_24_x64.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS5724A5.tmp\Jun2007_d3dx9_34_x64.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS573D1F.tmp\Jun2008_xact_x64.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS57617F.tmp\Jun2010_d3dcsx_43_x64.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS56EF4D.tmp\Jun2007_d3dx10_34_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS57235D.tmp\Apr2007_xact_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5728EB.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS574B28.tmp	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS575ED0.tmp\Jun2010_d3dx9_43_x64.cab	dxwsetup.exe
File opened for modification	C:\Windows\assembly\tmp\L7BLPM4B\__AssemblyInfo__.ini	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS56E153.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS56E9CE.tmp\Oct2006_d3dx9_31_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS57072A.tmp	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS570CA8.tmp\Apr2005_d3dx9_25_x64.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS571BEB.tmp	dxwsetup.exe
File created	C:\Windows\assembly\tmp\O32JTAQU\Microsoft.DirectX.Direct3DX.dll	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS57096C.tmp\Jun2010_d3dcsx_43_x86.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS5727B2.tmp\Jun2007_xact_x86.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS5743E5.tmp\Aug2008_xaudio_x64.cab	dxwsetup.exe
File opened for modification	C:\Windows\DirectX.log	infinst.exe
File created	C:\Windows\msdownld.tmp\AS56FEED.tmp\Mar2009_d3dx9_41_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5710FE.tmp	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS575375.tmp\Aug2009_d3dx10_42_x64.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS5764BB.tmp\Jun2010_xact_x64.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS56E6F0.tmp\Dec2005_d3dx9_28_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS57072A.tmp\Jun2010_d3dx9_43_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5734A3.tmp	dxwsetup.exe
File created	C:\Windows\Microsoft.NET\DirectX for Managed Code\1.0.2910.0\Microsoft.DirectX.Direct3DX.xml	dxwsetup.exe
File opened for modification	C:\Windows\Logs\DirectX.log	infinst.exe
File created	C:\Windows\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.Direct3D.dll	dxwsetup.exe
File opened for modification	C:\Windows\Logs\DirectX.log	infinst.exe
File created	C:\Windows\msdownld.tmp\AS56E356.tmp\Feb2005_d3dx9_24_x86.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS56F076.tmp\Aug2007_d3dx9_35_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5719C8.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS573109.tmp	dxwsetup.exe
File created	C:\Windows\Microsoft.NET\DirectX for Managed Code\1.0.2907.0\Microsoft.DirectX.Direct3DX.xml	dxwsetup.exe
File opened for modification	C:\Windows\assembly\tmp\1IHJU2O8\__AssemblyInfo__.ini	dxwsetup.exe
File created	C:\Windows\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.DirectDraw.xml	dxwsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs:

System Information Discovery

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

TTPs:

Query Registry Peripheral Device Discovery System Information Discovery

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000000b9e60d2ecf4958f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800000b9e60d20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809000b9e60d2000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000b9e60d200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000b9e60d200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exedxwsetup.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{962f5027-99be-4692-a468-85802cf8de61}\ = "XACT Engine"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f5ca7b34-8055-42c0-b836-216129eb7e30}\InProcServer32\ = "C:\\Windows\\system32\\XAudio2_2.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4c5e637a-16c7-4de3-9c46-5ed22181962d}\ = "XAudio2"	dxwsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0977d092-2d95-4e43-8d42-9ddcc2545ed5}\ = "XACT Engine"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{343e68e6-8f82-4a8d-a2da-6e9a944b378c}	dxwsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6f6ea3a9-2cf5-41cf-91c1-2170b1540063}\InProcServer32\ = "C:\\Windows\\SysWow64\\XAudio2_0.dll"	dxwsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{d3332f02-3dd0-4de9-9aec-20d85c4111b6}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f5ca7b34-8055-42c0-b836-216129eb7e30}\InProcServer32\ = "C:\\Windows\\SysWow64\\XAudio2_2.dll"	dxwsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65d822a4-4799-42c6-9b18-d26cf66dd320}\InProcServer32	dxwsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{bc3e0fc6-2e0d-4c45-bc61-d9c328319bd8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03219e78-5bc3-44d1-b92e-f63d89cc6526}\ = "XAudio2"	dxwsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c60fae90-4183-4a3f-b2f7-ac1dc49b0e5c}\InProcServer32	dxwsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cecec95a-d894-491a-bee3-5e106fb59f2d}\InProcServer32\ = "C:\\Windows\\system32\\XAudio2_6.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c7338b95-52b8-4542-aa79-42eb016c8c1c}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{d06df0d0-8518-441e-822f-5451d5c595b8}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d06df0d0-8518-441e-822f-5451d5c595b8}	dxwsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\InProcServer32\ThreadingModel = "Both"	dxwsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54b68bc7-3a45-416b-a8c9-19bf19ec1df5}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{629cf0de-3ecc-41e7-9926-f7e43eebec51}\InProcServer32	dxwsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{77c56bf4-18a1-42b0-88af-5072ce814949}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3b80ee2a-b0f5-4780-9e30-90cb39685b03}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6f6ea3a9-2cf5-41cf-91c1-2170b1540063}\InProcServer32\ = "C:\\Windows\\system32\\XAudio2_0.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f1b577e-5e5a-4e8a-ba73-c657ea8e8598}\InProcServer32\ = "C:\\Windows\\system32\\xactengine2_1.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3eda9b49-2085-498b-9bb2-39a6778493de}	dxwsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e48c5a3f-93ef-43bb-a092-2c7ceb946f27}\ = "AudioVolumeMeter"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f5ca7b34-8055-42c0-b836-216129eb7e30}	dxwsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65d822a4-4799-42c6-9b18-d26cf66dd320}\InProcServer32\ = "C:\\Windows\\SysWow64\\xactengine2_10.dll"	dxwsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3b80ee2a-b0f5-4780-9e30-90cb39685b03}	dxwsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d3332f02-3dd0-4de9-9aec-20d85c4111b6}\InProcServer32	dxwsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d06df0d0-8518-441e-822f-5451d5c595b8}\ = "AudioReverb"	dxwsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2139e6da-c341-4774-9ac3-b4e026347f64}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{248d8a3b-6256-44d3-a018-2ac96c459f47}\InProcServer32\ = "C:\\Windows\\system32\\xactengine3_6.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cd0d66ec-8057-43f5-acbd-66dfb36fd78c}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{343e68e6-8f82-4a8d-a2da-6e9a944b378c}\InProcServer32	dxwsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54b68bc7-3a45-416b-a8c9-19bf19ec1df5}\ = "XACT Engine"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{65d822a4-4799-42c6-9b18-d26cf66dd320}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\ = "AudioReverb"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d06df0d0-8518-441e-822f-5451d5c595b8}\InProcServer32\ThreadingModel = "Both"	dxwsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3eda9b49-2085-498b-9bb2-39a6778493de}\ = "XAudio2"	dxwsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3a2495ce-31d0-435b-8ccf-e9f0843fd960}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{629cf0de-3ecc-41e7-9926-f7e43eebec51}\ = "AudioReverb"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{d3332f02-3dd0-4de9-9aec-20d85c4111b6}\InProcServer32\ = "C:\\Windows\\system32\\xactengine3_2.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b802058a-464a-42db-bc10-b650d6f2586a}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03219e78-5bc3-44d1-b92e-f63d89cc6526}\InProcServer32\ = "C:\\Windows\\SysWow64\\XAudio2_4.dll"	dxwsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{bcc782bc-6492-4c22-8c35-f5d72fe73c6e}\InProcServer32\ = "C:\\Windows\\system32\\xactengine3_7.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\ = "XAudio2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f1b577e-5e5a-4e8a-ba73-c657ea8e8598}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c60fae90-4183-4a3f-b2f7-ac1dc49b0e5c}\InProcServer32\ThreadingModel = "Both"	dxwsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c0c56f46-29b1-44e9-9939-a32ce86867e2}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3eda9b49-2085-498b-9bb2-39a6778493de}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{074b110f-7f58-4743-aea5-12f15b5074ed}\ = "XACT Engine"	dxwsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\ = "AudioReverb"	dxwsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c1e3f122-a2ea-442c-854f-20d98f8357a1}\ = "AudioVolumeMeter"	dxwsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4769300-b949-4df9-b333-00d33932e9a6}\InProcServer32\ = "C:\\Windows\\SysWow64\\XAudio2_1.dll"	dxwsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{bcc782bc-6492-4c22-8c35-f5d72fe73c6e}\InProcServer32\ThreadingModel = "Both"	dxwsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0aa000aa-f404-11d9-bd7a-0010dc4f8f81}\InProcServer32\ThreadingModel = "Both"	dxwsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4c9b6dde-6809-46e6-a278-9b6a97588670}\InProcServer32	dxwsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6f6ea3a9-2cf5-41cf-91c1-2170b1540063}\ = "AudioReverb"	dxwsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8bb7778b-645b-4475-9a73-1de3170bd3af}\InProcServer32\ThreadingModel = "Both"	dxwsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f1b577e-5e5a-4e8a-ba73-c657ea8e8598}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3b80ee2a-b0f5-4780-9e30-90cb39685b03}\InProcServer32\ = "C:\\Windows\\system32\\xactengine3_0.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e180344b-ac83-4483-959e-18a5c56a5e19}\InProcServer32\ = "C:\\Windows\\system32\\XAudio2_3.dll"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

ovisetup.exe

pid process

4884 ovisetup.exe
4884 ovisetup.exe
4884 ovisetup.exe
4884 ovisetup.exe

pid	process
4884	ovisetup.exe
4884	ovisetup.exe
4884	ovisetup.exe
4884	ovisetup.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

vssvc.exesrtasks.exe

description	pid	process
Token: SeBackupPrivilege	2248	vssvc.exe
Token: SeRestorePrivilege	2248	vssvc.exe
Token: SeAuditPrivilege	2248	vssvc.exe
Token: SeBackupPrivilege	4776	srtasks.exe
Token: SeRestorePrivilege	4776	srtasks.exe
Token: SeSecurityPrivilege	4776	srtasks.exe
Token: SeTakeOwnershipPrivilege	4776	srtasks.exe
Token: SeBackupPrivilege	4776	srtasks.exe
Token: SeRestorePrivilege	4776	srtasks.exe
Token: SeSecurityPrivilege	4776	srtasks.exe
Token: SeTakeOwnershipPrivilege	4776	srtasks.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenIV.exe

pid process

1332 OpenIV.exe

pid	process
1332	OpenIV.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ovisetup.exedxwebsetup.exedxwsetup.exe

description	pid	process	target process
PID 4884 wrote to memory of 1612	4884	ovisetup.exe	dxwebsetup.exe
PID 4884 wrote to memory of 1612	4884	ovisetup.exe	dxwebsetup.exe
PID 4884 wrote to memory of 1612	4884	ovisetup.exe	dxwebsetup.exe
PID 1612 wrote to memory of 3172	1612	dxwebsetup.exe	dxwsetup.exe
PID 1612 wrote to memory of 3172	1612	dxwebsetup.exe	dxwsetup.exe
PID 1612 wrote to memory of 3172	1612	dxwebsetup.exe	dxwsetup.exe
PID 3172 wrote to memory of 2460	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 2460	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 3940	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 3940	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 4912	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 4912	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 2668	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 2668	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 788	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 788	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 2836	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 2836	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 1824	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 1824	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 4780	3172	dxwsetup.exe	regsvr32.exe
PID 3172 wrote to memory of 4780	3172	dxwsetup.exe	regsvr32.exe
PID 3172 wrote to memory of 3028	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 3028	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 2136	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 2136	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 3012	3172	dxwsetup.exe	regsvr32.exe
PID 3172 wrote to memory of 3012	3172	dxwsetup.exe	regsvr32.exe
PID 3172 wrote to memory of 2032	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 2032	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 1404	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 1404	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 2160	3172	dxwsetup.exe	regsvr32.exe
PID 3172 wrote to memory of 2160	3172	dxwsetup.exe	regsvr32.exe
PID 3172 wrote to memory of 3368	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 3368	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 2704	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 2704	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 4380	3172	dxwsetup.exe	regsvr32.exe
PID 3172 wrote to memory of 4380	3172	dxwsetup.exe	regsvr32.exe
PID 3172 wrote to memory of 3228	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 3228	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 4124	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 4124	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 4960	3172	dxwsetup.exe	regsvr32.exe
PID 3172 wrote to memory of 4960	3172	dxwsetup.exe	regsvr32.exe
PID 3172 wrote to memory of 4572	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 4572	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 332	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 332	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 604	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 604	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 5068	3172	dxwsetup.exe	regsvr32.exe
PID 3172 wrote to memory of 5068	3172	dxwsetup.exe	regsvr32.exe
PID 3172 wrote to memory of 4192	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 4192	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 448	3172	dxwsetup.exe	regsvr32.exe
PID 3172 wrote to memory of 448	3172	dxwsetup.exe	regsvr32.exe
PID 3172 wrote to memory of 4276	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 4276	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 3800	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 3800	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 3504	3172	dxwsetup.exe	infinst.exe
PID 3172 wrote to memory of 3504	3172	dxwsetup.exe	infinst.exe

C:\Users\Admin\AppData\Local\Temp\ovisetup.exe

"C:\Users\Admin\AppData\Local\Temp\ovisetup.exe"

Checks computer location settings
Checks whether UAC is enabled
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory

PID:4884

C:\Users\Admin\AppData\Local\Temp\OpenIV Setup_0E566883\dxwebsetup.exe

"C:\Users\Admin\AppData\Local\Temp\OpenIV Setup_0E566883\dxwebsetup.exe" /Q

Executes dropped EXE
Adds Run key to start application
Suspicious use of WriteProcessMemory

PID:1612

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe /windowsupdate

Executes dropped EXE
Loads dropped DLL
Drops desktop.ini file(s)
Enumerates connected drives
Drops file in System32 directory
Drops file in Windows directory
Modifies registry class
Suspicious use of WriteProcessMemory

PID:3172

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe d3dx9_24_x64.inf

Executes dropped EXE
Drops file in Windows directory

PID:2460

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe d3dx9_25_x64.inf

Executes dropped EXE
Drops file in System32 directory

PID:3940

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe d3dx9_26_x64.inf

Executes dropped EXE

PID:4912

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe d3dx9_27_x64.inf

Executes dropped EXE

PID:2668

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe d3dx9_28_x64.inf

Executes dropped EXE
Drops file in System32 directory

PID:788

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe d3dx9_29_x64.inf

Executes dropped EXE
Drops file in System32 directory

PID:2836

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe XACT_x64.inf

Executes dropped EXE
Drops file in System32 directory

PID:1824

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine2_0.dll

Loads dropped DLL
Registers COM server for autorun

PID:4780

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe d3dx9_30_x64.inf

Executes dropped EXE

PID:3028

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe XACT2_1_x64.inf

Executes dropped EXE

PID:2136

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine2_1.dll

Loads dropped DLL
Modifies registry class

PID:3012

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe xinput1_1_x64.inf, Install_Driver

Executes dropped EXE

PID:2032

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe XACT2_2_x64.inf

Executes dropped EXE

PID:1404

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine2_2.dll

Loads dropped DLL
Registers COM server for autorun

PID:2160

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe xinput1_2_x64.inf, Install_Driver

Executes dropped EXE

PID:3368

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe XACT2_3_x64.inf

Executes dropped EXE

PID:2704

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine2_3.dll

Loads dropped DLL
Registers COM server for autorun

PID:4380

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe d3dx9_31_x64.inf

Executes dropped EXE
Drops file in System32 directory
Drops file in Windows directory

PID:3228

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe XACT2_4_x64.inf

Executes dropped EXE

PID:4124

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine2_4.dll

Loads dropped DLL
Registers COM server for autorun
Modifies registry class

PID:4960

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe d3dx9_32_x64.inf

Executes dropped EXE
Drops file in Windows directory

PID:4572

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe d3dx10_00_x64.inf

Executes dropped EXE
Drops file in System32 directory

PID:332

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe XACT2_5_x64.inf

Executes dropped EXE

PID:604

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine2_5.dll

Loads dropped DLL
Registers COM server for autorun
Modifies registry class

PID:5068

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe XACT2_6_x64.inf

Executes dropped EXE

PID:4192

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine2_6.dll

Loads dropped DLL
Registers COM server for autorun
Modifies registry class

PID:448

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe d3dx9_33_x64.inf

Executes dropped EXE
Drops file in System32 directory

PID:4276

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe d3dx10_33_x64.inf

Executes dropped EXE
Drops file in System32 directory

PID:3800

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe XACT2_7_x64.inf

Executes dropped EXE

PID:3504

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine2_7.dll

Registers COM server for autorun
Modifies registry class

PID:3360

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe xinput1_3_x64.inf, Install_Driver

Executes dropped EXE

PID:3316

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe d3dx9_34_x64.inf

Executes dropped EXE
Drops file in System32 directory

PID:4484

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe d3dx10_34_x64.inf

Executes dropped EXE

PID:4800

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe XACT2_8_x64.inf

Executes dropped EXE
Drops file in System32 directory

PID:4552

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine2_8.dll

Modifies registry class

PID:4764

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe d3dx9_35_x64.inf

Executes dropped EXE

PID:1504

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe d3dx10_35_x64.inf

Executes dropped EXE

PID:2268

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe XACT2_9_x64.inf

Executes dropped EXE

PID:4760

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine2_9.dll

Registers COM server for autorun

PID:2992

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe d3dx9_36_x64.inf

Executes dropped EXE

PID:4264

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe d3dx10_36_x64.inf

Executes dropped EXE
Drops file in System32 directory

PID:3644

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe X3DAudio1_2_x64.inf

Executes dropped EXE

PID:5008

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe XACT2_10_x64.inf

Executes dropped EXE

PID:4056

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine2_10.dll

Registers COM server for autorun
Modifies registry class

PID:3140

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe D3DX9_37_x64.inf

Executes dropped EXE

PID:752

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe d3dx10_37_x64.inf

Executes dropped EXE

PID:4784

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe X3DAudio1_3_x64.inf

Executes dropped EXE

PID:4340

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe XACT3_0_x64.inf

Executes dropped EXE
Drops file in System32 directory

PID:4864

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine3_0.dll

Registers COM server for autorun
Modifies registry class

PID:3112

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe XAudio2_0_x64.inf

Executes dropped EXE

PID:4248

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\XAudio2_0.dll

Registers COM server for autorun
Modifies registry class

PID:3404

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe D3DX9_38_x64.inf

Executes dropped EXE

PID:4716

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe d3dx10_38_x64.inf

Executes dropped EXE

PID:3380

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe X3DAudio1_4_x64.inf

Executes dropped EXE

PID:3068

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe XACT3_1_x64.inf

Executes dropped EXE

PID:4448

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine3_1.dll

Modifies registry class

PID:2684

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe XAudio2_1_x64.inf

Executes dropped EXE
Drops file in System32 directory

PID:2780

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\XAudio2_1.dll

Registers COM server for autorun

PID:1468

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe D3DX9_39_x64.inf

Executes dropped EXE

PID:3288

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe d3dx10_39_x64.inf

Executes dropped EXE
Drops file in System32 directory

PID:2828

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe XACT3_2_x64.inf

Executes dropped EXE

PID:2256

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine3_2.dll

Registers COM server for autorun
Modifies registry class

PID:916

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe XAudio2_2_x64.inf

Executes dropped EXE

PID:2604

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\XAudio2_2.dll

Registers COM server for autorun
Modifies registry class

PID:4920

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe X3DAudio1_5_x64.inf

Executes dropped EXE
Drops file in System32 directory

PID:2260

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe XACT3_3_x64.inf

Executes dropped EXE

PID:1684

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine3_3.dll

Registers COM server for autorun

PID:4476

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe XAudio2_3_x64.inf

Executes dropped EXE

PID:540

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\XAudio2_3.dll

Registers COM server for autorun
Modifies registry class

PID:4324

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe D3DX9_40_x64.inf

Executes dropped EXE

PID:444

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe d3dx10_40_x64.inf

Executes dropped EXE

PID:3948

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe X3DAudio1_6_x64.inf

Executes dropped EXE
Drops file in System32 directory

PID:3932

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe XACT3_4_x64.inf

Executes dropped EXE
Drops file in System32 directory

PID:4804

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine3_4.dll

Registers COM server for autorun
Modifies registry class

PID:4836

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe XAudio2_4_x64.inf

Executes dropped EXE
Drops file in System32 directory

PID:1536

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\XAudio2_4.dll

Registers COM server for autorun
Modifies registry class

PID:2072

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe D3DX9_41_x64.inf

Executes dropped EXE
Drops file in System32 directory

PID:3616

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe d3dx10_41_x64.inf

Executes dropped EXE

PID:812

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe D3DX9_42_x64.inf

Executes dropped EXE
Drops file in Windows directory

PID:4300

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe d3dx10_42_x64.inf

Executes dropped EXE
Drops file in Windows directory

PID:1292

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe d3dx11_42_x64.inf

Executes dropped EXE
Drops file in Windows directory

PID:5024

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe d3dcsx_42_x64.inf

Executes dropped EXE
Drops file in System32 directory

PID:2284

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe D3DCompiler_42_x64.inf

Executes dropped EXE
Drops file in Windows directory

PID:1928

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe XACT3_5_x64.inf

PID:1776

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine3_5.dll

Registers COM server for autorun

PID:2412

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe XAudio2_5_x64.inf

PID:628

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\XAudio2_5.dll

Registers COM server for autorun
Modifies registry class

PID:64

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe X3DAudio1_7_x64.inf

PID:1056

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe XACT3_6_x64.inf

PID:4304

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine3_6.dll

Modifies registry class

PID:4076

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe XAudio2_6_x64.inf

Drops file in System32 directory

PID:2136

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\XAudio2_6.dll

Registers COM server for autorun
Modifies registry class

PID:3012

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe D3DX9_43_x64.inf

PID:4944

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe d3dx10_43_x64.inf

Drops file in System32 directory

PID:1700

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe d3dx11_43_x64.inf

PID:1404

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe d3dcsx_43_x64.inf

PID:4024

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe D3DCompiler_43_x64.inf

PID:4512

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe XACT3_7_x64.inf

PID:3064

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine3_7.dll

Registers COM server for autorun
Modifies registry class

PID:3364

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe XAudio2_7_x64.inf

Drops file in System32 directory

PID:1948

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\XAudio2_7.dll

Registers COM server for autorun
Modifies registry class

PID:5064

C:\Users\Admin\AppData\Local\New Technology Studio\Apps\OpenIV\OpenIV.exe

"C:\Users\Admin\AppData\Local\New Technology Studio\Apps\OpenIV\OpenIV.exe"

Suspicious use of SetWindowsHookEx

PID:1332

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken

PID:2248

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

Suspicious use of AdjustPrivilegeToken

PID:4776

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

T1112

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\XACT_x64.inf
Filesize
765B

MD5
d04068a4eb11d24217a7f24cbb17c1cb

SHA1
35a12d7abbf3635efb3bd9f5bb4d1bed2d9c13c5

SHA256
0015e51246d381e426489c733a5d5662cb6db3caafa25fe4d00554b082fc753f

SHA512
46170920353534fda9d0476aa3c8ae4273beef52dfca70e1dd2251f608e0b57092ef7f5ce16cb67c84bdfc40188429695c1b25054fbbe23374bff4ba77c4ef23

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\d3dx9_24.dll
Filesize
3MB

MD5
b165df72e13e6af74d47013504319921

SHA1
c45b192cf8904b7579bbc26c799aa7ffa5cbb1d4

SHA256
1ec422bd6421c741eef57847260967f215913649901e21dd9c46eb1b3bb10906

SHA512
859b6cd538735e5cc1c44f63d66b25588ad1ad32202cae606ff95b8c4a80f6a66db9ef7c5d43820010de9334b8bbbfb079939ce89ba0b760f5d651d7fa8268ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\d3dx9_24_x64.inf
Filesize
679B

MD5
2c4e850789bf9606aa4783cd9c26099a

SHA1
036ee1c9ce3b8c495b3d155fe83e54c00a2611d4

SHA256
f02bd6bb0ca1ed41698def1465c05f5b47ca459f886647f2d84f85c5c09dad9c

SHA512
f09cb85eb7024c89024d12dd40021d1df046bb825a985bee1cb164a5c026693325bc5d64491702731ed5cb71b5af7eef34f8a922bee6d9d5881ff113dce23d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\d3dx9_25.dll
Filesize
3MB

MD5
4c56e7c5b2a61353e534c7d15d05856d

SHA1
e6e0a59a1e8217ae06cda29942537bc4be25d5a1

SHA256
10b09474bfe4e2bb395472628646bc5f353fbfbec976575c45eeff49984ebaa6

SHA512
6f630ea0764b4551d80a96f6c2b9391ed5741f14431eec951699c0e42b9434a45841d71bea5576b285cc20d38fd082b4cfc8062e4aa61f80aed9e57869cdd5d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\d3dx9_25_x64.inf
Filesize
667B

MD5
fbed164855ae10f4c2d4eb238f414e6a

SHA1
7c3ec7759a23e77242bdc70c8033c013f2c794d6

SHA256
9af2752d59fc38dd26d30769132a0887ff4123269c0dc4406f5107295e69c7c1

SHA512
68e7d441aa0b842329f63ed34bb392d1582b635eee1bd1c8a797e9a59303fc85b0d842de0fd29d88fa3c8ac0bb6d858671101633161487d6353e73c862fb228d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\d3dx9_26.dll
Filesize
3MB

MD5
44f5c5e27d6825e4e62420bc29b8b533

SHA1
046455294e199af99c7c2d9174d25b230e6fd0e6

SHA256
30b06dbbd202494bae3b87487e7273adcffd17a9d2c29977030fde0570aa841b

SHA512
0c9adca329c386cb2caf0f36d672ba326929f02c29748b13188bb7ade3fbec9131ce86a6bf1b3064a2fbb8de6b8adc34208f667df31c5db182918e79744a830b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\d3dx9_26_x64.inf
Filesize
667B

MD5
831fb8a4394d256a5d7c15c16757912c

SHA1
961d7274de32808c4dce971d943ddd79a12e8d49

SHA256
6c152334efa5b011a44f160a23a5c58b66f3bcebbf6c4bc0722a526d36699a4b

SHA512
40f3d40cb40bd887ffa15a5fc60468e48f06bb1704d19061f9b51a9e2c15ab363644aac4618276910f6fc8d90f1083931916a9943306dcf736fc72feba2385c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\d3dx9_27.dll
Filesize
3MB

MD5
914c3237e4d145a18dcd1d0d4c8659e1

SHA1
32503c8f8d80551c896bc2dbf2c8ae3c490f0ec4

SHA256
f9dd288c9895973f8db1856d172779041c6dee173ad1ef53b1727fc85cb6b75f

SHA512
c760b5b0b5507da8f2336b2b0625f344f28fac33da16a7d8771a122b0ba54ebf5d2a2f702f4ebb83ded746f38d63abd378a9aa3b3e50579fab7c047fe38e2c02

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\d3dx9_27_x64.inf
Filesize
667B

MD5
925202b48a83647982cb0d55ab10668d

SHA1
b04a29859288545a3f8f9daf6aa39bb7a8b4b59c

SHA256
6f56c5be97e703584dd832f35ebdc78c6aeb07cc9df155d47ed9903142086488

SHA512
72b6b4b951d04ecee1c4ea613734113b864a542dcc554e86e8d7b7fa2b0d05a1e7623051ca0809c3e934cf28cadca54acb76ad515f71a263ffd17c3872677b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\d3dx9_28.dll
Filesize
3MB

MD5
88bac8306d4ec79a82b1ffa17dc8cf4a

SHA1
0a0ab361f04ccba8268418ebff098d3da1ac26a9

SHA256
a2870f86e2f1b11646ff3f404bdbde10520c481c1400b20d25fdf56e66fb0a17

SHA512
b664033e270d71ff88139bb3e71fcdfc8417f65d7c80a12f921a60b0d825ebfe26a14bf16f9d23a10af5c866c1715e21c879993f9be1c54261c376a7cbbe511f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\d3dx9_28_x64.inf
Filesize
667B

MD5
2e7a073438fe5ef17d0a7581afc4e37e

SHA1
adf56255c6f49509c04db26b2594756030df29fd

SHA256
dae4f2beced67333eb6aade70a4a711581f789d0a442f8fb16ba6db5ab261700

SHA512
2244afec5dc7a549d2782fe3caf7f825351a3209df70a5ad9f379cc89ec6099a72ef7316f4b96f641cf978b51cd8c1fc143a3d3f504639e24241f66418863749

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\d3dx9_29.dll
Filesize
3MB

MD5
68b35cbdb4a8cc424718bbcc894feeea

SHA1
c1874de5c76a55a1c42c5da20d7204201586ca4c

SHA256
d496c31a6b0f41398ecad7698987c55c2cb88eb6568976ba9b01a197879dd9dc

SHA512
da3b8251417b63d086e4223219309faea6faf3ed9f70f0345ad77f6843fc8c121ed36403aa50601434962d3089d529baa1faef0bc29602567fa3f91749d8625f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\d3dx9_29_x64.inf
Filesize
667B

MD5
45be046f3bd08c19a5d1d0eecc97ad55

SHA1
8ce2e16a977e39ef24d9821f9dbf0aefa49472bf

SHA256
5ce705889566e690bc48e7f3fc41ec12b856e92d52c60aee45e1c223aa44848c

SHA512
340814dfd9faffd008e3c2eb0065d36f64d4cd418d4f648c4b594539daf45b41bfc641cc53176c2c577f72384b959912e0041b4a02341636941ede39b142bfcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\dxupdate.dll
Filesize
173KB

MD5
7ed554b08e5b69578f9de012822c39c9

SHA1
036d04513e134786b4758def5aff83d19bf50c6e

SHA256
fb4f297e295c802b1377c6684734b7249d55743dfb7c14807bef59a1b5db63a2

SHA512
7af5f9c4a3ad5c120bcdd681b958808ada4d885d21aeb4a009a36a674ad3ece9b51837212a982db6142a6b5580e5b68d46971b802456701391ce40785ae6ebd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\dxupdate.dll
Filesize
173KB

MD5
7ed554b08e5b69578f9de012822c39c9

SHA1
036d04513e134786b4758def5aff83d19bf50c6e

SHA256
fb4f297e295c802b1377c6684734b7249d55743dfb7c14807bef59a1b5db63a2

SHA512
7af5f9c4a3ad5c120bcdd681b958808ada4d885d21aeb4a009a36a674ad3ece9b51837212a982db6142a6b5580e5b68d46971b802456701391ce40785ae6ebd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe
Filesize
56KB

MD5
ac36c85030678eb69a498793a36a81e9

SHA1
a1719053eec7a206bd1d005e1038a1a7ca2eb1a0

SHA256
85a8b155b066d81efb5d4959f5ea59a9ce43d40663cb2aba05ef0e6d01c22c18

SHA512
47f26ed02bedc96b504344ac53418f63b1da4844b6db61d334dd9b09d0481584dbddc166a654c5b553d5609fb8fb90c01dee9329c68dd74c24ee6bd8eb136d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe
Filesize
56KB

MD5
ac36c85030678eb69a498793a36a81e9

SHA1
a1719053eec7a206bd1d005e1038a1a7ca2eb1a0

SHA256
85a8b155b066d81efb5d4959f5ea59a9ce43d40663cb2aba05ef0e6d01c22c18

SHA512
47f26ed02bedc96b504344ac53418f63b1da4844b6db61d334dd9b09d0481584dbddc166a654c5b553d5609fb8fb90c01dee9329c68dd74c24ee6bd8eb136d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe
Filesize
56KB

MD5
afd73a6c2e1172e4075c8b37816eb391

SHA1
eceaeaca967c9ac3239f65b4d4f75d994dabd7ee

SHA256
ea544793b661304f31f18e9d107a4b4b46bd198d806f6366870746fe52e01df9

SHA512
5c313c81808c664f056ccd64784e607439ed45874fe322afdf690aba6d8dc54c2b54e42f69ce003bd0aefd0ebe5518f102f846aaa96254d3218d62b4f5dc463b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe
Filesize
59KB

MD5
44f9c211701098d36dde44c5cf3afd63

SHA1
c020bb7dfb5932c5cbe19ca5d9feffde05781134

SHA256
d636d29f6019bcc232e62553728871097097aae05a6426bb86af15720de2e0e6

SHA512
b8aa96c4b8861b76f0c5c606f5458cc1e06e6e2ecd684f9ebde9e68a4d5057e84413816d78f88525fef63f4863a4b498c6d8cbc74faf8c555029dde7e34dec5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe
Filesize
61KB

MD5
def5caad8a452d6515bd40df6dd6b51f

SHA1
c26a793ef0a117b9b960caaabf31fef6036576de

SHA256
34df5a253007edd15d14f28a333bac638fe961f0f3941b192d7a6a760c2635fe

SHA512
2f3984f126de1c89cb815e00587d41c9bc32358530d9d2931ef917f6d3a45422a80caf6bcbb1615a61e51d7cb81532795cafefdfc39f9dab7c2f7d70cc22a1bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe
Filesize
65KB

MD5
60db6abbe4d4f22d87cd15c9bdae79e7

SHA1
4dc25047507cb28a0855c8c2f5bf11fb0dbf1366

SHA256
10e420d85c6d2905d9ca076681c3b1d648bc1b5b3893c8eb5ff420d2b964f0cb

SHA512
846fc61367cc3fff2c0516c1872f1380e120684853fa9e4a6d077f94c83c99dfdc9f3d2cf7de587fe3988a3224b7ea7e0f27c7a76e11c5a6daaf03ed15864476

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe
Filesize
65KB

MD5
c292f0eacff8f95b789c78907bb52a46

SHA1
497087279afae9c13c5aae642fcbd3f269f31345

SHA256
5ec466d86f7205e7a99985f0be8cacd0494454780c28ac90ff5d4b906b9dc5e5

SHA512
854e9d5554d98fcecd3ad777565988ab363863057818392b56c325df6f613fb8efb501026ba8d081eebbca53d72f081cd13a2e90e42f93d6010ed3865bc33b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\infinst.exe
Filesize
65KB

MD5
c292f0eacff8f95b789c78907bb52a46

SHA1
497087279afae9c13c5aae642fcbd3f269f31345

SHA256
5ec466d86f7205e7a99985f0be8cacd0494454780c28ac90ff5d4b906b9dc5e5

SHA512
854e9d5554d98fcecd3ad777565988ab363863057818392b56c325df6f613fb8efb501026ba8d081eebbca53d72f081cd13a2e90e42f93d6010ed3865bc33b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\microsoft.directx.direct3dx.dll
Filesize
2MB

MD5
a73e7421449cca62b0561bad4c8ef23d

SHA1
cf51ca7d28fcdc79c215450fb759ffe9101b6cfe

SHA256
7986e3fbe05418fe5d8425f2f1b76b7a7b09952f3ec560b286dd744bf7178059

SHA512
63d24647ac5d0beb8f1284973927263cb6e05b4c399cda3912178114b42d541dd516c6d67a453ea997d9d0cd9126a1802678062f0951c2547e1b445ba50dfbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\microsoft.directx.direct3dx.dll
Filesize
2MB

MD5
a73e7421449cca62b0561bad4c8ef23d

SHA1
cf51ca7d28fcdc79c215450fb759ffe9101b6cfe

SHA256
7986e3fbe05418fe5d8425f2f1b76b7a7b09952f3ec560b286dd744bf7178059

SHA512
63d24647ac5d0beb8f1284973927263cb6e05b4c399cda3912178114b42d541dd516c6d67a453ea997d9d0cd9126a1802678062f0951c2547e1b445ba50dfbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\microsoft.directx.direct3dx.dll
Filesize
2MB

MD5
5e2b8b8a5ed016468716b9ff82a1806f

SHA1
f1772121149d87745738cd471d0e504301a9ad0d

SHA256
5b70f0ac40a38c903062a12ff7cd71d907e75238a044ded9b34fb51e9a9a2799

SHA512
4620c9bafb7dfaa8d4351d0d99ae3442ceb2220201f16bd9bab4fbeb1f411fd63d4f0e79abf6e762f4d0e62d42608fbeebd13943ce338eca59ad1080ea6c2728

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\microsoft.directx.direct3dx.dll
Filesize
2MB

MD5
5e2b8b8a5ed016468716b9ff82a1806f

SHA1
f1772121149d87745738cd471d0e504301a9ad0d

SHA256
5b70f0ac40a38c903062a12ff7cd71d907e75238a044ded9b34fb51e9a9a2799

SHA512
4620c9bafb7dfaa8d4351d0d99ae3442ceb2220201f16bd9bab4fbeb1f411fd63d4f0e79abf6e762f4d0e62d42608fbeebd13943ce338eca59ad1080ea6c2728

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\microsoft.directx.direct3dx.dll
Filesize
550KB

MD5
d3f1922325be8e7e1c72bfd8179454ce

SHA1
89134f43ce2af4adfbc4087392aee6fe56be7ff4

SHA256
8418941d8f1d4c84288e0bf54392378dd3d87b602bb693ff4f8a633022681c12

SHA512
d33f513ff6c199acabe86eca6dc06d56c330ccb78be4d13fb6b1906a3cba3c93afe982b05cb057f2b88f6e6637452f4d99d4a4fe6f3f7c473de9e67a40758bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\microsoft.directx.direct3dx.dll
Filesize
550KB

MD5
d3f1922325be8e7e1c72bfd8179454ce

SHA1
89134f43ce2af4adfbc4087392aee6fe56be7ff4

SHA256
8418941d8f1d4c84288e0bf54392378dd3d87b602bb693ff4f8a633022681c12

SHA512
d33f513ff6c199acabe86eca6dc06d56c330ccb78be4d13fb6b1906a3cba3c93afe982b05cb057f2b88f6e6637452f4d99d4a4fe6f3f7c473de9e67a40758bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\microsoft.directx.direct3dx.dll
Filesize
554KB

MD5
fb3bc0754921873a65f5fbdca845e6ee

SHA1
67cde5bc8577cd3040e275d290ac021874da9fe8

SHA256
f500c350dd71df7452b92444e19b4644b04283434a6557123f1e4d9fb078c3f8

SHA512
292b8bda44e6ff6449c4b38da9b8317491c0f0da3d1e5f7947741de27cc51bbc078fbf947c89c4be3a0b54f7066f0480990d1de57919edba3414aace77c47635

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\microsoft.directx.direct3dx.dll
Filesize
554KB

MD5
fb3bc0754921873a65f5fbdca845e6ee

SHA1
67cde5bc8577cd3040e275d290ac021874da9fe8

SHA256
f500c350dd71df7452b92444e19b4644b04283434a6557123f1e4d9fb078c3f8

SHA512
292b8bda44e6ff6449c4b38da9b8317491c0f0da3d1e5f7947741de27cc51bbc078fbf947c89c4be3a0b54f7066f0480990d1de57919edba3414aace77c47635

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\microsoft.directx.direct3dx.dll
Filesize
562KB

MD5
afcf5f50c632f3a5598abc28f196d77c

SHA1
294385693592f9d6320f8b0b18f45bc194d01a4d

SHA256
5e90089e69e4f7e2e42ea4a81fb62005c3710d0a4acdf207b97ed03f5641d013

SHA512
29746ffc665051e13386e452c3e41a593b6339e09a228927929be100cddb3e0e0fd3b54abe02eb7d46a3d97466ecb02bac362398b72fd8e804cbb21c8bc856d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\microsoft.directx.direct3dx.dll
Filesize
562KB

MD5
afcf5f50c632f3a5598abc28f196d77c

SHA1
294385693592f9d6320f8b0b18f45bc194d01a4d

SHA256
5e90089e69e4f7e2e42ea4a81fb62005c3710d0a4acdf207b97ed03f5641d013

SHA512
29746ffc665051e13386e452c3e41a593b6339e09a228927929be100cddb3e0e0fd3b54abe02eb7d46a3d97466ecb02bac362398b72fd8e804cbb21c8bc856d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\microsoft.directx.direct3dx.dll
Filesize
563KB

MD5
ccd53738df4fa27849b6bb05dd67d10d

SHA1
28126653a3d1b4574fcb0c09176f5fa0ff28ef78

SHA256
c29d337bf7639fbf424b34cc0409d2715762e1b4d82881fb524a2508381c9f62

SHA512
aa3a10504fbe49a4c44151beec7d9b543f4b89a51621fa60810f385bdc8a6821e4bfc37cd46f3688013f6f4facd33ab45bd0deb4a1fe16453e1be8f11f2119c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\microsoft.directx.direct3dx.dll
Filesize
563KB

MD5
ccd53738df4fa27849b6bb05dd67d10d

SHA1
28126653a3d1b4574fcb0c09176f5fa0ff28ef78

SHA256
c29d337bf7639fbf424b34cc0409d2715762e1b4d82881fb524a2508381c9f62

SHA512
aa3a10504fbe49a4c44151beec7d9b543f4b89a51621fa60810f385bdc8a6821e4bfc37cd46f3688013f6f4facd33ab45bd0deb4a1fe16453e1be8f11f2119c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\microsoft.directx.direct3dx.dll
Filesize
564KB

MD5
43c280c3b15ceb2472ab560d09629664

SHA1
e3a897d7608d03c93b5c2b8aef52703452cf6696

SHA256
bebbc40ca25ef22e9d16b0de1123e0cb0444fe7a78b4f0b4395bdfd81618698c

SHA512
5229eef9153b992684b6dcb4a32b231c63322b5e4b49ef262228c0dcca4760f97cda5d15a7fcdf77d813eb24b359101e716f72988374106ace13473f27e731c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\microsoft.directx.direct3dx.dll
Filesize
564KB

MD5
43c280c3b15ceb2472ab560d09629664

SHA1
e3a897d7608d03c93b5c2b8aef52703452cf6696

SHA256
bebbc40ca25ef22e9d16b0de1123e0cb0444fe7a78b4f0b4395bdfd81618698c

SHA512
5229eef9153b992684b6dcb4a32b231c63322b5e4b49ef262228c0dcca4760f97cda5d15a7fcdf77d813eb24b359101e716f72988374106ace13473f27e731c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\microsoft.directx.direct3dx.dll
Filesize
564KB

MD5
490807c150b7d8be44bde871f4df8c56

SHA1
69b68a5b8cc3f3e75aa2ba284654ca58bb62f23e

SHA256
36a21fc4f4c8f6ba4ad900613ee1b08ff43f2545585a2601c9fc4cf083d68a77

SHA512
9442e26de55009428cc6e747637c2cb64bd2f008541ccbb37fed4e83ff66845c7cf3874d93542e0ba544e2db61f4864b665b7720568eba284beb095489f3ca64

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\microsoft.directx.direct3dx.dll
Filesize
564KB

MD5
490807c150b7d8be44bde871f4df8c56

SHA1
69b68a5b8cc3f3e75aa2ba284654ca58bb62f23e

SHA256
36a21fc4f4c8f6ba4ad900613ee1b08ff43f2545585a2601c9fc4cf083d68a77

SHA512
9442e26de55009428cc6e747637c2cb64bd2f008541ccbb37fed4e83ff66845c7cf3874d93542e0ba544e2db61f4864b665b7720568eba284beb095489f3ca64

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\microsoft.directx.direct3dx.dll
Filesize
565KB

MD5
933085360527de1b4947289ca468184e

SHA1
d5ee5e1e3c992c7518b5ce510c627c1564131b12

SHA256
78d85f0e2cb7d7bde534222f4ebfea1c9e06d37ecd3bb7ebd59e35f00b94b11d

SHA512
2e22398d7cdcd6a46daf3dd3478d861bc4012ba1b54862311ae031ebcd3f908352157cbeea528f22ef1824f8924c3f217311feaf1804cf675eafc07a8d3962eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\microsoft.directx.direct3dx.dll
Filesize
565KB

MD5
933085360527de1b4947289ca468184e

SHA1
d5ee5e1e3c992c7518b5ce510c627c1564131b12

SHA256
78d85f0e2cb7d7bde534222f4ebfea1c9e06d37ecd3bb7ebd59e35f00b94b11d

SHA512
2e22398d7cdcd6a46daf3dd3478d861bc4012ba1b54862311ae031ebcd3f908352157cbeea528f22ef1824f8924c3f217311feaf1804cf675eafc07a8d3962eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\x3daudio1_0.dll
Filesize
16KB

MD5
f77d5ab654881e683cff6650916c424e

SHA1
56d8f090755f1ec60b13e748b040069ea8759b5b

SHA256
77cc09cea6de69f12106e6dd9df1c0446a525a54c3953d69d64711b9394cc38f

SHA512
dcd1273673f4088e854057e47484bb363e1e7ce094bc2c98ad7cc9112877892c1d6fd591dd9cfb325d6c451f2d03a4cdcc238af1ffb5382b7153f079cbe13abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBCC9.tmp\xactengine2_0.dll
Filesize
347KB

MD5
ce5753f9a27837259eb52f3f47f39593

SHA1
2eb60f397eff937249521fe0bf5fe89eccee4914

SHA256
a00ad310f3d7b2d4de2f5a4c081359fa443ce0baecc72ebf39d6b30ccf7babce

SHA512
93fa47262f1b1ed9b284337f7225bdc06b6931931f385eeb30faaba25f1ccc483d633a40831471da70077d6a1f6a84c21a909daea059ecf316534b1994467230

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll
Filesize
93KB

MD5
984cad22fa542a08c5d22941b888d8dc

SHA1
3e3522e7f3af329f2235b0f0850d664d5377b3cd

SHA256
57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308

SHA512
8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup32.dll
Filesize
1MB

MD5
a5412a144f63d639b47fcc1ba68cb029

SHA1
81bd5f1c99b22c0266f3f59959dfb4ea023be47e

SHA256
8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6

SHA512
2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxupdate.dll
Filesize
173KB

MD5
7ed554b08e5b69578f9de012822c39c9

SHA1
036d04513e134786b4758def5aff83d19bf50c6e

SHA256
fb4f297e295c802b1377c6684734b7249d55743dfb7c14807bef59a1b5db63a2

SHA512
7af5f9c4a3ad5c120bcdd681b958808ada4d885d21aeb4a009a36a674ad3ece9b51837212a982db6142a6b5580e5b68d46971b802456701391ce40785ae6ebd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxupdate.dll
Filesize
173KB

MD5
7ed554b08e5b69578f9de012822c39c9

SHA1
036d04513e134786b4758def5aff83d19bf50c6e

SHA256
fb4f297e295c802b1377c6684734b7249d55743dfb7c14807bef59a1b5db63a2

SHA512
7af5f9c4a3ad5c120bcdd681b958808ada4d885d21aeb4a009a36a674ad3ece9b51837212a982db6142a6b5580e5b68d46971b802456701391ce40785ae6ebd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.cif
Filesize
56KB

MD5
7b1fbe9f5f43b2261234b78fe115cf8e

SHA1
dd0f256ae38b4c4771e1d1ec001627017b7bb741

SHA256
762ff640013db2bd4109d7df43a867303093815751129bd1e33f16bf02e52cce

SHA512
d21935a9867c0f2f7084917c79fbb1da885a1bfd4793cf669ff4da8c777b3a201857250bfb7c2b616625a8d3573c68395d210446d2c284b41cf09cc7cbb07885

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
Filesize
515KB

MD5
ac3a5f7be8cd13a863b50ab5fe00b71c

SHA1
eee417cd92e263b84dd3b5dcc2b4b463fe6e84d9

SHA256
8f5e89298e3dc2e22d47515900c37cca4ee121c5ba06a6d962d40ad6e1a595da

SHA512
c8bbe791373dad681f0ac9f5ab538119bde685d4f901f5db085c73163fc2e868972b2de60e72ccd44f745f1fd88fcde2e27f32302d8cbd3c1f43e6e657c79fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
Filesize
515KB

MD5
ac3a5f7be8cd13a863b50ab5fe00b71c

SHA1
eee417cd92e263b84dd3b5dcc2b4b463fe6e84d9

SHA256
8f5e89298e3dc2e22d47515900c37cca4ee121c5ba06a6d962d40ad6e1a595da

SHA512
c8bbe791373dad681f0ac9f5ab538119bde685d4f901f5db085c73163fc2e868972b2de60e72ccd44f745f1fd88fcde2e27f32302d8cbd3c1f43e6e657c79fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf
Filesize
477B

MD5
ad8982eaa02c7ad4d7cdcbc248caa941

SHA1
4ccd8e038d73a5361d754c7598ed238fc040d16b

SHA256
d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00

SHA512
5c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\OpenIV Setup_0E566883\dxwebsetup.exe
Filesize
285KB

MD5
bcbb7c0cd9696068988953990ec5bd11

SHA1
3c8243734cf43dd7bb2332ba05b58ccacfa4377c

SHA256
34f64699d4830145cae69bd40115b1f326e70fc6a98456cb3df996d947dddca4

SHA512
551a2e3aa5fc7c0e79c3bd7c5333df5f1920ea83fe35b99adbbe865ea926fa772d72709bde2ea8f2685f4914cd96ff7b5b6f894f9b99f1120c2abe89c390a786

Download Submit
C:\Users\Admin\AppData\Local\Temp\OpenIV Setup_0E566883\dxwebsetup.exe
Filesize
285KB

MD5
bcbb7c0cd9696068988953990ec5bd11

SHA1
3c8243734cf43dd7bb2332ba05b58ccacfa4377c

SHA256
34f64699d4830145cae69bd40115b1f326e70fc6a98456cb3df996d947dddca4

SHA512
551a2e3aa5fc7c0e79c3bd7c5333df5f1920ea83fe35b99adbbe865ea926fa772d72709bde2ea8f2685f4914cd96ff7b5b6f894f9b99f1120c2abe89c390a786

Download Submit
C:\Windows\DirectX.log
Filesize
196B

MD5
dbb57fc7b79fbd3ddbb05f76503166f6

SHA1
1f4ad98cd755a843b1694d34f34772cbf6a7694f

SHA256
76f39ed396c622ef7c322757bfb8d814fabde62b604035bec2c8dff9f2a9a96e

SHA512
1bbb7f8d82080240a4a9b0e83a222e400eca25e8bf5b8ebb931253283657314ca353907af41799558c777eb9503323608762b02101c7bfd2da45532cd1fa3e5e

Download Submit
C:\Windows\DirectX.log
Filesize
511B

MD5
04b9f64cfc20281946fba9879836e480

SHA1
7f0214df1a97d277955f05bce306eb2b0111a9ed

SHA256
8f2c999946b11b8f31dbbd4912e17ef824cbf5e7e70983014ce9e2e1ea240714

SHA512
6fe9aeac0f36d01fbad03fe52e36fd1549959144e00492c4eec4076102d0ed6bae863ae6c673f5e305015bf2db6e511a86bf76b6eb15e54c3ecd09d9199055e2

Download Submit
C:\Windows\DirectX.log
Filesize
707B

MD5
e187bc6f041e993659b762cbba747a60

SHA1
2e5eccc17a788be0aeea74a9ef2809310c306c21

SHA256
e6f41057758f7bcec7258374d58cf9b232b5830ccb7018bbe4f2d432a9684857

SHA512
162dc410172b151f57cfe17ae495cf3d62d65cc38e4ab17824886168b5ebf8093081ab5ed41db4172ff254a91d777c73b1f7ebd5ab7a1d015effa747d218c44a

Download Submit
C:\Windows\DirectX.log
Filesize
903B

MD5
9c56441f5bcd0f11e0f2f68a2342f3d1

SHA1
4ae15ade8ae6d33d952fbfaad00340fd77ede450

SHA256
a1e67f4128792424bebc683eda7ca7dbed3d7172c9c8ea1af563b2335b9e7dc1

SHA512
79d2bae43f497b22bab666b8c43f5dacf5c4639b857b456e05b00632b8559a619d9627ae4489c2324a3a8f974b6b143c1357d43794d0aea0a1dca85f8d97fd13

Download Submit
C:\Windows\DirectX.log
Filesize
980B

MD5
3c0839d8935c1491e00c727dc2fb6a6f

SHA1
4d644a0677ef7e49a87787797da70c3ed567e0e3

SHA256
afce053ee76cc6719e41e378153b8991844cc910b5176431cbc2dbdeb709f9e6

SHA512
acfddc1592f81995222890f842e55aa8b3667959d679c1eac1fc8f4ede0e5814378acf229d277236e48de7b1d03d91e0508bd1db4dea285842944efbf576cb8c

Download Submit
C:\Windows\DirectX.log
Filesize
1KB

MD5
262dacea5bb4561f91c10f63d85b3652

SHA1
b75563f2d6b83d33776be35380e785b79f678d07

SHA256
51148c8ebc46dc4ff1d0ce7765905d96e7b4f68581dea83e69f9147664176e13

SHA512
be551b07147709b15cf058e0fae9698609aeed33bcecde881d461a16c6e59250fb41c27d7762ad540039e526171584ee49dad5f313abb341b4a04273b5484cd4

Download Submit
C:\Windows\SysWOW64\directx\websetup\dsetup.dll
Filesize
93KB

MD5
984cad22fa542a08c5d22941b888d8dc

SHA1
3e3522e7f3af329f2235b0f0850d664d5377b3cd

SHA256
57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308

SHA512
8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef

Download Submit
C:\Windows\SysWOW64\directx\websetup\dsetup32.dll
Filesize
1MB

MD5
a5412a144f63d639b47fcc1ba68cb029

SHA1
81bd5f1c99b22c0266f3f59959dfb4ea023be47e

SHA256
8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6

SHA512
2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405

Download Submit
C:\Windows\SysWOW64\xactengine2_0.dll
Filesize
224KB

MD5
2112fe0c46662d429347a7d7b49e3ece

SHA1
8cf607547e9c5a10f129a3a8f8f32bd295c0d5b4

SHA256
cfd1c2d34feb7d94f282e97bf762a99bfa7309dc7353d96dfe4aadc187d26c67

SHA512
77f77add8411d418798d643d783752896d3fcac002f15696caeaf45b5396d2d42fe53bfb409d66ad505cdaac0ef0a20a62aa45b50aebe65237d2c44af36bbc34

Download Submit
C:\Windows\SysWOW64\xactengine2_0.dll
Filesize
224KB

MD5
2112fe0c46662d429347a7d7b49e3ece

SHA1
8cf607547e9c5a10f129a3a8f8f32bd295c0d5b4

SHA256
cfd1c2d34feb7d94f282e97bf762a99bfa7309dc7353d96dfe4aadc187d26c67

SHA512
77f77add8411d418798d643d783752896d3fcac002f15696caeaf45b5396d2d42fe53bfb409d66ad505cdaac0ef0a20a62aa45b50aebe65237d2c44af36bbc34

Download Submit
C:\Windows\system32\xactengine2_0.dll
Filesize
347KB

MD5
ce5753f9a27837259eb52f3f47f39593

SHA1
2eb60f397eff937249521fe0bf5fe89eccee4914

SHA256
a00ad310f3d7b2d4de2f5a4c081359fa443ce0baecc72ebf39d6b30ccf7babce

SHA512
93fa47262f1b1ed9b284337f7225bdc06b6931931f385eeb30faaba25f1ccc483d633a40831471da70077d6a1f6a84c21a909daea059ecf316534b1994467230

Download Submit
memory/332-234-0x0000000000000000-mapping.dmp

Download
memory/448-242-0x0000000000000000-mapping.dmp

Download
memory/604-237-0x0000000000000000-mapping.dmp

Download
memory/752-275-0x0000000000000000-mapping.dmp

Download
memory/788-189-0x0000000000000000-mapping.dmp

Download
memory/916-292-0x0000000000000000-mapping.dmp

Download
memory/1332-297-0x0000000000400000-0x0000000002428000-memory.dmp

Filesize
32MB

Download
memory/1332-296-0x0000000011000000-0x0000000011040000-memory.dmp

Filesize
256KB

Download
memory/1332-294-0x0000000000400000-0x0000000002428000-memory.dmp

Filesize
32MB

Download
memory/1404-219-0x0000000000000000-mapping.dmp

Download
memory/1468-288-0x0000000000000000-mapping.dmp

Download
memory/1504-258-0x0000000000000000-mapping.dmp

Download
memory/1612-134-0x0000000000000000-mapping.dmp

Download
memory/1824-203-0x0000000000000000-mapping.dmp

Download
memory/2032-216-0x0000000000000000-mapping.dmp

Download
memory/2136-214-0x0000000000000000-mapping.dmp

Download
memory/2160-220-0x0000000000000000-mapping.dmp

Download
memory/2256-291-0x0000000000000000-mapping.dmp

Download
memory/2268-259-0x0000000000000000-mapping.dmp

Download
memory/2460-169-0x0000000000000000-mapping.dmp

Download
memory/2668-184-0x0000000000000000-mapping.dmp

Download
memory/2684-286-0x0000000000000000-mapping.dmp

Download
memory/2704-224-0x0000000000000000-mapping.dmp

Download
memory/2780-287-0x0000000000000000-mapping.dmp

Download
memory/2828-290-0x0000000000000000-mapping.dmp

Download
memory/2836-194-0x0000000000000000-mapping.dmp

Download
memory/2992-263-0x0000000000000000-mapping.dmp

Download
memory/2992-264-0x0000000002120000-0x0000000002189000-memory.dmp

Filesize
420KB

Download
memory/2992-265-0x0000000002121000-0x000000000217C000-memory.dmp

Filesize
364KB

Download
memory/3012-215-0x0000000000000000-mapping.dmp

Download
memory/3028-211-0x0000000000000000-mapping.dmp

Download
memory/3068-284-0x0000000000000000-mapping.dmp

Download
memory/3112-279-0x0000000000000000-mapping.dmp

Download
memory/3140-272-0x0000000000000000-mapping.dmp

Download
memory/3140-273-0x0000000001EF0000-0x0000000001F59000-memory.dmp

Filesize
420KB

Download
memory/3140-274-0x0000000001EF1000-0x0000000001F4C000-memory.dmp

Filesize
364KB

Download
memory/3172-213-0x0000000000381000-0x00000000003B5000-memory.dmp

Filesize
208KB

Download
memory/3172-253-0x0000000004E51000-0x0000000004E8D000-memory.dmp

Filesize
240KB

Download
memory/3172-236-0x0000000004E51000-0x0000000004E8A000-memory.dmp

Filesize
228KB

Download
memory/3172-261-0x0000000004E51000-0x0000000004E8D000-memory.dmp

Filesize
240KB

Download
memory/3172-212-0x0000000000380000-0x00000000003BD000-memory.dmp

Filesize
244KB

Download
memory/3172-240-0x0000000004E51000-0x0000000004E8A000-memory.dmp

Filesize
228KB

Download
memory/3172-222-0x0000000000380000-0x00000000003BD000-memory.dmp

Filesize
244KB

Download
memory/3172-223-0x0000000000381000-0x00000000003B6000-memory.dmp

Filesize
212KB

Download
memory/3172-218-0x0000000000381000-0x00000000003B5000-memory.dmp

Filesize
208KB

Download
memory/3172-217-0x0000000000380000-0x00000000003BD000-memory.dmp

Filesize
244KB

Download
memory/3172-246-0x0000000004E51000-0x0000000004E8C000-memory.dmp

Filesize
236KB

Download
memory/3172-228-0x0000000000381000-0x00000000003B7000-memory.dmp

Filesize
216KB

Download
memory/3172-270-0x0000000004E51000-0x0000000004E8D000-memory.dmp

Filesize
240KB

Download
memory/3172-137-0x0000000000000000-mapping.dmp

Download
memory/3172-202-0x0000000000381000-0x00000000003B5000-memory.dmp

Filesize
208KB

Download
memory/3172-201-0x0000000000380000-0x00000000003BD000-memory.dmp

Filesize
244KB

Download
memory/3172-227-0x0000000000380000-0x00000000003BD000-memory.dmp

Filesize
244KB

Download
memory/3228-226-0x0000000000000000-mapping.dmp

Download
memory/3288-289-0x0000000000000000-mapping.dmp

Download
memory/3316-249-0x0000000000000000-mapping.dmp

Download
memory/3360-248-0x0000000000000000-mapping.dmp

Download
memory/3368-221-0x0000000000000000-mapping.dmp

Download
memory/3380-283-0x0000000000000000-mapping.dmp

Download
memory/3404-281-0x0000000000000000-mapping.dmp

Download
memory/3504-247-0x0000000000000000-mapping.dmp

Download
memory/3644-267-0x0000000000000000-mapping.dmp

Download
memory/3800-244-0x0000000000000000-mapping.dmp

Download
memory/3940-174-0x0000000000000000-mapping.dmp

Download
memory/4056-271-0x0000000000000000-mapping.dmp

Download
memory/4124-229-0x0000000000000000-mapping.dmp

Download
memory/4192-241-0x0000000000000000-mapping.dmp

Download
memory/4248-280-0x0000000000000000-mapping.dmp

Download
memory/4264-266-0x0000000000000000-mapping.dmp

Download
memory/4276-243-0x0000000000000000-mapping.dmp

Download
memory/4340-277-0x0000000000000000-mapping.dmp

Download
memory/4380-225-0x0000000000000000-mapping.dmp

Download
memory/4448-285-0x0000000000000000-mapping.dmp

Download
memory/4484-250-0x0000000000000000-mapping.dmp

Download
memory/4552-254-0x0000000000000000-mapping.dmp

Download
memory/4572-233-0x0000000000000000-mapping.dmp

Download
memory/4716-282-0x0000000000000000-mapping.dmp

Download
memory/4760-262-0x0000000000000000-mapping.dmp

Download
memory/4764-255-0x0000000000000000-mapping.dmp

Download
memory/4764-256-0x00000000020D0000-0x0000000002139000-memory.dmp

Filesize
420KB

Download
memory/4764-257-0x00000000020D1000-0x000000000212C000-memory.dmp

Filesize
364KB

Download
memory/4780-209-0x0000000000000000-mapping.dmp

Download
memory/4784-276-0x0000000000000000-mapping.dmp

Download
memory/4800-251-0x0000000000000000-mapping.dmp

Download
memory/4864-278-0x0000000000000000-mapping.dmp

Download
memory/4884-132-0x0000000000400000-0x0000000000907000-memory.dmp

Filesize
5MB

Download
memory/4884-144-0x0000000000400000-0x0000000000907000-memory.dmp

Filesize
5MB

Download
memory/4884-293-0x0000000000400000-0x0000000000907000-memory.dmp

Filesize
5MB

Download
memory/4912-179-0x0000000000000000-mapping.dmp

Download
memory/4960-230-0x0000000000000000-mapping.dmp

Download
memory/4960-231-0x0000000000960000-0x00000000009BE000-memory.dmp

Filesize
376KB

Download
memory/4960-232-0x0000000000961000-0x00000000009B2000-memory.dmp

Filesize
324KB

Download
memory/5008-268-0x0000000000000000-mapping.dmp

Download
memory/5068-238-0x0000000000000000-mapping.dmp

Download