ID: 114939
Sample Name: mecway110.msi
Cookbook: default.jbs
Time: 19:29:50
Date: 06/03/2019
Version: 25.0.0 Tiger's Eye

Table of Contents

Table of Contents (p. 2)
Analysis Report mecway110.msi (p. 4)
  Overview (p. 4)
    General Information (p. 4)
    Detection (p. 5)
    Confidence (p. 5)
    Classification (p. 5)
    Analysis Advice (p. 6)
    Mitre Att&ck Matrix (p. 6)
    Signature Overview (p. 7)
      Spreading (p. 7)
      Software Vulnerabilities (p. 7)
      Networking (p. 7)
      Key, Mouse, Clipboard, Microphone and Screen Capturing (p. 7)
      E-Banking Fraud (p. 7)
      System Summary (p. 7)
      Data Obfuscation (p. 8)
      Persistence and Installation Behavior (p. 8)
      Hooking and other Techniques for Hiding and Protection (p. 8)
      Malware Analysis System Evasion (p. 8)
      Anti Debugging (p. 8)
      HIPS / PFW / Protection Evasion (p. 8)
      Language, Device and Operating System Detection (p. 8)
    Behavior Graph (p. 9)
    Simulations (p. 9)
      Behavior and (p. 9)
    Antivirus Detection (p. 9)
      Initial Sample (p. 9)
      Dropped Files (p. 9)
      Unpacked PE Files (p. 10)
      Domains (p. 10)
      URLs (p. 10)
    Yara Overview (p. 10)
      Initial Sample (p. 10)
      PCAP (Network Traffic) (p. 10)
      Dropped Files (p. 10)
      Memory Dumps (p. 10)
      Unpacked PEs (p. 10)
    Joe Sandbox View / Context (p. 10)
      IPs (p. 10)
      Domains (p. 10)
      ASN (p. 11)
      JA3 Fingerprints (p. 11)
      Dropped Files (p. 11)
    Screenshots (p. 11)
      Thumbnails (p. 11)
  Startup (p. 12)
  Created / dropped Files (p. 12)
  Domains and IPs (p. 32)
    Contacted Domains (p. 32)
    URLs from Memory and Binaries (p. 32)
    Contacted IPs (p. 32)
  Static File Info (p. 32)
    General (p. 32)
    File Icon (p. 33)
  Network Behavior (p. 33)
  Code Manipulations (p. 33)
  Statistics (p. 33)

Copyright Joe Security LLC 2019 Page 2 of 45

    Behavior (p. 33)
  System Behavior (p. 33)
    Analysis Process: msiexec.exe PID: 3736 Parent PID: 1428 (p. 34)
      General (p. 34)
      File Activities (p. 34)
      Registry Activities (p. 34)
    Analysis Process: msiexec.exe PID: 3344 Parent PID: 2416 (p. 34)
      General (p. 34)
    Analysis Process: DXSETUP.exe PID: 3224 Parent PID: 2416 (p. 34)
      General (p. 34)
      File Activities (p. 35)
        File Created (p. 35)
        File Written (p. 35)
      Registry Activities (p. 35)
        Key Value Created (p. 35)
    Analysis Process: infinst.exe PID: 4864 Parent PID: 3224 (p. 35)
      General (p. 35)
      File Activities (p. 36)
        File Created (p. 36)
        File Written (p. 36)
        File Read (p. 36)
    Analysis Process: infinst.exe PID: 4620 Parent PID: 3224 (p. 36)
      General (p. 36)
      File Activities (p. 37)
        File Created (p. 37)
        File Written (p. 37)
        File Read (p. 37)
    Analysis Process: infinst.exe PID: 1480 Parent PID: 3224 (p. 37)
      General (p. 37)
      File Activities (p. 38)
        File Created (p. 38)
        File Written (p. 38)
        File Read (p. 38)
    Analysis Process: infinst.exe PID: 3272 Parent PID: 3224 (p. 38)
      General (p. 39)
      File Activities (p. 39)
        File Created (p. 39)
        File Written (p. 39)
        File Read (p. 39)
    Analysis Process: infinst.exe PID: 3296 Parent PID: 3224 (p. 40)
      General (p. 40)
      File Activities (p. 40)
        File Created (p. 40)
        File Written (p. 40)
        File Read (p. 40)
    Analysis Process: infinst.exe PID: 4352 Parent PID: 3224 (p. 41)
      General (p. 41)
      File Activities (p. 41)
        File Created (p. 41)
        File Written (p. 41)
        File Read (p. 41)
    Analysis Process: infinst.exe PID: 1880 Parent PID: 3224 (p. 42)
      General (p. 42)
      File Activities (p. 42)
        File Created (p. 42)
        File Written (p. 42)
        File Read (p. 43)
    Analysis Process: infinst.exe PID: 4976 Parent PID: 3224 (p. 43)
      General (p. 43)
      File Activities (p. 43)
        File Created (p. 43)
        File Written (p. 43)
        File Read (p. 44)
    Analysis Process: .exe PID: 1932 Parent PID: 3224 (p. 44)
      General (p. 44)
      Registry Activities (p. 44)
  Disassembly (p. 44)
    Code Analysis (p. 44)

Analysis Report mecway110.msi

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 114939
Start date: 06.03.2019
Start time: 19:29:50
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 15s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: mecway110.msi
Cookbook file name: default.jbs
Analysis system description: 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean7.winMSI@21/106@0/0
EGA Information: Successful, ratio: 90%
HDC Information: Successful, ratio: 86.5% (good quality ratio 71.7%)
Quality average: 62.2%
Quality standard deviation: 35.7%
HCA Information: Successful, ratio: 99%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .msi; Stop behavior analysis, all processes terminated

Warnings:

Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: msiexec.exe, DXSETUP.exe

Detection

Strategy    Score   Range     Reporting        Whitelisted   Detection
Threshold   7       0 - 100   Report FP / FN   false

Confidence

Strategy    Score   Range   Further Analysis Required?   Confidence
Threshold   1       0 - 5   true

Classification

[Classification chart, rendered in the original as a diagram: categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale from clean through suspicious to malicious]

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook

Sample may be VM or Sandbox-aware, try analysis on a native machine

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Mitre Att&ck Matrix

Columns: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control

Row 1: Replication Through Removable Media 1 | Windows Remote Management | Helper DLL | Process Injection 1 | Process Injection 1 | Input Capture 1 | Peripheral Device Discovery 1 1 | Replication Through Removable Media 1 | Input Capture 1 | Data Compressed | Standard Cryptographic Protocol 1

Row 2: Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Obfuscated Files or Information 2 | Network Sniffing | Security Software Discovery 3 1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Fallback Channels

Row 3: Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Path Interception | Rootkit | Input Capture | System Information Discovery 3 3 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol

Signature Overview

• Spreading
• Software Vulnerabilities
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• E-Banking Fraud
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Spreading:

Checks for available system drives (often done to infect USB drives)

Contains functionality to enumerate / list files inside a directory

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Networking:

Urls found in memory or binary data

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

E-Banking Fraud:

Drops certificate files (DER)

System Summary:

Contains functionality to call native functions

Creates files inside the system directory

Creates mutexes

Deletes files inside the Windows folder

Detected potential crypto function

Enables security privileges

Found potential string decryption / allocating functions

Tries to load missing DLLs

Classification label

Contains functionality for error logging

Creates temporary files

Reads ini files

Reads software policies

Spawns processes

Uses an in-process (OLE) Automation

Found GUI installer (many successful clicks)

Found graphical window changes (likely an installer)

Found installer window with terms and condition text

Submission file is bigger than most known malware samples

Binary contains paths to debug symbols

Data Obfuscation:

Contains functionality to dynamically determine API calls

Registers a DLL

Uses code obfuscation techniques (call, push, ret)

Persistence and Installation Behavior:

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Contains functionality to read ini properties file for application configuration

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)

Malware Analysis System Evasion:

Checks the free space of harddrives

Contains functionality to read device registry values (via SetupAPI)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to enumerate / list files inside a directory

Contains functionality to query system information

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Program exit points

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains functionality to register its own exception handler

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)

Queries device information via Setup API

Queries the volume information (name, serial number etc) of a device

Contains functionality to query local / system time

Contains functionality to query windows version

Queries the cryptographic machine GUID

Behavior Graph

[Behavior graph, rendered in the original as a diagram. ID: 114939; Sample: mecway110.msi; Startdate: 06/03/2019; Architecture: WINDOWS; Score: 7. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Is malicious; language markers: Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language.]

Started processes: DXSETUP.exe, msiexec.exe, msiexec.exe; below them infinst.exe (three shown) and 6 other processes.

Dropped at the first level: C:\Windows\SysWOW64\SETE8F.tmp (PE32); C:\Windows\SysWOW64\SET855.tmp (PE32); C:\Windows\SysWOW64\SET333F.tmp (PE32); 17 other files (none is malicious); C:\Users\user\AppData\Local\...\MSIBA93.tmp (PE32).

Dropped at the infinst.exe level: C:\Windows\System32\SET35BF.tmp (PE32+); C:\Windows\System32\SET359F.tmp (PE32+); C:\Windows\System32\SETFD7.tmp (PE32+); C:\Windows\System32\SET1611.tmp (PE32+); C:\Windows\System32\SET9EC.tmp (PE32+); C:\Windows\System32\SET2E1D.tmp (PE32+); C:\Windows\System32\SET2822.tmp (PE32+); 2 other files (none is malicious).

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

Source          Detection   Scanner      Label   Link
mecway110.msi   0%          virustotal           Browse

Dropped Files

Source                                                     Detection   Scanner        Label   Link
C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\dxupdate.dll   0%          virustotal             Browse
C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\dxupdate.dll   0%          metadefender           Browse

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source                         Detection   Scanner           Label   Link
www.BetaPlace.comEContinuare   0%          Avira URL Cloud   safe
www.BetaPlace.com.             0%          virustotal                Browse
www.BetaPlace.com.             0%          Avira URL Cloud   safe
www.BetaPlace.com              0%          virustotal                Browse
www.BetaPlace.com              0%          Avira URL Cloud   safe
www.betaplace.com.             0%          virustotal                Browse
www.betaplace.com.             0%          Avira URL Cloud   safe
www.betaplace.com              0%          virustotal                Browse
www.betaplace.com              0%          Avira URL Cloud   safe
www.BetaPlace.com.?            0%          virustotal                Browse
www.BetaPlace.com.?            0%          Avira URL Cloud   safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match                              Associated Sample Name / URL   SHA 256    Detection   Link     Context
C:\Windows\SysWOW64\SET2C0A.tmp    slepaya_zona[E2ag3].exe        Get hash   malicious   Browse

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w10x64

msiexec.exe (PID: 3736, cmdline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\mecway110.msi', MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
msiexec.exe (PID: 3344, cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 07352D08995437842A17DA4C34B43353 C, MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
DXSETUP.exe (PID: 3224, cmdline: 'C:\\Mecway\Mecway11\DXRedist\DXSETUP.exe' /silent, MD5: DDCE338BB173B32024679D61FB4F2BA6)
infinst.exe (PID: 4864, cmdline: C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe xinput1_3_x64.inf, Install_Driver, MD5: 45D4DAC07AA361BCD77AA815D1724A16)
infinst.exe (PID: 4620, cmdline: C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe X3DAudio1_7_x64.inf, MD5: 730E5493910E5693499485E352381C6A)
infinst.exe (PID: 1480, cmdline: C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe D3DX9_43_x64.inf, MD5: A7BA8B723B327985DED1152113970819)
infinst.exe (PID: 3272, cmdline: C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe d3dx10_43_x64.inf, MD5: A7BA8B723B327985DED1152113970819)
infinst.exe (PID: 3296, cmdline: C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe d3dx11_43_x64.inf, MD5: A7BA8B723B327985DED1152113970819)
infinst.exe (PID: 4352, cmdline: C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe d3dcsx_43_x64.inf, MD5: A7BA8B723B327985DED1152113970819)
infinst.exe (PID: 1880, cmdline: C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe D3DCompiler_43_x64.inf, MD5: A7BA8B723B327985DED1152113970819)
infinst.exe (PID: 4976, cmdline: C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe XAudio2_7_x64.inf, MD5: A7BA8B723B327985DED1152113970819)
regsvr32.exe (PID: 1932, cmdline: C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\XAudio2_7.dll, MD5: D78B75FC68247E8A63ACBA846182740E)
cleanup

Created / dropped Files

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\D3DCompiler_43.dll Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe File Type: PE32 executable (DLL) (console) 80386, for MS Windows Size (bytes): 4632272 Entropy (8bit): 6.436376957727301 Encrypted: false MD5: 2E837D536A6BC42B3704E61A722EF39E SHA1: AA0C16656F99637FADD0121D9E1F99B9380B10D5 SHA-256: 32D5FF7BB6175A8EF8788389CC399BDB54281D8426B26E8203DD63FAFBE206A6 SHA-512: 3B344B0BB9EAD67995AFD295623DD9D3864DDE1A5D1EF0A23EC625D832FC68949594BBF5CA3552C3222CA0CB5 C5E24EA84246B028593B816EC2510ECC5C58485 Malicious: false Reputation: low

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\D3DCompiler_43_x64.cat Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe File Type: data Size (bytes): 6796 Entropy (8bit): 7.247934348709326 Encrypted: false MD5: 896761C3D74CD04030AB7E3820105617 SHA1: 5E6B6D7487A2FC808988CDA1870F61BE40892420 SHA-256: 994769AA4D609FB2C6C0CA958E79AD1566677D3B4E66DEF1CD41EB7B7D86009F SHA-512: AC25BA42E9DE4D2833BFC967F9AC5F9C27B7C52FB935559AC19C54AE6A9C0DBB5D8A58C1A16B79409103EB8DC 144B9298DB0D15036332ED7863F543C546714DD Malicious: false Reputation: low

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\D3DCompiler_43_x64.inf Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe File Type: ASCII text, with CRLF line terminators Size (bytes): 683 Entropy (8bit): 5.441416736401643 Encrypted: false MD5: 697E79B036806E36E6FE463DD960A9AE SHA1: D1E624B8C98B509C88CC72BEDB5FCFE3D12F6D16 SHA-256: 112EC71E22F87BF8D54B12836A85E168FABED8DDE3FFE7EDA9EB444AB9FB8348 SHA-512: 168B2DC39C7EE309DB77B53D775E358088E402E712F4FD199E49D023ECC1D5C82503418375DDE0E0EDD6E67BA6 F71FE6B19043B4C9336E43A8123028AF779835 Malicious: false

Copyright Joe Security LLC 2019 Page 12 of 45 C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\D3DCompiler_43_x64.inf Reputation: low

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\D3DCompiler_43_x64_xp.inf Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe File Type: ASCII text, with CRLF line terminators Size (bytes): 454 Entropy (8bit): 5.16701836695936 Encrypted: false MD5: B94DE1544BE945197415F3A0D4A39CF8 SHA1: BCA9E65A376A6FEABCBDFA7AE84E61BEB2FF1FE1 SHA-256: 8038780A408420A9C44E7736E4C36BE6BB9E5882019E55FC97FC4E4049175FEC SHA-512: AB5340995CE0B028FC905E1A796819FE5B52544C57C640BDE141236FE172D3965CC233D2C57C7C53D2AA2EBCA3 D6C2EAE67CA6F50C30BDA2847096613C61989B Malicious: false Reputation: low

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\D3DCompiler_43_x86.cat Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe File Type: data Size (bytes): 6796 Entropy (8bit): 7.242703752909775 Encrypted: false MD5: 11BC389F7A75423CEFA205BF3A404CE2 SHA1: 3883969A816DB884A79E1B1ED8D2EC075D48F985 SHA-256: 32000BAC9D162035751FE9016FC580D0CC0A643563C0F563D86D5FB83329E65F SHA-512: 0AC8F8FE65A449DBE175CA3B5A9269C7FAA65C852BCD41322FB0DA1B2FA2E52B468589399043C05070E57966559 DB6F03D21270DCB26A7BEE0D09B2222905E6E Malicious: false Reputation: low

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\D3DCompiler_43_x86.inf Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe File Type: ASCII text, with CRLF line terminators Size (bytes): 801 Entropy (8bit): 5.488673383707369 Encrypted: false MD5: 90785E792EDCFA7D43DE9DF2D1AC884D SHA1: EA5D8BBBF131343DD0DDB2073DCBB7634E6BCECC SHA-256: 8F68CCDD8CE1ACFAA5C4AFAC6B2E96E23B7B532FBCBE9375709326083A134E85 SHA-512: A2D15DF6148B811AD5658D9692A737924A3CE3AE1007CD86B6AD994922D95D839258DD18D785425609970EFA8A3 9CA79FA61512F7908891CF51CD0EEB6AD2B15 Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\D3DCompiler_43_x86_xp.inf Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe File Type: ASCII text, with CRLF line terminators Size (bytes): 572 Entropy (8bit): 5.262759700206673 Encrypted: false MD5: 269EE8EAE0AEB992621E80A3F1B2C501 SHA1: C1F1031B04E243F44C63AD762217D61D1FC41E58 SHA-256: EADF4D9537F17BB65FB811B7FD1C5248D6AE08DB5CF0F17E500F5CF73D685CCC SHA-512: 91003527430C9F15478ECA6FC950ACE7DB9156D38B172484C133601B18D5BF7FEE89F9B36379E723BF408F831B28 60E39A1BC03F48C831615CE53CB521D20A87 Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\FEB2010_X3DAudio_x64.inf Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe File Type: ASCII text, with CRLF line terminators Size (bytes): 1630 Entropy (8bit): 5.357374101631292 Encrypted: false MD5: 6031190667A819A147209B8B166D08A9 SHA1: 0A5B5DB3B6B6BC61C93C843B2A8911692DF21EC1 SHA-256: C3DE02D3FEFF96360B56209410C7F7B362A630D6841F6C22EC67E494C5312AA6

Copyright Joe Security LLC 2019 Page 13 of 45 C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\FEB2010_X3DAudio_x64.inf SHA-512: 8AE98FDB60BFC3B62AB19A4C6EF6D35830D43A0271B6B0E5E09E43EF0F2D2CB5C93304D020FB315762AF3EA90 2F88DFDDA07159A5B11C351AF62E3A7093BA677 Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\FEB2010_X3DAudio_x86.inf Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe File Type: ASCII text, with CRLF line terminators Size (bytes): 2874 Entropy (8bit): 5.395384184866059 Encrypted: false MD5: A068E3F964ED482C618C36F8B552D8F4 SHA1: C63D84FD9FFC62ABE794E72AAA6DE3D84808EAA6 SHA-256: 5097A6810A29C8034CA708214904365BB9F3020D0C09C1CB8A3FEA8D3F7AB2C5 SHA-512: E91AFBC51B1A792B2C5E0F95604D1A65C35556F072495DF3BABF0B8569536BAE7A737CD8326DF891A58AECE063 B48EF6BA3FE63867A44F7059E9C7B7A64A00E0 Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\JUN2010_D3DCompiler_43_x64.inf Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe File Type: ASCII text, with CRLF line terminators Size (bytes): 1660 Entropy (8bit): 5.340714848146744 Encrypted: false MD5: E620FB326D4E68BC6815D1A583A1135A SHA1: F7177415C24B965949375D54210992195DACD670 SHA-256: 33CC8B3CCD477DD4ABB5D641783439F0DB4620C0219C8047836A5285819EAE89 SHA-512: FF02AC452DF8DA567695AAB03BF1A9EC4FDC72533D01BC19BB15CE77F51ED151FC2D5C2A21016778AFC9E2AD5 AE16A804FB042BBD774C3690818922DF1B7E582 Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\JUN2010_D3DCompiler_43_x86.inf Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe File Type: ASCII text, with CRLF line terminators Size (bytes): 3340 Entropy (8bit): 5.353827430841304 Encrypted: false MD5: 79BF82D62A341DE03B94B61CA2F9FE0E SHA1: 1D9DB24D227F271F46C5A629DA82A4C371349489 SHA-256: B28678FEDD782750675E7298BE76FE019C0FA0F9CE7A73F306D4CA252F2E8F68 SHA-512: 1460CF6C20AAD9882EA92729A2BEABE5ECED8FE4735049FA4F5EB6E606A8A4C6895D5B5F656217617CC5F3270D 1B2DC69294DD65ADFF0C6D3CF8373490B68B0C Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\JUN2010_XAudio_x64.inf Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe File Type: ASCII text, with CRLF line terminators Size (bytes): 1846 Entropy (8bit): 5.386407875808752 Encrypted: false MD5: 379E10FDEC93F1BFEA898613646899F2 SHA1: 5B5B45C383445F0F8DE1ABC49341E41A48EFBE01 SHA-256: 275A33019F37681A5CDCC2FAD1176BA37399B926C24CBE4847C8DC86BAE7D135 SHA-512: 9E20CEDE9E382583E1D0896A3C32D0B209D3800B2FF513311781D95CDF3AD01B01D8B9D5881A569C26D36CAC40 BA5F35740AAFA8F8643A5B6C89E3588594C85D Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\JUN2010_XAudio_x86.inf Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe File Type: ASCII text, with CRLF line terminators Size (bytes): 3230 Entropy (8bit): 5.419008631624257 Encrypted: false MD5: C20FF8ADAA996380A1E02DF1F659BECD SHA1: E590D11D3E2E77EA31A9BA023A90CEBB3555E8DF SHA-256: 2E571A01FFBE147DFEC8374EBA73038DA1069C99FE7B308ABF6AD25F0357979A

Copyright Joe Security LLC 2019 Page 14 of 45 C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\JUN2010_XAudio_x86.inf SHA-512: A413ED6CACD8A953A1CF1169355006AB38A9A4FCDC85A0B80C8BC19FC13B1C05D9B15C9EA83FEDB34594443E3 A384AA39DBA92D5628CC0FD1265D54E34B368B2 Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\JUN2010_d3dcsx_43_x64.inf Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe File Type: ASCII text, with CRLF line terminators Size (bytes): 1630 Entropy (8bit): 5.330685140293299 Encrypted: false MD5: 2FDE2EAE0783F714EA8A099C49961A06 SHA1: EC8E4432C5EFC65210A072444CEB5042ACD83970 SHA-256: 7F60700D0D1DDA3D8CB6FE2B69D39C6E2DE8DA51176D1E7E1137E7159F7DC41F SHA-512: DCA5F3883388E59542BA58847A29C56B99C8AD9E6EFB6E68ABEE6C7A97B3D39C13D8AF10E7E32FA46CB8CE5D 2B85F6DD1ED1A0ACEE94178E2BD803CEE88C6E8E Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\JUN2010_d3dcsx_43_x86.inf Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe File Type: ASCII text, with CRLF line terminators Size (bytes): 3270 Entropy (8bit): 5.347501446123384 Encrypted: false MD5: 89FC98300AE98BD8FB931398492BFD9B SHA1: 7C7E341DCD2EF112B1BF10CC4F7A18A2EB2F2BE5 SHA-256: B0D996AF223EB104AC688DF55F1C06CE0E1407FF9CEFBE8689EFB15F99B0CCB5 SHA-512: 4A81F4AD35A76B860E2ECD9A3428BE1F787C47394C445DCBD42D60F67CF594066F061D7CF5263DF538DD832FDA B2A2BAF858E5E161497376D43D689CB7BFD80B Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\JUN2010_d3dx10_43_x64.inf Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe File Type: ASCII text, with CRLF line terminators Size (bytes): 1630 Entropy (8bit): 5.323958601118763 Encrypted: false MD5: 4AA2AF4E607BEEAF1C8FB3F83591D523 SHA1: 887BD1ECF5D0B73737C9B2A189ED03B918C667F0 SHA-256: 5E464ED4C514423DFD73D4D7386169899C19CF33636B0E7F7620A2576BF65645 SHA-512: 74E2727B83EA805EC613A05C6DA1A32E195F018A886204817E9BDB41B662AB565090B950285C134A6E105500FA52 571881C8BCFC3D95778ABB4A37A47BC97E82 Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\JUN2010_d3dx10_43_x86.inf Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe File Type: ASCII text, with CRLF line terminators Size (bytes): 3270 Entropy (8bit): 5.334993389233006 Encrypted: false MD5: F648F7ECEF7CAB25C34D18054AF2C894 SHA1: A518650B167CB1E41B3D86697F43C4191F5D2460 SHA-256: 1BD620116DB6D8319AEACD434817C1FF0EA35ED509CD0F6FBA53321AA3F3C377 SHA-512: 90E96CF227EA663164B13C7945B52996B7D51C43E5C37CB84B1240BE6FC7A3B112C9A2A7C48E26F6E8C853597B2 81BFB7391AE1089284A65612C5A9F3BEDADEA Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\JUN2010_d3dx11_43_x64.inf Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe File Type: ASCII text, with CRLF line terminators Size (bytes): 1630 Entropy (8bit): 5.332420870575745 Encrypted: false MD5: 6218F93C2B63059683E5DD48CBF69F6D SHA1: C43EB757A846F63E784306C29159EA49E83ED2FF SHA-256: F8E3FAA2B9DB6F47C9E3587339430D4107CC01292C33AA660C60A060247278B2

Copyright Joe Security LLC 2019 Page 15 of 45 C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\JUN2010_d3dx11_43_x64.inf SHA-512: ABEE6D380B52BC483231498568BD8A88AAA6DC14DAEFC3FA5924E982B016F9C82FB94FD0556A776EB0EABDDC 3693436641E8A009E3DCEE531B0E5259FD40B3CE Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\JUN2010_d3dx11_43_x86.inf Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe File Type: ASCII text, with CRLF line terminators Size (bytes): 3270 Entropy (8bit): 5.3452018288502385 Encrypted: false MD5: E73382E059F156F1C6F76FCE7C690290 SHA1: D5EAACBEEF9B367BFEB489B4532071B0FA7C173C SHA-256: 79C186CB500EDF2DE8833EDBEE2DACEFF4078611B7E11982B0AB33F52708D8F6 SHA-512: AF9AB7936103021575AFA5154148F8A6CB908861FD9ECB9C10A790DE41EE2AB0DE4167D36D1516E5D004C7BC56 83AB71AC3DFC7B1866CD136B20E11FE67652D7 Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\JUN2010_d3dx9_43_x64.inf Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe File Type: ASCII text, with CRLF line terminators Size (bytes): 1624 Entropy (8bit): 5.330953887954866 Encrypted: false MD5: 651A6229E9C5AC92BC84317B04F2F2C7 SHA1: E3D3099A20D8F639659F42C0FCDFB463CA139FE6 SHA-256: 211C4A5DD56533302960BFBB42FFE7E8A7E00AFA907D992BA14C13C07E14F283 SHA-512: 95FD579FEBE49AF60C9FACCF81F74D12F00EA2233F10A62728A6695667846CE35C575AF253012335803AA32C2F83 173EF69D20FA6E7C16057E1DB0F8281DB1B6 Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\JUN2010_d3dx9_43_x86.inf Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe File Type: ASCII text, with CRLF line terminators Size (bytes): 3256 Entropy (8bit): 5.386446163735425 Encrypted: false MD5: D709666E882FC2CAF88782221633DAD4 SHA1: AC3F2E08569F16D7DB4A1B61E9FF106498DA30B3 SHA-256: 79B0D02ECBBBAA3BB1A9A2BDD3388AA8D87D2793241F054717DAC6238468EDED SHA-512: 1A19CA3F54B510ADC0C58D45AD283FF8D7EE603DDD32E06791D3174CD97FB2FF11F8C9B555DCD7E7AAF3B858A DCD573E7843533BDB47620CECB67546FE7AEC5C Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\X3DAudio1_7.dll Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows Size (bytes): 47280 Entropy (8bit): 6.505339675386526 Encrypted: false MD5: 73C6A4256C2474AC1249A87319F4C5ED SHA1: C88820AC069F9D067B0DE56248D058EFE9557F12 SHA-256: A4F3EEA0A8DA7456226DB9E24E29F41B545781001BE7AF4E026DDF7359D3B609 SHA-512: F0D90FCBEBA49F8FEA06CAE5B7244A6B92AC287012E07C6E5307F511B4CCAD4EA7D924D2F25F4351337E8D914 B0A50FCD5AC70D11DC24C1993E221F94ACA6697 Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\X3DAudio1_7_x64.cat Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe File Type: data Size (bytes): 6796 Entropy (8bit): 7.254941447828044 Encrypted: false MD5: B794B4FC2F5389CC8548085738B15A99 SHA1: 4430105A3CB69CDA917F856227F7F020C55C8810 SHA-256: 4EA030E7DCDC9B8010C95D77096E98D2C0F9C5EA83BCC0EA8A6434E6EFE340FD

Copyright Joe Security LLC 2019 Page 16 of 45 C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\X3DAudio1_7_x64.cat SHA-512: 1D9BD2559672BBE9FB915F21D00722BE15E4BDBBEEC226927458FC63618EC46DEB688B4CEA15963B9F771A4E15 8C17F6EA86B147704F9F2A9DBBBACE71A758C9 Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\X3DAudio1_7_x64.inf Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe File Type: ASCII text, with CRLF line terminators Size (bytes): 689 Entropy (8bit): 5.445444106252212 Encrypted: false MD5: D2F7A179D3B79547D18A4157F71666EF SHA1: 9B83F1DD7FABF1982CF0F317061D24A52C6FD2F9 SHA-256: 1DA8585EB518801A26CE5A535620AD7BB4177DFCCC8E468C8A003DB064849D04 SHA-512: 5976D6AC22745A61B726426C65768594282AF5B560575F718B588609C8F4FE02B0C1426297B775DF241F4110F2BB1 F37E2DF30E94489A3D957319BC738262CEE Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\X3DAudio1_7_x64_xp.inf Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe File Type: ASCII text, with CRLF line terminators Size (bytes): 463 Entropy (8bit): 5.184214234633132 Encrypted: false MD5: 8E0BF97CE31DE871E64FDDC25AADC77C SHA1: C3AF34AE1B2010B1FF339BB50284C953E90E74DF SHA-256: A412F6C6618DFD34E8BE881A0877F4E6DC2EE27E0354E8A21E6B3E511E783752 SHA-512: 8742B7804E3863DE8CF9605CBC67EC4122EBC9104D3219C1370A1FE26670CD86DC4B27A508D0E43780AB9A267B9 C4AF2B568F1E23B6443545F739614366278A1 Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\X3DAudio1_7_x86.cat Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe File Type: data Size (bytes): 6796 Entropy (8bit): 7.2492853097048915 Encrypted: false MD5: A7F47A6715A636FF847D711069C0111E SHA1: B9F67A9F7E76266BF58F39365B92D66EE95C1327 SHA-256: 70719D11C1864C0B4A73A052E68A3FF48143F46DA0C42CF0B1B29C28997EB2FD SHA-512: 12AF3141FEC1314BB71BFE719FE09B430B45764B91B43AA9A35D802B9F18A001CCB7C2D12B736C8C6FDEDCC68 A7047468C373CDAAD1398D49CC7F167BEB3CF78 Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\X3DAudio1_7_x86.inf Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe File Type: ASCII text, with CRLF line terminators Size (bytes): 803 Entropy (8bit): 5.499017880096025 Encrypted: false MD5: 3D0B9186400510833F9B90E3D38F0A4D SHA1: A210C6C765911BDC3929DB2D14C0DE01542976D3 SHA-256: 87759C44C5487E479D7BD072D3B541EBCF718C35D8E9EDBC1B15E793DC3BEB21 SHA-512: 54F100AD064781BCA7C8D813B0AE554473C8FF0EADD4C30D85459C9A273416BDB6080BCE3072C3EBA555863455 CEFFAF25357E0180D287557251E9BBDE6591A5 Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\X3DAudio1_7_x86_xp.inf Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe File Type: ASCII text, with CRLF line terminators Size (bytes): 578 Entropy (8bit): 5.292050253450019 Encrypted: false MD5: 21B0DB3E2635DAA27907B1A00CF39617 SHA1: 0B5B668BE7539E1F4767BDBEEE6046697333FB2D SHA-256: E03F525C3A628A3EC347378030F205769486CCF92B0F91827262441F6B708218

Copyright Joe Security LLC 2019 Page 17 of 45 C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\X3DAudio1_7_x86_xp.inf SHA-512: 315A6DE74C46BB6DBB8BF209FF83DFEFE09CD8DEC51D7D996A223EE3DEA8A2A5970596F5CF29C31CC9DA2326 3BB237F42B3ADB74F5A05135032C5A6A65365D02 Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\XAPOFX1_5.dll
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Size (bytes): 151728
Entropy (8bit): 6.276064619348984
Encrypted: false
MD5: 5C961B501819FF0D5CD0A44FFED1F0E0
SHA1: D49A69DE57E5C6C8CAA6DDCE6AADF0FDF85143D4
SHA-256: 1AF2DA522A2218B9A7C2D5B2F2B592A37E591AD09D901327E0425014AEA89F07
SHA-512: C9A09F069AED3732FDDBB6760BB5057BFF67A93F4FD9C19A348C68EC26AFE6E4FD22C1067472F5E12081F6E2508C3426A18525A4BB5568AD6407CE175286A19A
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\XAudio2_7.dll
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes): 1045680
Entropy (8bit): 6.30807391616334
Encrypted: false
MD5: 7E0335DB43AFA1ECCF98D153D34A60D7
SHA1: 5819467F091507F4D9DC4D0412FD3B68F7DEF7F5
SHA-256: 8FBC8F8E7630CE38F863AC82955C9E6FABC7105A446E8520B874EEE42A87FE4F
SHA-512: 8432645E6AC4F51DFFDAF89F4B9DA7098C87B113C072CFF7CE69B83BE7CC8A1E5AAD531EA8C88849547B138891CA91844212AE89CE708B69602099864C67BA13
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\XAudio2_7_x64.cat
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: data
Size (bytes): 7094
Entropy (8bit): 7.2004155273536545
Encrypted: false
MD5: 2E1D35C7952B940C68FEF750F49C96AE
SHA1: 78F42831B0310FCD4259759C860906DC56CCFCAC
SHA-256: A2869241E175B0BC6BBAE508FD900CA11D5191FD33B379BE1E3ADEA1414DD58C
SHA-512: D865D13F605F2ECE39727915011E9D52200719687A7209EB66F92B67194BFAE4AD6C3506F1B8B3C1D20C1F4C9FD69C2A7E99A956216004A53CFB5458C4EAD1D8
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\XAudio2_7_x64.inf
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 755
Entropy (8bit): 5.508069545454283
Encrypted: false
MD5: C13A1836C1111052A3F467E53D08AED2
SHA1: F377DABE65CC4B0D85ECDBB0DEB8372524C31395
SHA-256: DE3F252677D45A08DE8A9BD28D49AFD054FECAEC58AA722CA3E2B2BD9DD20B0A
SHA-512: E6093C352A431494F066E42D873DC0AA08BC63281BDF2A3A19393EB14A8011BB2006CF059E8A7B057DF932E6FB03D71DB222250E2F28E570CE9B42B22921E680
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\XAudio2_7_x64_xp.inf
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 531
Entropy (8bit): 5.262823206311182
Encrypted: false
MD5: 57B2E82504D63A00F14DEB78DF12E425
SHA1: 06B2E10F91D6B944D7C508D38AED30BB8DE5FA48
SHA-256: 5E7F81FE8DD8E007AE27419518226C1B38EFC7D8CC82BDE6E2107C104CBA885C
SHA-512: 7503B27541C6DE24819C2050031629EFA72CDCB6C11A0E643A40E59C7145CD3E4A3FD4215D65873B88575B2D0D60F88C4001283E4ED665C1ACFFF553E6CE01CB
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\XAudio2_7_x86.cat
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: data
Size (bytes): 7094
Entropy (8bit): 7.20398615649721
Encrypted: false
MD5: 1BDDAA983634EC02DA160D6C04E8BB11
SHA1: 099B6D1882D3C91FC69A83F87FF9D0975961EAC8
SHA-256: 8E7702D2DB4F49CA09C20E17F4758BC8F59EDD339C86AD8DDF0807A39F201EA9
SHA-512: 250A6093BEC39EC3F26E7364ED5AB742B82FF6737975AB38FED8658542B04A60FCF1AA103303076578DAB1FABDC66E1B6AA21582AE3F324A6048EC99190EE739
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\XAudio2_7_x86.inf
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 882
Entropy (8bit): 5.5430135247616334
Encrypted: false
MD5: 43C696383F239970837409719508C896
SHA1: E822E14E4700025ACACA0CE6AACF486EB0A9C4AE
SHA-256: 1EBD56E5BC5D6442F01AC9FAF333CB513EBC6397945E7F577A5970778CC636EE
SHA-512: E77EED171399F58D59A586593904D2451E884A49FD9BBFDE10EE1A09F1BD54C5396AFF5E58625E0FE1C4F2A87C69366644190518826596D6547860106E8A4C95
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\XAudio2_7_x86_xp.inf
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 659
Entropy (8bit): 5.349500144802367
Encrypted: false
MD5: 4F8D1D18D65F0474E42BAB58F77BA0DB
SHA1: A313B4CD04BE4CE58EBBC68015BB168B00BA9A22
SHA-256: 220700CE5A5F3B73F587EECBFAAA2B5CAF3726B9E98528760FD22AE84EC412D9
SHA-512: 258CFD1E414EA449714D60B4FCE51ED57F6F9FD2D80F57055F52363E74E7A982D0EB7C61A1872D5180951D8145E915BCD7258609038DF3D3B1F466B5C125FC6E
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\apr2007_xinput_x64.inf
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 1720
Entropy (8bit): 5.359460009610513
Encrypted: false
MD5: 7641D62AD76C199D1E8FD64864504A7D
SHA1: F3D5FF2FB2F2587E083D08BC3E4CB9A2870E0A2D
SHA-256: 01C625376779A72D648AFBAE79BDE475F4783C22BA33D7528F8FE8327E5BA7EA
SHA-512: 550590343F35BC1EE0277AB2656E967B6BBCBC54559CDB5E240EBAF74AE9F92F420C51BAF11E65FD3722DB2F794578DCE707CCE8A8A6BA525BAE1CDE68356173
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\apr2007_xinput_x86.inf
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 2862
Entropy (8bit): 5.359559696538983
Encrypted: false
MD5: D25D386B48E917FF965E3FDFD403FBA1
SHA1: 228185BF9B6BC314CFE1833C3763741A5B366B00
SHA-256: BDBBFCEF22CFC1293386B27C750591EB032B6CED604C49F944A665E4686EB142
SHA-512: 71C3056C533C52AF78C84C885CB7164EEBB36AAC942806CAED281E93E5C95D0C9D306D1584B2F26131BFB5EFCB73AEB90CC115B3B327D2DFE0C1E7D90547AD2F
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\d3dcsx_43.dll
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Size (bytes): 3775680
Entropy (8bit): 6.255235075891529
Encrypted: false
MD5: F16102776850CCE311CFB8D93B2DD4D0
SHA1: F51F6159A59D92B2FFA349D3729E1D28E060D6A0
SHA-256: 0F596AC9F351A4D0C2F24059254B0F304BF285E09FA82B0F09D672DE52CEE718
SHA-512: 08DFB81FB626ECE4F59F51425C7F09FD9EAC428FFCEB34761D4ECA7E3A2048DEFD1B71C87ACEFEB64BB0B558EFC35376363F7F679B69ACF73285F3CF5FFE1512
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\d3dcsx_43_x64.cat
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: data
Size (bytes): 6796
Entropy (8bit): 7.248922065147702
Encrypted: false
MD5: 867CB96F358DB37EE7B40848AB0CB6A1
SHA1: C009101601D383FC6CE19F010A0343D48F1D6BAF
SHA-256: FC52B1A9B4D47E82290EC7F47599D35A16F69B22CA74E55DA858A59F9C041F90
SHA-512: 2C6BCF5B76C82257455AC72638B4EC2D66EB34FDE9444ECF359F726E56CF6D09AEC93119A1AA7121ED1E2A11BF6703B134DA24010FD290998E47E43D799E200A
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\d3dcsx_43_x64.inf
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 663
Entropy (8bit): 5.455184141081128
Encrypted: false
MD5: 11F8FDB8CAAF90F60830F7E83AC8F915
SHA1: A38E9AD249646104F781C1992065DD2BF3056CB7
SHA-256: 8A623BAC05C6508042DD01FCCD53F2771306CBB9B339404B91FE106C3C7DBAF2
SHA-512: DE7906AD80E80A55F92E45D7D36C3CED5EBF5D5D51D8D02587F27928D5F129F96CD36E96585C1648A7CEF63062F05B79A1DFDCEB16C0849CEBBEAF46CC6295F1
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\d3dcsx_43_x64_xp.inf
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 439
Entropy (8bit): 5.167843266606336
Encrypted: false
MD5: FD1504A6270A851DA75038EF89AC0275
SHA1: C17D015511541AD1AC378BA7D130E4B2BACC5FD0
SHA-256: 8033061B47A277711E96D41BDC918619DEAB22EC46E43BA7FC177FC2E9047DC6
SHA-512: 48A864405E58DE0BB56EBA3D7DC5FB8E1D32A638F3DC7F61B330AC137C65904E44645827AB90E24B7EE3C8C2A0216C536FAB07F5185691C4B31B0835AAAC23C9
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\d3dcsx_43_x86.cat
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: data
Size (bytes): 6796
Entropy (8bit): 7.257834337832179
Encrypted: false
MD5: AAED60FCF2BCF700D8F17500DAD6DC95
SHA1: DAC96B0992E12298F17067DD9FA8C50EDCBC2297
SHA-256: 7F8A33984E71CFD932417DD3081C71B798B31A57DEC96CA2D5982584A0B69728
SHA-512: 13B8F5BD490D51F22A8234D089A9913756AD00AECD3A25E1C1CBE220B341FF65148B8ADC37EF64DEE203883E727CA3840E12D589E17F4A4ADEE728BA9CE2F1D7
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\d3dcsx_43_x86.inf
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 776
Entropy (8bit): 5.483347321437731
Encrypted: false
MD5: DDBFC2923DF1263BD87AC1BDBA534D4A
SHA1: FF329698074965493128E627F770B9B3E444F813
SHA-256: 48EC353B9C9FBF9EC8692C5D6462C7E4FDB726E7A0B0ABD734F33F9E5F0ACE56
SHA-512: F10220C3F33CF1DA56C4FF580DA322923B5CDAC25BD1C8D0B4F8F0BF456397A4DD32A21E7B731306ED5E01A2B832ACEC7044D7337911E7F4649CDB6F6D37F603
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\d3dcsx_43_x86_xp.inf
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 552
Entropy (8bit): 5.261658761807364
Encrypted: false
MD5: 0AE2ECCF1418E98849B2973C4225AEB5
SHA1: 78C4661DCC0DA0C7DFC6B67A50F11E54CFE72B78
SHA-256: 2CA1181A9E4D4610557C4203C513D1EBD26D8EC9E0C2366271816044E3CDCAB6
SHA-512: 4CED16CD9A097F19DE3C3E0E58B2F83EC2EA7D88E5A3AA6867AAC3168D3A176D6645B74FE76135E8A5F294256E0F72F7E537563327F47FA91CB95B90B5F78FFB
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\d3dx10_43.dll
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Size (bytes): 982208
Entropy (8bit): 6.7043405747747595
Encrypted: false
MD5: 997640C6DD26ADD9FF058C4B085EF881
SHA1: 6C9897E4A8689B4A46F7B9893C03A6552713AB22
SHA-256: CA92572D10700FCCC8E06892A6FE4129399FB87F685A65A107CAA40418AABF33
SHA-512: D44E77DF6DD5615B91080FBB1590C866A338C2D968CB339C04862A77F10AB8B193B0F992456221DFAEE291975AE68E2C6B1804508E7783067444ED1E574A1F9E
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\d3dx10_43_x64.cat
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: data
Size (bytes): 6796
Entropy (8bit): 7.252031434613229
Encrypted: false
MD5: 84A88DA0BF7CC8ED5BD686B99E749091
SHA1: 2170698C30D3A84D67AC0D1DBED5064BE153840A
SHA-256: BADFCD873E5604613A7520199A4122A59C40049AA0B0DAD51B26F7DBC83673E4
SHA-512: 5D1B0DFF561077FDDC13F1DE3852075314AC030BA6A86D2A93B5F6773947C3A242C01C9F7E5473430655ACE6F9685D43CC22F79C7E2AC7B89994D4389B6C8092
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\d3dx10_43_x64.inf
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 663
Entropy (8bit): 5.470362859364708
Encrypted: false
MD5: 4F948E2A08B497B0AA470BAA849F9746
SHA1: 7A144E39849592F84BEAAAAE6FDEEFED09A8E43D
SHA-256: E36537B28026F4BF193788FE45605E9B5715117CBE4F638A9384AA3964768855
SHA-512: D93C0CD53140351F295BDDBB258B1C2646B14980827C6697FB68B5F9811F604F0A1028ABD08441BFF93C0F15778B60B09AEDD49BE9DE60CE70ADFDF047A95F58
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\d3dx10_43_x64_xp.inf
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 439
Entropy (8bit): 5.182648324114666
Encrypted: false
MD5: B949C8EA5B79E3392DDAC589581EB8EC
SHA1: 744E63950B0F216C9BDAB3D3480EBDF3B5179C61
SHA-256: 081D843D955E09A8C0477AB20A04CB6FFEA844E91E28E4AAE6503354C5C3B92B
SHA-512: D7AB08916B4D36A37B267B416DB3F0565C5BD6ECDB0104E2930E6DDAFF64D8A417D70A84D92DB0995EE951F0570F4CA6F7D090943CC0F556007524B652CAB309
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\d3dx10_43_x86.cat
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: data
Size (bytes): 6796
Entropy (8bit): 7.254765641833245
Encrypted: false
MD5: 4B9EDAB17511C7AD0D4753E215160C0A
SHA1: DBCE3E783F5C24A611D3025155381264D840CAE3
SHA-256: EB374DB35DF2DE925C71B3AFFA8D9248D68E6005B2015BACC6A6E5A13EE4B046
SHA-512: D8B97FBEEAE38FE80439CD7589C574FA7FFB81C94494CA507ECDE3F7F5DA948EB54DCA63FD0A633B966494E00B7B8EE3C4F7826F681768C735E04EF97907D6BF
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\d3dx10_43_x86.inf
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 776
Entropy (8bit): 5.486519677108282
Encrypted: false
MD5: 24338A297E69E534524A71CD5AD543C3
SHA1: 69870C91E59B0EACC4E88BD2D4F95E7561F630FE
SHA-256: ED1429A15B15A28F2E6A92DA669A205594D09625CBFCDBF0159516A813A6F5D4
SHA-512: 8BB4AE9C72909C6B8BEB6CA675C007317903869BA56F549D9C2FF48A1FB50923B98B6F748E99BFD56B4B068E14C8773E9BF4DCDF5EB6CCB8B0EDD6A0B16DECC0
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\d3dx10_43_x86_xp.inf
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 552
Entropy (8bit): 5.278909977985311
Encrypted: false
MD5: C6F443FD35C24CFCD2E9E906CA19B6B6
SHA1: 2B74782DDDDFE4878319AF93B03CC5DB35EFDF83
SHA-256: 74F3CC9F80A479FCB4954813DF9AC71085BF407E7B8B447B7ACE3C30E08E6F85
SHA-512: 9C529C7DCA0A4F1C18B394AB4D7AA956B3B154889485C2D9F0D65C4CD45A2F040237512AF2BF61EF155724E0D7401BE4B09CBA96614A493DEFB738028637797D
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\d3dx11_43.dll
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Size (bytes): 525504
Entropy (8bit): 6.5711180311344135
Encrypted: false
MD5: ADB5006F07D151A6BA344294B2D7C1CC
SHA1: 7DDDC80CA4CD214AEE52050ED6CF3A4A9566C8FB
SHA-256: 8EEF7D8099210EE27F527834B14BFC1A517A907DF054FC72886F53FA57070275
SHA-512: 1946BE9DA1AE6D061013186B2C8C4E7B8ED9FC7C67C7A8B5C7A16835A4C2FA9842235FBA031E6DDED22FCCA174F886869CC462F2E3BACD6475B12CAA1AD864C2
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\d3dx11_43_x64.cat
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: data
Size (bytes): 6796
Entropy (8bit): 7.24779625139697
Encrypted: false
MD5: FAA80C6EC284A58745629336CBAD2147
SHA1: 02EE293D9A8E1D38322BFEE48F1B5CAA739311D0
SHA-256: 2BB84F288A6D9785FE9CE9C3B15EE854C554BDBA4E037730785EC8ADE60308FB
SHA-512: 13C734432E386C51E0957B480C29DF191A0AC8D0497117230137DA99E3FD8C84C138D744510AF53C28B15D23EBFB7B0D6C24A5EDE3AB34A41402C2F70B6D26F5
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\d3dx11_43_x64.inf
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 663
Entropy (8bit): 5.468773182183563
Encrypted: false
MD5: D29C07BD1C7B9BE7791554CAD4D6D667
SHA1: 49B2CD13650FA05DAFAB919E5BA1D37D137313CF
SHA-256: 8572AA222C39FA63C22354DA8114D95D06FB1F0C6A91BFBB489105DEEABD6A83
SHA-512: 0D16ABB12B064F792CE504A69697817C2C7E54FB63FEB3406F4F2028CDD19207ADFA3147597C3BE41D5E196FCC6F7C133D4D32E77E3263461683B2366BED18EF
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\d3dx11_43_x64_xp.inf
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 439
Entropy (8bit): 5.181654070832974
Encrypted: false
MD5: AB48BAAC1837352E814C8BA668FA8B6F
SHA1: F08656494B8864C9BF5036379DF3658783051E2F
SHA-256: AF8458A7392681A377F0798DBEFD235ADE01C98678E4AD66B24000E1BF313064
SHA-512: CA3091099DBDB4678AA922E9051A802D0E7DAB7F3EDA03A4D62607668E42EE0E2DB253168F105B397FA20C17D2F32A47D05390FF76B6C99647C75B8D4E5716BA
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\d3dx11_43_x86.cat
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: data
Size (bytes): 6796
Entropy (8bit): 7.252886544623485
Encrypted: false
MD5: 8731DC141C5F490C84DE170F78D122C7
SHA1: 99D83EA9BDDDB7636E926811700973FDBAC501CA
SHA-256: ACA973753DACD00F19A10733F900CD4A0CE6F6A202B4CD82B02A06D6EA8D92F8
SHA-512: CC1F2F0C8DF1AA87D01D86946AA1312D7A737790A2ACC1A3770F8066D9B34B6CD492EA8B5DA16D68ED2F8E6DA190E7B64AC4C65AC88C1B45D9660BE5F78C1649
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\d3dx11_43_x86.inf
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 776
Entropy (8bit): 5.5085250435289606
Encrypted: false
MD5: 5F043E62B5CC2F3D578E8F58AAA09FBA
SHA1: 2E3F0422E88D6DBEAF8211D7DCE7B38D3048C433
SHA-256: 025CFD736326445F5D98D8DFC8584189F8EEBB2D5F3E3CD25A6F386BC2496958
SHA-512: D1AF12375E5169525464DD17DEC6F6EC437B6A35DB6C425D508FA694B506F302B8A72E3F2222467E2CD98346F017A83B5149B80FC8C06B06320EC9E265280680
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\d3dx11_43_x86_xp.inf
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 552
Entropy (8bit): 5.277146898626137
Encrypted: false
MD5: 6984C5F943AF5FCE6FD432A4F4F74259
SHA1: A785B65C7E0E1166A5E43DE4AEB13E5441E8898B
SHA-256: F2DBCB36E32847488C27792CD391E3E17DEBA31FF1F0FEB002A2E9A7EDBA6376
SHA-512: 61C79578BEEB811F744C6EF97DDC2B8D357956AA16F2E5F0ABC1271A65390B160135B105756836B528F1C0EF16AB4B106B064B7C7A71E1C0F30CC42FC4477904
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\d3dx9_43.dll
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes): 4399280
Entropy (8bit): 6.764241447464634
Encrypted: false
MD5: 9AED24A2620BA8B4298150DCC77AC1CA
SHA1: 7D35896FC53D57FEF1FBE74F40A34D59AB05D32D
SHA-256: 00E80409C8E5DC65F0F3FE212055EE3F51F14F8B5A3B9906396EC5548CEFC639
SHA-512: 30EBAD31FE7C2D09C4CBB4D12E190F13B79E02AEB1D51D789247B7A5E67700AFF821EE891D267B22E91428797C173FFAFEA7F6888C9154BFA6FEFF29CFBEF9C3
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\d3dx9_43_x64.cat
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: data
Size (bytes): 6796
Entropy (8bit): 7.2405837465521925
Encrypted: false
MD5: 2FEE464E300BFFB0138D09ED065AFD3D
SHA1: 920276B1F8111EC5B4557C45DB5027180F8FF447
SHA-256: 10241B98D145DA870E153A3776250AD6EA3207111CE43E0F21BF4CC82C51CF08
SHA-512: 4557EE847EBF34DC6665DEDFDAA132D6AD7007585D7F14D5F1B9849781641E4B4A9131E342A3BC185931EBCBE926DE7268ACD6186C546DFF6591743627D3C64B
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\d3dx9_43_x64.inf
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 667
Entropy (8bit): 5.458157560023403
Encrypted: false
MD5: 654EC3755DD6FF76C3E200C445EE4956
SHA1: 916A8A1419BF59C19913B74E053E9BD8FFD9197D
SHA-256: 71BD128262424567380C63C9C23EB819212222317026AD44E965ECAC2224B848
SHA-512: 65EEBB20E9FB3CCA1BDCE2041F306FD9AE53727B298FBA202722217C49C58682871513F0A0714A246F1F9E75870C8C7CCF9A77B7B1D33314EA168BCC747D5F58
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\d3dx9_43_x64_xp.inf
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 444
Entropy (8bit): 5.16344192018049
Encrypted: false
MD5: E7AFFE3AF8199FD7AF239D5348954C2B
SHA1: DC231E5CCBB5087D43E3D714E9E447F33D820E30
SHA-256: 9092F1DEEA3C1B5B440A1DACF1E908B844749870C7F7D96D851BBA972D431E2F
SHA-512: 4D0BA06CA67C4C943EA1F8E925DF5A748CFD8FF29182D248AD1EA1C139FB54A8E9035B52E3D50D9EA06DDD1DF7AC80E4FB45FF07BFB17C501E410B8CFCDF9C1F
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\d3dx9_43_x86.cat
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: data
Size (bytes): 6796
Entropy (8bit): 7.245057725985383
Encrypted: false
MD5: 21E12A2C0D4955795CAF30E93AAEF9C5
SHA1: 0F0DE021F3A28D781C408BAF94A197299C79E466
SHA-256: 70DCB8F80D45D878003CE58C438EAD8C97BB5C5D93B94F6DBD0116B8B8A73CE4
SHA-512: 9B4B8FA1E98A060BDAA543DFBABEE0DA60A9122CB99893101B574E53E85ADB8EDA35B6F49CA044742B00BDC4B20637AB1C20F6A58A6D9A28CEE0DD934B2986F8
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\d3dx9_43_x86.inf
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 779
Entropy (8bit): 5.490665055003897
Encrypted: false
MD5: 9141FA8DB790807373411EE033A9129E
SHA1: 9DC55E8C8F65F136D930B10F09247789B6719BF7
SHA-256: D125F988976274CBBE55A4C5933DD78346654D91066DD97ECED75AA4BE53A85E
SHA-512: 9F2B2603E8E9EAC8F5479C005367981C8728EE715C376EBDEF7E535D39A1EF830218465234294E588F81E608C2CFC85304E6C4CAFB11C8472BC09B9BE6E88618
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\d3dx9_43_x86_xp.inf
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 556
Entropy (8bit): 5.261884034391713
Encrypted: false
MD5: F369960B66F8967C4A0BA15FE0A8122A
SHA1: B41D9D06D372A0F0180C83BC0B4A6DC573645FE6
SHA-256: 673C70AC772C9D0A9AEC86EFCA3C761C1B082295AC1DF07A3507D8AC819657F7
SHA-512: 7872AF2E9588F1FC45528119999037D2EF70AFD7F8F68524BC02818017615B71ED3D042588683B1E7B9DF7F5901B062317614FD6A938C86159A20DE8DA1048DB
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\dxdllreg_x86.inf
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 1448
Entropy (8bit): 5.288710487977935
Encrypted: false
MD5: A0E663C1FB36D26B42A4E4D1D2A83E99
SHA1: CCA6D15DF0A62079D2A2DC9B3F799E396E832852
SHA-256: 845AFB65A8A19CFB5D1F7D6C23E6116F1F05023028C281C85C778590C2AB050A
SHA-512: 4CFCD823CBC01F6EC1BDF87432F59D91D2AAD44F3D4DA44787D946E80C33F73861C6BD34E76CD4274415122728DA6D179037665F1AA4A6A18079649D779B23A3
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\dxupdate.cif
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 66865
Entropy (8bit): 5.567626982635727
Encrypted: false
MD5: B36D3F105D18E55534AD605CBF061A92
SHA1: 788EF2DE1DEA6C8FE1D23A2E1007542F7321ED79
SHA-256: C6C5E877E92D387E977C135765075B7610DF2500E21C16E106A225216E6442AE
SHA-512: 35AE00DA025FD578205337A018B35176095A876CD3C3CF67A3E8A8E69CD750A4CCC34CE240F11FAE3418E5E93CAF5082C987F0C63F9D953ED7CB8D9271E03B62
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\dxupdate.dll
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes): 172032
Entropy (8bit): 6.483865450864726
Encrypted: false
MD5: 94202F25810812F72953938552255FB8
SHA1: C1E88F196935D8AFFC1783CCF8B8954D7F2BFB62
SHA-256: 6DCAD858CC3FF78D58C1DAE5E93CAF7D8BACB4F2FCF9E71BCCB250BF32C7F564
SHA-512: 65B66D07EF68E0D1E79F236A4800C857E991EE3FF80ECE4CFDD0B5F6083EA16F8A52D351C3AF721CB05C06394EC91B4B5E3CFA4B0F0879F7549F3E3ED035E79E
Malicious: false
Antivirus: virustotal, Detection: 0%
Antivirus: metadefender, Detection: 0%

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\dxupdate.inf
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 12848
Entropy (8bit): 5.071095411173453
Encrypted: false
MD5: E6A74342F328AFA559D5B0544E113571
SHA1: A08B053DFD061391942D359C70F9DD406A968B7D
SHA-256: 93F5589499EE4EE2812D73C0D8FEACBBCFE8C47B6D98572486BC0EFF3C5906CA
SHA-512: 1E35E5BDFF1D551DA6C1220A1A228C657A56A70DEDF5BE2D9273FC540F9C9F0BB73469595309EA1FF561BE7480EE92D16F7ACBBD597136F4FC5F9B8B65ECDFAD
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Size (bytes): 643432
Entropy (8bit): 6.0314652019736
Encrypted: false
MD5: 63030D515193BB569ADABF665F174FBE
SHA1: 1888860408E200029294F783C141850A63B50A63
SHA-256: E9B21A822821021BA19B2E4BD7B88DD585EC463968D514563BE1E340E50EA2DC
SHA-512: 52C4F4231B7505BB3AFE440978B5689F7D5D6296985F17DE15700D244AD202CACB6AC25C311116F2E4F6D871C8AC88ACE76E50701DACFA82B2CCB9389347FFCD
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\xinput1_3.dll
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes): 189136
Entropy (8bit): 6.301714505400067
Encrypted: false
MD5: 280E4DDB6AB8A90B3FF8E9BBD09297AE
SHA1: 4F455FFCFAFFE4A13EE96DD4E2C8F9437C922848
SHA-256: 20F0BB3C433D10EBF4387DCCBEB40DA3CF40993A5EE7E926EA7DDC075DCFE220
SHA-512: 594644E239F852F6C0679DD059CF30AA51276518418FCAE8B9B2989696828334E35343DDD3F7FE754EB757AC39701EE296A90857D927D7B4B9D281AD4D49F965
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\xinput1_3_x64.cat
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: data
Size (bytes): 10392
Entropy (8bit): 7.310182781621774
Encrypted: false
MD5: CEBE3D6E47AB85624EBF561C69C73260
SHA1: 0F347828D6FF978CB82E83C26C023A28424D3D84
SHA-256: 3C21371BED285644D9732A1CD3B365DA8E68C810C9306CAD0A5D9F731A4BB181
SHA-512: 0A8DBAC94E59A804154F3E9B63AEC2AB604B2903D7C727B4E337CA3D307E0DBB91A02438E70D0B27F6E533AF0A87B576048A31C9DF962B39EA3BFFB85C8DD222
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\xinput1_3_x64.inf
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 669
Entropy (8bit): 5.4670771017663835
Encrypted: false
MD5: C9635B7617D68D95F9113282472218C9
SHA1: E3DA3F2600A0F5CD0E28722EE313E04FC29DFC60
SHA-256: 0D411D9424128F19FED2DAA95A2983B4B29197F022A754F59D0C7740AD654CCA
SHA-512: 0481E008619D3B3A45D0A90825B576E4C03F27668B0792762CB9165B15955645667392F23EAC5E5C4EB8A7FE6FA47CAE4C319323B02225289AF0CFFAF1CA8C83
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\xinput1_3_x64_xp.inf
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 445
Entropy (8bit): 5.178504944393491
Encrypted: false
MD5: 975293467DDBE757F32E3FE04743D8D1
SHA1: 50E01AFF1073EA5B4E9FBFABC7902A24A89216B7
SHA-256: 1D3DE640065E0BCFAA69991835A6BD80B2B8D984056D895F90B9AA6EEDE693BB
SHA-512: BAA92034F4A892A00683FF6F6FB95033FC892737632EC0CD799FC214C156DA97DC710914739C2C5CA346F1EA1F88A001E55121BAC64655D207BA2A29A442E6F0
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\xinput1_3_x86.cat
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: data
Size (bytes): 10392
Entropy (8bit): 7.308938023050865
Encrypted: false
MD5: D0C1F2FB476CDDA4CCE9DEB7856500DA
SHA1: 05365C782FCA083F03C5714C5067ADA547B44CAC
SHA-256: 784FC9D9F071130803E34792755CA68B5D0CA3F509F265B109A533EBE0E5314A
SHA-512: CB7F47DE766ADD6FA3C37F738BB562B352CB7EF89EB637417FDDD8235D86C503D7037713B0B5AF0C82A6BF4EC816CDE28A90418DC7ECB1E731B64EEE839B8AE4
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\xinput1_3_x86.inf
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 783
Entropy (8bit): 5.506417721060717
Encrypted: false
MD5: E16C94EDC4B577B7ABE7B06E31376884
SHA1: E86CF530FE00C0FA2A107684A198B37E97B9CE76
SHA-256: BA212AA1514DF6509474A46C7B2FA07C210D249B524BF7D47D058461009A75C1
SHA-512: 5405F6936E05E1260A3778D86D76145D2853A345AFA156BA6E0A7CF4BC9267CD4CBB5CD32878ADDA3C6130721218FB899FC896BF823CD63C32C7086B18CFE9DB
Malicious: false

C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\xinput1_3_x86_xp.inf
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 559
Entropy (8bit): 5.278451695211352
Encrypted: false
MD5: 1B4A9360253BBBF4FF2DC1F8F3C0005C
SHA1: BC639A35D965C579A7DDA8D60748D7482F737F66
SHA-256: 576AD2F8CC0F371D0E061F4A407153BD90E48841FCE7A8F7EF1FF3FDD4138C99
SHA-512: C0390CAB5DB06A5930EE563055C29EA10B6751049A77B33C9DD89F4016A3887D4D49670CF66D1F395EDC00A3E127864129EC57CBB4AF21B0D67ED6855950EDE3
Malicious: false

C:\Users\user\AppData\Local\Temp\MSIBA93.tmp
Process: C:\Windows\SysWOW64\msiexec.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes): 66048
Entropy (8bit): 6.242149800003254
Encrypted: false
MD5: 5EA7455A71A9B481D0D9402C4E4E19D7
SHA1: 4630E3D9788C445812AE7F3A5436B809C6CDA09E
SHA-256: 428C16FAD8A8190A6090FA940C2EF2D5C13168F721D958750A874FF8C13C5A85
SHA-512: 124B8CC4590EB31FBD336031FF4DC86987CA320A768CF8D6350F1D1628761D4099E8F4BAF5B25BB9587AFB903A4911EFA950C15DCDAE3AEDFDD56B7AC2199370
Malicious: false

C:\Windows\DirectX.log
Process: C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 198
Entropy (8bit): 5.161708917029636
Encrypted: false
MD5: 158F6109EC2B6281E1981707506A79F9
SHA1: 44BD336A6EF532CF196A08D0D2BF9D2FB785070F
SHA-256: 4ED6AAF22CEF68B925BA3F9BF47D4297A7D23E4688C350B0CE02260AB286915A
SHA-512: E96F8DA6EAFCDAD5A1CDE0B0C0884F32DD737E6412A42E0293D10D270A67C5B4349368959B4F6BFF55EB628CDE5ACBFCC8060035658D661D1D801876DA619505
Malicious: false

C:\Windows\Logs\DirectX.log
Process: C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 276
Entropy (8bit): 5.195661773558809
Encrypted: false
MD5: EDD26CBDAD23A7C657A2AD7DEE71394D
SHA1: 20FA602302FFF0E1CCA38A57A2DCC76622C6F9E4
SHA-256: 3BBAD92985FBCB290A841C93C1775F2735814A299547EB668453BD370FF742B6
SHA-512: 0DA296C2D2C2B7681504F97079197BDB094E8034BD34C25834FA0E4684CDD8EF21270DE26DA6C9C1E6F06F0D39079FA30FCBD818143AF6510BC9BAAC4F0951EE
Malicious: false

C:\Windows\SysWOW64\SET13A0.tmp
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes): 1998168
Entropy (8bit): 6.7631254131269465
Encrypted: false
MD5: 86E39E9161C3D930D93822F1563C280D
SHA1: F5944DF4142983714A6D9955E6E393D9876C1E11
SHA-256: 0B28546BE22C71834501F7D7185EDE5D79742457331C7EE09EFC14490DD64F5F
SHA-512: 0A3E311C4FD5C2194A8807469E47156AF35502E10AEB8A3F64A01FF802CD8669C7E668CC87B593B182FD830A126D002B5D5D7B6C77991158BFFDB0B5B997F6B3
Malicious: false

C:\Windows\SysWOW64\SET1A86.tmp
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Size (bytes): 470880
Entropy (8bit): 6.715347536118646
Encrypted: false
MD5: 20C835843FCEC4DEDFCD7BFFA3B91641
SHA1: 5DD1D5B42A0B58D708D112694394A9A23691C283
SHA-256: 56FCD13650FD1F075743154E8C48465DD68A236AB8960667D75373139D2631BF
SHA-512: 561EB2BB3A7E562BAB0DE6372E824F65B310D96D840CDAA3C391969018AF6AFBA225665D07139FC938DCFF03F4F8DAE7F19DE61C9A0EAE7C658A32800DC9D123
Malicious: false

C:\Windows\SysWOW64\SET2014.tmp Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows Size (bytes): 248672 Entropy (8bit): 6.540646534165038 Encrypted: false MD5: 8E0BB968FF41D80E5F2C747C04DB79AE SHA1: 69B332D78020177A9B3F60CB672EC47578003C0D SHA-256: 492E960CB3CCFC8C25FC83F7C464BA77C86A20411347A1A9B3E5D3E8C9180A8D SHA-512: 7D71CB5411F239696E77FE57A272C675FE15D32456CE7BEFB0C2CF3FC567DCE5D38A45F4B004577E3DEC283904F 42AE17A290105D8AB8EF6B70BAD4E15C9D506 Malicious: false

C:\Windows\SysWOW64\SET25D0.tmp
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Size (bytes): 1868128
Entropy (8bit): 6.25014757191993
Encrypted: false
MD5: 83EBA442F07AAB8D6375D2EEC945C46C
SHA1: C29C20DA6BB30BE7D9DDA40241CA48F069123BD9
SHA-256: B46A44B6FCE8F141C9E02798645DB2EE0DA5C69EA71195E29F83A91A355FA2CA
SHA-512: 288906C8AA8EB4D62440FE84DEAA25E7F362DC3644DAFC1227E45A71F6D915ACF885314531DB4757A9BF2E6CB12EAF43B54E9FF0F6A7E3239CABB697B07C25EA
Malicious: false

C:\Windows\SysWOW64\SET2C0A.tmp
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Size (bytes): 2106216
Entropy (8bit): 6.4563314852745375
Encrypted: false
MD5: 1C9B45E87528B8BB8CFA884EA0099A85
SHA1: 98BE17E1D324790A5B206E1EA1CC4E64FBE21240
SHA-256: 2F23182EC6F4889397AC4BF03D62536136C5BDBA825C7D2C4EF08C827F3A8A1C
SHA-512: B76D780810E8617B80331B4AD56E9C753652AF2E55B66795F7A7D67D6AFCEC5EF00D120D9B2C64126309076D8169239A721AE8B34784B639B3A3E2BF50D6EE34
Malicious: false
Joe Sandbox View: Filename: slepaya_zona[E2ag3].exe, Detection: malicious

C:\Windows\SysWOW64\SET32B1.tmp
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes): 527192
Entropy (8bit): 6.250746524265983
Encrypted: false
MD5: 81DFDDFB401D663BA7E6AD1C80364216
SHA1: C32D682767DF128CD8E819CB5571ED89AB734961
SHA-256: D1690B602CB317F7F1E1E13E3FC5819AD8B5B38A92D812078AFB1B408CCC4B69
SHA-512: 7267DB764F23AD67E9F171CF07FF919C70681F3BF365331AE29D979164392C6BC6723441B04B98AB99C7724274B270557E75B814FB12C421188FB164B8CA837C
Malicious: false

C:\Windows\SysWOW64\SET333F.tmp
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Size (bytes): 74072
Entropy (8bit): 6.272128744654575
Encrypted: false
MD5: 8A4CEBF34370D689E198E6673C1F2C40
SHA1: B7E3D60F62D8655A68E2FAF26C0C04394C214F20
SHA-256: BECFDCD6B16523573CB52DF87AA7D993F1B345BA903D0618C3B36535C3800197
SHA-512: D612E2D8A164408AB2D6B962F1B6D3531AED8A0B1ABA73291FA5155A6022D078B353512FB3F6FFF97EE369918B1802A6103B31316B03DB4FA3010B1BF31F35FB
Malicious: false

C:\Windows\SysWOW64\SET855.tmp
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes): 81768
Entropy (8bit): 6.4167890753768395
Encrypted: false
MD5: 77F595DEE5FFACEA72B135B1FCE1312E
SHA1: D2A710B332DE3EF7A576E0AED27B0AE66892B7E9
SHA-256: 8D540D484EA41E374FD0107D55D253F87DED4CE780D515D8FD59BBE8C98970A7
SHA-512: A8683050D7758C248052C11AC6A46C9A0B3B3773902CCA478C1961B6D9D2D57C75A8C925BA5AF4499989C0F44B34EAF57ABAFAFA26506C31E5E4769FB3439746
Malicious: false

C:\Windows\SysWOW64\SETE8F.tmp
Process: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Size (bytes): 22360
Entropy (8bit): 6.535690674515476
Encrypted: false
MD5: C811E70C8804CFFF719038250A43B464
SHA1: EC48DA45888CCEA388DA1425D5322F5EE9285282
SHA-256: 288C701BDEDF1D45C63DD0B7D424A752F8819F90FEB5088C582F76BC98970BA3
SHA-512: 09F2F4D412485EF69ACEACC90637C90FAD25874F534433811C5ED88225285559DB1D981A3AB7BC3A20336E96FB43B4801B4B48A3668C64C21436EE3EA3C32F45
Malicious: false

C:\Windows\System32\SET1611.tmp
Process: C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Size (bytes): 2401112
Entropy (8bit): 6.538294475491196
Encrypted: false
MD5: 7160FC226391C0B50C85571FA1A546E5
SHA1: 2BF450850A522A09E8D1CE0F1E443D86D934F4AD
SHA-256: 84B900DBD7FA978D6E0CAEE26FC54F2F61D92C9C75D10B35F00E3E82CD1D67B4
SHA-512: DFAB0EAAB8C40FB80369E150CD36FF2224F3A6BAF713044F47182961CD501FE4222007F9A93753AC757F64513C707C68A5CF4AE914E23FECAA4656A68DF8349B
Malicious: false

C:\Windows\System32\SET1C5A.tmp
Process: C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Size (bytes): 511328
Entropy (8bit): 6.456790698595849
Encrypted: false
MD5: AD7FA9485059F4DC53C98B49CAB13F0B
SHA1: EECC2F4B2FE17D9D8B9E3ABD7160503D10C0D14C
SHA-256: 9BFFA1EA073D79E9954CB398FC91B93ED9DC79ED2205995D4B949F1CC2AD3BD1
SHA-512: AD703A57490A01F4E92201FAFAEEFA8BC60748AEB18BE8C527AC0918B2A35F2A7884C9FBC4B23A3DA03AD66954653F3E4314399AE1D9DD4509EFCE9B355E212B
Malicious: false

C:\Windows\System32\SET21D9.tmp
Process: C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Size (bytes): 276832
Entropy (8bit): 6.40234529517212
Encrypted: false
MD5: 9D6429F410597750B2DC2579B2347303
SHA1: E35ACB15EA52F6CD0587B4CA8DA0486B859FD048
SHA-256: 981E42629DF751217406E7150477CDDC853B79ABD6A8568A1566298ED8F7BD59
SHA-512: 46CBFB1E22C3F469BDC80515560448F6F83607FD6974BB68B9C7F86CA10C69878F1312B32C81C0F57B931C43BAD80BD46BDF26AB4FFB999ABB0B73DE27AD7C56
Malicious: false

C:\Windows\System32\SET2822.tmp
Process: C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Size (bytes): 1907552
Entropy (8bit): 6.255634431779929
Encrypted: false
MD5: 5F1DA86286A2DFB01C4FED55C2DD1D61
SHA1: C28525D941F1DB5169CD56839559A3E9C0BB0C13
SHA-256: 3C9E1B87F2763F58402B5104D21E0D9D5DB352FCCCF7801EAA4CD1F5DBC20945
SHA-512: 9099FADED2FC4909CE43DFE1AC804EAA97BAB747889B7F437B69C1624D78F59EE3575ED2849CB75B707EB00B6775C4780B96D856023C498309ACD690B0BCD8A7
Malicious: false

C:\Windows\System32\SET2E1D.tmp
Process: C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Size (bytes): 2526056
Entropy (8bit): 6.326395907728081
Encrypted: false
MD5: ADA0C39D4EACDC81FD84163A95D62079
SHA1: 207321F1B449985B2D06ED50B989FA6259E4EB8E
SHA-256: 44C3A7E330B54A35A9EFA015831392593AA02E7DA1460BE429D17C3644850E8A
SHA-512: 1AFC63DB5D2030B76ABC19094FC9FEF28CC6250BD265294647E65DB81F13749C867722924460F7A6021C739F4057F95501F0322CDEC28A2101BF94164557A1A5
Malicious: false

C:\Windows\System32\SET359F.tmp
Process: C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Size (bytes): 518488
Entropy (8bit): 6.248630001225441
Encrypted: false
MD5: 4F7513FF4DE6303088DB28DCBCEF372C
SHA1: A4113B07DE75A83CF1481EA92A3B98E7C1778783
SHA-256: F8636CCC37BBFC84107992B60E4226EB7237417112267ED64B08F72983AC4314
SHA-512: 2CF5EA114546236F55B9CBB49643F719D892EBA8649343BC3E72FE08C998E88E26C010232CA27BCA255629AE7D0D1E068D6ED1DBD76096B1ED09362F65F5401D
Malicious: false

C:\Windows\System32\SET35BF.tmp
Process: C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Size (bytes): 77656
Entropy (8bit): 6.185320617682872
Encrypted: false
MD5: E9739AE8B2FA28DCD6F2EF5525DA8827
SHA1: 6EDF107E02BF7DB7193D1D724CFD2EA5BEB3FA8C
SHA-256: E47DCF74D50403B376C562E4121E359E5886E42FCC60B3FA8BA53E6826854C49
SHA-512: A6D4C71EBA226539A692FC36355A279D97A1AA5F4CAAA643981653B8D1F3172B52BFAA3942A48B0AF71AC39F2BDCE568E4686AC8DB423FF9EDD2F3928A90A6DF
Malicious: false

C:\Windows\System32\SET9EC.tmp
Process: C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Size (bytes): 107368
Entropy (8bit): 6.07006129517064
Encrypted: false
MD5: BFB3091B167550EC6E6454813D3DB244
SHA1: 87E86A7C783F607697A4880E7E063AB87BF63034
SHA-256: 756CAD002E1553CFA1A91EBE8C1B9380FFABE0B4B1916C4A4DB802396DDFBEF8
SHA-512: CE2EAD2480A3942081AF4DF4BAEE32DE18862B5F0288169B9E8135CC710EB128F9A2B8A36BDA87212C53FD4317359349C94D38B5DA082638230DCB5669EFEDE9
Malicious: false

C:\Windows\System32\SETFD7.tmp
Process: C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Size (bytes): 24920
Entropy (8bit): 6.41812328871132
Encrypted: false
MD5: B4FF2A39685C1A6D43F0E56EB350AF3A
SHA1: 466F80BE26352F8331900A6DA5B0A18DC7B39C0E
SHA-256: 9460709339701AD471A5CABE6365355F4D586DC4FCB86507C1331839DC555446
SHA-512: CEF31793E1B1714826AA95D256EBBEC457E8CF9003767DB46909BF879AF86F954F475AC84E1EE8CCCF1DCFE4A52624E3D7E8BFAFF5F567E97CAB19207DB7F913
Malicious: false

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
Name: www.BetaPlace.comEContinuare; Source: DXSETUP.exe, 00000005.00000000.5180249595.00000000008E7000.00000002.sdmp; Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
Name: www.BetaPlace.com.; Source: DXSETUP.exe, 00000005.00000000.5180249595.00000000008E7000.00000002.sdmp; Malicious: false; Antivirus Detection: 0%, virustotal; Avira URL Cloud: safe; Reputation: low
Name: www.BetaPlace.com; Source: DXSETUP.exe, 00000005.00000000.5180249595.00000000008E7000.00000002.sdmp; Malicious: false; Antivirus Detection: 0%, virustotal; Avira URL Cloud: safe; Reputation: low
Name: www.betaplace.com.; Source: DXSETUP.exe, 00000005.00000000.5180249595.00000000008E7000.00000002.sdmp; Malicious: false; Antivirus Detection: 0%, virustotal; Avira URL Cloud: safe; Reputation: low
Name: www.betaplace.com; Source: DXSETUP.exe, 00000005.00000000.5180249595.00000000008E7000.00000002.sdmp; Malicious: false; Antivirus Detection: 0%, virustotal; Avira URL Cloud: safe; Reputation: low
Name: www.BetaPlace.com.?; Source: DXSETUP.exe, 00000005.00000000.5180249595.00000000008E7000.00000002.sdmp; Malicious: false; Antivirus Detection: 0%, virustotal; Avira URL Cloud: safe; Reputation: low

Contacted IPs

No contacted IP infos

Static File Info

General

File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Mecway, Author: Mecway Limited, Keywords: Installer, Comments: This installer database contains the logic and data required to install Mecway 11.0., Template: x64;1033, Revision Number: {385B7F30-FDF1-4439-85D5-CEB7EC0DDE01}, Create Time/Date: Sat Feb 16 19:28:12 2019, Last Saved Time/Date: Sat Feb 16 19:28:12 2019, Number of Pages: 300, Number of Words: 2, Name of Creating Application: Windows Installer XML (3.0.5419.0), Security: 2
Entropy (8bit): 7.996344144573776
TrID: (638509/1) 93.34% ClickyMouse macro set (36024/1) 5.27% Generic OLE2 / Multistream Compound File (8008/1) 1.17% Java Script embedded in Visual Basic Script (1500/0) 0.22%
File name: mecway110.msi
File size: 72568832
MD5: ec33a97da8591ced4eb10942f8412e15
SHA1: c1ac4f99f496c5c14a76d6648b5e03ca41d4c4f7
SHA256: 77310b65f1769462c2ee176e9b0d0a1d89b68f662cb4903f7350e48a880d31a5
SHA512: 19ffc1a1c622e9f14e5edbfe04e7b5f4b6eb4ad10bba25aaffed6dadeeada7b044b9c55b5f4d8325ba92a098ed38137a3e5f4fc7f9afbccd395ad5b96553f0c5
SSDEEP: 1572864:g+pljWTBU/yoRZzTf+XzV7V9r7F+rh7BndavNQPi4JXYhh2go:g+p1W1ToRl+79Yrh7B+NClJXYD2g
File Content Preview: ...... >...... $...(...,...0...4...8...<[email protected]......

File Icon

Icon Hash: a2a0b496b2caca72

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

• msiexec.exe
• msiexec.exe
• DXSETUP.exe
• infinst.exe
• infinst.exe
• infinst.exe
• infinst.exe
• infinst.exe
• infinst.exe
• infinst.exe
• infinst.exe
• regsvr32.exe

System Behavior

Analysis Process: msiexec.exe PID: 3736 Parent PID: 1428

General

Start time: 19:30:43
Start date: 06/03/2019
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\mecway110.msi'
Imagebase: 0xce0000
File size: 59904 bytes
MD5 hash: 12C17B5A5C2A7B97342C362CA467E9A2
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Source File Path Completion Count Address Symbol

Source File Path Offset Length Value Ascii Completion Count Address Symbol

Source File Path Offset Length Completion Count Address Symbol

Registry Activities

Source Key Path Name Type Old Data New Data Completion Count Address Symbol

Analysis Process: msiexec.exe PID: 3344 Parent PID: 2416

General

Start time: 19:30:59
Start date: 06/03/2019
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: C:\Windows\syswow64\MsiExec.exe -Embedding 07352D08995437842A17DA4C34B43353 C
Imagebase: 0xce0000
File size: 59904 bytes
MD5 hash: 12C17B5A5C2A7B97342C362CA467E9A2
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: DXSETUP.exe PID: 3224 Parent PID: 2416

General

Start time: 19:31:11
Start date: 06/03/2019
Path: C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files\Mecway\Mecway11\DXRedist\DXSETUP.exe' /silent
Imagebase: 0x8d0000
File size: 537432 bytes
MD5 hash: DDCE338BB173B32024679D61FB4F2BA6
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Created

Source | File Path | Access | Attributes | Options | Completion | Count | Address | Symbol
File Path: C:\Windows\Logs; Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: object name collision; Count: 1; Address: 8D44D2; Symbol: CreateDirectoryA
File Path: C:\Windows\Logs\DirectX.log; Access: read attributes | synchronize | generic read | generic write; Attributes: normal; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 8DF51B; Symbol: CreateFileA

Source File Path Completion Count Address Symbol

Source Old File Path New File Path Completion Count Address Symbol

File Written

Source | File Path | Offset | Length | Value | Ascii | Completion | Count | Address | Symbol
File Path: C:\Windows\Logs\DirectX.log; Offset: unknown; Length: 50; Value: 30 33 2f 30 36 2f 31 39 20 31 39 3a 33 31 3a 31 31 3a 20 44 58 53 65 74 75 70 3a 20 43 6f 6d 6d 61 6e 64 4c 69 6e 65 3a 20 2f 73 69 6c 65 6e 74 0d 0a; Ascii: 03/06/19 19:31:11: DXSetup: CommandLine: /silent..; Completion: success or wait; Count: 1; Address: 8DE2EC; Symbol: WriteFile

Source File Path Offset Length Completion Count Address Symbol

Registry Activities

Source Key Path Completion Count Address Symbol

Key Value Created

Source | Key Path | Name | Type | Data | Completion | Count | Address | Symbol
Key Path: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectX; Name: command; Type: dword; Data: 0; Completion: success or wait; Count: 1; Address: 8D4D82; Symbol: RegSetValueExA
Key Path: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectX; Name: DXSetup; Type: dword; Data: 0; Completion: success or wait; Count: 1; Address: 8D4DA7; Symbol: RegSetValueExA

Source Key Path Name Type Old Data New Data Completion Count Address Symbol

Analysis Process: infinst.exe PID: 4864 Parent PID: 3224

General

Start time: 19:31:19
Start date: 06/03/2019
Path: C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe xinput1_3_x64.inf, Install_Driver
Imagebase: 0x100000000
File size: 69992 bytes
MD5 hash: 45D4DAC07AA361BCD77AA815D1724A16
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Created

Source | File Path | Access | Attributes | Options | Completion | Count | Address | Symbol
File Path: C:\Windows\DirectX.log; Access: read attributes | synchronize | generic read | generic write; Attributes: normal; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 10000AD97; Symbol: CreateFileA

Source File Path Completion Count Address Symbol

Source Old File Path New File Path Completion Count Address Symbol

File Written

Source | File Path | Offset | Length | Value | Ascii | Completion | Count | Address | Symbol
File Path: C:\Windows\DirectX.log; Offset: unknown; Length: 120; Value: 30 33 2f 30 36 2f 31 39 20 31 39 3a 33 31 3a 32 30 3a 20 69 6e 66 69 6e 73 74 3a 20 49 6e 73 74 61 6c 6c 69 6e 67 20 43 3a 5c 55 73 65 72 73 5c 47 75 63 63 69 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 54 65 6d 70 5c 44 58 45 44 45 38 2e 74 6d 70 5c 78 69 6e 70 75 74 31 5f 33 5f 78 36 34 2e 69 6e 66 20 5b 49 6e 73 74 61 6c 6c 5f 44 72 69 76 65 72 5d 0d 0a; Ascii: 03/06/19 19:31:20: infinst: Installing C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\xinput1_3_x64.inf [Install_Driver]..; Completion: success or wait; Count: 1; Address: 10000A2F7; Symbol: WriteFile
File Path: C:\Windows\DirectX.log; Offset: unknown; Length: 78; Value: 30 33 2f 30 36 2f 31 39 20 31 39 3a 33 31 3a 32 30 3a 20 69 6e 66 69 6e 73 74 3a 20 49 6e 73 74 61 6c 6c 65 64 20 66 69 6c 65 20 43 3a 5c 57 69 6e 64 6f 77 73 5c 73 79 73 74 65 6d 33 32 5c 78 69 6e 70 75 74 31 5f 33 2e 64 6c 6c 0d 0a; Ascii: 03/06/19 19:31:20: infinst: Installed file C:\Windows\system32\xinput1_3.dll..; Completion: success or wait; Count: 1; Address: 10000A2F7; Symbol: WriteFile

File Read

Source | File Path | Offset | Length | Completion | Count | Address | Symbol
File Path: C:\Windows\DirectX.log; Offset: unknown; Length: 1; Completion: success or wait; Count: 1; Address: 10000BC50; Symbol: ReadFile

Analysis Process: infinst.exe PID: 4620 Parent PID: 3224

General

Start time: 19:31:21
Start date: 06/03/2019
Path: C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe X3DAudio1_7_x64.inf
Imagebase: 0x7ff752010000
File size: 75776 bytes
MD5 hash: 730E5493910E5693499485E352381C6A
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Created

Source | File Path | Access | Attributes | Options | Completion | Count | Address | Symbol
File Path: C:\Windows\Logs; Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: object name collision; Count: 1; Address: 7FF752013374; Symbol: CreateDirectoryA

Source File Path Completion Count Address Symbol

Source Old File Path New File Path Completion Count Address Symbol

File Written

Source | File Path | Offset | Length | Value | Ascii | Completion | Count | Address | Symbol
File Path: C:\Windows\Logs\DirectX.log; Offset: unknown; Length: 122; Value: 30 33 2f 30 36 2f 31 39 20 31 39 3a 33 31 3a 32 31 3a 20 69 6e 66 69 6e 73 74 3a 20 49 6e 73 74 61 6c 6c 69 6e 67 20 43 3a 5c 55 73 65 72 73 5c 47 75 63 63 69 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 54 65 6d 70 5c 44 58 45 44 45 38 2e 74 6d 70 5c 58 33 44 41 75 64 69 6f 31 5f 37 5f 78 36 34 2e 69 6e 66 20 5b 44 65 66 61 75 6c 74 49 6e 73 74 61 6c 6c 5d 0d 0a; Ascii: 03/06/19 19:31:21: infinst: Installing C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\X3DAudio1_7_x64.inf [DefaultInstall]..; Completion: success or wait; Count: 1; Address: 7FF75201B7D8; Symbol: WriteFile
File Path: C:\Windows\Logs\DirectX.log; Offset: unknown; Length: 80; Value: 30 33 2f 30 36 2f 31 39 20 31 39 3a 33 31 3a 32 31 3a 20 69 6e 66 69 6e 73 74 3a 20 49 6e 73 74 61 6c 6c 65 64 20 66 69 6c 65 20 43 3a 5c 57 69 6e 64 6f 77 73 5c 73 79 73 74 65 6d 33 32 5c 58 33 44 41 75 64 69 6f 31 5f 37 2e 64 6c 6c 0d 0a; Ascii: 03/06/19 19:31:21: infinst: Installed file C:\Windows\system32\X3DAudio1_7.dll..; Completion: success or wait; Count: 1; Address: 7FF75201B7D8; Symbol: WriteFile

File Read

Source | File Path | Offset | Length | Completion | Count | Address | Symbol
File Path: C:\Windows\Logs\DirectX.log; Offset: unknown; Length: 1; Completion: success or wait; Count: 1; Address: 7FF75201EA73; Symbol: ReadFile
File Path: C:\Windows\Logs\DirectX.log; Offset: unknown; Length: 1; Completion: success or wait; Count: 1; Address: 7FF75201EA73; Symbol: ReadFile

Analysis Process: infinst.exe PID: 1480 Parent PID: 3224

General

Start time: 19:31:23
Start date: 06/03/2019
Path: C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe D3DX9_43_x64.inf
Imagebase: 0x7ff77ad30000
File size: 82944 bytes
MD5 hash: A7BA8B723B327985DED1152113970819
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Created

Source | File Path | Access | Attributes | Options | Completion | Count | Address | Symbol
File Path: C:\Windows\Logs; Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: object name collision; Count: 1; Address: 7FF77AD347A4; Symbol: CreateDirectoryA

Source File Path Completion Count Address Symbol

Source Old File Path New File Path Completion Count Address Symbol

File Written

Source | File Path | Offset | Length | Value | Ascii | Completion | Count | Address | Symbol
File Path: C:\Windows\Logs\DirectX.log; Offset: unknown; Length: 119; Value: 30 33 2f 30 36 2f 31 39 20 31 39 3a 33 31 3a 32 33 3a 20 69 6e 66 69 6e 73 74 3a 20 49 6e 73 74 61 6c 6c 69 6e 67 20 43 3a 5c 55 73 65 72 73 5c 47 75 63 63 69 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 54 65 6d 70 5c 44 58 45 44 45 38 2e 74 6d 70 5c 44 33 44 58 39 5f 34 33 5f 78 36 34 2e 69 6e 66 20 5b 44 65 66 61 75 6c 74 49 6e 73 74 61 6c 6c 5d 0d 0a; Ascii: 03/06/19 19:31:23: infinst: Installing C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\D3DX9_43_x64.inf [DefaultInstall]..; Completion: success or wait; Count: 1; Address: 7FF77AD3CEAD; Symbol: WriteFile
File Path: C:\Windows\Logs\DirectX.log; Offset: unknown; Length: 77; Value: 30 33 2f 30 36 2f 31 39 20 31 39 3a 33 31 3a 32 33 3a 20 69 6e 66 69 6e 73 74 3a 20 49 6e 73 74 61 6c 6c 65 64 20 66 69 6c 65 20 43 3a 5c 57 69 6e 64 6f 77 73 5c 73 79 73 74 65 6d 33 32 5c 44 33 44 58 39 5f 34 33 2e 64 6c 6c 0d 0a; Ascii: 03/06/19 19:31:23: infinst: Installed file C:\Windows\system32\D3DX9_43.dll..; Completion: success or wait; Count: 1; Address: 7FF77AD3CEAD; Symbol: WriteFile

File Read

Source | File Path | Offset | Length | Completion | Count | Address | Symbol
File Path: C:\Windows\Logs\DirectX.log; Offset: unknown; Length: 1; Completion: success or wait; Count: 1; Address: 7FF77AD4007D; Symbol: ReadFile
File Path: C:\Windows\Logs\DirectX.log; Offset: unknown; Length: 1; Completion: success or wait; Count: 1; Address: 7FF77AD4007D; Symbol: ReadFile

Analysis Process: infinst.exe PID: 3272 Parent PID: 3224

General

Start time: 19:31:24
Start date: 06/03/2019
Path: C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe d3dx10_43_x64.inf
Imagebase: 0x7ff789fe0000
File size: 82944 bytes
MD5 hash: A7BA8B723B327985DED1152113970819
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Created

Source | File Path | Access | Attributes | Options | Completion | Count | Address | Symbol
File Path: C:\Windows\Logs; Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: object name collision; Count: 1; Address: 7FF789FE47A4; Symbol: CreateDirectoryA

Source File Path Completion Count Address Symbol

Source Old File Path New File Path Completion Count Address Symbol

File Written

Source | File Path | Offset | Length | Value | Ascii | Completion | Count | Address | Symbol
File Path: C:\Windows\Logs\DirectX.log; Offset: unknown; Length: 120; Value: 30 33 2f 30 36 2f 31 39 20 31 39 3a 33 31 3a 32 34 3a 20 69 6e 66 69 6e 73 74 3a 20 49 6e 73 74 61 6c 6c 69 6e 67 20 43 3a 5c 55 73 65 72 73 5c 47 75 63 63 69 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 54 65 6d 70 5c 44 58 45 44 45 38 2e 74 6d 70 5c 64 33 64 78 31 30 5f 34 33 5f 78 36 34 2e 69 6e 66 20 5b 44 65 66 61 75 6c 74 49 6e 73 74 61 6c 6c 5d 0d 0a; Ascii: 03/06/19 19:31:24: infinst: Installing C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\d3dx10_43_x64.inf [DefaultInstall]..; Completion: success or wait; Count: 1; Address: 7FF789FECEAD; Symbol: WriteFile
File Path: C:\Windows\Logs\DirectX.log; Offset: unknown; Length: 78; Value: 30 33 2f 30 36 2f 31 39 20 31 39 3a 33 31 3a 32 34 3a 20 69 6e 66 69 6e 73 74 3a 20 49 6e 73 74 61 6c 6c 65 64 20 66 69 6c 65 20 43 3a 5c 57 69 6e 64 6f 77 73 5c 73 79 73 74 65 6d 33 32 5c 64 33 64 78 31 30 5f 34 33 2e 64 6c 6c 0d 0a; Ascii: 03/06/19 19:31:24: infinst: Installed file C:\Windows\system32\d3dx10_43.dll..; Completion: success or wait; Count: 1; Address: 7FF789FECEAD; Symbol: WriteFile

File Read

Source | File Path | Offset | Length | Completion | Count | Address | Symbol
File Path: C:\Windows\Logs\DirectX.log; Offset: unknown; Length: 1; Completion: success or wait; Count: 1; Address: 7FF789FF007D; Symbol: ReadFile
File Path: C:\Windows\Logs\DirectX.log; Offset: unknown; Length: 1; Completion: success or wait; Count: 1; Address: 7FF789FF007D; Symbol: ReadFile

Analysis Process: infinst.exe PID: 3296 Parent PID: 3224

General

Start time: 19:31:26
Start date: 06/03/2019
Path: C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe d3dx11_43_x64.inf
Imagebase: 0x7ff75fda0000
File size: 82944 bytes
MD5 hash: A7BA8B723B327985DED1152113970819
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Created

Source | File Path | Access | Attributes | Options | Completion | Count | Address | Symbol
File Path: C:\Windows\Logs; Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: object name collision; Count: 1; Address: 7FF75FDA47A4; Symbol: CreateDirectoryA

Source File Path Completion Count Address Symbol

Source Old File Path New File Path Completion Count Address Symbol

File Written

Source | File Path | Offset | Length | Value | Ascii | Completion | Count | Address | Symbol
File Path: C:\Windows\Logs\DirectX.log; Offset: unknown; Length: 120; Value: 30 33 2f 30 36 2f 31 39 20 31 39 3a 33 31 3a 32 36 3a 20 69 6e 66 69 6e 73 74 3a 20 49 6e 73 74 61 6c 6c 69 6e 67 20 43 3a 5c 55 73 65 72 73 5c 47 75 63 63 69 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 54 65 6d 70 5c 44 58 45 44 45 38 2e 74 6d 70 5c 64 33 64 78 31 31 5f 34 33 5f 78 36 34 2e 69 6e 66 20 5b 44 65 66 61 75 6c 74 49 6e 73 74 61 6c 6c 5d 0d 0a; Ascii: 03/06/19 19:31:26: infinst: Installing C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\d3dx11_43_x64.inf [DefaultInstall]..; Completion: success or wait; Count: 1; Address: 7FF75FDACEAD; Symbol: WriteFile
File Path: C:\Windows\Logs\DirectX.log; Offset: unknown; Length: 78; Value: 30 33 2f 30 36 2f 31 39 20 31 39 3a 33 31 3a 32 36 3a 20 69 6e 66 69 6e 73 74 3a 20 49 6e 73 74 61 6c 6c 65 64 20 66 69 6c 65 20 43 3a 5c 57 69 6e 64 6f 77 73 5c 73 79 73 74 65 6d 33 32 5c 64 33 64 78 31 31 5f 34 33 2e 64 6c 6c 0d 0a; Ascii: 03/06/19 19:31:26: infinst: Installed file C:\Windows\system32\d3dx11_43.dll..; Completion: success or wait; Count: 1; Address: 7FF75FDACEAD; Symbol: WriteFile

File Read

Source | File Path | Offset | Length | Completion | Count | Address | Symbol
File Path: C:\Windows\Logs\DirectX.log; Offset: unknown; Length: 1; Completion: success or wait; Count: 1; Address: 7FF75FDB007D; Symbol: ReadFile
File Path: C:\Windows\Logs\DirectX.log; Offset: unknown; Length: 1; Completion: success or wait; Count: 1; Address: 7FF75FDB007D; Symbol: ReadFile

Analysis Process: infinst.exe PID: 4352 Parent PID: 3224

General

Start time: 19:31:27
Start date: 06/03/2019
Path: C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe d3dcsx_43_x64.inf
Imagebase: 0x7ff651d60000
File size: 82944 bytes
MD5 hash: A7BA8B723B327985DED1152113970819
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Created

Source | File Path | Access | Attributes | Options | Completion | Count | Address | Symbol
File Path: C:\Windows\Logs; Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: object name collision; Count: 1; Address: 7FF651D647A4; Symbol: CreateDirectoryA

Source File Path Completion Count Address Symbol

Source Old File Path New File Path Completion Count Address Symbol

File Written

Source | File Path | Offset | Length | Value | Ascii | Completion | Count | Address | Symbol
File Path: C:\Windows\Logs\DirectX.log; Offset: unknown; Length: 120; Value: 30 33 2f 30 36 2f 31 39 20 31 39 3a 33 31 3a 32 37 3a 20 69 6e 66 69 6e 73 74 3a 20 49 6e 73 74 61 6c 6c 69 6e 67 20 43 3a 5c 55 73 65 72 73 5c 47 75 63 63 69 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 54 65 6d 70 5c 44 58 45 44 45 38 2e 74 6d 70 5c 64 33 64 63 73 78 5f 34 33 5f 78 36 34 2e 69 6e 66 20 5b 44 65 66 61 75 6c 74 49 6e 73 74 61 6c 6c 5d 0d 0a; Ascii: 03/06/19 19:31:27: infinst: Installing C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\d3dcsx_43_x64.inf [DefaultInstall]..; Completion: success or wait; Count: 1; Address: 7FF651D6CEAD; Symbol: WriteFile
File Path: C:\Windows\Logs\DirectX.log; Offset: unknown; Length: 78; Value: 30 33 2f 30 36 2f 31 39 20 31 39 3a 33 31 3a 32 37 3a 20 69 6e 66 69 6e 73 74 3a 20 49 6e 73 74 61 6c 6c 65 64 20 66 69 6c 65 20 43 3a 5c 57 69 6e 64 6f 77 73 5c 73 79 73 74 65 6d 33 32 5c 64 33 64 63 73 78 5f 34 33 2e 64 6c 6c 0d 0a; Ascii: 03/06/19 19:31:27: infinst: Installed file C:\Windows\system32\d3dcsx_43.dll..; Completion: success or wait; Count: 1; Address: 7FF651D6CEAD; Symbol: WriteFile

File Read

Source | File Path | Offset | Length | Completion | Count | Address | Symbol
File Path: C:\Windows\Logs\DirectX.log; Offset: unknown; Length: 1; Completion: success or wait; Count: 1; Address: 7FF651D7007D; Symbol: ReadFile
File Path: C:\Windows\Logs\DirectX.log; Offset: unknown; Length: 1; Completion: success or wait; Count: 1; Address: 7FF651D7007D; Symbol: ReadFile

Analysis Process: infinst.exe PID: 1880 Parent PID: 3224

General

Start time: 19:31:29
Start date: 06/03/2019
Path: C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe D3DCompiler_43_x64.inf
Imagebase: 0x7ff78a150000
File size: 82944 bytes
MD5 hash: A7BA8B723B327985DED1152113970819
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Created

Source | File Path | Access | Attributes | Options | Completion | Count | Address | Symbol
File Path: C:\Windows\Logs; Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: object name collision; Count: 1; Address: 7FF78A1547A4; Symbol: CreateDirectoryA

Source File Path Completion Count Address Symbol

Source Old File Path New File Path Completion Count Address Symbol

File Written

Source | File Path | Offset | Length | Value | Ascii | Completion | Count | Address | Symbol
File Path: C:\Windows\Logs\DirectX.log; Offset: unknown; Length: 125; Value: 30 33 2f 30 36 2f 31 39 20 31 39 3a 33 31 3a 32 39 3a 20 69 6e 66 69 6e 73 74 3a 20 49 6e 73 74 61 6c 6c 69 6e 67 20 43 3a 5c 55 73 65 72 73 5c 47 75 63 63 69 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 54 65 6d 70 5c 44 58 45 44 45 38 2e 74 6d 70 5c 44 33 44 43 6f 6d 70 69 6c 65 72 5f 34 33 5f 78 36 34 2e 69 6e 66 20 5b 44 65 66 61 75 6c 74 49 6e 73 74 61 6c 6c 5d 0d 0a; Ascii: 03/06/19 19:31:29: infinst: Installing C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\D3DCompiler_43_x64.inf [DefaultInstall]..; Completion: success or wait; Count: 1; Address: 7FF78A15CEAD; Symbol: WriteFile
File Path: C:\Windows\Logs\DirectX.log; Offset: unknown; Length: 83; Value: 30 33 2f 30 36 2f 31 39 20 31 39 3a 33 31 3a 32 39 3a 20 69 6e 66 69 6e 73 74 3a 20 49 6e 73 74 61 6c 6c 65 64 20 66 69 6c 65 20 43 3a 5c 57 69 6e 64 6f 77 73 5c 73 79 73 74 65 6d 33 32 5c 44 33 44 43 6f 6d 70 69 6c 65 72 5f 34 33 2e 64 6c 6c 0d 0a; Ascii: 03/06/19 19:31:29: infinst: Installed file C:\Windows\system32\D3DCompiler_43.dll..; Completion: success or wait; Count: 1; Address: 7FF78A15CEAD; Symbol: WriteFile

File Read

Source | File Path | Offset | Length | Completion | Count | Address | Symbol
File Path: C:\Windows\Logs\DirectX.log; Offset: unknown; Length: 1; Completion: success or wait; Count: 1; Address: 7FF78A16007D; Symbol: ReadFile
File Path: C:\Windows\Logs\DirectX.log; Offset: unknown; Length: 1; Completion: success or wait; Count: 1; Address: 7FF78A16007D; Symbol: ReadFile

Analysis Process: infinst.exe PID: 4976 Parent PID: 3224

General

Start time: 19:31:31
Start date: 06/03/2019
Path: C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\infinst.exe XAudio2_7_x64.inf
Imagebase: 0x7ff758710000
File size: 82944 bytes
MD5 hash: A7BA8B723B327985DED1152113970819
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Created

Source | File Path | Access | Attributes | Options | Completion | Count | Address | Symbol
File Path: C:\Windows\Logs; Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: object name collision; Count: 1; Address: 7FF7587147A4; Symbol: CreateDirectoryA

Source File Path Completion Count Address Symbol

Source Old File Path New File Path Completion Count Address Symbol

File Written

Source | File Path | Offset | Length | Value | Ascii | Completion | Count | Address | Symbol
File Path: C:\Windows\Logs\DirectX.log; Offset: unknown; Length: 120; Value: 30 33 2f 30 36 2f 31 39 20 31 39 3a 33 31 3a 33 31 3a 20 69 6e 66 69 6e 73 74 3a 20 49 6e 73 74 61 6c 6c 69 6e 67 20 43 3a 5c 55 73 65 72 73 5c 47 75 63 63 69 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 54 65 6d 70 5c 44 58 45 44 45 38 2e 74 6d 70 5c 58 41 75 64 69 6f 32 5f 37 5f 78 36 34 2e 69 6e 66 20 5b 44 65 66 61 75 6c 74 49 6e 73 74 61 6c 6c 5d 0d 0a; Ascii: 03/06/19 19:31:31: infinst: Installing C:\Users\user\AppData\Local\Temp\DXEDE8.tmp\XAudio2_7_x64.inf [DefaultInstall]..; Completion: success or wait; Count: 1; Address: 7FF75871CEAD; Symbol: WriteFile
File Path: C:\Windows\Logs\DirectX.log; Offset: unknown; Length: 78; Value: 30 33 2f 30 36 2f 31 39 20 31 39 3a 33 31 3a 33 31 3a 20 69 6e 66 69 6e 73 74 3a 20 49 6e 73 74 61 6c 6c 65 64 20 66 69 6c 65 20 43 3a 5c 57 69 6e 64 6f 77 73 5c 73 79 73 74 65 6d 33 32 5c 58 41 75 64 69 6f 32 5f 37 2e 64 6c 6c 0d 0a; Ascii: 03/06/19 19:31:31: infinst: Installed file C:\Windows\system32\XAudio2_7.dll..; Completion: success or wait; Count: 2; Address: 7FF75871CEAD; Symbol: WriteFile

File Read

Source | File Path | Offset | Length | Completion | Count | Address | Symbol
File Path: C:\Windows\Logs\DirectX.log; Offset: unknown; Length: 1; Completion: success or wait; Count: 1; Address: 7FF75872007D; Symbol: ReadFile
File Path: C:\Windows\Logs\DirectX.log; Offset: unknown; Length: 1; Completion: success or wait; Count: 2; Address: 7FF75872007D; Symbol: ReadFile

Analysis Process: regsvr32.exe PID: 1932 Parent PID: 3224

General

Start time: 19:31:31
Start date: 06/03/2019
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\XAudio2_7.dll
Imagebase: 0x7ff613130000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Registry Activities

Source Key Path Completion Count Address Symbol

Source Key Path Name Type Data Completion Count Address Symbol

Source Key Path Name Type Old Data New Data Completion Count Address Symbol

Disassembly

Code Analysis
