Malware Analysis Report

2025-01-18 22:21

Sample ID 240501-z5hycaag88
Target wlsetup-all.exe
SHA256 072424c82f942f2b43b68b9154e1f3e0c61b7ee39a08372048ed34e09bd2554a
Tags
adware persistence stealer privateloader loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

072424c82f942f2b43b68b9154e1f3e0c61b7ee39a08372048ed34e09bd2554a

Threat Level: Known bad

The file wlsetup-all.exe was found to be: Known bad.

Malicious Activity Summary

adware persistence stealer privateloader loader

PrivateLoader

Sets file execution options in registry

Executes dropped EXE

Registers COM server for autorun

Loads dropped DLL

Drops desktop.ini file(s)

Installs/modifies Browser Helper Object

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Uses Volume Shadow Copy service COM API

Checks SCSI registry key(s)

Modifies system certificate store

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-01 21:18

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-01 21:17

Reported

2024-05-01 21:21

Platform

win7-20240221-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\fitwt5p9\wo0fjwif.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\sjs6u1ka\rbqe3gfm.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\ee9haizg\di7e0ahy.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\upcq8e52\184zj9ia.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\k08fh1uh\mu6qmonn.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\fz93q79p\jxv65irx.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\ufv5c77y\tu5u6c20.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\kfsgzlok\mjw0cvj2.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\2rzhuhws\2icsjonv.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\g384t7qt\5dzjneqf.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\k5nk10c0\qfpvjqjx.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\ik2mrzyh\l10ovy3z.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\uvkxe7br\nvj6sl4x.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\hb8ochof\2sr3323w.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\ibob14bn\jpus6ap5.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\hdwgc46e\s6a67sxc.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\m75ycokg\sy2191tc.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\6c71nvb4\alow1p1y.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\cdezu1l5\pfpy743u.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\cr14axp4\dqx5vas5.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\whqje3rs\rl6x4n1l.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\emsdakm7\i7dxptx7.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\7sxh4hao\c1xpt3eu.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\nundsn1a\tbkkujb9.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2c03f6401da9c0d02\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2c2a0c401da9c0d03\DXSETUP.exe N/A
N/A N/A C:\Windows\Installer\MSIF21F.tmp N/A
N/A N/A C:\Windows\Installer\MSIF260.tmp N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DX233A.tmp\infinst.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2c03f6401da9c0d02\DXSETUP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DX360E.tmp\infinst.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2c2a0c401da9c0d03\DXSETUP.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2c03f6401da9c0d02\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2c03f6401da9c0d02\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2c03f6401da9c0d02\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2c03f6401da9c0d02\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2c03f6401da9c0d02\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2c03f6401da9c0d02\DXSETUP.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7F9888F-E3FC-49b0-9EA6-A85B5F392A4F}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9030D464-4C02-4ABF-8ECC-5164760863C6}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F8A0B131-5F68-486c-8040-7E8FC3C85BB6}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WLIDCREDPROV.DLL" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{79FD7442-008F-42D9-ADFA-377C441D2DB1}\InProcServer32\ThreadingModel = "Both" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7F9888F-E3FC-49b0-9EA6-A85B5F392A4F}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9030D464-4C02-4ABF-8ECC-5164760863C6}\InprocServer32 C:\Windows\system32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9030D464-4C02-4ABF-8ECC-5164760863C6}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WindowsLiveLogin.dll" C:\Windows\system32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7F9888F-E3FC-49b0-9EA6-A85B5F392A4F}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WLIDPROV.DLL" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{79FD7442-008F-42D9-ADFA-377C441D2DB1}\InProcServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{58FC39EB-9DBD-4EA7-B7B4-9404CC6ACFAB}\LocalServer32\ = "C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\DWTRIG20.EXE -s" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2517915-48CE-4286-970F-921E881B8C5C}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{F8A0B131-5F68-486c-8040-7E8FC3C85BB6}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72BFEB11-2681-490D-874B-652FC1D75ED8}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\wlidcli.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72BFEB11-2681-490D-874B-652FC1D75ED8}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{79FD7442-008F-42D9-ADFA-377C441D2DB1}\InProcServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\wlidcli.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{58FC39EB-9DBD-4EA7-B7B4-9404CC6ACFAB}\LocalServer32 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{58FC39EB-9DBD-4EA7-B7B4-9404CC6ACFAB}\LocalServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2517915-48CE-4286-970F-921E881B8C5C}\InprocServer32 C:\Windows\system32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2517915-48CE-4286-970F-921E881B8C5C}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WindowsLiveLogin.dll" C:\Windows\system32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F8A0B131-5F68-486c-8040-7E8FC3C85BB6}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72BFEB11-2681-490D-874B-652FC1D75ED8}\InprocServer32 C:\Windows\system32\msiexec.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\DXTempFolder = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\DXB4CE.tmp\\\"" C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6} C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}\NoExplorer = "1" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6} C:\Windows\system32\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}\NoExplorer = "1" C:\Windows\system32\MsiExec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\SETCA61.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\2c03f6401da9c0d02\DXSETUP.exe N/A
File opened for modification C:\Windows\system32\d3dx10_42.dll C:\Users\Admin\AppData\Local\Temp\DX360E.tmp\infinst.exe N/A
File opened for modification C:\Windows\system32\SET3765.tmp C:\Users\Admin\AppData\Local\Temp\DX360E.tmp\infinst.exe N/A
File created C:\Windows\system32\SET3765.tmp C:\Users\Admin\AppData\Local\Temp\DX360E.tmp\infinst.exe N/A
File created C:\Windows\system32\SET25AA.tmp C:\Users\Admin\AppData\Local\Temp\DX233A.tmp\infinst.exe N/A
File opened for modification C:\Windows\SysWOW64\SETB876.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A
File opened for modification C:\Windows\SysWOW64\d3dx9_32.dll C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A
File opened for modification C:\Windows\SysWOW64\SETDD83.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\2c2a0c401da9c0d03\DXSETUP.exe N/A
File created C:\Windows\SysWOW64\SETDD83.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\2c2a0c401da9c0d03\DXSETUP.exe N/A
File opened for modification C:\Windows\SysWOW64\d3dx11_43.dll C:\Program Files (x86)\Common Files\Windows Live\.cache\2c2a0c401da9c0d03\DXSETUP.exe N/A
File created C:\Windows\system32\LIVESSP.DLL C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\d3dx10_41.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\SETB876.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A
File created C:\Windows\SysWOW64\SETCA61.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\2c03f6401da9c0d02\DXSETUP.exe N/A
File opened for modification C:\Windows\SysWOW64\d3dx10_42.dll C:\Program Files (x86)\Common Files\Windows Live\.cache\2c03f6401da9c0d02\DXSETUP.exe N/A
File created C:\Windows\SysWOW64\D3DCompiler_41.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\d3dx9_32.dll C:\Users\Admin\AppData\Local\Temp\DX233A.tmp\infinst.exe N/A
File opened for modification C:\Windows\system32\SET25AA.tmp C:\Users\Admin\AppData\Local\Temp\DX233A.tmp\infinst.exe N/A
File created C:\Windows\SysWOW64\LIVESSP.DLL C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\msidcrl40.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Installer\startuplang.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Installer\wlsres.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Shared\uxcore.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Installer\en\wlsres.dll.mui C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\2c2a0c401da9c0d03\Jun2010_XAudio_x86.cab C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Windows Live\Shared\sqmapi.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\2c2a0c401da9c0d03\Jun2010_XAudio_x64.cab C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDRES.DLL C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Windows Live\Installer\langselectorhc.thm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\2c2a0c401da9c0d03\Jun2010_d3dx11_43_x64.cab C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Windows Live\Installer\LangSelectorLang.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Shared\wldcore.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\2e902f001da9c0d0b\soxe.core.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Windows Live\SQMAPI.DLL C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\2cda32001da9c0d05\crt110.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Windows Live\Installer\wlarp.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Contacts\conproxy.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\2c03f6401da9c0d02\DSETUP.dll C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\2f2162e01da9c0d0e\d3dx10-x86.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLive48x48.png C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\2c2a0c401da9c0d03\dsetup32.dll C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Windows Live\wlidcli.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Installer\defmgr.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\dxupdate.cab C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\2c2a0c401da9c0d03\DXSETUP.exe C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DEC2006_d3dx9_32_x64.cab C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DSETUP.dll C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\3112e2401da9c0d11\SQLServerCE31-EN.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Windows Live\msidcrl40.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Installer\wlsettingslang.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\2eaa5e201da9c0d0c\Contacts.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Windows Live\Installer\LangSelectorRes.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\SOXE\wlsoxe.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Windows Live\Shared\sqmapi.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\32ec93e01da9c0d14\MovieMaker.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Windows Live\.cache\2d02a9601da9c0d06\crt110_amd64.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Windows Live\.cache\wlc365F.tmp C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\30ac87201da9c0d10\PhotoCommon.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\34e9fa201da9c0d18\MovieMakerLang.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDPROV.DLL C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Contacts\abssm.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Contacts\lmcdata.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Shared\wlidux.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Shared\uxctlloc.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Windows Live\Installer\wlsettingsres.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DEC2006_d3dx9_32_x86.cab C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\dsetup32.dll C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\wlidcli.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDCREDPROV.DLL C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Installer\wlupdate.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Windows Live\Installer\wlarp.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\2d23fca01da9c0d07\wllogin_wlx-x64.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\2dabab001da9c0d08\WLXSuite.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Windows Live\Contacts\condb.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Installer\en\startuplang.dll.mui C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Windows Live\Installer\settingshc.thm C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Windows Live\Shared\wlbici.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\33c531001da9c0d15\WLXSuiteLang.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\$PatchCache$\Managed\8CDD41E806AE81E43B3E917301D4B5AD\16.4.1108\F_CENTRAL_atl110_x86.F9D0B380_EB85_31D4_96AC_C6CB40086A55 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76df96.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI341E.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240501212055588.0\vcomp90.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI78F6.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240501211933500.0\8.0.50727.42.policy C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76dfb3.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f76dfb1.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240501212101406.0 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76df86.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240501211921863.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\F187AF9E08E3993428A5DAE3112CC877\16.4.1109\F_CENTRAL_msvcp110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240501212055588.0\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240501212055634.0\9.0.30729.4148.cat C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5937.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76e002.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76e006.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240501211921863.0\vcomp90.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\F187AF9E08E3993428A5DAE3112CC877\16.4.1109\F_CENTRAL_vcomp110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76df9e.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76df9f.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240501211933329.0\msvcr80.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240501211933329.0\msvcp80.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5E9A.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240501212101406.0\msvcp80.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240501211921052.1\9.0.30729.4148.policy C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76df8f.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76dfaa.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240501212055634.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WindowsUpdate.log C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened for modification C:\Windows\Installer\f76df8f.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\8CDD41E806AE81E43B3E917301D4B5AD\16.4.1108 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240501212101484.0 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240501212102732.0\amd64_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3fea50ad.manifest C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76e020.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76dfaf.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76dfbb.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76dfc4.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240501212100158.0\msvcm80.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240501212101406.0\amd64_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3fea50ad.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240501212101406.0\msvcm80.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240501212102748.0\8.0.50727.42.policy C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240501211921052.1 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76dfa7.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI28EF.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76e01e.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76e021.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76e000.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76df8e.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF2CF.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1084.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI76A2.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76dfaf.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76dff1.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76dff4.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSI55EA.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76e016.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Logs\DXError.log C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{380689D0-AFAA-47E6-B80E-A33436FE314B}\ = "Windows Live Contact Database" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{380689D0-AFAA-47E6-B80E-A33436FE314B}\AppName = "wlcomm.exe" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{380689D0-AFAA-47E6-B80E-A33436FE314B}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9019d14b-638d-4383-bb95-441b7f57eafb}\AppName = "wlstartup.exe" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{380689D0-AFAA-47E6-B80E-A33436FE314B} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9019d14b-638d-4383-bb95-441b7f57eafb}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{380689D0-AFAA-47E6-B80E-A33436FE314B}\AppPath = "C:\\Program Files (x86)\\Windows Live\\Contacts\\" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{380689D0-AFAA-47E6-B80E-A33436FE314B} C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9019d14b-638d-4383-bb95-441b7f57eafb} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9019d14b-638d-4383-bb95-441b7f57eafb} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9019d14b-638d-4383-bb95-441b7f57eafb}\AppPath = "C:\\Program Files (x86)\\Windows Live\\Installer\\" C:\Windows\system32\msiexec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\3E C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\3F\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Peer to Peer Trust" C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\34\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\40 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\4A C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\35 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\3E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\42 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C8BD9F007D5674D4BAF56F89EE8385D0\UXPlatformEngine C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE9495E7-76C2-487A-85C0-2F7127CF359E}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8CDD41E806AE81E43B3E917301D4B5AD\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{38604C20-4F74-42EE-B3D3-F1E71F6AC7A3}\NumMethods\ = "4" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B5DD65CE-E26E-4AA0-B42F-87F023C4AD8F}\ProxyStubClsid32\ = "{35C08979-C203-494E-A780-A5ADC524204D}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{FACA22DC-24BB-4510-A331-D00BF666E93A}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\80316C14DFC645D4BAA61763DE801AE8\Version = "268701128" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C18BC956E45B1FD46B813F757793A345\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A5FA3C16-EA68-4A02-AC07-7C64D64B6E7F}\ = "ILiveIdentityCollection" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{833C2961-83F0-4C4D-B823-8A1C6A124E06}\TypeLib\Version = "10.4" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{CE9495E7-76C2-487A-85C0-2F7127CF359E}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54C41A85-7052-45F0-98DF-85026B42DBEB}\ = "ILiveSocialNewsLayoutStyle" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FB58AE3-5A90-4A37-A042-A96326CBF9F5}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A5FA3C01-EA68-4A02-AC07-7C64D64B6E7F}\ = "ILiveObjectCapabilities" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Products\00BA1CDCFF107CF418A6616CF790320C\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6E098B5-BA1D-4889-AFD6-81B2240718B6}\ProxyStubClsid32\ = "{79FD7442-008F-42D9-ADFA-377C441D2DB1}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\80316C14DFC645D4BAA61763DE801AE8\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67AE970E-C42D-49B8-AB99-95AC0E15CAB9}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A70EA5C4-E28B-428A-B1BD-B0D62885791D}\InprocServer32\ = "C:\\Program Files (x86)\\Windows Live\\Contacts\\condb.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{600FA301-4E2D-4C85-989D-5CA19A41D121} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5EF4EFFC-F4FE-4713-A1A3-DBE27FBA933C}\TypeLib\Version = "10.4" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5EF4EFFC-F4FE-4713-A1A3-DBE27FBA933C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IDBHO.IDBrowserExtension\CLSID\ = "{9030D464-4C02-4ABF-8ECC-5164760863C6}" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2963CA54-9E17-4CBC-9740-0B1FB98BDE0A}\TypeLib\ = "{79AA1567-79A4-43C5-BED0-F330F8325673}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{600FA322-4E2D-4C85-989D-5CA19A41D121} C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A5FA3C05-EA68-4A02-AC07-7C64D64B6E7F} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IDBHO.IDBrowserExtension.1\CLSID\ = "{9030D464-4C02-4ABF-8ECC-5164760863C6}" C:\Windows\system32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A98858BE-062E-41FD-B46A-E1BA5F61794B}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{03D3195D-E2BA-4E45-968D-77D1331F32E6}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA53D40C-1BFF-4851-9A72-C9415FA608BE}\TypeLib\ = "{79AA1567-79A4-43C5-BED0-F330F8325673}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CB2B9D05-3D33-4560-905A-A75CBBBC923C}\ = "ILiveUniversityEntry" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CB2B9D05-3D33-4560-905A-A75CBBBC923C}\NumMethods\ = "15" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{223B3D1D-5A22-49C7-BE2F-D951BF48E563}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8851A32-AE00-43E6-ACA1-A146384C18B0}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{03D3195D-E2BA-4E45-968D-77D1331F32E6} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{CE9495E2-76C2-487A-85C0-2F7127CF359E}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BD4C90EC03660F46A13E87A329932FA\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Products\D9185B6607EDEB244BF079F8AB2154E2\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3519154C-227E-47F3-9CC9-12C3F05817F1}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{041AA786-8E0C-44A0-A705-8E150930EE0C}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{A5FA3C05-EA68-4A02-AC07-7C64D64B6E7F}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{121932AD-6881-46E4-BCA8-9155A87E77F9}\1.0\0\win32\ = "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Windows Live\\wlidcli.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34CD8C45-56A0-4200-933F-38035ED7F7FC}\InprocServer32\ = "C:\\Program Files (x86)\\Windows Live\\Contacts\\conmigrate.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{600FA308-4E2D-4C85-989D-5CA19A41D121} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A5FA3C12-EA68-4A02-AC07-7C64D64B6E7F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{600FA307-4E2D-4C85-989D-5CA19A41D121}\ = "ILiveWebsiteEntry" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{60EC79B1-4742-4665-93CB-32F8FD795185}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A5FA3D17-EA68-4A02-AC07-7C64D64B6E7F}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A5FA3C17-EA68-4A02-AC07-7C64D64B6E7F} C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4FC85C9A-E172-4383-93AD-193BE997B279}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\000021599B0090400100000000F01FEC\SourceList\Net\1 = "C:\\Program Files (x86)\\Common Files\\Windows Live\\.cache\\2e35bac01da9c0d09\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\000021599B0090400100000000F01FEC\SourceList\LastUsedSource = "n;1;C:\\Program Files (x86)\\Common Files\\Windows Live\\.cache\\2e35bac01da9c0d09\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{041AA786-8E0C-44A0-A705-8E150930EE0C}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{9C0117DA-D42A-4E43-92A9-C3D0ADD63BFE} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{600FA302-4E2D-4C85-989D-5CA19A41D121}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A0F97DCA-FFA8-48DE-AB20-7782040C67A9}\TypeLib\Version = "10.4" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{6126F664-B01E-4E86-AD3A-98990F902B63}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD609BF1-0E01-403F-8F20-EA238F5CDCC3}\1.0\FLAGS\ = "0" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A931F6C-2846-46D9-B7E0-9235D57C87B8}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{A5FA3C18-EA68-4A02-AC07-7C64D64B6E7F}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{49B4E48B-4FE9-4C0A-AF58-946EB29A1E13}\TypeLib\ = "{A5FA3C00-EA68-4A02-AC07-7C64D64B6E7F}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2517915-48CE-4286-970F-921E881B8C5C}\InprocServer32 C:\Windows\system32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{A98858BE-062E-41FD-B46A-E1BA5F61794B}\TypeLib C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{1FB58AE3-5A90-4A37-A042-A96326CBF9F5}\InprocServer32 C:\Windows\system32\msiexec.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\7F8E8604ABE7983D5FCD32E1F388CAD3A699585D\Blob = 0300000001000000140000007f8e8604abe7983d5fcd32e1f388cad3a699585d2000000001000000200300003082031c308202dca003020102020900ab3e152c24c9e721300906072a8648ce38040330233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579301e170d3131303531373231303534315a170d3136303531353231303534315a30233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579308201b83082012c06072a8648ce3804013082011f02818100fabeebcbad8d8a07e339cbec6804e7cfcd7b7bc8c6590a4182ad7801510a1b8bc676d72eb0c83dd38e53378ff1eba7caec1a6334bc6aa7b71c6d024c81ac7eec5f7dec2d9ab0b3449fad6756f376d670dd880e97795305084b207fda38eaf7a126f3463a18aa7c9a6c2954a31471d3303a9ad01eeebe4424abceb8203b64a24b021500d431c3ef6780b96e0f2947eadcecb1d613635e7502818100df0d23c50ff45163d2320f6943b2c479c030c68b73455c6c63f42ba020c45e758148e639dbcfb57aab0f5a902f924b7c5de649c479300021fb2bee4fc3d773c06935a99a27f681f5f1750c46160312c13b5225ff30f9f69efe84cbbfffb929d24111a41ceaa62d46dd32309a72a0209e82b06de38c3bc32993d141cd2d1790f00381850002818100f9b0f1cf36bddfca9847b4f6af93caa66a0c03d6f1f7b48d431a31c9655b7a7eb6553b16bb3d40e83ff0526b24bc24b9adc10b9d805ca920fed465127922f0e0cf946a32e4d7141ca3ae56c8bce58df0fb848c8db9904390da74ec92bea5ac61c77c179d07a380501d9d5acc0d416b06c5fdd861b78e648ba03f4145ed39778fa38198308195301d0603551d0e041604146884a8968565915fcfe091a48141a38338eb552030530603551d23044c304a80146884a8968565915fcfe091a48141a38338eb5520a127a42530233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579820900ab3e152c24c9e72130120603551d130101ff040830060101ff020100300b0603551d0f0404030201c6300906072a8648ce380403032f00302c02142b3e13b30a01482a3ac4cd33b53882477cab460a02140cbacb849f1a2844cb5e5a0fe8b4e556f4ecf821 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CTLs C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\EFF588CF6F8EA3434E8EC3ECD31D11D9A3805421\Blob = 030000000100000014000000eff588cf6f8ea3434e8ec3ecd31d11d9a38054212000000001000000200300003082031c308202dba003020102020900d8e9f71464f4b781300906072a8648ce38040330233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579301e170d3038303730393032303931345a170d3133303730383032303931345a30233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579308201b73082012b06072a8648ce3804013082011e02818100b4b4ca5c74226505250710a306600f517f531b63c227d8981fa1134febef3bb2fa65977410c3f8ab9cb0f116982fd836a688e1a7cf9850e27b719f3ac84b9327317fe89b19d4d321d989a9f3310d7ccdc3671ecbf86f121c3ff132a52ba824f32b990d35f3ad6ef042fad7d9e0ae50bbe5808e367bc89bc070e366c565c533d9021500f998b616779da552b83162782400451be24e74ff0281802092e5ef0cedb0d4a8bb8a200ce6e530f4f167ecff6c4c5597927e7cd6f0a74018e37766478ce455c5c9fd738a1b96624fc3fa8999a03aac37b849a68dafc388f708a0ef07a69317951c4c6edd285d16fc0fae19c54551b63d1d40546f80b426a68481c09c4e7682087d55d5290de5400f94061ad0c27b97ad894f231b4f3e0c0381850002818100aa0bb040d7968a48941dc0a39b6c223df1a9879adffff1af6452409ef9e933d0bcf8b29db66ecc7d8f168d1249177f3d436999aeb91c7d951613a259eea227ce11ca177931d670d04e67e0f53b28451671fb4d74780ab34c7d07c54d7565fe1b5ad4ef63229922c79791ce285eab021645f0e1a524ddc475de33b5d89165f553a38198308195301d0603551d0e041604149046b506bf3542f9f0c64e4b842f7ca629522fc830530603551d23044c304a80149046b506bf3542f9f0c64e4b842f7ca629522fc8a127a42530233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579820900d8e9f71464f4b78130120603551d130101ff040830060101ff020100300b0603551d0f0404030201c6300906072a8648ce380403033000302d021500ae1432cdbf8f7a98f358c3995165ebdc8e241d7a02141f102cd6a29ff5b907bd0d9e4bf3bbd74e062271 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\7F8E8604ABE7983D5FCD32E1F388CAD3A699585D C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\Windows Live ID Token Issuer C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CRLs C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\EFF588CF6F8EA3434E8EC3ECD31D11D9A3805421 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2c03f6401da9c0d02\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2c03f6401da9c0d02\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2c03f6401da9c0d02\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2c03f6401da9c0d02\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2c03f6401da9c0d02\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2c03f6401da9c0d02\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2c03f6401da9c0d02\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2c03f6401da9c0d02\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2c03f6401da9c0d02\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\2c03f6401da9c0d02\DXSETUP.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1756 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\fitwt5p9\wo0fjwif.exe
PID 1756 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\fitwt5p9\wo0fjwif.exe
PID 1756 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\fitwt5p9\wo0fjwif.exe
PID 1756 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\fitwt5p9\wo0fjwif.exe
PID 1756 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\sjs6u1ka\rbqe3gfm.exe
PID 1756 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\sjs6u1ka\rbqe3gfm.exe
PID 1756 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\sjs6u1ka\rbqe3gfm.exe
PID 1756 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\sjs6u1ka\rbqe3gfm.exe
PID 1756 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\ee9haizg\di7e0ahy.exe
PID 1756 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\ee9haizg\di7e0ahy.exe
PID 1756 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\ee9haizg\di7e0ahy.exe
PID 1756 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\ee9haizg\di7e0ahy.exe
PID 1756 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\upcq8e52\184zj9ia.exe
PID 1756 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\upcq8e52\184zj9ia.exe
PID 1756 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\upcq8e52\184zj9ia.exe
PID 1756 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\upcq8e52\184zj9ia.exe
PID 1756 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\k08fh1uh\mu6qmonn.exe
PID 1756 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\k08fh1uh\mu6qmonn.exe
PID 1756 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\k08fh1uh\mu6qmonn.exe
PID 1756 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\k08fh1uh\mu6qmonn.exe
PID 1756 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\fz93q79p\jxv65irx.exe
PID 1756 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\fz93q79p\jxv65irx.exe
PID 1756 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\fz93q79p\jxv65irx.exe
PID 1756 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\fz93q79p\jxv65irx.exe
PID 1756 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\ufv5c77y\tu5u6c20.exe
PID 1756 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\ufv5c77y\tu5u6c20.exe
PID 1756 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\ufv5c77y\tu5u6c20.exe
PID 1756 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\ufv5c77y\tu5u6c20.exe
PID 1756 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\kfsgzlok\mjw0cvj2.exe
PID 1756 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\kfsgzlok\mjw0cvj2.exe
PID 1756 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\kfsgzlok\mjw0cvj2.exe
PID 1756 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\kfsgzlok\mjw0cvj2.exe
PID 1756 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\2rzhuhws\2icsjonv.exe
PID 1756 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\2rzhuhws\2icsjonv.exe
PID 1756 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\2rzhuhws\2icsjonv.exe
PID 1756 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\2rzhuhws\2icsjonv.exe
PID 1756 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\g384t7qt\5dzjneqf.exe
PID 1756 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\g384t7qt\5dzjneqf.exe
PID 1756 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\g384t7qt\5dzjneqf.exe
PID 1756 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\g384t7qt\5dzjneqf.exe
PID 1756 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\k5nk10c0\qfpvjqjx.exe
PID 1756 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\k5nk10c0\qfpvjqjx.exe
PID 1756 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\k5nk10c0\qfpvjqjx.exe
PID 1756 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\k5nk10c0\qfpvjqjx.exe
PID 1756 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\ik2mrzyh\l10ovy3z.exe
PID 1756 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\ik2mrzyh\l10ovy3z.exe
PID 1756 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\ik2mrzyh\l10ovy3z.exe
PID 1756 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\ik2mrzyh\l10ovy3z.exe
PID 1756 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\uvkxe7br\nvj6sl4x.exe
PID 1756 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\uvkxe7br\nvj6sl4x.exe
PID 1756 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\uvkxe7br\nvj6sl4x.exe
PID 1756 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\uvkxe7br\nvj6sl4x.exe
PID 1756 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\hb8ochof\2sr3323w.exe
PID 1756 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\hb8ochof\2sr3323w.exe
PID 1756 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\hb8ochof\2sr3323w.exe
PID 1756 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\hb8ochof\2sr3323w.exe
PID 1756 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\ibob14bn\jpus6ap5.exe
PID 1756 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\ibob14bn\jpus6ap5.exe
PID 1756 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\ibob14bn\jpus6ap5.exe
PID 1756 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\ibob14bn\jpus6ap5.exe
PID 1756 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\hdwgc46e\s6a67sxc.exe
PID 1756 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\hdwgc46e\s6a67sxc.exe
PID 1756 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\hdwgc46e\s6a67sxc.exe
PID 1756 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\hdwgc46e\s6a67sxc.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe

"C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\fitwt5p9\wo0fjwif.exe

wo0fjwif.exe 9ebbqp46.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\sjs6u1ka\rbqe3gfm.exe

rbqe3gfm.exe p6sq8e49.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\ee9haizg\di7e0ahy.exe

di7e0ahy.exe df0b55sb.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\upcq8e52\184zj9ia.exe

184zj9ia.exe 0izv4oqs.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\k08fh1uh\mu6qmonn.exe

mu6qmonn.exe 4g9meetl.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\fz93q79p\jxv65irx.exe

jxv65irx.exe 98jfsklz.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\ufv5c77y\tu5u6c20.exe

tu5u6c20.exe 9b1i0452.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\kfsgzlok\mjw0cvj2.exe

mjw0cvj2.exe dm7263hs.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\2rzhuhws\2icsjonv.exe

2icsjonv.exe qksplpbg.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\g384t7qt\5dzjneqf.exe

5dzjneqf.exe hqjhuf46.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\k5nk10c0\qfpvjqjx.exe

qfpvjqjx.exe sepefsmr.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\ik2mrzyh\l10ovy3z.exe

l10ovy3z.exe 5dm2tpwf.tmp

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000398" "00000000000002FC"

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\uvkxe7br\nvj6sl4x.exe

nvj6sl4x.exe ei0ypx8y.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\hb8ochof\2sr3323w.exe

2sr3323w.exe zfdmeo1b.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\ibob14bn\jpus6ap5.exe

jpus6ap5.exe asaox2s0.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\hdwgc46e\s6a67sxc.exe

s6a67sxc.exe iz1s8syw.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\m75ycokg\sy2191tc.exe

sy2191tc.exe 6jeinh8s.tmp

C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe

"C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe" /silent

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\6c71nvb4\alow1p1y.exe

alow1p1y.exe idbci02g.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\cdezu1l5\pfpy743u.exe

pfpy743u.exe jogj9l3y.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\cr14axp4\dqx5vas5.exe

dqx5vas5.exe vub3v8bo.tmp

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot20" "" "" "65dbac317" "0000000000000000" "00000000000004D4" "0000000000000060"

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\whqje3rs\rl6x4n1l.exe

rl6x4n1l.exe qx7p78ir.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\emsdakm7\i7dxptx7.exe

i7dxptx7.exe yydjnl1p.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\7sxh4hao\c1xpt3eu.exe

c1xpt3eu.exe b0ubw4u5.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\nundsn1a\tbkkujb9.exe

tbkkujb9.exe ys6l735q.tmp

C:\Program Files (x86)\Common Files\Windows Live\.cache\2c03f6401da9c0d02\DXSETUP.exe

"C:\Program Files (x86)\Common Files\Windows Live\.cache\2c03f6401da9c0d02\DXSETUP.exe" /silent

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot21" "" "" "6f9bf5bcb" "0000000000000000" "0000000000000398" "0000000000000060"

C:\Program Files (x86)\Common Files\Windows Live\.cache\2c2a0c401da9c0d03\DXSETUP.exe

"C:\Program Files (x86)\Common Files\Windows Live\.cache\2c2a0c401da9c0d03\DXSETUP.exe" /silent

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot22" "" "" "695c3f483" "0000000000000000" "00000000000002FC" "00000000000005AC"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll"

C:\Windows\system32\MsiExec.exe

"C:\Windows\system32\MsiExec.exe" /Y "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll"

C:\Windows\Installer\MSIF21F.tmp

"C:\Windows\Installer\MSIF21F.tmp" reg.exe add "HKLM\SOFTWARE\Microsoft\Function Discovery\Categories\Layered\Microsoft.OnlineProvider.Devices\WindowsLive" /v 00000000 /d "<categoryMetadata name=\"WindowsLive Devices\"><queryDefinition><category identity=\"Provider\Microsoft.WindowsLive.Devices\"/></queryDefinition></categoryMetadata>" /t REG_SZ /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\SOFTWARE\Microsoft\Function Discovery\Categories\Layered\Microsoft.OnlineProvider.Devices\WindowsLive" /v 00000000 /d "<categoryMetadata name=\"WindowsLive Devices\"><queryDefinition><category identity=\"Provider\Microsoft.WindowsLive.Devices\"/></queryDefinition></categoryMetadata>" /t REG_SZ /f

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding 57B2CEE94271DD91C17185B663318659 M Global\MSI0000

C:\Windows\Installer\MSIF260.tmp

"C:\Windows\Installer\MSIF260.tmp" reg.exe add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Function Discovery\Categories\Layered\Microsoft.OnlineProvider.Devices\WindowsLive" /v 00000000 /d "<categoryMetadata name=\"WindowsLive Devices\"><queryDefinition><category identity=\"Provider\Microsoft.WindowsLive.Devices\"/></queryDefinition></categoryMetadata>" /t REG_SZ /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Function Discovery\Categories\Layered\Microsoft.OnlineProvider.Devices\WindowsLive" /v 00000000 /d "<categoryMetadata name=\"WindowsLive Devices\"><queryDefinition><category identity=\"Provider\Microsoft.WindowsLive.Devices\"/></queryDefinition></categoryMetadata>" /t REG_SZ /f

C:\Windows\system32\regsvr32.exe

regsvr32.exe /s "C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDPROV.DLL"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDPROV.DLL"

C:\Windows\system32\regsvr32.exe

regsvr32.exe /s "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDPROV.DLL"

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

"C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE"

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

WLIDSvcM.exe 3056

C:\Windows\system32\regsvr32.exe

regsvr32.exe /s "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL"

C:\Windows\system32\regsvr32.exe

regsvr32.exe /s "C:\Windows\system32\LIVESSP.DLL"

C:\Windows\system32\regsvr32.exe

regsvr32.exe /s "C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL"

C:\Windows\system32\regsvr32.exe

regsvr32.exe /s "C:\Windows\SysWOW64\LIVESSP.DLL"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Windows\SysWOW64\LIVESSP.DLL"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot23" "" "" "631c88d3b" "0000000000000000" "000000000000059C" "00000000000005EC"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding AE2DA83CD0DCD4C45E81B62297517417

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding 18C7461CD3BA385E53DF037B25551734

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 7D27A476D9A605C9DB2732209033E1F8 M Global\MSI0000

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /Create /tn "Microsoft\Windows Live\SOXE\Extractor Definitions Update Task" /xml "C:\ProgramData\Microsoft\Windows Live\SOXE\updaterTask.xml" /F

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot24" "" "" "6cdcd25f3" "0000000000000000" "00000000000004C8" "00000000000005B0"

C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe

"C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe" /silent

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot25" "" "" "669d1bea7" "0000000000000000" "00000000000005CC" "00000000000003F8"

C:\Users\Admin\AppData\Local\Temp\DX233A.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DX233A.tmp\infinst.exe d3dx9_32_x64.inf

C:\Program Files (x86)\Common Files\Windows Live\.cache\2c03f6401da9c0d02\DXSETUP.exe

"C:\Program Files (x86)\Common Files\Windows Live\.cache\2c03f6401da9c0d02\DXSETUP.exe" /silent

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot26" "" "" "605d6575f" "0000000000000000" "00000000000004C8" "000000000000054C"

C:\Users\Admin\AppData\Local\Temp\DX360E.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DX360E.tmp\infinst.exe d3dx10_42_x64.inf

C:\Program Files (x86)\Common Files\Windows Live\.cache\2c2a0c401da9c0d03\DXSETUP.exe

"C:\Program Files (x86)\Common Files\Windows Live\.cache\2c2a0c401da9c0d03\DXSETUP.exe" /silent

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot27" "" "" "6a1daf017" "0000000000000000" "00000000000005B0" "000000000000054C"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding EDF3A7FC0EC724E1DCDEC212A78129DB

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding 891047FD0FC295568177BDE41B183FE7

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding F796735C152BA458F1A1A398D3CC8502 M Global\MSI0000

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 5C24A50E00747180B783A7A8A85100B7

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding AD12D0B37060EC2799972D1E5459C0D0

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding E184D060635EEEF5EE298E17CF41B4DC M Global\MSI0000

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 42246E9404D2C286FCCC4D4E1CBB2EF9

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding C18E2BE400811EC5E95FAD310D2F1719

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 122E887EF4C53E053ACBBDD9B963CDA4 M Global\MSI0000

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding C5A0F98D1E3CC0C0B2A06A5145D7BBF4 M Global\MSI0000

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /Create /tn "Microsoft\Windows Live\SOXE\Extractor Definitions Update Task" /xml "C:\ProgramData\Microsoft\Windows Live\SOXE\updaterTask.xml" /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 udp
IE 68.219.88.225:80 g.live.com tcp
US 8.8.8.8:53 www.msn.com udp
US 204.79.197.203:80 www.msn.com tcp
US 204.79.197.203:443 www.msn.com tcp
US 204.79.197.203:443 www.msn.com tcp
US 204.79.197.203:443 www.msn.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
US 2.18.190.71:80 crl.microsoft.com tcp
US 204.79.197.203:443 www.msn.com tcp
US 204.79.197.203:443 www.msn.com tcp
US 204.79.197.203:443 www.msn.com tcp
US 204.79.197.203:443 www.msn.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.203:443 www.msn.com tcp
US 204.79.197.203:443 www.msn.com tcp
US 204.79.197.203:443 www.msn.com tcp
US 204.79.197.203:443 www.msn.com tcp
US 204.79.197.203:443 www.msn.com tcp
US 204.79.197.203:443 www.msn.com tcp
US 204.79.197.203:443 www.msn.com tcp
US 204.79.197.203:443 www.msn.com tcp
US 204.79.197.203:443 www.msn.com tcp
US 204.79.197.203:443 www.msn.com tcp
US 204.79.197.203:443 www.msn.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\050121~1\tmp3478.tmp

MD5 8274c233094ab59f40135619f32848cc
SHA1 cb588154fc7e951e0199d2a56dc494010e7a994f
SHA256 ac1a5b92fc478ed69aec3d94c6c0ba328789bb4e44a9c56598a4f961edfcb09c
SHA512 08434975e41233ac9efe507d87743fa3962321b2b556b1066514745d9a885f62ceab2d0bb6eb8d045186e5b9d1efee561851a7fdd5726495658ebf4d7693d105

C:\PROGRA~3\MICROS~1\WLSetup\wlt35E1.tmp

MD5 cbf9a63a3faccbb98f8056b9ee1118e3
SHA1 2a1404023097cdfc07a578e0a8b5b5abe4db7b90
SHA256 21679dca7b22f90fb864b4a30d7ef032710804b04bfd9c369305f50d8ad6e81c
SHA512 b20458b6c80503e62a282c872dfa4fb40b53bbc079ab43ce721f47910b72cc7e5cb77123b5da8e4b72fb0a2b87b4151bd5467ef7fa2f7424ed49762b25184d47

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar38A8.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Program Files (x86)\Common Files\Windows Live\.cache\cache.ini

MD5 6bba5a7ea205b00474d9073b1a75f67e
SHA1 6f501f39be35fd6e29753a7e648d1f040e733bcf
SHA256 e63258d9621253183e15b4ae01438f85cd94f2391493d127134e3b4d4e00f0b7
SHA512 95d23a109c61bac6ca1ca7d6c77ba26d6221f078548353d0c62bf4e9897b3ab7bc3ea3eafe5e2458852f37ab733dc92a9bb4101eee01a67bf6c8f67c761158e7

C:\PROGRA~3\MICROS~1\WLSetup\wlt77DC.tmp

MD5 6df4dd5ef40cdb035d1851ecb495d498
SHA1 5c8752da038c7218d6d3bb2d0217f1a40a2a2da3
SHA256 cd4a58a31dd7dbabffbff3a16f1771e500480b6054581ab9f5c6c029807931df
SHA512 8f6ed579df5822869c9f16f579ffb32be3c2218b7b898b97976d1f9099fc47d6703740fc9e6894328eda42c8f141b579c8ea3f074214a5b73a3284d67279a75e

\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\fitwt5p9\wo0fjwif.exe

MD5 b3695953f17eb4ef1c67422007304546
SHA1 a4915419b346f11d304f337f4e9bb627be5171ea
SHA256 650b8d8737e5565709c740508b41b187720eaa32edd12f8b66bacc27f2270953
SHA512 73b5aab985ca473b88d2efb3386a0c22eec12c035bf6f89e23905d58e6e5cd83d71ecf2909e06d661011da4987badc1b5a071613980260c5bc75a9e48ee93db2

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\fitwt5p9\9ebbqp46.tmp

MD5 a6bcdb8f4c2995fdd878db23f9d800f1
SHA1 3d58e01f26811095e7ab09ef7ca117ffbb831276
SHA256 ef36704ed00de8491b983b191968fbb8a06d17af675de19dcf0506edee8f26be
SHA512 5f6fcf82275b567b56b59f1e9485102a6c7fa94b63d3b1f72501f498d82802b5d9d1f8650cd82e489d0616573a58ce808e1c9021ac01b2e9b8f9ec5d3e567812

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\fitwt5p9\D3DX9.cab

MD5 692b02ad89ed82727a47247556320ea8
SHA1 cfb54a9792ca16d8fb8c35513015abd5ae996ea0
SHA256 ada3f11e2be0f1e9faf4634de6cf5f95eebb65d24ec6b9220b479b70fe584be2
SHA512 1a9165fe1001671ab3d3f8bc9eb7532b95848c7b0582e3aad8bad53ed90dbbca0a6df1fa154afac9f4d18184a51422ca72131e92cb977ec3e25d2d860814229a

C:\PROGRA~3\MICROS~1\WLSetup\wlt7ADB.tmp

MD5 02136a305a5fcbc5b31373cb489a1a34
SHA1 c6d9d7390c781ddce4d972bc92f57a00952f32b4
SHA256 0de72fad2d446e5a49da3e8f2193dd20eedc5efc15de5f628b6f84cb58d7b00f
SHA512 1bc2e54b11e6eeca047804d77eb7f7ec9f0f3dd539e5a8ae2b7dced5653c985dcc25eec9f0f65153935f06b8d4b36f21d00c53cdaf32773e93a4bb3e244e36f5

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\sjs6u1ka\p6sq8e49.tmp

MD5 0edc6461b2b7af6dcec4a152c6d12797
SHA1 0c0f0df6223a061e7661d772761020ac2e2e06a2
SHA256 5a754fc90bfa2f60b3a0fbf45e9ff7658f77daa08debb2bdb6ca6c26304bd627
SHA512 54a540e6e410fc7740317e494f60c8b12b2b824fe5ede4d5339e79c0cde4ff8db09f1c9c4350cf175cd6898a77e74e8efe5973dc526e3d990380940c01e0a99f

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\sjs6u1ka\D3DX10_42.cab

MD5 0a1d01413e017982e2d9d819e94b6a11
SHA1 9fa93226a928772754a0e30e8872d961a013a7d9
SHA256 b77ba929b68ba8fdd40209ddf39ad6443b0513b7be639c87f69d8afba90173c7
SHA512 881b22755fb56f38cef0d668ef23df14e3ee0e85218cfd485add3d102da25eec5aa00931dea3ff6934077e03d8eb4f93e688518a37ecc7b308c23d443e47253f

C:\Program Files (x86)\Common Files\Windows Live\.cache\cache.ini

MD5 1da8316d695f9006d0784cec421964b9
SHA1 d798224e820cb18a31ec8a7d43950148cdf1be9c
SHA256 67ea91a08497fa0db4f5587c9a13d367a255d5e4d060c1114595a4780208c7bb
SHA512 edb8d537e3c0cf1ffd109c78390d7c13129492e9c4473650ba21ce7ac038f4162eb26d02248a081be485849a128977862e5e8e7da66ce2269caa926cec0375b4

C:\PROGRA~3\MICROS~1\WLSetup\wlt7BD6.tmp

MD5 5fb8878a81b4814ccbaa4c9c1a8b5702
SHA1 f53bcf0dba7960a7e085a4283d8aac8488459e15
SHA256 4cbac23a4d6e893d1038bdbe33775924ed9c48ebb6c1e43e70074c8d8b571c21
SHA512 9fa503ca6682db982e0138f81972dcf700c7264a6c3f280c68860b10aba68132a9d5a6b60f195e40b971572dbdb0e52b391cd70120c326f2ab7a6ab1c671d43b

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\ee9haizg\df0b55sb.tmp

MD5 46869c11974313746173fa325517d5d5
SHA1 ee07cc2700fd628cd55a9083b440efd394803172
SHA256 967c62f26e6556453e5a38ec192f02fd25bbb983fdd2c9ccab012528b9001dd7
SHA512 f273ac7affd55675711335e3d948d94aeb86ef8a06db0b972017f2d08ee6d3efe9ffa5ae0c10d4c3acd32a13895a4b4753a457c11f2a0ac59c1bd49eab528b29

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\ee9haizg\D3DX11_43.cab

MD5 169d9f118ff7ddc6fd8388e673c0b72d
SHA1 23c5bcfdc3e8ea04951805bcf8736f4dfd9b11ae
SHA256 82670e1c9092db7e00b9c91cf73c7b12251e4714ec66926f3bf616b2ce8df98c
SHA512 31b02fb847c0c9ac1fd01ff8e802f61d83a9e3197813f181395c7fe53d2e7096be6617ca169af1c827be97fc44c080f2b23d4a4f78e026a6d785ec4552af2ef0

C:\Program Files (x86)\Common Files\Windows Live\.cache\2c2a0c401da9c0d03\DSETUP.dll

MD5 9e0711bed229b60a853bcc5d10deaafc
SHA1 2bea53988bd35c5df5c9edcef0bc234c37289477
SHA256 def6f245762be36cf18b435ba8b7ebc224b9c21d1a1db606a8e8fafdaa97bba0
SHA512 c0b31872e52c8f4270d991c70d1a1c9ef9a4bbee4807c54c05a449cd1607506ab16ff1e74b378651b36e3276322c86cd843565c8a1aa33a49c47322ef4df0185

C:\Program Files (x86)\Common Files\Windows Live\.cache\2c2a0c401da9c0d03\dsetup32.dll

MD5 0f58ccd58a29827b5d406874360e4c08
SHA1 ba804292580be6186774e7f92e6dfb104e46bf25
SHA256 642d9e7db6d4fc15129f011dce2ea087bf7f7fb015aececf82bf84ff6634a6fb
SHA512 3e3d4f2de5dc5addc86765a2f888487ea0c9ee0208fac60187ddaa9a2bfd73cfd7734836d32805fa43222470c8f6cb9a10e2a099aef72c67ad7c789096e57ce4

C:\Program Files (x86)\Common Files\Windows Live\.cache\2c2a0c401da9c0d03\DXSETUP.exe

MD5 ddce338bb173b32024679d61fb4f2ba6
SHA1 50e51f7c8802559dd9787b0aebc85f192b7e2563
SHA256 046041aba6ba77534c36bb0c2496408d23c6a09f930c46b392f1edc70dfd66de
SHA512 7a63925278332c8e7949555383b410d8848a7834b85f34d659e351ba78cbe4d2ec09caccb2178d801b9b68725c9cbae48a6a1f07f0804a0c41eb51df79b7eca4

C:\Program Files (x86)\Common Files\Windows Live\.cache\2c2a0c401da9c0d03\dxupdate.cab

MD5 8adf5a3c4bd187052bfa92b34220f4e7
SHA1 b52be74c4489159bd343d3c647f28da1fd13d9b9
SHA256 13393a91201e69e70a9f68d21428453fff3951535dec88f879270269cfe54d6f
SHA512 3e2f2fe4b5742a4cf6ee2f6b8c0ca734fd0b3c5431dff112c907231846dd3eebee7b9b8117f0256119614282cc7a4896474a199563078481d48a1204ca96f92d

C:\PROGRA~3\MICROS~1\WLSetup\wlt7EF4.tmp

MD5 c70d9646c09c2f27ee53b5788419d7f3
SHA1 f143de048873e4dba0eecb2a34a98ed5998d12c1
SHA256 21f718f04df5a024b8db72f5995fd53a7aec14198977d7b418925040af233a0d
SHA512 6ef9e829118880a9c1c77a36302b8f5305635fe738edd36134fb136c242580fe7a7a3532880364342caf8ce36d0cd17ee97f2de387faac197ce0cd37d5de4ecf

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\upcq8e52\0izv4oqs.tmp

MD5 4ed866061580d42f96f09c16987462c7
SHA1 ee69d20909acec25024fdb8680a9dda03ad51d2c
SHA256 225a26cf9670ab0344b052474fe5ff576c808b53eed275d66efc51d16a149804
SHA512 4f9c871a138729e8af4970f7259ee44375de6a949452d0a768938d263b095fd76ebcb4354ce437d96c6c84d0562ff08cb2dd4fa5ace3fa497fb039113dd76e90

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\upcq8e52\crt90.cab

MD5 575a2172466e1a8b0f17bb3d64f0fc94
SHA1 86778234f14757b95f475dd6cb7fec32ff179cd8
SHA256 a2ae8965a8502654e7e8458c301dc0225d893a55d3c71b1cbbf6e9c0f3204a8a
SHA512 a79a9e7e2f101487d80de9ab6e4990502fffc932abd41549894bda32ac5707574e9b5ffe9f40f9f075915bb6a4c7d2215c28d461c1cdf45246f202c1121b6cee

C:\Program Files (x86)\Common Files\Windows Live\.cache\2ca372601da9c0d04\crt90.msi

MD5 1c26a77f50bfca590760bdac24e84e03
SHA1 856b931bb34ef8aabdc924c0e017a18c78430aa7
SHA256 184f0e66df21a08c25afc6b7243d1f38feb19b5a45d2b2bd5963037c4fb908b7
SHA512 638573cbb2c260e9ee8a79e39bb095fb43be9d31641fc7f4ce906378811e6c2d77175c6b39c3ff9a877236bddf5a42b1000adf8acfe95d0248e8b2a2cd263bf2

C:\Program Files (x86)\Common Files\Windows Live\.cache\cache.ini

MD5 39b234d016c1c090c6c039af0532effd
SHA1 c9e2eb0d02053f354818bcd4703178a039c97870
SHA256 9fd7f5fa77575add42a5a9a768bf467d867015ad9340fc11ac153f95fedf90fc
SHA512 0b8907461355b3f2dd1029331bd8b0725193ae12f6a0dae4f17de6801f6e3ce59c1bbe63680942346889411e770331e9f859ee98e5a54a6595d41338639e4cb5

C:\PROGRA~3\MICROS~1\WLSetup\wlt805D.tmp

MD5 447ecd02b6dd7367994fdaf6ad40f1a2
SHA1 41e5ad502ac8f903ffd143fa6626ad332b9e38d1
SHA256 c840030ca34878f7205ef9ff19ac1a3bc904f46ca31db8606fb04f81d986e8bd
SHA512 10971224c4b9263ba22c4bf62dee73fc51e9c7d787ff02d0cd02ad3adb598acf79f6130e48131ecc1032d01deae35e889db45c1b39ad2e6b6875bbf86a5f325f

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\k08fh1uh\4g9meetl.tmp

MD5 6971afaa9cc2552c74fdb965c2fb76d0
SHA1 2a384297c92a41f12d467642adc72b9b585374e5
SHA256 0dd513040077b5c7e1a869f1e1e1f709cc669d21105650e6515ceab34627d468
SHA512 af3a47a32f0c5f01623c1d280159995ae6102f986ff4c7b475b7235cddbf32296e726f2be4203de293095fdd18a5065c9d6855f1e4d072142ac793152f318055

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\k08fh1uh\crt110.cab

MD5 d119aaf4bf4085612e9af0518bef08e2
SHA1 06a029c35d3161aeaeb7189f3cb27fa855c6fbf6
SHA256 d7161a6d9176ed76ecb13b0931bdef32cb3239e9559c875ebd9cd485a2e31d39
SHA512 015b19f5894c09df2a553f56ae3151a2ea0671020379dd818d1a7c1b9fe69772d67daed4e6c6afef5faf1aa9994a061345f816ad191ca0e20988c67b9c02ef58

C:\Program Files (x86)\Common Files\Windows Live\.cache\2cda32001da9c0d05\crt110.msi

MD5 b6874af023443ad4bff84ddd4a219aa7
SHA1 358e1c9245cd0e916712586e459d038e3e6807fa
SHA256 e66c187e6633b82bcb64201600bbe6eade67e40bc23aaecab71c0c130d3a4c30
SHA512 b1588d6f69b2537090eaaa198ca46ba697c0c704ad2a2c81d56040095840e21860a0f714abe37ace67b08d4251b27240bc183a62a11e3ae7a6c091377cce7689

C:\PROGRA~3\MICROS~1\WLSetup\wlt8168.tmp

MD5 222a19d7053676738a56fd3705303200
SHA1 10756e87ed956adbc8b3a73e3b4b1a0f62c06545
SHA256 430dd49b0fead20b222985ededc24686e254f171c4d7abd3a009d725f3666681
SHA512 3f125562f99a200aae441414d5d248550715cf1421fb0dbfe0f9052f0ba70482004596aa0532037d5d605472be722dde1181b7ba5e0b3e416bb1437d7a74f58f

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\fz93q79p\98jfsklz.tmp

MD5 3ffdc68017839bba5212426593646e16
SHA1 d159eab8ad10eb07cf15f55c52220748fe1d30ed
SHA256 cc40009fe1e528af8bb5f24687324999d36e948d69197b88761b0e93d704eb0b
SHA512 7cebe2dfe1384bee8dbbe0afef02b11b0c70fb612eed85ce3d53228a629338b250922fb93f503195734106fc83aa7a35961c1caf0a12d41e92e068c79afa10b6

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\fz93q79p\crt110_amd64.cab

MD5 52eeeca22f1c4f393702ab75ca4a0c7f
SHA1 188c56555be4bfddabc1bdfbee827e47ec6b64b9
SHA256 bc1671181fb9179dbf6e326b23030e0ffc19c9a2b084c7c28ad80152b40569a3
SHA512 cd6feb5535807253b64923029d6d4ea4c2a7464eee1ec2ce07af5c224ee3a714f537ba7327f105b223fddec08b1297b0a61150537222b19b061ed06fa2abb624

C:\PROGRA~3\MICROS~1\WLSetup\wlt8225.tmp

MD5 c80ee4f5af72ae6b9a8cf8877cf3ee21
SHA1 74794a20b914729567d4408df29376ada4316856
SHA256 ad417868f6a0be672ab9b11b8990966e6352d6d1e101da4876593f0be8bd84cc
SHA512 fad28903b69db8919ec69e04896f8aaf710df0685c6b24d7a33f4e917bcdec726b122bdae49ab3567e974ce0db46c0a65ff9296c90d552f9fb8dd88f87ca1efd

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\ufv5c77y\9b1i0452.tmp

MD5 4e2166010c0793733922ab8dd0f8f1c1
SHA1 d35948d1869ef3b73be4184799d1a908e4956514
SHA256 3e4c40aad7b54cf59eba3eae173265486ee4db7f3a292ddb87989e015be3b11d
SHA512 936f6989ccc62690ed0def395a07d737dd148d2d1cf42c8774c765bf07a73fdfd6da9e68e1ccf1521ce3ede299255c6a81bb66f3bee29f0503f83defcfd1d809

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\ufv5c77y\wllogin_wlx-x64.cab

MD5 6735bd2af3d4b0ef75ed45d1cb4c31ba
SHA1 267ffe13f5757adf59ebad967c5bab6dd8f44341
SHA256 720979be43764f2064931977636c6400a7afa8e59ca497acd9a71310fc55c574
SHA512 4dcb2b1834c1c443da79f017b8b584436658fa1bb13d04c00f56b4bba671a76995c482689b00e89f430df2476bb095d2dfaa826ab880e70aba8a86890009e64e

C:\Program Files (x86)\Common Files\Windows Live\.cache\2d23fca01da9c0d07\wllogin_wlx-x64.msi

MD5 de8505467f1a7f2e6179a9c12cd5bfca
SHA1 013e8ebac87d67bfcb885535f8e3ab196ced7c91
SHA256 1d6109c4468d8780cf739f3c7b14953c1286e35350ef59519398684a6240ac43
SHA512 a84ca8781b320812e0827da6dc0acc4c5dcc48fa406092ecee4e6814780cc8b96c4f2124f771462de1675ea00647f8a58a5747d0adb1705555a7cd4d89725815

C:\PROGRA~3\MICROS~1\WLSetup\wlt8591.tmp

MD5 fd61bf6ae58ec3aa09157fed71f14492
SHA1 eed13224b402129767d24ed82d09d8473eb5e806
SHA256 08d2e9ee6fe16a67242176d218b6423a1be21fd81c1ee60d45cbf0651647fb70
SHA512 20a2c4f5c19b931c1367a095ab65e50deb16fbd4bd4e98f9ba1ebf6d7c776d975dc6bd4a57ff9f9952569c43c01bf2f8f100202e4aae0ae7d61d2ae22a4aafea

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\kfsgzlok\dm7263hs.tmp

MD5 6b0e1c4a026558ebd9b7adf2478256b4
SHA1 09d4806b572891dec18f8ea36fc783ae3fa2f333
SHA256 f4d56250a6ad6ebe6d16444e7bb65daf8cadc94e12be7d7f4a156acbb52f1059
SHA512 a8e8f71b202a4ae1bdecdd7ac1b96e791d6663aa731def39bb561c89d350a1029c41a7aaee133bb8c8d68502a45ca4fef16d2192df6592db711011a9523150e0

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\kfsgzlok\WLXSuite.cab

MD5 dd4976b6bbde52aceed41ea0e619c7cd
SHA1 eb0d5db7445bfcd5254c0b1e95cd60aa0f16105e
SHA256 2e14e58be3fa84b292bd49be75a053340c878956c5f7eb76bf1d68464e0b9648
SHA512 a7502c2e40a99aa508731c0cfb0fe6317c64381816ad6fc0a3524f7540559d762261e0a957235bbf128ab75adabcd8dbbc425e71d577376e859712084593af2e

C:\Program Files (x86)\Common Files\Windows Live\.cache\2dabab001da9c0d08\WLXSuite.msi

MD5 9f91bd1204abad23916cea89e0a6502b
SHA1 9b23bcadaee6fc61d02ae5b0aad060cdeec61023
SHA256 f213e44352caa38ae3b443b76377d62a686a6697dd55fd3120e0b86cdd571c87
SHA512 95b313aa1e7bc71d13f82f3219f7e03f076d08cb8f5cdc31b1858af1791b745fa7cae6bd2513ef8614abd186fa9f3f8401d882e5d1d9331259910fb2f3c679fc

C:\PROGRA~3\MICROS~1\WLSetup\wlt891B.tmp

MD5 f9f7f6c1ee64179ac24c2797097d5706
SHA1 8c17d7f8efbf19b76d3d843a2a2e8a7828cf314f
SHA256 696f86945af7fcc7ed0fef9c95c7343e44db8c61c14ffeb5f35381664f1f5191
SHA512 2c3fd69f1db6ef20c115febb912dadfa9e7048743837f1dc5fffadff42efdb9a751fdd99390ce0e2cb54c1519f9183c8ded6fba4cea5433933cd73a023304e50

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\2rzhuhws\qksplpbg.tmp

MD5 a6b1bf5479520ded28fa779a66c14dad
SHA1 1e14710a9e9c58ce227b9d4b2c960997a5577815
SHA256 b0cd17b8c87e89a17743c8f1c75e401984b4ba2a8127f38aaef62c83cfdd4df3
SHA512 28063d56c23123c38d0bbbf8a9ba5b5dd2630c379ad8592973bf84139a91b392a8b32f8a9ec4fa82adc6426192c85b9c15860b87880a4bcb459cb3cdcb063758

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\2rzhuhws\Watson-x64.cab

MD5 abc26cf06709db3146c92e0c8377a8b1
SHA1 2125a3554005ece8524b919815fdd9cc1037a66b
SHA256 cebe84014bfea44543c3c956d665b2d3d30c0308b80ca90a831b9c7d846356cf
SHA512 48906552f9a7b90ac76a242601739e3533859117125b912f02c40a38a756a9099bcc291cdbe98e1a9bc832bd734dbad610d9994223624127c8a28cfe0829c9d9

C:\Program Files (x86)\Common Files\Windows Live\.cache\2e35bac01da9c0d09\dw20sharedamd64.msi

MD5 2459308b46fde807b05e541ed484af4f
SHA1 6d6732af93fce1f5f4bb8f9e41cab2c70c1b7bf8
SHA256 46a2b00e630d478780bc0db5c312811ed0e194f0680ecb1df769cd3103bcd422
SHA512 ceffece9a3d10f88194846d463c95880b2af203d65d1077415f433c3e657b501cefad07410ce650ce534485a6bd756e8937151b67714045b528bc88979864a87

C:\PROGRA~3\MICROS~1\WLSetup\wlt8AD2.tmp

MD5 10b8dd1e4ee0a05ec2e1e31510b37d61
SHA1 672c7950d93f23e7b100a2fc5bc8797adcec95ee
SHA256 a94259c2dfd6f0422a31494bc0474189605883ca10bfd2a8b9317b6381c170d7
SHA512 d08d34098d321847c330ba132181d2ede1c8a5d8aa845c7bebdabab1596beaf1a92889c5824f48b370e2c3471dace1b6ba92c85b6715d284d0c4ae27bfecb4a4

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\g384t7qt\hqjhuf46.tmp

MD5 7b68481c3758c89baf84408ca6a516a9
SHA1 50bfcb68317aa5c41bf163b1e1d6b9a3e1b50d45
SHA256 7a6ad74823dacf11e46e4b9d720bb610ddf0b0653963d616671e926748133e0e
SHA512 ad4b42ec85c977f31ee552bb51287e46333ce163e2652f3d640d87431e059cd8e5426241e34c37ac3d23806ecac05b042311db5ebb1b0553016c4353b7baca1e

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\g384t7qt\soxe.definitions.cab

MD5 3bd00551de772995f7671a6ba45d65ab
SHA1 8249b2c28c73cd3a0bae4067e5cbd8c0e65d6923
SHA256 23c26ddeb0a3576c50d7ebae995a807163c63fdd5e8319aa071d13fa9a0a6496
SHA512 4e40ad0e7a414911b578ec515666475f9ab981723760fb6aa0b697e417a004cbae725f1ab295ac3026d22323dddab9db7f298d2cfebba854a1f2bf5ff5a6b6eb

C:\PROGRA~3\MICROS~1\WLSetup\wlt8B70.tmp

MD5 5ac50acb23e095fc4a3b3754b7e67e29
SHA1 c5f5157c33924313787f007a1f54406d2cba16b8
SHA256 83a4fc7db344ce7e7225e92ee0a3b8df86549a0ae43d3d536acb90ffdebd9ba3
SHA512 e5daea306d18b2b6ffc0f2554ff3bd2fcb1119b693125965fc780c7d89d47355f041b0747d133eb2e7ee82b1a60a7f0549005fb972161222c8821a01ba862d00

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\k5nk10c0\sepefsmr.tmp

MD5 6fee869fb755bace369d1ab411e7b378
SHA1 c7f5a525cab44441e30de2fcd2b17d60c099d40f
SHA256 ea894ba961f35cbd34f63a5569a8fc9642bf82ed5d6cf2df2618d84e7328feff
SHA512 c6175007077dab80a11e2bf4606735fc382d602f60c2ab26e90e221ae1aaeca9e782c8698e589e0e4299b43e02b1c68b59297737ce820f870742dbf141560107

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\k5nk10c0\soxe.core.cab

MD5 22ca63e33ab582842692359e8178ef1f
SHA1 da6d9d58e849cafed8a58a331ef1ffd17ee085a4
SHA256 48f7e9437dc980c37c284e3157f5651663725cbae5e4341f70e6672972cb87fe
SHA512 caebfa50b3c1f8b64bcd08b08d6f3b41ed6e4683767b5764ae2b636bcd67bbe845aa38747c0bd6bc9f552d24dc89a00e43cdc2668d1645ea7b4540768be702a8

C:\PROGRA~3\MICROS~1\WLSetup\wlt8C4D.tmp

MD5 7fa4c347edd4745f69e50e04d6c759fd
SHA1 4d65e4997b62bacbfb881437fe69bcc11c868ad3
SHA256 474ac624b9291612f7d3870ae1b972dd2cff6b4e58d36e68fe57e4c9dbf1d4fd
SHA512 fdc6bd74509d8f7264bc2afda8da88fcbc899cce1d27772121dfc43d3166f105adcde311fbf279235e2e0bdf0debf8eff1be593226673acfbfb522bee4423d0a

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\ik2mrzyh\5dm2tpwf.tmp

MD5 34983f6eb1552b4805a6766c9461cef3
SHA1 7f52a185a5c10c1291be7907731d1e990f8a4a90
SHA256 c4d4ce3d9a3a8c881281858045075997747a4ce8ea953a1f5f301e60a09093b1
SHA512 9f8e41f3b79cbf9b56b737abb779a6c4ab95aec07e9961240fb08efd1ed78fa677be9a9e841bc2bdd185631ecb986ad8820fb6ff098fe7866f7ce74f3d5ef6a6

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\ik2mrzyh\Contacts.cab

MD5 5f26b195ce2d0e31cee1efc7005eec86
SHA1 d7b8aa59ee38748d843033c066c6b61da57ccf64
SHA256 35debf728fc1abcbc96048e4d386b81c12bbe7ad1558e4ccee0002edd6b7da09
SHA512 55b037584949ba68993646c3fc49938890cc08c4a98766ee3d9e53d651db3dd2cb5a6399709690dc042ae1c9236aa26113ea416c333eb50b1218cb194615ef38

C:\PROGRA~3\MICROS~1\WLSetup\wlt8E42.tmp

MD5 35cac173c2b8032543c5977e34277238
SHA1 28930a5c72f00723d1f471004f4b2a4bcdd63573
SHA256 b2ad5d9c9d9df2d9aaec5e00bd8adceb36de0d3fe66c23fe6567c084a7107ad4
SHA512 aeb83d0d8e293c90ffcdb2157431c6566c8c69487067e96755d17de4383d0d752760f66b8a1c666175317b3c7260f1291503504c08fed910f5b0969e50b1716a

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\uvkxe7br\ei0ypx8y.tmp

MD5 ee3ac9d9b218516b43d3a2b8f2a24508
SHA1 8f0e3f8edc39a816f2c8edd171a7738c45bfb6bb
SHA256 98f6006ffb554539cf1cf6be46795e7e6b9b1592ae42a97f780a467badb07ada
SHA512 0048ffd26aad92b1545414c99c5825315f8538a34d46017629be49e9ebe817cb5a5bfa3aa699afe4316f886bb2791d84609cc7e10b589a2e2584be51788e28c4

C:\PROGRA~3\MICROS~1\WLSetup\wlt8F47.tmp

MD5 6733a81b51871a2a23b55a3701647aed
SHA1 1d954976870df0085660db7333a70e5c7badf54e
SHA256 071ab4216d435c8e1b65e7c7193067a3ab02b70b2b5eff1c2a0eb505b86f1129
SHA512 541131798086fa172be0810adde06c5a4a94449e0c222fd40070c570f409c8a11b342c6e243bf295221e868a53fa77c09e25c45d5ba69d59ae88e4806e154ef7

C:\Program Files (x86)\Common Files\Windows Live\.cache\2f2162e01da9c0d0e\d3dx10-x86.msi

MD5 141021890289016535d5d12741a0cbec
SHA1 67cd42ff9e9cf6433b16eb638fb08d6d77c9fb3b
SHA256 66dfe4c288e800d098e8ee5c02c7fb8d8279ace5e105a946f2517877ef550fe0
SHA512 393af5d625ef751a986ed2b90a4edcd5ae7b842d228dbc5e41ecbc5d7ecb4d176264f80ac951ad1b698c1b49b435befa5117e77778aec5696f031db85349992e

C:\PROGRA~3\MICROS~1\WLSetup\wlt9089.tmp

MD5 81a7886ba27f04ce9d4905c57df4963f
SHA1 7cbc155539038abcdab731aa7afb8843ff504fa6
SHA256 2973ea30120ad3475971e4f96cc73f32176ce29204deb1f1e62eadbfb5f7576f
SHA512 861a73c358a74d985cff144cee7370dce97bfc1de182431d7d0acea6f7161acc1b7a32abccc881511819d6b06acf59fe12a427a56f057506565010e5a8c64289

C:\PROGRA~3\MICROS~1\WLSetup\wlt99A2.tmp

MD5 68aefb6ed3bf7aa1d1993ecda73b05aa
SHA1 34daa72e1a210d7366560deed0ff06ab4d01bab7
SHA256 23c33b9cca2501a9dade1827fea716ccfc2ceff590b7aaa5d58e4a44d4e79d12
SHA512 23a21ad23edfe3fd1f52893bb427180d6e97b43821391519b522c7b6c75cb10b505bf5dc033e8694102094ebb972c16dfa19788d3e02f714d74fe04cd2e86b8a

C:\Program Files (x86)\Common Files\Windows Live\.cache\30ac87201da9c0d10\PhotoCommon.msi

MD5 ff2a751d2b5e41a1451d2fb6bdfd13e9
SHA1 8c625401a9b1ef7a5143c704dce8c24b7c888bbb
SHA256 02a76e8a58daf828e774c1c78206db50bbcc24a735b0fd26de4a9c99cce5486d
SHA512 beba30d47a25b573751df37431a4397e3506671709a571bf62cf6bc20fdfa0bb410f463d9f87affade4a9e98964e6a67221341aae79c496ec8474938bc67c880

C:\PROGRA~3\MICROS~1\WLSetup\wlt9C14.tmp

MD5 a1ca671aaacab805e8f2abcb395ff9e6
SHA1 c76bf6223557be1b66a315dca5689f1b52c35fcd
SHA256 6a4f1cedad70d61082136d23ec223e0dd8d8ce0ced4fce5865411e73ff6be43e
SHA512 e765f1c9638239fbed86ba40b16c0b58639a58ca4133fe78600ccbfc7e7e2946a7c156fee455285b7c0e0f0cd170c54b790645b023a010801557cfa84d7d8f3b

C:\Program Files (x86)\Common Files\Windows Live\.cache\3112e2401da9c0d11\SQLServerCE31-EN.msi

MD5 54854bac91e616bf8f71184c05ad0355
SHA1 73b893c66a58b3b581bbdb50cf069f9e44c7e657
SHA256 f14f64c25cbdc7e06f2ea7f08170305a5990fa0449d9371056ec59441e24476d
SHA512 7cf8114350b2d6e6e4c7940601f6b3da28f8f5397895033f2d82c97d2fc8c6ba71bc46b12abe254be521906fae0422b1084567cb70332103b29d851803b46c99

C:\Program Files (x86)\Common Files\Windows Live\.cache\2b9415a01da9c0d01\DXSETUP.exe

MD5 f5443547caac20aa334a88817579270f
SHA1 3bf8b321c2e43af72307508df417a154c3f1afd5
SHA256 cdfdc371a373cd0f0daa00db46bae7e19258dd8ef7e521e57be96cbacdbb242f
SHA512 106c9181bd98bfd82a3247267043b71d269d1ea7503ad12ef0fa2f395378205c274d11393752d21450a56a70f8c16b740901d433cf334bea4f1f7691c08ce38e

C:\Windows\Logs\DirectX.log

MD5 a5ac423ef4bf7a9f8beec4a53798d1a7
SHA1 0001a98862d0fdcc78fa06a0cda8bf3c9c3722e1
SHA256 b7386633bfa874caecbde417c8bc04e1ff385bf74e89b22abc3f8d74fbad2b0f
SHA512 80b839e3ace852e8f8727b7a3a54e550d5f7d53104ca42ad4d7a5334d81415c1ba95476489d3a11949e5187f1caba2a33ca451804c555455ec10f35734f81f96

C:\PROGRA~3\MICROS~1\WLSetup\wlt9D8D.tmp

MD5 d1f5aaf5952b8ab8bc00c2050b0f7b17
SHA1 6ddf870ac98ef74628b843fd1d55826469ecb15a
SHA256 f134e280ad2376d8ab260663f4411d2c5795aa1d46d61bb70b241223c1ffa07b
SHA512 5ce822e3040204f41a546979134155d4f3f51365b83c412d320e9e022d7db4282f3d29875a70a8f05f4e9f25ef8ae4e5f3cabb3f4a83e09832ebee4dcaf98d1b

C:\Program Files (x86)\Common Files\Windows Live\.cache\3157ea201da9c0d12\PhotoLibrary.msi

MD5 3e04cec983eaed85e81bf35de71f8bf7
SHA1 3f38e49179b4a5fd9e7704fbb29ead21e139cbfc
SHA256 22a0a57db76c1a2409760d4c9ee59b7ce1ee1a9d0208267cbdfa67579b31b63e
SHA512 789f361e89f292962aad8b2e54146ce252be2434adcae6f093fad66a403e5292916d923610266b76ecadd47f59d878226603c68b03d682b867994ac70af6b31c

C:\PROGRA~3\MICROS~1\WLSetup\wltA74F.tmp

MD5 44623495b671a344259bb39829452204
SHA1 333a5196dca06c815d930e225637db95a8d3197a
SHA256 28af1144633453ec668884b1513d0f5bdfde61333e183b5187634c59d60bbbfd
SHA512 7d4362c833fd4dd3180a7b5f0772f68ddc93659564350e63bf659cccec9507d6ace15d230d0a2965c260325dd1f7bfecec9963ed4b08d7cddb37df2d1e9959a9

C:\PROGRA~3\MICROS~1\WLSetup\wltA85A.tmp

MD5 89cd9901db2cad003e71b38f4d8e1091
SHA1 1ab795681f702456c0c9e1681dd796e4455208f7
SHA256 18f354f3bde3411c90d948e02e60de5e11faa131ce04da242925dd0f004cd4d9
SHA512 14f0152eab4ec8fdd57dfbe9fb690ae9d0770feb7826224adc2b44bf826d7498a329757ba4a338c92c226cbe8ad3e14dc671d9767a3e13f87606e43af13c5bb1

C:\Program Files (x86)\Common Files\Windows Live\.cache\32ec93e01da9c0d14\MovieMaker.msi

MD5 33cfb91ec616a06b8af75e772e966433
SHA1 69ccfa871359a84467d243f280dfc813b428d5c2
SHA256 00c89e20a23be3aa005bc2eb75cc4a6c6fb89b6623cfec017282a6e547ad9790
SHA512 61dcf628e1595169a2d9abd8113cb77ecc0606d083f90f57f964f46abab7949c0083b7d268a3c662510ca4cf3c4a561c89d41f07ca46e0ce8c7080097f6d2fd1

C:\PROGRA~3\MICROS~1\WLSetup\wltADF7.tmp

MD5 96aec171dd6a4eb4e4ef59b1dc287fbf
SHA1 7675f8808b74f66714ea778774f9b37f5a8fb8fc
SHA256 d4fada7f0157e181127d56799ad85152a500d484f16a2d31058285801ee0fc9c
SHA512 bb9d7769b0a202133a5e635fb185b53593eeffbe1f84e58755bbe14adea77c8a90fd114846aa574c3c78efc119420e573d2fbd2006928b749000f4619678389a

C:\PROGRA~3\MICROS~1\WLSetup\wltAED3.tmp

MD5 e03b80e674707a949f63897fd4cd2a97
SHA1 a593fb96e478076ee3e8aa32677a58255fc5a944
SHA256 9048360b66c7acd4d4cfb84a7498421ab6e3fee8db8b41c2b913695ec70dbf78
SHA512 d1921db4517a7ceb210874871b7b2e26dde5102dd9002c46de6be05f98842a5e147741a78ad22c6930efac5ac0e344e6d45629e035567462df946895d9f48408

C:\PROGRA~3\MICROS~1\WLSetup\wltB02D.tmp

MD5 65394a7bdab03c429522cdd490a134a0
SHA1 afe2564e539027cb1e2cf2154e5aedf609cf0bcb
SHA256 7daa30526128109b67310a3581f37c2b112d6e66e74ee2b6b74512378fda30ec
SHA512 579016091d455f75ee0f25dae7eb1a69e1c4fa6773dc739b3954ce7575dff82ca328276e648c0042f16e959502ff5aa24630bdfaf37168ebb15303bc8dbb7032

C:\PROGRA~3\MICROS~1\WLSetup\wltB57C.tmp

MD5 9971f5592ec6f9f159cd1210da51921d
SHA1 90035e88438350a128773ad22c8a4140a1e4036e
SHA256 5790818fcead57808d9d43ae94ad8c0ef44c7d2e3e89aca2152ffcf3a1cf4c25
SHA512 b0724fb4375e2cf9ca5433f78317cf6a055760165b2caf29b2213427baf5918fedc7e2dc327cee91ccecc1b95c4448a4ecca6f38094e44a49c0b19088decf4ac

C:\Users\Admin\AppData\Local\Temp\DXB4CE.tmp\dxupdate.inf

MD5 8c281fcb5546d1ed3cdaf6e3f7303139
SHA1 de342a17f2df0386f6584e2f55ae43c558ceb6c4
SHA256 7530c6e18dbb522c5f4fbf6714962c185ea318f9eab7aeb833b0cc07cd2fe656
SHA512 344ea0a375c8851fcf413f441a1cac3013b3748d1630a4d677da72e98f41823bf9427d896de7e1fe35bf868279538cf3b8322aa6ef20025bff48a6bb7f8c42d3

C:\Windows\Logs\DirectX.log

MD5 71464f0238699a1838213bcab53b141e
SHA1 5d70c81908a6d7274dcd1d4ec2d3f35d4caf2ea1
SHA256 2742a06f4fcf883b8766d97815f27ef5565adcda0fd2571979f001a9517cf216
SHA512 9ed053207cd8e1d5c6f529a46ff9b84d6b2bf05aa24fa55a9fa92af182d0c0d5901775e582c6f612b557a85a5d38e60c6dcc2f3f44d9a3cad9968cc1150db673

C:\Users\Admin\AppData\Local\Temp\DXB4CE.tmp\dec2006_d3dx9_32_x86.inf

MD5 c28f4fd1644e2a20b1c897438e197e1a
SHA1 5178534444ed7dec8c63f02defe7bdb864c47123
SHA256 ef09d783bf5cff2cfba99946e5e71fda577b196a49c88bed1c51b5fd29cecf94
SHA512 7cf93260efb1d794a17ba25b1fa02ba03b0ceeed8131d274b805155072a9a2b92a899471a8b23add8bf46c6a5a3cda63499043eaa754001bb43cafd882c8e708

C:\Users\Admin\AppData\Local\Temp\DXB4CE.tmp\dec2006_d3dx9_32_x64.inf

MD5 39929631df326b944470256c4f9cbbf3
SHA1 932de27abf59c889c02ed747f0ac04f5e494492a
SHA256 ff00313af4a90f426492d72969f5efc6c56a17f2dd91f20cb5c0a38d9f1f2b6b
SHA512 8dd2755a2b2fb90c6880cbbde65d127f55d12df2bab4560ddf86d6793b2cd4733929d97efef5fd8eeb417731a571888c893188df0361ee57eb4437fab331cb13

C:\Users\Admin\AppData\Local\Temp\DXB4CE.tmp\d3dx9_32.dll

MD5 26af232140c88b42d92a88f2198edf6a
SHA1 b62aed3f71d8963227e5021c2222192873ce753b
SHA256 e96693794daa05a75a83c11df2e7b42f2de61567c6ad0b69e353b50f6c88119f
SHA512 54a6a235af4dc3f3c693fba5ac2d487d96c9d7a2bb7deeab35d5a252e723e597226ec84e953625c8808546f91fbcfc42add85076846a63925fd9eabc09dbf935

C:\Windows\Logs\DXError.log

MD5 14965ad5897f119e777e73ce59046c74
SHA1 64a3fc1ee15783bdc1cc8e0edddb35017010cd6f
SHA256 51544a46c570a4c2c709cd35a0212df5f0197d12089ac356d53f465412b565d9
SHA512 4ecd1210ee45e8d3853dc0c41d3da6be996a4a5f2406d88960dc3727d801a14086fd9d26bd0132af20ac06f56969d855dd9533200a9faa5830d37f74406fe50f

C:\Windows\Logs\DXError.log

MD5 dd0f1c189d58ce2fbd2d595d0a75e3f6
SHA1 42265ee714eb601fde6132046652291319aa8c3a
SHA256 1b9017da4b61c45568037d15eb7f2eb7c9c0dda552e5aaedea7671000a16ebb3
SHA512 a5bc332f1b7f38e48a0c5c3f59d450c06fb3404109aad519298445b7acbc4a2705472c0260d32a0c028407464551d52c60308e68f0844fd18874b7b24139e11f

C:\Users\Admin\AppData\Local\Temp\DXC967.tmp\AUG2009_d3dx10_42_x86.inf

MD5 b3a2e761e5da007cc6036c5703e12eed
SHA1 447e852f9bdc357b00864d4dccc7486f1313918b
SHA256 a80a00464775da82c02f628c5bc13cab0d0643ec2a44b28d2acf7c77d467becf
SHA512 28a106886578fb38f144602d2b29c72a906bb24a50b16ea7d3f71f8bd7f194fc0d7c8451dd1c3e9ecc59be3a866c07a23dd394a17d39eb7b55cde7b347bed3a1

C:\Users\Admin\AppData\Local\Temp\DXC967.tmp\AUG2009_d3dx10_42_x64.inf

MD5 8d272f58bf5ce42962d7d9835e9b489e
SHA1 7e0969289f839b5dfe606f6ce6ed106460f97682
SHA256 2bfdd3d3bf485439013045b3a08942f457385bb89ab76d9479fbdd85f09e9d96
SHA512 0554257a41df07860233f26330020a45e2dab2613a6028f79914aec7552d5c54525b137e450202db1283b602c3d95908acbf9f1eed20dd79c21fda5963fc2b5e

C:\Windows\Logs\DXError.log

MD5 21ec20b0682fd64489fecc35b5eb4c6e
SHA1 195ffe0006083a17eb393f92c398ec7eb332a249
SHA256 8f59bbedb036633f531d37af4b49fd98a132516e2054f5f16ae3b99214ca5780
SHA512 35907827b58beadc9373a9c49ed81f40a7778363204d865e7e09beddc71981adc620685bc6b2506dae1098d7abe4290c060f7e10a6a6e5ae20ac0fa04d8a39c7

C:\Users\Admin\AppData\Local\Temp\DXC967.tmp\d3dx10_42.dll

MD5 501ac862517c5445742bee8a2b88414e
SHA1 49f3f2df66d357aa84a5e7a0eb368ea595b7d95a
SHA256 46429c4affe041b08a7acfda0e9162ba42de966acb2cbcaf09ef976232073b51
SHA512 08dc13d5ad0a0d2aaca9d3dbfb53304216111da73bf48810df2982650d580757c10c8b9bf80ae5191e06ebaa44b2bf9c244ae141308748c3e7fb9ef6088900ad

C:\Users\Admin\AppData\Local\Temp\DXDC4B.tmp\dxupdate.dll

MD5 94202f25810812f72953938552255fb8
SHA1 c1e88f196935d8affc1783ccf8b8954d7f2bfb62
SHA256 6dcad858cc3ff78d58c1dae5e93caf7d8bacb4f2fcf9e71bccb250bf32c7f564
SHA512 65b66d07ef68e0d1e79f236a4800c857e991ee3ff80ece4cfdd0b5f6083ea16f8a52d351c3af721cb05c06394ec91b4b5e3cfa4b0f0879f7549f3e3ed035e79e

C:\Users\Admin\AppData\Local\Temp\DXDC4B.tmp\JUN2010_d3dx11_43_x86.inf

MD5 fb5d27c88b52dcbdbc226f66f0537573
SHA1 2cbf1012fbdcbbd17643f7466f986ecd3ce2688a
SHA256 3925c924eb4ec4f5a643b2d14d2eda603341fbbd22118cdd8ae04aaa96f443c0
SHA512 8aa2200f91eca91d7ee3221bc7c8f2a9c8d913a5d633aa00835d5fb243d9cb8afa60fe34a4c3daa0731a21914bc52266d05d6b80bfc30b2a255d7acdf0d18eb5

C:\Users\Admin\AppData\Local\Temp\DXDC4B.tmp\JUN2010_D3DCompiler_43_x86.inf

MD5 1a86443fc4e07e0945904da7efe2149d
SHA1 37a6627dbf3b43aca104eb55f9f37e14947838ce
SHA256 5dd568919e1b3cbcb23ab21d0f2d6c1a065070848aba5d2a896da39e55c6cbbf
SHA512 c9faa6bb9485b1a0f8356df42c1efe1711a77efa566eee3eb0c8031ece10ffa045d35adb63e5e8b2f79f26bf3596c54c0bd23fea1642faae11baf2e97b73cf5e

C:\Users\Admin\AppData\Local\Temp\DXDC4B.tmp\JUN2010_d3dx11_43_x64.inf

MD5 590fe1ea1837b4bfb80dc8cb09e7815f
SHA1 792b5b0521c34c6b723a379dd6b3acf82f8afb1f
SHA256 2c4cf75b76203cba6378693668c8c00b564871c8bfd7fbda01e1e841477b2a3b
SHA512 80bee8f1ad5bfaba6b3ac5a39302a1427dbaa5919d76c89b279dc753170ec443924eadf454746ce331a6682ee729ab79bd390a5d3b55db8d08fd6f4869101f53

C:\Users\Admin\AppData\Local\Temp\DXDC4B.tmp\JUN2010_D3DCompiler_43_x64.inf

MD5 6494a3b568760c8248b42d2b6e4df657
SHA1 700f27ee4c74e9b9914f80b067079e09ec7c6a7f
SHA256 3e779533a273e3395109c7efac13ba1c804c01b3ddb16938406fbdf90d851216
SHA512 2bf68b123d7823ad7182e132d9e55f8de7580229e8e1b3b40030da50bb9bdeaf67bb9727ce2171fa83b7f804c24d9728ffabb44cb5017b16b771bb19e62b1b42

C:\Users\Admin\AppData\Local\Temp\DXDC4B.tmp\JUN2010_XAudio_x86.inf

MD5 31d8732ac2f0a5c053b279adc025619f
SHA1 c8d6d2e88b13581b6638002e6f7f0c3a165fff3c
SHA256 d786d06a709d5dc26067132b9735fc317763fcf8064442d6f77f65012ba179da
SHA512 abc37922307f081a1ffdc956ce59598c19ad1939ecfb6ea3280aa6aa7a99c3eba5462731586ca262f7d7257d7d2a74ff57a45abf6b93521eb6f1c9f22f8eb244

C:\Users\Admin\AppData\Local\Temp\DXDC4B.tmp\JUN2010_XAudio_x64.inf

MD5 dd987135dcbe7f21c973077787b1f4f8
SHA1 ed8c2426c46c4516e37b5f9aac30549916360f7e
SHA256 1a0f1b929724f8b71d5ce922f19b9d539d2d804c89af947d5927b049ef0fd3d8
SHA512 f0469c94219b4df99d7b9b693161a736fa8eec88a3f6c7f2cf92fab2ade048dfe61fcde3a4cf4f7a2aaf841d079a46b17259dea22cfb02831983f55bd7f61899

C:\Windows\Logs\DXError.log

MD5 8b3ceefb22fa20f17f906717205f1d65
SHA1 3530266c78a70f8b0a3d3e9c0d78fe8387cb2aa8
SHA256 6754ada11cd9d6247cab5035539fd5d5485c3199fb8a57f59bfacbecd02bcf9b
SHA512 253e66a5d1e13e742d86f8f2e8f686d3bd902b4b4de830984cacea4f46a81f7098c5502c00e44a851a98034b5c254bf864a826969bab1f9549a0ea4cbfc1c8f7

C:\Users\Admin\AppData\Local\Temp\DXDC4B.tmp\d3dx11_43.dll

MD5 8e0bb968ff41d80e5f2c747c04db79ae
SHA1 69b332d78020177a9b3f60cb672ec47578003c0d
SHA256 492e960cb3ccfc8c25fc83f7c464ba77c86a20411347a1a9b3e5d3e8c9180a8d
SHA512 7d71cb5411f239696e77fe57a272c675fe15d32456ce7befb0c2cf3fc567dce5d38a45f4b004577e3dec283904f42ae17a290105d8ab8ef6b70bad4e15c9d506

C:\Config.Msi\f76df94.rbs

MD5 3ae39ea8d487c12e5937d3aa18bc76f4
SHA1 ab3bcb46d934dde547fd3126708cdf3ded5ebdcb
SHA256 60e88302baa47f8a241d8ee4b718a46e96e0aef68b9f2e21015d49e7fbbbd565
SHA512 f734f94d2e61ae78e51170ed98d7d768900001e348a4d5f1b0f580e5c0d32893560e939ca18b2d70b4acad16b8a629277574ccadee58da5cad6bf0dca6c2de80

C:\Config.Msi\f76df98.rbs

MD5 7036b0531ea129e317dda84188b37b22
SHA1 39bdd679f9b02faf9c218ccf6c78fcb9c8f540ad
SHA256 6ad6d27d6c7f1c2e5dfa41c534c1d7492d8b5f367732b0bbc6fd719e31ca45b9
SHA512 834a61326c18af2e399ce5f43cd10b5c04c8c0e1f5fb51e94ec2afc4e44b75b0bdc2e15127758d519b0e185801f01b04f04602253ec22c9c8d0e8a3880888e43

C:\Windows\Installer\MSIF260.tmp

MD5 154426e66361ce1b0f9a52eee18f1576
SHA1 15ada007dbf6e47710c05a8006020ca5f1c53ba2
SHA256 827af890fcc70f86db1bd0394b2fe6c76bb9df201fb7df05067358a6f349cf6f
SHA512 7ee4002fbc226df072247544dffa582df9eae25cde6e2d9841fc7d565b25e71c6b4d1626e87e5c6a406c3dfddbb401be1d0996ac4ba3fbc705ea211df9fc7bfb

C:\Windows\Installer\MSIF2CF.tmp

MD5 c7375273a093747bf28851cb7359d9b9
SHA1 3691bbea99ea1b50cc7690fb111f1fdf9de15e53
SHA256 74f518d88b03d77897eea20b2f701ac146b88795ceffdca6cf632186ccf33f53
SHA512 2beed7eb43abf259d663bc0c2b9518bc65274d6ff8a05d566ea91ec23d5ced068cc9e658435ff7fd134aa08d685c21a7f63f91a89d54ff077ecd187f0fe2f56a

C:\Config.Msi\f76df9c.rbs

MD5 db2fea0f981d335c08f8734a7e96cbed
SHA1 4fd41a12fa611fce571ab0e0186ced29fe610212
SHA256 afd7af3fe49113400655956c308f279b00267de841123a582d030dacd03d9c8e
SHA512 8518781192ad89c3e41a96c651247cd4e9e76a42644fd1402d0b0111e85735b94d75c96499fc2dc469b536ad2b625b2011118f5c9c5ab962d332a7cb7fde9bdb

C:\Config.Msi\f76dfa0.rbs

MD5 c3f41b449e0cce1846f21c0da0e0974d
SHA1 b9ed1056b34e0c2d2cc127dd98f2c0e69f238c9d
SHA256 8c25f7f6b574b3861976e585cd7821fe5f88ffb5e1821ebd00a5cafef91e95cf
SHA512 b306e1c94f7660ea1d821b07c15d23eec1991bfd6de7b26c3a073b9be8a3cb96bd388f2965ad7ead7b2c7eef1d2090a6620905c2f1b33e4fa73792db4f771974

C:\Windows\Installer\MSI1B1F.tmp

MD5 afa2262aaada580a74e1dddaeb03bc58
SHA1 5738eb9ba190361390d97725f90a71c6bb5bf5b0
SHA256 1deffb4fd70c9c346e1c5121b5069f758198ce12cdec5c2151127658bf12e460
SHA512 86099269378b31483480c36107f357f06d27e4c9e4892ee184438f7a3730f67853b5d44bf0bb7049242ad9ae262d08b07052bcd9f9f72175e754185725787f99

C:\Windows\Installer\MSI28EF.tmp

MD5 331caf579a41951fb7462bc8523de15b
SHA1 74a0cd632915e55028a398223dccb91050368258
SHA256 bedbfb71cba5a06ae38b38eb84da2e1a8ae99000d2cfeb49ee80e114a5e5f34c
SHA512 fec47b6087d38bedbb7000cb733cf9fbcb4adceadb088da5f6d4b8a325a458264c45e00580f3d15259874f79d395cad31fa6590117b738838804cbee3972415f

C:\Config.Msi\f76dfcb.rbf

MD5 21438ef4b9ad4fc266b6129a2f60de29
SHA1 5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd
SHA256 13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354
SHA512 37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237

C:\Windows\Installer\$PatchCache$\Managed\8CDD41E806AE81E43B3E917301D4B5AD\16.4.1108\F_CENTRAL_vcomp110_x86.F9D0B380_EB85_31D4_96AC_C6CB40086A55

MD5 f9cae234ef87430c809addeda386b609
SHA1 80976f9bc0fdaa9d405f8d3a4d857db8e3e3b93a
SHA256 d65c6324e62585e92d2098d2abc9bb23597c3a86ff52fcf509ffa58b1650ef10
SHA512 93b7b5f7d299b0565aa4294d67399a39b8387faa2e888dc0e857cc16b187e90b624063d36590e0d3d6c2a58a94fcc920404f0fa84f4e618a6ec27cfdb3e8a32a

C:\Windows\Installer\$PatchCache$\Managed\8CDD41E806AE81E43B3E917301D4B5AD\16.4.1108\F_CENTRAL_vccorlib110_x86.F9D0B380_EB85_31D4_96AC_C6CB40086A55

MD5 f660cf07ec1d5704aba37ece8e17f0e6
SHA1 2b99e853911e7e32d920d035d89a044ee367e67c
SHA256 64e47a6aba8b14975236cd0219dd3b853fbccb5a2c044c8b94ee5ac586800385
SHA512 eb8b8e9fb5b53baee4b71ef851393e32cfe0d875efefe0309bd237f489e262d5ead5840244bafe0f6391251b1758b73d8f067b3dd0008f9ee5f4aedf2d2ae4a9

C:\Windows\Installer\$PatchCache$\Managed\8CDD41E806AE81E43B3E917301D4B5AD\16.4.1108\F_CENTRAL_msvcr110_x86.F9D0B380_EB85_31D4_96AC_C6CB40086A55

MD5 80e987dbe08677e2ec09615cd4358607
SHA1 d2109b7a238ae75545c7a43f863ead710b00b323
SHA256 8a06500612ce1bb0aecf052dcccce619c85be7732cbaeac4d6b26b6ae2cc7f7b
SHA512 cb876bcddb2abd97d247efca8fa602d9edf0b63fad12ebb1f4f3426e227b0a35f35db19cba2a51f4f8124df435fdcf8844728dc883ebf3662b20393958345a45

C:\Windows\Installer\$PatchCache$\Managed\8CDD41E806AE81E43B3E917301D4B5AD\16.4.1108\F_CENTRAL_msvcp110_x86.F9D0B380_EB85_31D4_96AC_C6CB40086A55

MD5 ab09ce954c647f3c2b4328b57d519996
SHA1 63f3de90362bba6f106367bac56566f952666d39
SHA256 0de1e28796f709d24758ddc6bc2c779f6ff4b20c51b163e2ba77fa7e52942070
SHA512 7c55060f782552d239500b9300c79c95726498fa7cf73250d22ae95ec0db1086b3012e19e066e3b0e9b22ae86bb5a8bb4ec2ed5cf2c03f2734bf2e58bef67fb4

C:\Windows\Installer\$PatchCache$\Managed\8CDD41E806AE81E43B3E917301D4B5AD\16.4.1108\F_CENTRAL_atl110_x86.F9D0B380_EB85_31D4_96AC_C6CB40086A55

MD5 b80876dc9ed199aae1ecca79fe268aef
SHA1 0247f430077691b06635396605635cf768992e26
SHA256 4d7a75b644b307abe1667b7e5def00cd61690ed2b780d1a263a9323f4cd34041
SHA512 0efdfa08f9daca1e197456b5a834edc7b5dc69eea454cb2eb197eb6844742d316fdfc992a9f4b6a6d573a67a466379745d7936ec0c56f9ef15cf6bfc80ec43a3

C:\Config.Msi\f76dfc5.rbs

MD5 3114aef8ca237ebda161005f22fe2a29
SHA1 b3daf110900b19c9b4ca063fc9b7673ad96d7393
SHA256 18ea5cf5f5c2673111dd852bc3bbb10ee616d6ba7e935ff0de56bfecda360edd
SHA512 6e091f105b1fd20faf242a9a84036852bba514a96ca0fcd4ccf1aa5e0787cb6c43bc45583affad1b673fe4e5712f8943a6b2dff927d9731d543698a14cf9e3bf

C:\Windows\Installer\$PatchCache$\Managed\F187AF9E08E3993428A5DAE3112CC877\16.4.1109\F_CENTRAL_vcomp110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C

MD5 a24611da798edd02242ae618050c4ef4
SHA1 28b29814033d3921939cbc96f8aec6234401f8d2
SHA256 f48c9f347c0fba69247f1c85569a21e0d6282ac02469366c79588f896d57b277
SHA512 ce86a35f2e29b130cf4ad4312c3f920758a2a4837d8e725f7d95ededcc8156387576b3a782c4603b6f229b403d0d1929b43e384fe95a3eb6c799d350b2a5a223

C:\Windows\Installer\$PatchCache$\Managed\F187AF9E08E3993428A5DAE3112CC877\16.4.1109\F_CENTRAL_vccorlib110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C

MD5 ca969d6fa6c19758d48c664b2d1ce08d
SHA1 3eaf3564b5957329c7c84e217fbc26ce5f8e938a
SHA256 9e76c5a9e8358589cbdd06efa426ed0f0fa95b65377b976ff7d056d21a0f1f89
SHA512 edeffe548003147c37464fa687680a8f1751835aba070d118c2152fc616e06e8b1733e7f0f7d7947889a6cb46938e254a71d915dba4eadf142ff4788523147fa

C:\Windows\Installer\$PatchCache$\Managed\F187AF9E08E3993428A5DAE3112CC877\16.4.1109\F_CENTRAL_msvcr110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C

MD5 c72abc6b7b90a61364b6dd889b5435f3
SHA1 dfe74e40da0bb442aeec448b2b3e447067d610bb
SHA256 0cbbd9691f08434da3617874f99c6dd87538cbd65b5d8bc39fce378d4ed29eed
SHA512 f91b1eb81af15812311542c663a4af976003a522f0ceed056e7e3732988efba8e03d4502c3d59e1cd71e01ff5014fe95fbe3eb4996fb3811a68413626feccb8f

C:\Windows\Installer\$PatchCache$\Managed\F187AF9E08E3993428A5DAE3112CC877\16.4.1109\F_CENTRAL_msvcp110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C

MD5 349b1d5d8d1b5a7b10bcd01470bd5f64
SHA1 cd6f2f507f9481803d6d808cef09546a44f96e21
SHA256 f0502e3d58713044f62f539b8738694e4ce9c619c665515f5ed2500c843c0c46
SHA512 f7d1bd3f661bf09e2ba84488b617a8dab61983854a2689e0fa7e5abc121eef784c13c8e1bac8ee6d3067486220730bf3bccb619de0ee93fc158f0f59b71553c3

C:\Windows\Installer\$PatchCache$\Managed\F187AF9E08E3993428A5DAE3112CC877\16.4.1109\F_CENTRAL_atl110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C

MD5 3a72fa7ad0289cd0bcd1f4e3613766e9
SHA1 ea6c5cd5a2a17514b9f066e48e19b07df524508a
SHA256 0773677d1a9ad31e3f1bec74030ab1c867c627ab2f67e519e0243c02dcc12d45
SHA512 b65540e99969cd2a0d22ac7788615dfb13b0826f5afe87836a01d5df544c473c57d95003ca688b45f361629dc0507e5551106473813f6c9b1825321a3539e80c

C:\Config.Msi\f76dfcf.rbs

MD5 31fd8673b51928e535d13cc87a8202e0
SHA1 0997b0a095f84b8057858282c129b5b8b4b8093c
SHA256 9944b580a0092d9fb06359bddacd0c062c771521641e68af9dcbab7afd544588
SHA512 11bbf1f51cafa88591296c6186492d68ca783078ae0e48aa4df0fe9855f94cef6c7358a59d4a5a13968b14f1982e8b61c2c4952aa3533c34a831c867a832cc97

C:\Config.Msi\f76dfda.rbf

MD5 19c334982160e2e9b65f65fee9fb2f1b
SHA1 8d28c230fd4c29569a721ecee64f87795b9891b3
SHA256 716f505e8dbdc2ef87ee40df85cee2e4df1321404960d4502f4c59095c0b25f4
SHA512 657a0e828bda7c457e81ab7d5c1effd867f5047e323fc197aa1de4587e8b51dbf9a99e9064f086d00dbc9c777fdb1b668612b5c0704220a38c6e8c7c009f511a

C:\Config.Msi\f76dfdb.rbf

MD5 f8fabde2101eb374d55299062a1956f3
SHA1 b064168929d67805cc7346b8f3a0fbca23e69b5c
SHA256 06d44d51aecb6d43911d1b8d23ce08a796dc85407ae46f68f00d8e433054d37f
SHA512 463efa2ec2f7d30ca285ce468b2910a98e39ee67ea0eaaa6f4d772f390207178377c8f42b455fea563e5ec51ac1c0e91e15e8f0ce6d5d2a56037519c3b1df5ef

C:\Config.Msi\f76dfdc.rbf

MD5 8a1e15b5d2f3c15b1a2371c280328bc8
SHA1 b6200087c87a1c784a6a6d02a16998a1934cff6d
SHA256 f231ff5322bd34defbebf4548c2ce7148576481f52c9829f51e75ebba653c491
SHA512 3006e39dae75fdea6719fb2ac28f4eee4bf2588582bbf50ec921ac8eb0f59a06eaf024a5d65dbafbb9e792fef86c0e4ee0d78cee736a20a0eee61944bd43cb92

C:\Config.Msi\f76dfdd.rbf

MD5 4631116763b745f833b7b038109ce117
SHA1 3405589b8f9bc7c60f562108a35908743529a6af
SHA256 31c6b41f131b83cd811f5cd7ec51c4da9aabffdcdb544f32f880b4eba352db6b
SHA512 d3be284773802270f316a7ffe5796958cf3531f336007dae6d6a749f0fb3d8c0b31ef444451b2150d6d444a60a92a4fb3df4e031ca8a70d7fdf8aa16ded916fc

C:\Config.Msi\f76dfde.rbf

MD5 59412225e43ffa632061bc4af6c23a29
SHA1 2d3c2b0c00d402c174dd862250e2f0bb26b3e085
SHA256 06305cd4ce3608d7a72a7d3ac824d815324e8bc8fad52f58fa2095aaac39eb17
SHA512 11704d4d62bf028671d5483b075f70075125f462b10f089bfd70ff109a3ba2c133e112b4af71b3f805d1c31481adef065e731222285d92ee5eb22d31f541cbce

C:\Config.Msi\f76dfdf.rbf

MD5 d56f4d98f6078295ab1ab0670bf2b9a4
SHA1 0e323bf6db23597c13091db97c2b9978e119595f
SHA256 38a8a8442b967038e301164e27561dd79ed8cdc7efadb89e440fa2da929345ea
SHA512 072fac60f5c2b3bece23dff6b3d7a69330f349ccd7b04fa1db0e811145a468a9fd5aeac052e52ac13e24fa1b3ca3bae17e59442e381c8636e1e9505eb7cf8342

C:\Config.Msi\f76dfe0.rbf

MD5 750d64660645311559524a8c57c02dcf
SHA1 eed3e34d144556640d3cc843a31594219ab1ecd5
SHA256 3976b799208f9053afc453e95f0fef5c3b010845b571ecc674885f2121d2bcaf
SHA512 65c06035fdb9b3322690260ee347a4097576ac90d82593c6aa263003101c15c3dbac4d14e44cd948596aea9c4ceff9e9ef5f2e5ba3f8a14bebaa206cc42e840d

C:\Config.Msi\f76dfe1.rbf

MD5 833011ab151a76f4063f0155b4c2c156
SHA1 49fa4318a8aecfecb0e167515aad84c9fe8b5c14
SHA256 409449bb4460982f38a717d0ad4f94ab4d3662968c398282a78095a554a592cd
SHA512 4b9b3f81f93a4fa495b26e27bb3b9666de3070ef6a0ba62b3e4095264e1abc13ce8ce85e91e5390e8b7a3a0b08e064ae4311312e7e0c67e02ad9c01545676c57

C:\Config.Msi\f76dfe2.rbf

MD5 d475bbd6fef8db2dde0da7ccfd2c9042
SHA1 80887bdb64335762a3b1d78f7365c4ee9cfaeab5
SHA256 8e9d77a216d8dd2be2b304e60edf85ce825309e67262fcff1891aede63909599
SHA512 f760e02d4d336ac384a0125291b9deac88c24f457271be686b6d817f01ea046d286c73deddbf0476dcc2ade3b3f5329563abd8f2f1e40aee817fee1e3766d008

C:\Config.Msi\f76dfe3.rbf

MD5 ddb7181b125abdc6d2b2831b8be6b3a2
SHA1 20b12d3f59fd427429ffbf6ba3edd82de0365921
SHA256 8aead63e2d39a64c429d5b79a13d73d6c133b19607c3d3e32a60262c8574caba
SHA512 30af739cc615542fd1ae8a073ace0e1690d4a5d102595416d506dffa158f9610c32d63b7c5ad335715c76f2262d2df6e8f850812e915adb4a9043a0ab90ff6b0

C:\Config.Msi\f76dfe4.rbf

MD5 36c3ff7ed2592e97d9a01bae095a037d
SHA1 b6a2c49c8481969283c2e3eaca78026adbd1f524
SHA256 b226b3f204026c41878073f62b5210d9a81aea255e4ad8d24b611ec37bc39b77
SHA512 0b8797dc15dbbda12f3aa75ebae88d336fcca7f76a62461dfde4a371c8a8281a93dcd25dcd32710eab805988dcb71f9a35af284294d5021c26b29407eada684b

C:\Config.Msi\f76dfe5.rbf

MD5 d718132c57d5f9433bd4dbc76dafcb3e
SHA1 910ff15d0209427a0beed450cdb60e9851fb083c
SHA256 b7107789317b87463abd8dc2d4c10d22d8bbdb5e59f3f3332e7627eb0919759b
SHA512 e2a17881a2e1f7418073f5649db52c9889798c143044c0d3b100089fc245ed3201051fe5d34463b43e23beae057340d4f49244e338f9c68c059851aee1d05548

C:\Config.Msi\f76dfe6.rbf

MD5 144e67dd00d5f958d34c7341a4748512
SHA1 fe75888d1abb99d49d368e50d954f1fa3307122d
SHA256 2203532ba8e256d6c6037da6e73a79238fb3a84cf37e26a8d209fde1a43dbdea
SHA512 82044a755d7a4c9ddaa676b92d3acb15b055d9b553031157b1ff07865dff87827c20766de9ba5b1dae1240b796e393f944d14e95d0d3131ee7f6697104be6a9f

C:\Config.Msi\f76dfe7.rbf

MD5 189254e2323732285405ef21024f77bf
SHA1 ce3a7b03c7385c4025f4b310d2674c7b5485c28a
SHA256 5505cbb3db5c57e63492c78df45cff9ad4da97d9ef0c624b0fd062b8de9c2482
SHA512 ed799ab56b31553d8823cfbc284898708e9d6a38659d9ca5096049447e8a2c78c30c9a35faf4869c20b0c1b4208c17756da6df0e24440c0295dc6cd5cc60c4c4

C:\Config.Msi\f76dfe8.rbf

MD5 68f9dc456607f5e4ef2cc69fd52da031
SHA1 8da5a56199921d2a15839f7ac924c6dd394a65dc
SHA256 f9621117f4c50b57e0b0a6b7b62b2478b8b6469439810eb5ff40c1b65958a4d9
SHA512 74640dbf8f66a5ed068ee8019edc0800c096cc8f14a8d7294a435644be54785e2083cb1bc9311ce0b3a45baf5469ce27eb10977e3aa4b0817b652ac65e3e1b01

C:\Config.Msi\f76dfe9.rbf

MD5 0b92e34cbe0f5a2fd1d4623ac1adc70c
SHA1 dc3ff919983d79e3b96f9c7d274cb3e88652503a
SHA256 a7b6259921a56ea44d3560dbe99acef787f4fb6e785260f0601f13dc2d3c887b
SHA512 417fde41ba6ded8759a30e3078b2df801b2c578901a3367c4e49976f9a3a20902d758b0741b9b64779f52acbe692841bfc7dd4b057bd98f60ae249334e98bcb2

C:\Config.Msi\f76dfea.rbf

MD5 5e65ed1f7efddd406ce16aaf90d45eaa
SHA1 27c0bea0fb39245c95650e6fc404cc69053bf61d
SHA256 f792d18a252aa7b8cdf604352fc871b5346212e442c1785da8dc15657a4dda80
SHA512 ca4318127fef1a5a9adfc7aa7323219a2060c13f6bc5d8a8b892dd05f806eadcfd756318fe37c6f70f5a1589b733742360b7dcc9a8b2c694a4d5d0e6ffa98034

C:\Config.Msi\f76dfeb.rbf

MD5 9b6728e20ab8bee1b196b1b52bb21321
SHA1 89d58441380a25083b5e90dd30d74de8af0496bb
SHA256 959b8d276f0b74f902379d05f0a825b0b2118e96554ac22e6e070bcd650f0ab7
SHA512 38195d1708e375f955b5924c37fd0fdddb88e22c29793c42b867ba4438fb1a7b48e45dac05315bfd7c9079039d8668c0aab3d4c74b69fb46b04d276477514aa7

C:\Config.Msi\f76dfec.rbf

MD5 ec62f94fd38011803a5d7646874780c7
SHA1 2eefa5d657078c2608c994cb63e20992274fb4a7
SHA256 295f491d55b4b265d7b8184e0ec379f51bc30aa424f15961687e2ca4ab1a223d
SHA512 25e06909ef92cf26d945760a75ff880401f0590b7e6e9bd32c1552634df33b2705ff9e810eb5d39757b0c985299c73f799e204cbceab5ce9b51644df3f664701

C:\Config.Msi\f76dfd9.rbs

MD5 3b17d8d32a3ef89c20ef429bf5a3fc88
SHA1 e4f549cd73858c4939e9cec1c97d67359cbf2322
SHA256 b466a4d4051e29894e169da11349dfd69a348c6868086894af103a7cf33ca2ec
SHA512 dd5bf88c06d43001b4afe50c5443c8e876d6088a14ae7c2f9ef429bf52a77b3891d49563aec291ae2ffda918386f256d4858682720357506426eeb58cf80bdc3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 401ba581ba21b3795c06dd3ce3ad6bff
SHA1 178a41db7c46501d07b5ab670dc6cc13fb10ddf3
SHA256 026d59a4137c92b9835df08e2901f1317c7923e9333a6c23a5ae8a683288bf01
SHA512 5f91f3b1e9f889f46179ffcba0a940bbf42966df2e531e4fda277a3011bfd536a35eee528aef9e065a1a78278b6ae85237871dd0e9936ef324bd7d0fee55f517

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 933fa4d93c94f41d6f5ab719b8b17bc1
SHA1 28bbec57e921dd9b006808ddb8c06af49296afaa
SHA256 45c40dfb30a9a86f1e7a31a5f29b3e02c7c945c55b1c138b8c0b2bf5c2806d3e
SHA512 ca196c8c2352f5c8bf75afdfa281ba347775f2cf70b5e548c44ca969e34f93411adf13a1d96a6c561b4535f0d575836912ce0f3ab7dd89c69178dd24f7b64274

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\Local\Temp\DX233A.tmp\dxupdate.dll

MD5 57f0c80414609302bfd4dfbb61b69ac1
SHA1 f077266250833d2af729df9c00983d7f4ad2663a
SHA256 dd8903faa5244492fdb8868dbca66d74aac98c394ca5382a0c24bcf621e7a16e
SHA512 2f171feb76b6014b10e493755c0138cd9edc12941b4f35faf2e99a49f08801b58cad8b4de5ef12fcba19e9261c864b911ace23c290f73384bfc378b6d9c1881b

C:\Users\Admin\AppData\Local\Temp\DX360E.tmp\dxupdate.cif

MD5 b36d3f105d18e55534ad605cbf061a92
SHA1 788ef2de1dea6c8fe1d23a2e1007542f7321ed79
SHA256 c6c5e877e92d387e977c135765075b7610df2500e21c16e106a225216e6442ae
SHA512 35ae00da025fd578205337a018b35176095a876cd3c3cf67a3e8a8e69cd750a4ccc34ce240f11fae3418e5e93caf5082c987f0c63f9d953ed7cb8d9271e03b62

C:\Windows\Logs\DXError.log

MD5 0b4b7f8a3e584e79c5b4744aa3ef2e11
SHA1 8cbca597c4ea01c3d4941b6a285778b6f12eb752
SHA256 2cecfced79eacaef8a51ce29290669795c9da5b45eaf8fe5c289712ac385743b
SHA512 d90a4ab709eabdf0e6170df7d7d749588915c8747f00eb07402ab3d28f4d6aa55e1469f0edb3d9e70dde9003ca6e6b4a3a12884196d5af46ea7603a522f4a783

C:\Windows\winsxs\InstallTemp\20240501212055588.0\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa.cat

MD5 80f181c2010a7db0efcb5f13645e9c84
SHA1 17f3d888de0f592bae3f8ef4a1581966124d3307
SHA256 c38f6cfc3f6aa11957113683c1bf7c3f44816ba359fe89eedd4ee92da1b3dca9
SHA512 ceabc0075e012cac43342f42b4e74331fa51bf3b2f280d788294b99682f84efb8eca039fb3be833112d8b0915a5fa65c922ee9800315ba4f17cd5643d016d034

C:\Windows\winsxs\InstallTemp\20240501212055634.0\9.0.30729.4148.cat

MD5 f9d94a589320dd63dd898c211d019012
SHA1 304d84933e0ff0b421c1bc5f2fd51cf98a0495a3
SHA256 83d24fe403df20693673c49b94091b577e1cb4fe975d9d79eb2e74fad693a937
SHA512 d118d45efe2ca085de6afe563dc8462457d48ba80a4b7e9d25adb2b2ed6d6db425f074dbba2df41307d38f70d95eb2066332108d5f50461fcf2ce6458f3cc167

C:\Windows\winsxs\InstallTemp\20240501212055588.0\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa.manifest

MD5 6a912f492582eb415293421a9babe38c
SHA1 f5be1af48df88218a416d0c4293b4b1ce58c0708
SHA256 19f63f32922553d62a08d17f41a75ec07d687c0bdaf8aa4ceff6d9725b5b6d14
SHA512 f310afbb63b58a630317b0002b302cf7bd424cec20fc3d8e16d821652e2ebc8b3e10b9d2ea8a564c0df3986cf3aeb68fd13c6a5aa73032ff8fd8a9495c12ad57

C:\Windows\winsxs\InstallTemp\20240501212055634.0\9.0.30729.4148.policy

MD5 dccec0d4688b82ccd409ead94b9a52cb
SHA1 2a7fe58d3aac85da7dd7f0a68c0e4a459244e68f
SHA256 42935f89f488aca0615d5a8a9741c4b8830c36b5c971f5aa05c82df345ceccaa
SHA512 68d2ffc9c58c5089357e2d9145757d67b11b5885ebb79c32e857b845b8a7cd95d7eaa72670d4f5830bee1d0e64164308461cc3a9912db34a13ddaa0692444348

C:\Windows\winsxs\InstallTemp\20240501212055588.0\vcomp90.dll

MD5 401f8901dbaac9b3033e42a0698a0676
SHA1 8769d3c0980c5efe8b05f27ddb62b4a5f6fb6b33
SHA256 fa473512b462d89b1829f3222362ac02757538f252967d16fda485ffa92ccf74
SHA512 c879017075cffdd735c81ccf124516f71ee1833156e708b234423b82e787d06ff7dc96a1b00985a96608572b6cbca383313354eedd9ab3deb1598d1182f7670f

C:\Config.Msi\f76dffb.rbs

MD5 1372bf4501b5dd51fbae08af309713c8
SHA1 fd4c596cc973d5da668fefe84bde9ce120bc6daa
SHA256 c1258154c0c8c327347d5db05d6b0eafcab65e81c7bbafebcde2d7cf047614e8
SHA512 b42bc771f2bb64839f4585425bc5fed89be418ef7b8f5a8b9a1b71c4f426cb046df0bd245f15e28e4024f8c059a47461d31d63b29044e10823f1c25ded1d185d

C:\Config.Msi\f76dfff.rbs

MD5 efb7273e52756ef7872de9e5052a91af
SHA1 eba80c036e1a414fc1be1036af66879404c4036b
SHA256 94b57c63c47b0bc1632fc6ffa4aec1a0b35e7d456c30b0d69e20a0ec8ab2df26
SHA512 88d02601a13a54568bb19bcdf8adab899c6edabf2694b5cf8b6431e39e266282441e3f410676460303dccbf6f75b4095d2861d2d09d6a65684a7f3a958329f8f

C:\Config.Msi\f76e003.rbs

MD5 36ad1bf16088b6bcf8ce567341c3872d
SHA1 84c63174d69e890b32bea38b806b5052f96956f6
SHA256 ee5e6b4241f5eedf825a0fa2060f551e35970e8e54f943e4dfadbbf9b1f5c13b
SHA512 4867b5c9a8aceb189fc49b6c270b0aee1f25c6daff30c2d67a9c7b34b2ec77aab83f36df4c379ccfb7df9eb18f0568f9dd534400375204fcafb3e92b79304760

C:\Windows\Installer\MSI6340.tmp

MD5 9c023adf5ede661ee2a0a5b189afbf5d
SHA1 f1f6e1b9f8d022d4710c10c70f1a512e0b66b43f
SHA256 861c150262a7609779c0ea46ac5d6a21f3537a3ecdadb3e9011e71ca6095dc09
SHA512 ac4650c16703eb7885efcb7036d1d3eae3a052ec5c2a493a26817df944521595ed993b8dde5454a7d37afc241c54d651f0240c92ed6329b036d642ea370e1b9d

C:\Windows\Installer\MSI646C.tmp

MD5 cc5ee31f6c41c9837536116fa39e950a
SHA1 a2103322536c027b89106a911f038f512ab8ae4d
SHA256 42d53a13c1feafa293e86bd5d950ff307fca5f4938de82074e61f61cacd46473
SHA512 aaccbcd16d17171ae80c7c608856be3a318dbde83ad54c3484430923d0cd11984565804f5597e997fa842c7f942533f64c741a6f297761754349f5fb953770a0

C:\Windows\Installer\MSI66E0.tmp

MD5 277fda69f225dd35f4e9973c62559dec
SHA1 4e1dc3dedd95034666c877dd1825df56e8db745e
SHA256 4432a6c1d40bf169f815bb47e8e26cbd03b020f30b72030cf2e782d8aa1cc831
SHA512 60c30a685d65fec61e39ecdace8f17ba546c7971f2c2741eeffdedd5b917169231f878c4870a9c255a68f26b28b3017903cf7ecf0f767d364ab338d8c25d0b9b

C:\Windows\Installer\MSI67CE.tmp

MD5 85221b3bcba8dbe4b4a46581aa49f760
SHA1 746645c92594bfc739f77812d67cfd85f4b92474
SHA256 f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f
SHA512 060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

C:\Config.Msi\f76e00b.rbs

MD5 807ce90463c92b3106f49359359313b6
SHA1 060c814205d4d92c52bba0e5e67a2ada452a2593
SHA256 8a15675b8f4341c4a39ba0b7980ed5c145a73dc055288e313733ece0fb004d48
SHA512 cdad3ae443e1f4e448e30ca78571128a6543aadc197cec33a9f2de9ab2f1ed1f83c2476891a38a15c963df3b492ea5d39547a93bcce735f409ad5ec2f053f57b

C:\Config.Msi\f76e013.rbs

MD5 0067af9412d4c3e272db855eef464b96
SHA1 f489c15f6ed330cd6deaa6104cd11bd6f4bb80ea
SHA256 fd5eb5b0c0af991e06623566878270a57208eae682eb96c2767577477d525ba2
SHA512 b2cda8fae3dffc26cea2534aff500264e59aa0d92ee1ac16b9e01426990300bc545f6aecef049a1780d9c3deed91c027ac78a5b4ca17d5fddcb05cf39f433f07

C:\Config.Msi\f76e017.rbs

MD5 3383f31d1e8cd980c08f5357e21cbf3b
SHA1 39f33cc209a53de7a52ab79d336253f8f4186937
SHA256 d996aa7385efcfc22d62c6470bced95f06e9e7fe5825a0fddd155e89a9569545
SHA512 67f3abbb87bbd54b7a466af655143d6a4ce7ba9b87fc35dbb2ff0226bdff98a4724b4de8e726bd07613dd18137fb3e256ea0e73bd4fc94244674322a8bf44143

C:\Config.Msi\f76e01b.rbs

MD5 143299ccb1de4573ff3b64bcf0dfef0a
SHA1 409241d4db9ea0cbb904135f3d0368d9ca6729ec
SHA256 9ad21d59a90825fc0e01fa2b4ad80ac7471e090648247748354eccf13efcd662
SHA512 3b830ea2292990118d4ebfe429a25c961a280a45a9af531a8078cdc414594e0147a3e2dcd56892dfbae85c33f75dda590ea756624ed4a61ed09dd145c6296481

C:\Config.Msi\f76e01f.rbs

MD5 44c3e7ef6e026c488eb2d8d8ac9ac594
SHA1 c0966c063a4d74ab01678a93d535929b04d9092d
SHA256 fe2e24331e3da1457514cef19b2924f7792c27d4c0cafe1e92ba35b8471c3903
SHA512 dbd44a2c13d24b3f9fa223f46afeabe62e72e1e8fc2dd8de8a09fce87f65cc425c1e930bd84b190fd8ebb6797a7be6ef178da0144b4800ce36e04c64183d9fd7

C:\Config.Msi\f76e023.rbs

MD5 c86a2d5e456272f59aa17b6d114a2372
SHA1 9f2fcb1afcfc289da656b92bbdd362339bdd1244
SHA256 a2222b4d573939a56b9694ef68f974b55a21958af17d2118c705e588b04ca359
SHA512 434caad22f22d7747cb4ad24f23c0388d1948f79ab31b8f5213b7f051ab425c08acb4e8bbeeadf76ec671955794ad848b2c0fd65776d5349a7d20f81fa534b55

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-01 21:17

Reported

2024-05-01 21:21

Platform

win10v2004-20240419-en

Max time kernel

141s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe"

Signatures

PrivateLoader

loader privateloader

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLXAlbumDownloadWizard.exe C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLXAlbumDownloadWizard.exe\CWDIllegalInDllSearch = "4294967295" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MovieMaker.exe C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MovieMaker.exe\CWDIllegalInDllSearch = "4294967295" C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\4gnkc157\v7n8i19u.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\oxn422ri\imxe1f9p.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\u8wrkqzc\ra86dy6k.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\y9mzp14r\0coupy19.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\eonr4zy4\5swsjb9a.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\nwhdwtk8\pzztmi4k.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\z2l70du6\1r1j1hp0.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\0zw6a798\bm2ex01v.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\n747du3f\ssxl4o9j.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\l9sncgw8\7kk874sv.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\2wkvgnaq\cedtkp5c.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\fumfz07y\s6w903kx.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\md65gl97\v3ro364v.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\fwzz3wsh\kphy9ogx.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\xdotjgj9\om4f5gpo.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\z3vu74rp\izsocva8.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\lq2fasep\8nxx29ii.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\myns44gd\raiapyg8.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\gfojbsg0\z0oihpku.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\29gct92p\wctuq0y4.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\w0pp9t5q\6pkpusx4.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\v2dva0xq\e8c85nyl.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\gys4882u\i420ou7r.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\39ce0fa51da9c0d01\DXSETUP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DX4E2B.tmp\infinst.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\3aba18a31da9c0d03\DXSETUP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DX52BF.tmp\infinst.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\3a4a0a4a1da9c0d02\DXSETUP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DX561A.tmp\infinst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DX561A.tmp\infinst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DX561A.tmp\infinst.exe N/A
N/A N/A C:\Windows\Installer\MSI9C7A.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\39ce0fa51da9c0d01\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\39ce0fa51da9c0d01\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\39ce0fa51da9c0d01\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\39ce0fa51da9c0d01\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\3aba18a31da9c0d03\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\3aba18a31da9c0d03\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\3aba18a31da9c0d03\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\3aba18a31da9c0d03\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\3a4a0a4a1da9c0d02\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\3a4a0a4a1da9c0d02\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\3a4a0a4a1da9c0d02\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\3a4a0a4a1da9c0d02\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\3a4a0a4a1da9c0d02\DXSETUP.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\InProcServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00F346CB-35A4-465B-8B8F-65A29DBAB1F6}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00F3712A-CA79-45B4-9E4D-D7891E7F8B9D}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00F30F90-3E96-453B-AFCD-D71989ECC2C7}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{58FC39EB-9DBD-4EA7-B7B4-9404CC6ACFAB}\LocalServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00F30F90-3E96-453B-AFCD-D71989ECC2C7}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00F33137-EE26-412F-8D71-F84E4C2C6625}\InprocServer32\ = "C:\\Program Files (x86)\\Windows Live\\Photo Gallery\\PhotoViewerShimx64.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\InProcServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\InProcServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\InProcServer32\ = "C:\\Windows\\system32\\XAudio2_7.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00F30F90-3E96-453B-AFCD-D71989ECC2C7}\InprocServer32\ = "C:\\Program Files (x86)\\Windows Live\\Photo Gallery\\PhotoViewerShimx64.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\InProcServer32\ = "C:\\Windows\\system32\\XAudio2_7.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\InProcServer32\ = "C:\\Windows\\system32\\XAudio2_7.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{58FC39EB-9DBD-4EA7-B7B4-9404CC6ACFAB}\LocalServer32\ = "C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\DWTRIG20.EXE -s" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00F346CB-35A4-465B-8B8F-65A29DBAB1F6}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00F346CB-35A4-465B-8B8F-65A29DBAB1F6}\InprocServer32\ = "C:\\Program Files (x86)\\Windows Live\\Photo Gallery\\PhotoViewerShimx64.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00F3712A-CA79-45B4-9E4D-D7891E7F8B9D}\InprocServer32\ = "C:\\Program Files (x86)\\Windows Live\\Photo Gallery\\PhotoViewerShimx64.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00F3712A-CA79-45B4-9E4D-D7891E7F8B9D}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00F33137-EE26-412F-8D71-F84E4C2C6625}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00F33137-EE26-412F-8D71-F84E4C2C6625}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\SET5407.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\3aba18a31da9c0d03\DXSETUP.exe N/A
File opened for modification C:\Windows\SysWOW64\d3dx10_42.dll C:\Program Files (x86)\Common Files\Windows Live\.cache\3aba18a31da9c0d03\DXSETUP.exe N/A
File created C:\Windows\SysWOW64\SET584C.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\3a4a0a4a1da9c0d02\DXSETUP.exe N/A
File created C:\Windows\SysWOW64\D3DCompiler_41.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\d3dx11_43.dll C:\Program Files (x86)\Common Files\Windows Live\.cache\3a4a0a4a1da9c0d02\DXSETUP.exe N/A
File created C:\Windows\system32\SET581E.tmp C:\Users\Admin\AppData\Local\Temp\DX561A.tmp\infinst.exe N/A
File created C:\Windows\SysWOW64\d3dx10_41.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\d3dx9_32.dll C:\Program Files (x86)\Common Files\Windows Live\.cache\39ce0fa51da9c0d01\DXSETUP.exe N/A
File opened for modification C:\Windows\SysWOW64\SET5407.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\3aba18a31da9c0d03\DXSETUP.exe N/A
File created C:\Windows\SysWOW64\SET57DF.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\3a4a0a4a1da9c0d02\DXSETUP.exe N/A
File opened for modification C:\Windows\system32\XAPOFX1_5.dll C:\Users\Admin\AppData\Local\Temp\DX561A.tmp\infinst.exe N/A
File opened for modification C:\Windows\system32\SET589C.tmp C:\Users\Admin\AppData\Local\Temp\DX561A.tmp\infinst.exe N/A
File opened for modification C:\Windows\system32\SET505D.tmp C:\Users\Admin\AppData\Local\Temp\DX4E2B.tmp\infinst.exe N/A
File opened for modification C:\Windows\system32\SET5455.tmp C:\Users\Admin\AppData\Local\Temp\DX52BF.tmp\infinst.exe N/A
File opened for modification C:\Windows\SysWOW64\SET5772.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\3a4a0a4a1da9c0d02\DXSETUP.exe N/A
File opened for modification C:\Windows\SysWOW64\D3DCompiler_43.dll C:\Program Files (x86)\Common Files\Windows Live\.cache\3a4a0a4a1da9c0d02\DXSETUP.exe N/A
File opened for modification C:\Windows\SysWOW64\SET586D.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\3a4a0a4a1da9c0d02\DXSETUP.exe N/A
File created C:\Windows\system32\SET589C.tmp C:\Users\Admin\AppData\Local\Temp\DX561A.tmp\infinst.exe N/A
File opened for modification C:\Windows\SysWOW64\SET4FD1.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\39ce0fa51da9c0d01\DXSETUP.exe N/A
File created C:\Windows\system32\SET5455.tmp C:\Users\Admin\AppData\Local\Temp\DX52BF.tmp\infinst.exe N/A
File created C:\Windows\system32\SET57B0.tmp C:\Users\Admin\AppData\Local\Temp\DX561A.tmp\infinst.exe N/A
File created C:\Windows\SysWOW64\SET586D.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\3a4a0a4a1da9c0d02\DXSETUP.exe N/A
File opened for modification C:\Windows\system32\d3dx9_32.dll C:\Users\Admin\AppData\Local\Temp\DX4E2B.tmp\infinst.exe N/A
File created C:\Windows\system32\SET505D.tmp C:\Users\Admin\AppData\Local\Temp\DX4E2B.tmp\infinst.exe N/A
File opened for modification C:\Windows\system32\d3dx10_42.dll C:\Users\Admin\AppData\Local\Temp\DX52BF.tmp\infinst.exe N/A
File created C:\Windows\SysWOW64\SET5772.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\3a4a0a4a1da9c0d02\DXSETUP.exe N/A
File opened for modification C:\Windows\system32\d3dx11_43.dll C:\Users\Admin\AppData\Local\Temp\DX561A.tmp\infinst.exe N/A
File opened for modification C:\Windows\system32\SET57B0.tmp C:\Users\Admin\AppData\Local\Temp\DX561A.tmp\infinst.exe N/A
File opened for modification C:\Windows\SysWOW64\SET57DF.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\3a4a0a4a1da9c0d02\DXSETUP.exe N/A
File opened for modification C:\Windows\system32\D3DCompiler_43.dll C:\Users\Admin\AppData\Local\Temp\DX561A.tmp\infinst.exe N/A
File opened for modification C:\Windows\system32\SET581E.tmp C:\Users\Admin\AppData\Local\Temp\DX561A.tmp\infinst.exe N/A
File opened for modification C:\Windows\SysWOW64\XAudio2_7.dll C:\Program Files (x86)\Common Files\Windows Live\.cache\3a4a0a4a1da9c0d02\DXSETUP.exe N/A
File opened for modification C:\Windows\SysWOW64\XAPOFX1_5.dll C:\Program Files (x86)\Common Files\Windows Live\.cache\3a4a0a4a1da9c0d02\DXSETUP.exe N/A
File created C:\Windows\system32\SET589B.tmp C:\Users\Admin\AppData\Local\Temp\DX561A.tmp\infinst.exe N/A
File created C:\Windows\SysWOW64\SET4FD1.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\39ce0fa51da9c0d01\DXSETUP.exe N/A
File opened for modification C:\Windows\SysWOW64\SET584C.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\3a4a0a4a1da9c0d02\DXSETUP.exe N/A
File opened for modification C:\Windows\system32\XAudio2_7.dll C:\Users\Admin\AppData\Local\Temp\DX561A.tmp\infinst.exe N/A
File opened for modification C:\Windows\system32\SET589B.tmp C:\Users\Admin\AppData\Local\Temp\DX561A.tmp\infinst.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Live\Shared\wliduxhc.thm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\FanUpTransitionTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\3b7b36c81da9c0d07\WLXSuite.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.1\sqlceer30EN.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Shared\WLMFDS.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\PanAndZoomEffectZoomInFullToTopRightTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\3e7628531da9c0d11\PhotoLibrary.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Shared\WLMFReadWrite.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\HeartTransitionTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\RippleEffectTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\Spin360EffectTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\TextEffectContemporaryFade2Template.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Shared\en\uxctlloc.dll.mui C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\BowTieVerticalTransitionTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\WipeNormalDownTransitionTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\InsetUpLeftTransitionTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\3aba18a31da9c0d03\DXSETUP.exe C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\3c9951a41da9c0d0b\Contacts.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Windows Live\.cache\cache.ini C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\WLXVideoTrim.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\InsetDownRightTransitionTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\en\WLXVideoAcquireWizardResources.dll.mui C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\WLXImageTranscode.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\FadeLowerThirdTextScript.wlms C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\TextEffectFlyInLeftTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\WhirlwindTransitionTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoVoyager.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Contacts\ObjectStore.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\DiagonalDownRightTransitionTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\DiamondTransitionTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\SlideUpCenterTransitionTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Shared\wlbici.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\WLXMediaPublishSubscribe.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.1\sqlcese30.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\PhotoViewerShim.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\WLXQuickTimeControlHostPS.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\BlurThroughBlackTransitionTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\FadeOutToBlackEffectTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\WLFlickrPlugin.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\TextEffectBigZoomTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\TextEffectCinematicTitleTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\ZigzagVerticalTransitionTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\PublishPluginsInterop.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\HueEffectTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\PanAndZoomEffectZoomInFullToRightMiddleTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\WLXTranscode.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\FlipTransitionTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\3c83dbf91da9c0d0a\soxe.core.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\433926c91da9c0d17\MovieMakerLang.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\ShatterInTransitionTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\SlideTransitionTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\3a4a0a4a1da9c0d02\Jun2010_XAudio_x64.cab C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\3aba18a31da9c0d03\Aug2009_d3dx10_42_x64.cab C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\3a4a0a4a1da9c0d02\Jun2010_D3DCompiler_43_x64.cab C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\PanAndZoomEffectZoomOutRightMiddleToFullTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\Contemporary2TransitionTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\SplitHorizontalTransitionTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\TextEffectContemporaryFlyInLeft2Template.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\WheelTransitionTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\3a4a0a4a1da9c0d02\dsetup32.dll C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Windows Live\Installer\en\startuplang.dll.mui C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Installer\LangSelector.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Shared\uxcontacts.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\e585abd.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e585add.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Logs\DirectX.log C:\Users\Admin\AppData\Local\Temp\DX561A.tmp\infinst.exe N/A
File created C:\Windows\Installer\SourceHash{E9FA781F-3E80-4399-825A-AD3E11C28C77} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\8CDD41E806AE81E43B3E917301D4B5AD C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e585abf.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{1D6432B4-E24D-405E-A4AB-D7E6D088CBC9} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e585ae1.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Logs\DirectX.log C:\Users\Admin\AppData\Local\Temp\DX52BF.tmp\infinst.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240501211946628.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9135.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}\ProductIcon C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\8CDD41E806AE81E43B3E917301D4B5AD\16.4.1108\F_CENTRAL_vccorlib110_x86.F9D0B380_EB85_31D4_96AC_C6CB40086A55 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\F187AF9E08E3993428A5DAE3112CC877\16.4.1109\F_CENTRAL_msvcr110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\F187AF9E08E3993428A5DAE3112CC877\16.4.1109\F_CENTRAL_msvcp110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e585acf.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e585adb.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e585ae6.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Logs\DirectX.log C:\Program Files (x86)\Common Files\Windows Live\.cache\39ce0fa51da9c0d01\DXSETUP.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI989E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9C5A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI705C.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{41C61308-6CFD-4D54-AB6A-7136ED08A18E} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI88B7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8EA4.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9A75.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA16E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8028.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6A01.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\F187AF9E08E3993428A5DAE3112CC877\16.4.1109\F_CENTRAL_vccorlib110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e585abd.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI983F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\DirectX.log C:\Users\Admin\AppData\Local\Temp\DX4E2B.tmp\infinst.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240501211946613.0\msvcr90.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6CFF.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e585ab9.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7435.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI828B.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e585ad1.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WLXPGSS.SCR C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Logs\DirectX.log C:\Program Files (x86)\Common Files\Windows Live\.cache\3a4a0a4a1da9c0d02\DXSETUP.exe N/A
File created C:\Windows\Installer\e585aae.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{6522F5F9-411B-4513-A75B-CEA00395F032} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e585ade.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240501211946644.1\9.0.30729.4148.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240501211946613.0\msvcm90.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240501211953707.0\msvcp80.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e585ad5.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240501211946628.0\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa.manifest C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI74C3.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{659CB81C-B54E-4DF1-B618-F35777393A54} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e585aba.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7842.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8048.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI82CB.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBDD5.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240501211946628.0\vcomp90.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240501211946644.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB883.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e585ab7.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI93E6.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240501211953707.0\msvcm80.dll C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000828eb54ef8e6371f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000828eb54e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900828eb54e000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d828eb54e000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000828eb54e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{380689D0-AFAA-47E6-B80E-A33436FE314B}\ = "Windows Live Contact Database" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{380689D0-AFAA-47E6-B80E-A33436FE314B}\AppPath = "C:\\Program Files (x86)\\Windows Live\\Contacts\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{380689D0-AFAA-47E6-B80E-A33436FE314B}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Version Vector C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Version Vector\WLPG = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9019d14b-638d-4383-bb95-441b7f57eafb} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9019d14b-638d-4383-bb95-441b7f57eafb}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{380689D0-AFAA-47E6-B80E-A33436FE314B} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9019d14b-638d-4383-bb95-441b7f57eafb}\AppPath = "C:\\Program Files (x86)\\Windows Live\\Installer\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9019d14b-638d-4383-bb95-441b7f57eafb}\AppName = "wlstartup.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{380689D0-AFAA-47E6-B80E-A33436FE314B}\AppName = "wlcomm.exe" C:\Windows\system32\msiexec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\37 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\3c C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2F C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\34 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\30 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\31 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\33 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\36 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\36 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\3C C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\3d C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\39 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2d C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\31\52C64B7E C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\33 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\35 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\38 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\39 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\3b C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2f C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\30 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\31\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\3e C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2C C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\31\52C64B7E\@%systemroot%\system32\FirewallControlPanel.dll,-12122 = "Windows Defender Firewall" C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\38 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\3a C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\3A C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\3B C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\35 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\37 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\34 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\3D C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2B C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\31 C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8CDD41E806AE81E43B3E917301D4B5AD\ProductName = "MSVCRT110" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0003981D77AEC394D8DD2E2634E659B9\Language = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{600FA303-4E2D-4C85-989D-5CA19A41D121} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{483A53CD-EF18-4B19-8AA3-2E2E3214EB41}\TypeLib\ = "{EF401225-1260-4716-A842-7D180DC14C1E}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A5FA3C31-EA68-4A02-AC07-7C64D64B6E7F}\TypeLib\Version = "10.4" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{015A3968-837D-4D35-BD89-C9A4C5750DDC}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4CBEE322-1627-41F4-B655-AE18F6B088A1}\NumMethods\ = "9" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3FBB103C-F1B9-47DC-9EB3-A0C07F5F6AFA}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5AB59828-D660-489E-AC97-F1996D5129B0}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{8FBB844D-953A-4D0C-9A2C-DB1327A0C89F}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66BB2723-7E7D-4AB3-BD1F-843CCF00B640}\TypeLib\ = "{A5FA3C00-EA68-4A02-AC07-7C64D64B6E7F}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D84A00B2-87F0-4285-848E-3C833E82F4C0}\ = "ILiveTransportIdentityServiceCom" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WLXAutoPlayMgr.WLXHWEventHandler.1\ = "WLXHWEventHandler Class" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.WLMP\OpenWithList\MovieMaker.exe C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8CDD41E806AE81E43B3E917301D4B5AD\PackageCode = "1739CF8EBF5A4504CBA2DB826C3F5138" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9BE8AE00-AF70-4C02-BC1E-9BC069D84030}\ProxyStubClsid32\ = "{81C55BCB-3490-436A-9F94-A264C15BFC54}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WindowsLive.PhotoGallery.jpg.16.4\shell\preview\command C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00F30F90-3E96-453B-AFCD-D71989ECC2C7}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{32A7EBE8-A0FA-4A9C-A402-E0DA8E95A060}\ = "ISqmAdapter" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03F8D437-1586-46AF-B78E-D4FA71943E4A}\InprocServer32\ = "C:\\Program Files (x86)\\Windows Live\\Contacts\\ObjectStore.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{B90B14DA-6965-4BEA-8A2D-BD910041B941}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A937E757-3D1C-4FB3-BAA7-99F68F4CAA88}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CE55E82-C49F-4E21-BFF8-6E59B819576A}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3519154C-227E-47F3-9CC9-12C3F05817F1}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6DC016B3-B4A5-4B29-8582-0D6FE5F56BF9}\NumMethods\ = "6" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{581376AA-EB28-4689-A5FF-E2E042506CFF}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.mpa\OpenWithList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C18BC956E45B1FD46B813F757793A345\SourceList\LastUsedSource = "n;1;C:\\Program Files (x86)\\Common Files\\Windows Live\\.cache\\3b7b36c81da9c0d07\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Microsoft.LivePhotoAcqDTShim.1\CLSID C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WindowsLive.PhotoGallery.video.16.4\DefaultIcon C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.mpeg\OpenWithList\WLXPhotoViewer.dll C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wvx\OpenWithProgIds\WindowsLive.PhotoGallery.video.16.4 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D84A00B2-87F0-4285-848E-3C833E82F4C0} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F89A7F69-0506-4071-874F-42FC2D729601}\VersionIndependentProgID\ = "Microsoft.Photos.LiveSlideshow.ClassicTheme" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E30A45E6-1916-4659-95EE-035E62DB9AB0}\LocalServer32\ = "\"C:\\Program Files (x86)\\Windows Live\\Photo Gallery\\WLXCodecHost.exe\"" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WindowsLive.PhotoGallery.raw.16.4\shell\preview\DropTarget C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.mpeg\OpenWithProgIds C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{508B548F-252D-45C2-91BB-2E6E9164D81C}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{E84D0D46-3D57-4039-9EFE-310AF1CAF92A}\ProgID C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A0F97DCA-FFA8-48DE-AB20-7782040C67A9}\TypeLib\ = "{A5FA3C00-EA68-4A02-AC07-7C64D64B6E7F}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{080D5974-4B61-458B-921B-17628E423713}\ = "WMT DV Extract Filter" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Microsoft.Photos.LiveSlideshow.CinematicFullScreen1.1 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C0613A5-8F7A-4252-859E-980DE2DFE2B0}\ = "ISSCEErrors" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Photos.LiveSlideshow.ClassicTheme\CurVer\ = "Microsoft.Photos.LiveSlideshow.ClassicTheme.1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WindowsLive.PhotoGallery.ico.16.4\FriendlyTypeName = "@%ProgramFiles(x86)%\\Windows Live\\Photo Gallery\\regres.dll,-3077" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE181FAB-D331-4D48-9443-18C395B853B0}\TypeLib\ = "{A5FA3C00-EA68-4A02-AC07-7C64D64B6E7F}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{120E3B77-B437-48AD-94F1-653BA199CC5C}\NumMethods\ = "8" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D5A7D0E-9A06-4E17-85D9-A0B24036371D}\VersionIndependentProgID\ = "Microsoft.LivePhotoPickerDialog" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{BF620143-7420-460A-9EEE-178B78D4939D} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Photos.LiveSlideshow.VoyagerThemeFlip\CurVer\ = "Microsoft.Photos.LiveSlideshow.VoyagerThemeFlip.1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{A98858BE-062E-41FD-B46A-E1BA5F61794B} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3E96782C-FAB2-4552-ADB8-4F3CC70FFE8B}\ = "ISimpleContact" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FBB844D-953A-4D0C-9A2C-DB1327A0C89F}\ProxyStubClsid32\ = "{F2AC1396-CF5A-4A0D-88FA-32EBBC4D4632}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE9495E5-76C2-487A-85C0-2F7127CF359E}\ = "ILiveSocialNewsActivityIdData" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0DDA997F-E7FA-404B-B3D3-F1610807FB66}\TypeLib\ = "{7B996FF4-FFF2-4573-9728-C1A612BD8592}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A5FA3C12-EA68-4A02-AC07-7C64D64B6E7F}\ = "ILivePlatformFactory" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.mpe\OpenWithList\WLXPhotoViewer.dll C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{636F33CF-E833-4761-BD18-60C1902529F2}\ = "BinaryObjectSyncRequestFactory" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0E12FF79-7432-437B-A7EB-7EDB35E76217}\NumMethods\ = "42" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.LivePhotoAcqOptionsDlg.1\ = "LivePhotoAcquireOptionsDialog" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7F2CE947-4E80-446D-9AE4-17DD9D82A353}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D8D19C8-0A33-45A4-9B3E-255B85C363A8}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{600FA302-4E2D-4C85-989D-5CA19A41D121}\TypeLib\ = "{A5FA3C00-EA68-4A02-AC07-7C64D64B6E7F}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75278229-E27B-4370-A85F-FFD82CC1F1EA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3048 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\4gnkc157\v7n8i19u.exe
PID 3048 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\4gnkc157\v7n8i19u.exe
PID 3048 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\4gnkc157\v7n8i19u.exe
PID 3048 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\oxn422ri\imxe1f9p.exe
PID 3048 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\oxn422ri\imxe1f9p.exe
PID 3048 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\oxn422ri\imxe1f9p.exe
PID 3048 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\u8wrkqzc\ra86dy6k.exe
PID 3048 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\u8wrkqzc\ra86dy6k.exe
PID 3048 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\u8wrkqzc\ra86dy6k.exe
PID 3048 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\y9mzp14r\0coupy19.exe
PID 3048 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\y9mzp14r\0coupy19.exe
PID 3048 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\y9mzp14r\0coupy19.exe
PID 3048 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\eonr4zy4\5swsjb9a.exe
PID 3048 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\eonr4zy4\5swsjb9a.exe
PID 3048 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\eonr4zy4\5swsjb9a.exe
PID 3048 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\nwhdwtk8\pzztmi4k.exe
PID 3048 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\nwhdwtk8\pzztmi4k.exe
PID 3048 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\nwhdwtk8\pzztmi4k.exe
PID 3048 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\z2l70du6\1r1j1hp0.exe
PID 3048 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\z2l70du6\1r1j1hp0.exe
PID 3048 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\z2l70du6\1r1j1hp0.exe
PID 3048 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\gfojbsg0\z0oihpku.exe
PID 3048 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\gfojbsg0\z0oihpku.exe
PID 3048 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\gfojbsg0\z0oihpku.exe
PID 3048 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\29gct92p\wctuq0y4.exe
PID 3048 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\29gct92p\wctuq0y4.exe
PID 3048 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\29gct92p\wctuq0y4.exe
PID 3048 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\l9sncgw8\7kk874sv.exe
PID 3048 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\l9sncgw8\7kk874sv.exe
PID 3048 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\l9sncgw8\7kk874sv.exe
PID 3048 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\2wkvgnaq\cedtkp5c.exe
PID 3048 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\2wkvgnaq\cedtkp5c.exe
PID 3048 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\2wkvgnaq\cedtkp5c.exe
PID 3048 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\fumfz07y\s6w903kx.exe
PID 3048 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\fumfz07y\s6w903kx.exe
PID 3048 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\fumfz07y\s6w903kx.exe
PID 3048 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\md65gl97\v3ro364v.exe
PID 3048 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\md65gl97\v3ro364v.exe
PID 3048 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\md65gl97\v3ro364v.exe
PID 3048 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\fwzz3wsh\kphy9ogx.exe
PID 3048 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\fwzz3wsh\kphy9ogx.exe
PID 3048 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\fwzz3wsh\kphy9ogx.exe
PID 3048 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\xdotjgj9\om4f5gpo.exe
PID 3048 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\xdotjgj9\om4f5gpo.exe
PID 3048 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\xdotjgj9\om4f5gpo.exe
PID 3048 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\z3vu74rp\izsocva8.exe
PID 3048 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\z3vu74rp\izsocva8.exe
PID 3048 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\z3vu74rp\izsocva8.exe
PID 3048 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\lq2fasep\8nxx29ii.exe
PID 3048 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\lq2fasep\8nxx29ii.exe
PID 3048 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\lq2fasep\8nxx29ii.exe
PID 3048 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\myns44gd\raiapyg8.exe
PID 3048 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\myns44gd\raiapyg8.exe
PID 3048 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\myns44gd\raiapyg8.exe
PID 3048 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\gfojbsg0\z0oihpku.exe
PID 3048 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\gfojbsg0\z0oihpku.exe
PID 3048 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\gfojbsg0\z0oihpku.exe
PID 3048 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\29gct92p\wctuq0y4.exe
PID 3048 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\29gct92p\wctuq0y4.exe
PID 3048 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\29gct92p\wctuq0y4.exe
PID 3048 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\w0pp9t5q\6pkpusx4.exe
PID 3048 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\w0pp9t5q\6pkpusx4.exe
PID 3048 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\w0pp9t5q\6pkpusx4.exe
PID 3048 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\v2dva0xq\e8c85nyl.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe

"C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\4gnkc157\v7n8i19u.exe

v7n8i19u.exe v19o4ogh.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\oxn422ri\imxe1f9p.exe

imxe1f9p.exe gi3areoq.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\u8wrkqzc\ra86dy6k.exe

ra86dy6k.exe dgbrnyc0.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\y9mzp14r\0coupy19.exe

0coupy19.exe 5ym8ttku.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\eonr4zy4\5swsjb9a.exe

5swsjb9a.exe 6cc02wx3.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\nwhdwtk8\pzztmi4k.exe

pzztmi4k.exe 1q58q6mp.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\z2l70du6\1r1j1hp0.exe

1r1j1hp0.exe anga8rwr.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\0zw6a798\bm2ex01v.exe

bm2ex01v.exe emcdqxd8.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\n747du3f\ssxl4o9j.exe

ssxl4o9j.exe e68trmsh.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\l9sncgw8\7kk874sv.exe

7kk874sv.exe sbw1cn63.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\2wkvgnaq\cedtkp5c.exe

cedtkp5c.exe ue3we1gk.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\fumfz07y\s6w903kx.exe

s6w903kx.exe 528awnb6.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\md65gl97\v3ro364v.exe

v3ro364v.exe btvygr5v.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\fwzz3wsh\kphy9ogx.exe

kphy9ogx.exe jd8ijiot.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\xdotjgj9\om4f5gpo.exe

om4f5gpo.exe 8uj1hoht.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\z3vu74rp\izsocva8.exe

izsocva8.exe qavzvej9.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\lq2fasep\8nxx29ii.exe

8nxx29ii.exe y5m509no.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\myns44gd\raiapyg8.exe

raiapyg8.exe eq5ys233.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\gfojbsg0\z0oihpku.exe

z0oihpku.exe n7fx28jz.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\29gct92p\wctuq0y4.exe

wctuq0y4.exe umu9sx12.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\w0pp9t5q\6pkpusx4.exe

6pkpusx4.exe uhc8evq9.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\v2dva0xq\e8c85nyl.exe

e8c85nyl.exe tveg53c5.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\gys4882u\i420ou7r.exe

i420ou7r.exe no46y2mr.tmp

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Program Files (x86)\Common Files\Windows Live\.cache\39ce0fa51da9c0d01\DXSETUP.exe

"C:\Program Files (x86)\Common Files\Windows Live\.cache\39ce0fa51da9c0d01\DXSETUP.exe" /silent

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3

C:\Users\Admin\AppData\Local\Temp\DX4E2B.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DX4E2B.tmp\infinst.exe d3dx9_32_x64.inf

C:\Program Files (x86)\Common Files\Windows Live\.cache\3aba18a31da9c0d03\DXSETUP.exe

"C:\Program Files (x86)\Common Files\Windows Live\.cache\3aba18a31da9c0d03\DXSETUP.exe" /silent

C:\Users\Admin\AppData\Local\Temp\DX52BF.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DX52BF.tmp\infinst.exe d3dx10_42_x64.inf

C:\Program Files (x86)\Common Files\Windows Live\.cache\3a4a0a4a1da9c0d02\DXSETUP.exe

"C:\Program Files (x86)\Common Files\Windows Live\.cache\3a4a0a4a1da9c0d02\DXSETUP.exe" /silent

C:\Users\Admin\AppData\Local\Temp\DX561A.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DX561A.tmp\infinst.exe d3dx11_43_x64.inf

C:\Users\Admin\AppData\Local\Temp\DX561A.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DX561A.tmp\infinst.exe D3DCompiler_43_x64.inf

C:\Users\Admin\AppData\Local\Temp\DX561A.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DX561A.tmp\infinst.exe XAudio2_7_x64.inf

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\XAudio2_7.dll

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 5E5C3783503A87DA0A743DC3D951DD39

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 21DCB84B9622A7AA19B1AA5E5654E8AE

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 5CFD420159F9FEA665AD48A3F10D0892 E Global\MSI0000

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /Create /tn "Microsoft\Windows Live\SOXE\Extractor Definitions Update Task" /xml "C:\ProgramData\Microsoft\Windows Live\SOXE\updaterTask.xml" /F

C:\Windows\Installer\MSI9C7A.tmp

"C:\Windows\Installer\MSI9C7A.tmp" -i

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
IE 68.219.88.225:80 g.live.com tcp
US 8.8.8.8:53 www.msn.com udp
US 204.79.197.203:80 www.msn.com tcp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 225.88.219.68.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 17.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
US 8.8.8.8:53 49.15.97.104.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
IE 68.219.88.225:80 g.live.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 ls2web.redmond.corp.microsoft.com udp
US 8.8.8.8:53 ssw.live.com udp
US 40.90.130.194:80 ssw.live.com tcp
US 8.8.8.8:53 sqm.microsoft.com udp
US 8.8.8.8:53 194.130.90.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\050121~1\tmp52F2.tmp

MD5 8274c233094ab59f40135619f32848cc
SHA1 cb588154fc7e951e0199d2a56dc494010e7a994f
SHA256 ac1a5b92fc478ed69aec3d94c6c0ba328789bb4e44a9c56598a4f961edfcb09c
SHA512 08434975e41233ac9efe507d87743fa3962321b2b556b1066514745d9a885f62ceab2d0bb6eb8d045186e5b9d1efee561851a7fdd5726495658ebf4d7693d105

C:\PROGRA~3\MICROS~1\WLSetup\wlt54AA.tmp

MD5 cbf9a63a3faccbb98f8056b9ee1118e3
SHA1 2a1404023097cdfc07a578e0a8b5b5abe4db7b90
SHA256 21679dca7b22f90fb864b4a30d7ef032710804b04bfd9c369305f50d8ad6e81c
SHA512 b20458b6c80503e62a282c872dfa4fb40b53bbc079ab43ce721f47910b72cc7e5cb77123b5da8e4b72fb0a2b87b4151bd5467ef7fa2f7424ed49762b25184d47

C:\Program Files (x86)\Common Files\Windows Live\.cache\cache.ini

MD5 6bba5a7ea205b00474d9073b1a75f67e
SHA1 6f501f39be35fd6e29753a7e648d1f040e733bcf
SHA256 e63258d9621253183e15b4ae01438f85cd94f2391493d127134e3b4d4e00f0b7
SHA512 95d23a109c61bac6ca1ca7d6c77ba26d6221f078548353d0c62bf4e9897b3ab7bc3ea3eafe5e2458852f37ab733dc92a9bb4101eee01a67bf6c8f67c761158e7

C:\PROGRA~3\MICROS~1\WLSetup\wltEBFA.tmp

MD5 6df4dd5ef40cdb035d1851ecb495d498
SHA1 5c8752da038c7218d6d3bb2d0217f1a40a2a2da3
SHA256 cd4a58a31dd7dbabffbff3a16f1771e500480b6054581ab9f5c6c029807931df
SHA512 8f6ed579df5822869c9f16f579ffb32be3c2218b7b898b97976d1f9099fc47d6703740fc9e6894328eda42c8f141b579c8ea3f074214a5b73a3284d67279a75e

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\4gnkc157\v7n8i19u.exe

MD5 b3695953f17eb4ef1c67422007304546
SHA1 a4915419b346f11d304f337f4e9bb627be5171ea
SHA256 650b8d8737e5565709c740508b41b187720eaa32edd12f8b66bacc27f2270953
SHA512 73b5aab985ca473b88d2efb3386a0c22eec12c035bf6f89e23905d58e6e5cd83d71ecf2909e06d661011da4987badc1b5a071613980260c5bc75a9e48ee93db2

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\4gnkc157\v19o4ogh.tmp

MD5 a6bcdb8f4c2995fdd878db23f9d800f1
SHA1 3d58e01f26811095e7ab09ef7ca117ffbb831276
SHA256 ef36704ed00de8491b983b191968fbb8a06d17af675de19dcf0506edee8f26be
SHA512 5f6fcf82275b567b56b59f1e9485102a6c7fa94b63d3b1f72501f498d82802b5d9d1f8650cd82e489d0616573a58ce808e1c9021ac01b2e9b8f9ec5d3e567812

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\4gnkc157\D3DX9.cab

MD5 692b02ad89ed82727a47247556320ea8
SHA1 cfb54a9792ca16d8fb8c35513015abd5ae996ea0
SHA256 ada3f11e2be0f1e9faf4634de6cf5f95eebb65d24ec6b9220b479b70fe584be2
SHA512 1a9165fe1001671ab3d3f8bc9eb7532b95848c7b0582e3aad8bad53ed90dbbca0a6df1fa154afac9f4d18184a51422ca72131e92cb977ec3e25d2d860814229a

C:\PROGRA~3\MICROS~1\WLSetup\wltEF19.tmp

MD5 5fb8878a81b4814ccbaa4c9c1a8b5702
SHA1 f53bcf0dba7960a7e085a4283d8aac8488459e15
SHA256 4cbac23a4d6e893d1038bdbe33775924ed9c48ebb6c1e43e70074c8d8b571c21
SHA512 9fa503ca6682db982e0138f81972dcf700c7264a6c3f280c68860b10aba68132a9d5a6b60f195e40b971572dbdb0e52b391cd70120c326f2ab7a6ab1c671d43b

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\oxn422ri\gi3areoq.tmp

MD5 46869c11974313746173fa325517d5d5
SHA1 ee07cc2700fd628cd55a9083b440efd394803172
SHA256 967c62f26e6556453e5a38ec192f02fd25bbb983fdd2c9ccab012528b9001dd7
SHA512 f273ac7affd55675711335e3d948d94aeb86ef8a06db0b972017f2d08ee6d3efe9ffa5ae0c10d4c3acd32a13895a4b4753a457c11f2a0ac59c1bd49eab528b29

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\oxn422ri\D3DX11_43.cab

MD5 169d9f118ff7ddc6fd8388e673c0b72d
SHA1 23c5bcfdc3e8ea04951805bcf8736f4dfd9b11ae
SHA256 82670e1c9092db7e00b9c91cf73c7b12251e4714ec66926f3bf616b2ce8df98c
SHA512 31b02fb847c0c9ac1fd01ff8e802f61d83a9e3197813f181395c7fe53d2e7096be6617ca169af1c827be97fc44c080f2b23d4a4f78e026a6d785ec4552af2ef0

C:\PROGRA~3\MICROS~1\WLSetup\wltF209.tmp

MD5 02136a305a5fcbc5b31373cb489a1a34
SHA1 c6d9d7390c781ddce4d972bc92f57a00952f32b4
SHA256 0de72fad2d446e5a49da3e8f2193dd20eedc5efc15de5f628b6f84cb58d7b00f
SHA512 1bc2e54b11e6eeca047804d77eb7f7ec9f0f3dd539e5a8ae2b7dced5653c985dcc25eec9f0f65153935f06b8d4b36f21d00c53cdaf32773e93a4bb3e244e36f5

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\u8wrkqzc\dgbrnyc0.tmp

MD5 0edc6461b2b7af6dcec4a152c6d12797
SHA1 0c0f0df6223a061e7661d772761020ac2e2e06a2
SHA256 5a754fc90bfa2f60b3a0fbf45e9ff7658f77daa08debb2bdb6ca6c26304bd627
SHA512 54a540e6e410fc7740317e494f60c8b12b2b824fe5ede4d5339e79c0cde4ff8db09f1c9c4350cf175cd6898a77e74e8efe5973dc526e3d990380940c01e0a99f

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\u8wrkqzc\D3DX10_42.cab

MD5 0a1d01413e017982e2d9d819e94b6a11
SHA1 9fa93226a928772754a0e30e8872d961a013a7d9
SHA256 b77ba929b68ba8fdd40209ddf39ad6443b0513b7be639c87f69d8afba90173c7
SHA512 881b22755fb56f38cef0d668ef23df14e3ee0e85218cfd485add3d102da25eec5aa00931dea3ff6934077e03d8eb4f93e688518a37ecc7b308c23d443e47253f

C:\Program Files (x86)\Common Files\Windows Live\.cache\cache.ini

MD5 622f87970b917b53f81554131b63e21d
SHA1 55f8c0a1096b5d415485468488b35b0b0dae4d39
SHA256 fba65c31b7a67bf9a1a2f1cbf07d4dac3362c17376993b83df5a81790c188190
SHA512 4ccb85c462d537786dcb9eab85a634ff07d8e2511e3183bf1046af26faa1b1fec5ab420abacaa0534cffb3e4eacb0481573a29c5e9cee0eb061217ad991731bb

C:\Program Files (x86)\Common Files\Windows Live\.cache\3aba18a31da9c0d03\dxupdate.cab

MD5 8adf5a3c4bd187052bfa92b34220f4e7
SHA1 b52be74c4489159bd343d3c647f28da1fd13d9b9
SHA256 13393a91201e69e70a9f68d21428453fff3951535dec88f879270269cfe54d6f
SHA512 3e2f2fe4b5742a4cf6ee2f6b8c0ca734fd0b3c5431dff112c907231846dd3eebee7b9b8117f0256119614282cc7a4896474a199563078481d48a1204ca96f92d

C:\Program Files (x86)\Common Files\Windows Live\.cache\3aba18a31da9c0d03\DXSETUP.exe

MD5 ddce338bb173b32024679d61fb4f2ba6
SHA1 50e51f7c8802559dd9787b0aebc85f192b7e2563
SHA256 046041aba6ba77534c36bb0c2496408d23c6a09f930c46b392f1edc70dfd66de
SHA512 7a63925278332c8e7949555383b410d8848a7834b85f34d659e351ba78cbe4d2ec09caccb2178d801b9b68725c9cbae48a6a1f07f0804a0c41eb51df79b7eca4

C:\Program Files (x86)\Common Files\Windows Live\.cache\3aba18a31da9c0d03\dsetup32.dll

MD5 0f58ccd58a29827b5d406874360e4c08
SHA1 ba804292580be6186774e7f92e6dfb104e46bf25
SHA256 642d9e7db6d4fc15129f011dce2ea087bf7f7fb015aececf82bf84ff6634a6fb
SHA512 3e3d4f2de5dc5addc86765a2f888487ea0c9ee0208fac60187ddaa9a2bfd73cfd7734836d32805fa43222470c8f6cb9a10e2a099aef72c67ad7c789096e57ce4

C:\Program Files (x86)\Common Files\Windows Live\.cache\3aba18a31da9c0d03\DSETUP.dll

MD5 9e0711bed229b60a853bcc5d10deaafc
SHA1 2bea53988bd35c5df5c9edcef0bc234c37289477
SHA256 def6f245762be36cf18b435ba8b7ebc224b9c21d1a1db606a8e8fafdaa97bba0
SHA512 c0b31872e52c8f4270d991c70d1a1c9ef9a4bbee4807c54c05a449cd1607506ab16ff1e74b378651b36e3276322c86cd843565c8a1aa33a49c47322ef4df0185

C:\PROGRA~3\MICROS~1\WLSetup\wltF363.tmp

MD5 c70d9646c09c2f27ee53b5788419d7f3
SHA1 f143de048873e4dba0eecb2a34a98ed5998d12c1
SHA256 21f718f04df5a024b8db72f5995fd53a7aec14198977d7b418925040af233a0d
SHA512 6ef9e829118880a9c1c77a36302b8f5305635fe738edd36134fb136c242580fe7a7a3532880364342caf8ce36d0cd17ee97f2de387faac197ce0cd37d5de4ecf

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\y9mzp14r\5ym8ttku.tmp

MD5 4ed866061580d42f96f09c16987462c7
SHA1 ee69d20909acec25024fdb8680a9dda03ad51d2c
SHA256 225a26cf9670ab0344b052474fe5ff576c808b53eed275d66efc51d16a149804
SHA512 4f9c871a138729e8af4970f7259ee44375de6a949452d0a768938d263b095fd76ebcb4354ce437d96c6c84d0562ff08cb2dd4fa5ace3fa497fb039113dd76e90

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\y9mzp14r\crt90.cab

MD5 575a2172466e1a8b0f17bb3d64f0fc94
SHA1 86778234f14757b95f475dd6cb7fec32ff179cd8
SHA256 a2ae8965a8502654e7e8458c301dc0225d893a55d3c71b1cbbf6e9c0f3204a8a
SHA512 a79a9e7e2f101487d80de9ab6e4990502fffc932abd41549894bda32ac5707574e9b5ffe9f40f9f075915bb6a4c7d2215c28d461c1cdf45246f202c1121b6cee

C:\Program Files (x86)\Common Files\Windows Live\.cache\3aee8bfb1da9c0d04\crt90.msi

MD5 1c26a77f50bfca590760bdac24e84e03
SHA1 856b931bb34ef8aabdc924c0e017a18c78430aa7
SHA256 184f0e66df21a08c25afc6b7243d1f38feb19b5a45d2b2bd5963037c4fb908b7
SHA512 638573cbb2c260e9ee8a79e39bb095fb43be9d31641fc7f4ce906378811e6c2d77175c6b39c3ff9a877236bddf5a42b1000adf8acfe95d0248e8b2a2cd263bf2

C:\PROGRA~3\MICROS~1\WLSetup\wltF549.tmp

MD5 447ecd02b6dd7367994fdaf6ad40f1a2
SHA1 41e5ad502ac8f903ffd143fa6626ad332b9e38d1
SHA256 c840030ca34878f7205ef9ff19ac1a3bc904f46ca31db8606fb04f81d986e8bd
SHA512 10971224c4b9263ba22c4bf62dee73fc51e9c7d787ff02d0cd02ad3adb598acf79f6130e48131ecc1032d01deae35e889db45c1b39ad2e6b6875bbf86a5f325f

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\eonr4zy4\6cc02wx3.tmp

MD5 6971afaa9cc2552c74fdb965c2fb76d0
SHA1 2a384297c92a41f12d467642adc72b9b585374e5
SHA256 0dd513040077b5c7e1a869f1e1e1f709cc669d21105650e6515ceab34627d468
SHA512 af3a47a32f0c5f01623c1d280159995ae6102f986ff4c7b475b7235cddbf32296e726f2be4203de293095fdd18a5065c9d6855f1e4d072142ac793152f318055

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\eonr4zy4\crt110.cab

MD5 d119aaf4bf4085612e9af0518bef08e2
SHA1 06a029c35d3161aeaeb7189f3cb27fa855c6fbf6
SHA256 d7161a6d9176ed76ecb13b0931bdef32cb3239e9559c875ebd9cd485a2e31d39
SHA512 015b19f5894c09df2a553f56ae3151a2ea0671020379dd818d1a7c1b9fe69772d67daed4e6c6afef5faf1aa9994a061345f816ad191ca0e20988c67b9c02ef58

C:\Program Files (x86)\Common Files\Windows Live\.cache\cache.ini

MD5 807d29601e502b5546b1e75064a0c45d
SHA1 c99e58c2fd1b8830990bed53ef69816b6b2b77be
SHA256 9e1a8d3807a49e82bbaf255ea379ada65b9f9d7316827f57b6244c36ecca8f9c
SHA512 cff1fd047147eb57a3b31828597caa6e2669a080d355129377eeeae31f1ed6f75c6441d87bc5237f8dedab27dab92bf7e6c48b19a748969d6f6a320e79607ac2

C:\Program Files (x86)\Common Files\Windows Live\.cache\3b3874da1da9c0d05\crt110.msi

MD5 b6874af023443ad4bff84ddd4a219aa7
SHA1 358e1c9245cd0e916712586e459d038e3e6807fa
SHA256 e66c187e6633b82bcb64201600bbe6eade67e40bc23aaecab71c0c130d3a4c30
SHA512 b1588d6f69b2537090eaaa198ca46ba697c0c704ad2a2c81d56040095840e21860a0f714abe37ace67b08d4251b27240bc183a62a11e3ae7a6c091377cce7689

C:\PROGRA~3\MICROS~1\WLSetup\wltF635.tmp

MD5 222a19d7053676738a56fd3705303200
SHA1 10756e87ed956adbc8b3a73e3b4b1a0f62c06545
SHA256 430dd49b0fead20b222985ededc24686e254f171c4d7abd3a009d725f3666681
SHA512 3f125562f99a200aae441414d5d248550715cf1421fb0dbfe0f9052f0ba70482004596aa0532037d5d605472be722dde1181b7ba5e0b3e416bb1437d7a74f58f

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\nwhdwtk8\1q58q6mp.tmp

MD5 3ffdc68017839bba5212426593646e16
SHA1 d159eab8ad10eb07cf15f55c52220748fe1d30ed
SHA256 cc40009fe1e528af8bb5f24687324999d36e948d69197b88761b0e93d704eb0b
SHA512 7cebe2dfe1384bee8dbbe0afef02b11b0c70fb612eed85ce3d53228a629338b250922fb93f503195734106fc83aa7a35961c1caf0a12d41e92e068c79afa10b6

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\nwhdwtk8\crt110_amd64.cab

MD5 52eeeca22f1c4f393702ab75ca4a0c7f
SHA1 188c56555be4bfddabc1bdfbee827e47ec6b64b9
SHA256 bc1671181fb9179dbf6e326b23030e0ffc19c9a2b084c7c28ad80152b40569a3
SHA512 cd6feb5535807253b64923029d6d4ea4c2a7464eee1ec2ce07af5c224ee3a714f537ba7327f105b223fddec08b1297b0a61150537222b19b061ed06fa2abb624

C:\PROGRA~3\MICROS~1\WLSetup\wltF6F3.tmp

MD5 fd61bf6ae58ec3aa09157fed71f14492
SHA1 eed13224b402129767d24ed82d09d8473eb5e806
SHA256 08d2e9ee6fe16a67242176d218b6423a1be21fd81c1ee60d45cbf0651647fb70
SHA512 20a2c4f5c19b931c1367a095ab65e50deb16fbd4bd4e98f9ba1ebf6d7c776d975dc6bd4a57ff9f9952569c43c01bf2f8f100202e4aae0ae7d61d2ae22a4aafea

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\z2l70du6\anga8rwr.tmp

MD5 6b0e1c4a026558ebd9b7adf2478256b4
SHA1 09d4806b572891dec18f8ea36fc783ae3fa2f333
SHA256 f4d56250a6ad6ebe6d16444e7bb65daf8cadc94e12be7d7f4a156acbb52f1059
SHA512 a8e8f71b202a4ae1bdecdd7ac1b96e791d6663aa731def39bb561c89d350a1029c41a7aaee133bb8c8d68502a45ca4fef16d2192df6592db711011a9523150e0

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\z2l70du6\WLXSuite.cab

MD5 dd4976b6bbde52aceed41ea0e619c7cd
SHA1 eb0d5db7445bfcd5254c0b1e95cd60aa0f16105e
SHA256 2e14e58be3fa84b292bd49be75a053340c878956c5f7eb76bf1d68464e0b9648
SHA512 a7502c2e40a99aa508731c0cfb0fe6317c64381816ad6fc0a3524f7540559d762261e0a957235bbf128ab75adabcd8dbbc425e71d577376e859712084593af2e

C:\Program Files (x86)\Common Files\Windows Live\.cache\3b7b36c81da9c0d07\WLXSuite.msi

MD5 9f91bd1204abad23916cea89e0a6502b
SHA1 9b23bcadaee6fc61d02ae5b0aad060cdeec61023
SHA256 f213e44352caa38ae3b443b76377d62a686a6697dd55fd3120e0b86cdd571c87
SHA512 95b313aa1e7bc71d13f82f3219f7e03f076d08cb8f5cdc31b1858af1791b745fa7cae6bd2513ef8614abd186fa9f3f8401d882e5d1d9331259910fb2f3c679fc

C:\PROGRA~3\MICROS~1\WLSetup\wltFADD.tmp

MD5 f9f7f6c1ee64179ac24c2797097d5706
SHA1 8c17d7f8efbf19b76d3d843a2a2e8a7828cf314f
SHA256 696f86945af7fcc7ed0fef9c95c7343e44db8c61c14ffeb5f35381664f1f5191
SHA512 2c3fd69f1db6ef20c115febb912dadfa9e7048743837f1dc5fffadff42efdb9a751fdd99390ce0e2cb54c1519f9183c8ded6fba4cea5433933cd73a023304e50

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\0zw6a798\emcdqxd8.tmp

MD5 a6b1bf5479520ded28fa779a66c14dad
SHA1 1e14710a9e9c58ce227b9d4b2c960997a5577815
SHA256 b0cd17b8c87e89a17743c8f1c75e401984b4ba2a8127f38aaef62c83cfdd4df3
SHA512 28063d56c23123c38d0bbbf8a9ba5b5dd2630c379ad8592973bf84139a91b392a8b32f8a9ec4fa82adc6426192c85b9c15860b87880a4bcb459cb3cdcb063758

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\0zw6a798\Watson-x64.cab

MD5 abc26cf06709db3146c92e0c8377a8b1
SHA1 2125a3554005ece8524b919815fdd9cc1037a66b
SHA256 cebe84014bfea44543c3c956d665b2d3d30c0308b80ca90a831b9c7d846356cf
SHA512 48906552f9a7b90ac76a242601739e3533859117125b912f02c40a38a756a9099bcc291cdbe98e1a9bc832bd734dbad610d9994223624127c8a28cfe0829c9d9

C:\Program Files (x86)\Common Files\Windows Live\.cache\3c116b351da9c0d08\dw20sharedamd64.msi

MD5 2459308b46fde807b05e541ed484af4f
SHA1 6d6732af93fce1f5f4bb8f9e41cab2c70c1b7bf8
SHA256 46a2b00e630d478780bc0db5c312811ed0e194f0680ecb1df769cd3103bcd422
SHA512 ceffece9a3d10f88194846d463c95880b2af203d65d1077415f433c3e657b501cefad07410ce650ce534485a6bd756e8937151b67714045b528bc88979864a87

C:\PROGRA~3\MICROS~1\WLSetup\wltFD02.tmp

MD5 10b8dd1e4ee0a05ec2e1e31510b37d61
SHA1 672c7950d93f23e7b100a2fc5bc8797adcec95ee
SHA256 a94259c2dfd6f0422a31494bc0474189605883ca10bfd2a8b9317b6381c170d7
SHA512 d08d34098d321847c330ba132181d2ede1c8a5d8aa845c7bebdabab1596beaf1a92889c5824f48b370e2c3471dace1b6ba92c85b6715d284d0c4ae27bfecb4a4

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\n747du3f\e68trmsh.tmp

MD5 7b68481c3758c89baf84408ca6a516a9
SHA1 50bfcb68317aa5c41bf163b1e1d6b9a3e1b50d45
SHA256 7a6ad74823dacf11e46e4b9d720bb610ddf0b0653963d616671e926748133e0e
SHA512 ad4b42ec85c977f31ee552bb51287e46333ce163e2652f3d640d87431e059cd8e5426241e34c37ac3d23806ecac05b042311db5ebb1b0553016c4353b7baca1e

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\n747du3f\soxe.definitions.cab

MD5 3bd00551de772995f7671a6ba45d65ab
SHA1 8249b2c28c73cd3a0bae4067e5cbd8c0e65d6923
SHA256 23c26ddeb0a3576c50d7ebae995a807163c63fdd5e8319aa071d13fa9a0a6496
SHA512 4e40ad0e7a414911b578ec515666475f9ab981723760fb6aa0b697e417a004cbae725f1ab295ac3026d22323dddab9db7f298d2cfebba854a1f2bf5ff5a6b6eb

C:\PROGRA~3\MICROS~1\WLSetup\wltFDCF.tmp

MD5 5ac50acb23e095fc4a3b3754b7e67e29
SHA1 c5f5157c33924313787f007a1f54406d2cba16b8
SHA256 83a4fc7db344ce7e7225e92ee0a3b8df86549a0ae43d3d536acb90ffdebd9ba3
SHA512 e5daea306d18b2b6ffc0f2554ff3bd2fcb1119b693125965fc780c7d89d47355f041b0747d133eb2e7ee82b1a60a7f0549005fb972161222c8821a01ba862d00

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\l9sncgw8\sbw1cn63.tmp

MD5 6fee869fb755bace369d1ab411e7b378
SHA1 c7f5a525cab44441e30de2fcd2b17d60c099d40f
SHA256 ea894ba961f35cbd34f63a5569a8fc9642bf82ed5d6cf2df2618d84e7328feff
SHA512 c6175007077dab80a11e2bf4606735fc382d602f60c2ab26e90e221ae1aaeca9e782c8698e589e0e4299b43e02b1c68b59297737ce820f870742dbf141560107

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\l9sncgw8\soxe.core.cab

MD5 22ca63e33ab582842692359e8178ef1f
SHA1 da6d9d58e849cafed8a58a331ef1ffd17ee085a4
SHA256 48f7e9437dc980c37c284e3157f5651663725cbae5e4341f70e6672972cb87fe
SHA512 caebfa50b3c1f8b64bcd08b08d6f3b41ed6e4683767b5764ae2b636bcd67bbe845aa38747c0bd6bc9f552d24dc89a00e43cdc2668d1645ea7b4540768be702a8

C:\PROGRA~3\MICROS~1\WLSetup\wltFE5E.tmp

MD5 7fa4c347edd4745f69e50e04d6c759fd
SHA1 4d65e4997b62bacbfb881437fe69bcc11c868ad3
SHA256 474ac624b9291612f7d3870ae1b972dd2cff6b4e58d36e68fe57e4c9dbf1d4fd
SHA512 fdc6bd74509d8f7264bc2afda8da88fcbc899cce1d27772121dfc43d3166f105adcde311fbf279235e2e0bdf0debf8eff1be593226673acfbfb522bee4423d0a

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\2wkvgnaq\ue3we1gk.tmp

MD5 34983f6eb1552b4805a6766c9461cef3
SHA1 7f52a185a5c10c1291be7907731d1e990f8a4a90
SHA256 c4d4ce3d9a3a8c881281858045075997747a4ce8ea953a1f5f301e60a09093b1
SHA512 9f8e41f3b79cbf9b56b737abb779a6c4ab95aec07e9961240fb08efd1ed78fa677be9a9e841bc2bdd185631ecb986ad8820fb6ff098fe7866f7ce74f3d5ef6a6

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\2wkvgnaq\Contacts.cab

MD5 5f26b195ce2d0e31cee1efc7005eec86
SHA1 d7b8aa59ee38748d843033c066c6b61da57ccf64
SHA256 35debf728fc1abcbc96048e4d386b81c12bbe7ad1558e4ccee0002edd6b7da09
SHA512 55b037584949ba68993646c3fc49938890cc08c4a98766ee3d9e53d651db3dd2cb5a6399709690dc042ae1c9236aa26113ea416c333eb50b1218cb194615ef38

C:\PROGRA~3\MICROS~1\WLSetup\wltFFE6.tmp

MD5 35cac173c2b8032543c5977e34277238
SHA1 28930a5c72f00723d1f471004f4b2a4bcdd63573
SHA256 b2ad5d9c9d9df2d9aaec5e00bd8adceb36de0d3fe66c23fe6567c084a7107ad4
SHA512 aeb83d0d8e293c90ffcdb2157431c6566c8c69487067e96755d17de4383d0d752760f66b8a1c666175317b3c7260f1291503504c08fed910f5b0969e50b1716a

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\fumfz07y\528awnb6.tmp

MD5 ee3ac9d9b218516b43d3a2b8f2a24508
SHA1 8f0e3f8edc39a816f2c8edd171a7738c45bfb6bb
SHA256 98f6006ffb554539cf1cf6be46795e7e6b9b1592ae42a97f780a467badb07ada
SHA512 0048ffd26aad92b1545414c99c5825315f8538a34d46017629be49e9ebe817cb5a5bfa3aa699afe4316f886bb2791d84609cc7e10b589a2e2584be51788e28c4

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\fumfz07y\PIMT.cab

MD5 801f96ac4b7e12b9691c12e94c7abe2d
SHA1 05b2618a84a080d3e41725bdc6f73632cfbb4a8f
SHA256 a030b62c1da3ba7d8821e60fb4427c9041fbc077867b59a528371b5e5cdc419a
SHA512 a75d0e8074f55bd1cacc3f6b7938fd111d5328963dfb6573f0b2f1e8ab9738887b2f55e657893d37319feb922e4bd998e20a91a516d7783f472bc8fff5aef95d

C:\PROGRA~3\MICROS~1\WLSetup\wlt121.tmp

MD5 6733a81b51871a2a23b55a3701647aed
SHA1 1d954976870df0085660db7333a70e5c7badf54e
SHA256 071ab4216d435c8e1b65e7c7193067a3ab02b70b2b5eff1c2a0eb505b86f1129
SHA512 541131798086fa172be0810adde06c5a4a94449e0c222fd40070c570f409c8a11b342c6e243bf295221e868a53fa77c09e25c45d5ba69d59ae88e4806e154ef7

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\md65gl97\btvygr5v.tmp

MD5 5a9d80b5422ab12c962cb2e62e865485
SHA1 9a0e76535e25e71bb9225509a32ab95df5c0703d
SHA256 e05f4900a6c6765a339a12fbe2d4a163413c09432d9845934ad9e0ffc032790c
SHA512 ddd059f2435e113c3bcb3cceb2224dee2b566ec6a1283a18f50861ef9499df73cdc6fb7ec88a11285b0a431bbf98ba678b8f0c17868214a34629c5b9066d082a

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\md65gl97\d3dx10-x86.cab

MD5 e2c883cf5af7ffd177c2e885e7b9211a
SHA1 1133cc73222ee105989ef10ac06a421f62b77ab0
SHA256 100f6fdade69a4efa4e315154046b13e5dd6af2d091a573f27dd922f242c07dd
SHA512 bc9e8304cfb131ac300485d9b2a221da434733b23a9b7235b044ce22fdaf0c0ba22ed74caedfbdfb1a044345bbb04d954e2d6cb3b74591c4c5df324ea99c679a

C:\Program Files (x86)\Common Files\Windows Live\.cache\3d0239281da9c0d0d\d3dx10-x86.msi

MD5 141021890289016535d5d12741a0cbec
SHA1 67cd42ff9e9cf6433b16eb638fb08d6d77c9fb3b
SHA256 66dfe4c288e800d098e8ee5c02c7fb8d8279ace5e105a946f2517877ef550fe0
SHA512 393af5d625ef751a986ed2b90a4edcd5ae7b842d228dbc5e41ecbc5d7ecb4d176264f80ac951ad1b698c1b49b435befa5117e77778aec5696f031db85349992e

C:\PROGRA~3\MICROS~1\WLSetup\wlt23C.tmp

MD5 81a7886ba27f04ce9d4905c57df4963f
SHA1 7cbc155539038abcdab731aa7afb8843ff504fa6
SHA256 2973ea30120ad3475971e4f96cc73f32176ce29204deb1f1e62eadbfb5f7576f
SHA512 861a73c358a74d985cff144cee7370dce97bfc1de182431d7d0acea6f7161acc1b7a32abccc881511819d6b06acf59fe12a427a56f057506565010e5a8c64289

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\fwzz3wsh\jd8ijiot.tmp

MD5 1d71f23b16a5fa228583e8d43861b114
SHA1 947a1bbd7478f586bc59c42962dd3a0ecffc5d1d
SHA256 fc75b41a31b7d2d91ccf1b49c801ec6233af8f83bb98b10247a65041d5b58f2d
SHA512 a2ee87cd8da55f4ce7f81cbe7a15f08054478ed8222e71019fc7069e6cf8acd6f63b341557c3439b833d4fe69ed84688beea08fabfeba04fd7603fdac9f7a591

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\fwzz3wsh\UXPlatform.cab

MD5 c012292727bb374cfa9dd557ee29d2b4
SHA1 123197276bae304ba78ee833dc6f9d9e59a0b0b8
SHA256 6e2eb5f8da9c05983c68c9e9df6d3a449bdd940526795564f34381d254e30766
SHA512 38e34b21c60c3f5055e2e844266dc1a52085e3036f11fcd589972dc75ac68cefe777a6a2947de3a9a002271b7ad3e7bae5f3d49e133a34f4af615c32ce488a51

C:\PROGRA~3\MICROS~1\WLSetup\wlt5C8.tmp

MD5 68aefb6ed3bf7aa1d1993ecda73b05aa
SHA1 34daa72e1a210d7366560deed0ff06ab4d01bab7
SHA256 23c33b9cca2501a9dade1827fea716ccfc2ceff590b7aaa5d58e4a44d4e79d12
SHA512 23a21ad23edfe3fd1f52893bb427180d6e97b43821391519b522c7b6c75cb10b505bf5dc033e8694102094ebb972c16dfa19788d3e02f714d74fe04cd2e86b8a

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\xdotjgj9\8uj1hoht.tmp

MD5 482282c1d8b97485791896ff1d5de587
SHA1 187adb3cceaeb7c566af159e1fb832d555e9b50a
SHA256 b9e4292c40d759cf1fd235463429912fd70a9e5f0d4bd8fb8ac9f0a6cbb8dd9e
SHA512 e05e1982b8aa9259127e8966dfd5e085b435b114253133fb417fd50985c13ec9a0f0bd58dd52a82ce695a11e697f7f21e96bf40a00cf6888b16e8689139d325c

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\xdotjgj9\PhotoCommon.cab

MD5 b37655c4d63f411a6b23eaf89bf981cd
SHA1 09cb0a0f7bec9b62db44d24a1aa11b4fdd40c7c7
SHA256 108c6d632199dfb6146d86c35b7aaa29443ba869d46dd99605ca9a455f0c7217
SHA512 2169c6e9a7482643003a41fdc3dd27d67bafac415cf393c4b75e53766ad68e13616b790a7e1d7933499c1b86410e5f8ef5e1413fd93ae0ab0462b5ae526770aa

C:\Program Files (x86)\Common Files\Windows Live\.cache\3db9cd7b1da9c0d0f\PhotoCommon.msi

MD5 ff2a751d2b5e41a1451d2fb6bdfd13e9
SHA1 8c625401a9b1ef7a5143c704dce8c24b7c888bbb
SHA256 02a76e8a58daf828e774c1c78206db50bbcc24a735b0fd26de4a9c99cce5486d
SHA512 beba30d47a25b573751df37431a4397e3506671709a571bf62cf6bc20fdfa0bb410f463d9f87affade4a9e98964e6a67221341aae79c496ec8474938bc67c880

C:\PROGRA~3\MICROS~1\WLSetup\wlt8C8.tmp

MD5 a1ca671aaacab805e8f2abcb395ff9e6
SHA1 c76bf6223557be1b66a315dca5689f1b52c35fcd
SHA256 6a4f1cedad70d61082136d23ec223e0dd8d8ce0ced4fce5865411e73ff6be43e
SHA512 e765f1c9638239fbed86ba40b16c0b58639a58ca4133fe78600ccbfc7e7e2946a7c156fee455285b7c0e0f0cd170c54b790645b023a010801557cfa84d7d8f3b

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\z3vu74rp\qavzvej9.tmp

MD5 f21475d6334dd07e5fc46d2944041625
SHA1 25af2cbbd7d2c06ece4b8d2d0bf8f9efeb97e3ba
SHA256 6344dc693f5a109ce7c553e8f9f3151f9d32219bd7d399ea0d9b2f3c53ab6008
SHA512 42e9012ec27ea53f8c1939a5627c3156512c1934dc9221c91d8c5a9ad79ee352b40311118148ad9d0fbf22b69bc4dd3bdb3ad535892170de55c14853b34d209f

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\z3vu74rp\SQLServerCE31-EN.cab

MD5 37fc354101535eea1153bc3db872cebd
SHA1 954e75db8e79d6472c15055d9a0050a719633e29
SHA256 13e3510939eb95edcd43512f03684f799e6d3ad3600569523d7ba69dc0cd5f8e
SHA512 23e97e433730dee8e7ee606682cd6b76a2f0bab667e37081af0f1f8bc1bc29b9da3e881499e110cb365d9ba0f23f1d46e5faeadfd8f8d40eff3a917472eeb003

C:\Program Files (x86)\Common Files\Windows Live\.cache\3e2ea1021da9c0d10\SQLServerCE31-EN.msi

MD5 54854bac91e616bf8f71184c05ad0355
SHA1 73b893c66a58b3b581bbdb50cf069f9e44c7e657
SHA256 f14f64c25cbdc7e06f2ea7f08170305a5990fa0449d9371056ec59441e24476d
SHA512 7cf8114350b2d6e6e4c7940601f6b3da28f8f5397895033f2d82c97d2fc8c6ba71bc46b12abe254be521906fae0422b1084567cb70332103b29d851803b46c99

C:\PROGRA~3\MICROS~1\WLSetup\wltA7F.tmp

MD5 d1f5aaf5952b8ab8bc00c2050b0f7b17
SHA1 6ddf870ac98ef74628b843fd1d55826469ecb15a
SHA256 f134e280ad2376d8ab260663f4411d2c5795aa1d46d61bb70b241223c1ffa07b
SHA512 5ce822e3040204f41a546979134155d4f3f51365b83c412d320e9e022d7db4282f3d29875a70a8f05f4e9f25ef8ae4e5f3cabb3f4a83e09832ebee4dcaf98d1b

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\lq2fasep\y5m509no.tmp

MD5 15b6c63a96afb7046b5a4647bd42afa3
SHA1 f44ab9202277891e7d0b5c6dcd6034ab15b0c2ae
SHA256 a57fe9702b3f706f723f5dce75d6ba41cdd1aff71119691e49745f19559a911a
SHA512 0259c29a3e24b7a5cab10c41e94e421a7b2947e4933ca1bce1a2a7b37e6c9442792fad0bd1d391675fcda49f212b0b991c41a73d57acf88e0946af0b061f5ba8

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\lq2fasep\PhotoLibrary.cab

MD5 0e858e55ff6d484000a15b127b327b2d
SHA1 99e9f82cec40ffe800dc40aac3aff679987b16b5
SHA256 2df461dc570aacfb03320d402e99472d7b1010ef2d30d17e577ee6a1b371da95
SHA512 480c69713b6e335d28e4628bca6475e108808983e4a63ddb3a65e583581ce9d9bbd5bf17f7dd1f85b5c9dea5d2e738bdc249c2427845d2579221bb07470dfae9

C:\Program Files (x86)\Common Files\Windows Live\.cache\3e7628531da9c0d11\PhotoLibrary.msi

MD5 3e04cec983eaed85e81bf35de71f8bf7
SHA1 3f38e49179b4a5fd9e7704fbb29ead21e139cbfc
SHA256 22a0a57db76c1a2409760d4c9ee59b7ce1ee1a9d0208267cbdfa67579b31b63e
SHA512 789f361e89f292962aad8b2e54146ce252be2434adcae6f093fad66a403e5292916d923610266b76ecadd47f59d878226603c68b03d682b867994ac70af6b31c

C:\PROGRA~3\MICROS~1\WLSetup\wlt1530.tmp

MD5 89cd9901db2cad003e71b38f4d8e1091
SHA1 1ab795681f702456c0c9e1681dd796e4455208f7
SHA256 18f354f3bde3411c90d948e02e60de5e11faa131ce04da242925dd0f004cd4d9
SHA512 14f0152eab4ec8fdd57dfbe9fb690ae9d0770feb7826224adc2b44bf826d7498a329757ba4a338c92c226cbe8ad3e14dc671d9767a3e13f87606e43af13c5bb1

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\myns44gd\eq5ys233.tmp

MD5 0c3dcf52147fc517105085a2cf29f276
SHA1 1452ed0b01002e26bff7144c8173ffe7f8204c6a
SHA256 5a0973f8aa75ef72f429af1174dd758e98a89a52601e09f06301fb5e9cfa0d69
SHA512 32757d69f29dd29550dc3d9cffe4f62e72893b0f2a990a3ff9669a8524a6148fed8adef5ee4258201bde3c89906ad97e40cbedfb056c5dc471654b0b7f0e16f9

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\myns44gd\MovieMaker.cab

MD5 e4dd66c57f1f7bab8698f33b63fc8953
SHA1 acf6e50512ba97d9faddb2f5f32758adc6d21b86
SHA256 51f718660147fb21f8e3533e84ed607944a9fb6d7b3935d5d2ac625c0d5834cf
SHA512 513976514f9ea5357517e9ac8283411e359a434bc02fd95f885968d2e19ca42ff2cc993aac7a68d890fec02521662905f4a740c50449d06e3b9379b240d860d9

C:\Program Files (x86)\Common Files\Windows Live\.cache\4015adbb1da9c0d12\MovieMaker.msi

MD5 33cfb91ec616a06b8af75e772e966433
SHA1 69ccfa871359a84467d243f280dfc813b428d5c2
SHA256 00c89e20a23be3aa005bc2eb75cc4a6c6fb89b6623cfec017282a6e547ad9790
SHA512 61dcf628e1595169a2d9abd8113cb77ecc0606d083f90f57f964f46abab7949c0083b7d268a3c662510ca4cf3c4a561c89d41f07ca46e0ce8c7080097f6d2fd1

C:\PROGRA~3\MICROS~1\WLSetup\wlt232C.tmp

MD5 44623495b671a344259bb39829452204
SHA1 333a5196dca06c815d930e225637db95a8d3197a
SHA256 28af1144633453ec668884b1513d0f5bdfde61333e183b5187634c59d60bbbfd
SHA512 7d4362c833fd4dd3180a7b5f0772f68ddc93659564350e63bf659cccec9507d6ace15d230d0a2965c260325dd1f7bfecec9963ed4b08d7cddb37df2d1e9959a9

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\gfojbsg0\n7fx28jz.tmp

MD5 689289a46d4201c65f55d8bc55727962
SHA1 a8c7ae37ced5e023d799e9bc1117dea0937d30aa
SHA256 061a0adcb5b78ca9c0d270afd2d8ee726d61a76e784a0f17da39b82cd3bab324
SHA512 cb857422767f42bf5e2967a28e86b2d730c049098e2656c8c2d53974eb34f3700887b8673431946195c6e7d322801548676df5d4149b234588ce05aba606b6a5

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\gfojbsg0\UXPlatformLang.cab

MD5 214c866506d9f5daac7e143aa6c34113
SHA1 22945fc13b4f4642097dbf20307d6605cbef8b21
SHA256 f0d961af77d8eeac0aa5b759332161d97497d632c646b548d570de12eccae50d
SHA512 01a7d0cab0b99a9046c2b0718949aba48850c54fb341f280534d20edfe361663fee929d5961e44d49df90519170882138da03d52c76e5a8ed23cf0ae7f498783

C:\PROGRA~3\MICROS~1\WLSetup\wlt26A8.tmp

MD5 96aec171dd6a4eb4e4ef59b1dc287fbf
SHA1 7675f8808b74f66714ea778774f9b37f5a8fb8fc
SHA256 d4fada7f0157e181127d56799ad85152a500d484f16a2d31058285801ee0fc9c
SHA512 bb9d7769b0a202133a5e635fb185b53593eeffbe1f84e58755bbe14adea77c8a90fd114846aa574c3c78efc119420e573d2fbd2006928b749000f4619678389a

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\29gct92p\umu9sx12.tmp

MD5 41f796559068c3eee4439b1ce316e16d
SHA1 6459a9f903daddcb6062ebd1cc535bab8c23037f
SHA256 51108a4d8194c4474de0197f532387e0647e968318dab1423f808bb638f5cb9f
SHA512 cc088c3c6e3c1fcd270820809ba5a8792287b76a54b2dc02233d08b019db4feb16b2ac303009b6c6a88c73d3ab890292f064fc897690036dca69d437e6a50b8d

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\29gct92p\WLXSuiteLang.cab

MD5 49b7599ebea3ee623e597db46c7e242d
SHA1 d5d0f3a77e19a05b563edd4eff414c7028c47e17
SHA256 61954d216412aa914fa85eafaa0a57278c9e225acbc6e1eb79f44c80417be095
SHA512 608a6c3bc7ba75b44f063c1d4bef9a2864799d3d66afae6264bf2fa95ccda9667c406add98350ff569c4dc3b4b90657611020edf6580f30304a568feb85e5f1c

C:\PROGRA~3\MICROS~1\WLSetup\wlt2785.tmp

MD5 e03b80e674707a949f63897fd4cd2a97
SHA1 a593fb96e478076ee3e8aa32677a58255fc5a944
SHA256 9048360b66c7acd4d4cfb84a7498421ab6e3fee8db8b41c2b913695ec70dbf78
SHA512 d1921db4517a7ceb210874871b7b2e26dde5102dd9002c46de6be05f98842a5e147741a78ad22c6930efac5ac0e344e6d45629e035567462df946895d9f48408

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\w0pp9t5q\uhc8evq9.tmp

MD5 f4ef088077682987634607e514d71f20
SHA1 685b510b43cf9ab0b0ae4958426af70c8b7b59f1
SHA256 55054add1c3ad636c9dc0ac0787251bffd4080df08918d76e6843a5a54eae980
SHA512 3bcf8b87f5b650b8a9a9db01e33b16ed1959b562227d5d24d9ba6ecacc494e90f3bb01777fc487e42cf6c0e465d0d58b84429b158409be42aaa6ff05d0dac37d

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\w0pp9t5q\PhotoCommonLang.cab

MD5 0ccef7ead7f4d81b3de61c10bfef0d8e
SHA1 840a64697ce4e24f7e1238de8e11b638c0dd8e8c
SHA256 4d62c558732ceba418de8b020c174e7aee102196c6ae40046eea7f485d1d78c5
SHA512 d2aa10f5793a2373f6cb65c5369d0c7f71ba2ea687ee757108bba3219831ede28342a3dab1455f09c4fdea1499e853fc5ff773da49e9a6dc5cb7842a75bbda88

C:\PROGRA~3\MICROS~1\WLSetup\wlt2881.tmp

MD5 65394a7bdab03c429522cdd490a134a0
SHA1 afe2564e539027cb1e2cf2154e5aedf609cf0bcb
SHA256 7daa30526128109b67310a3581f37c2b112d6e66e74ee2b6b74512378fda30ec
SHA512 579016091d455f75ee0f25dae7eb1a69e1c4fa6773dc739b3954ce7575dff82ca328276e648c0042f16e959502ff5aa24630bdfaf37168ebb15303bc8dbb7032

C:\PROGRA~3\MICROS~1\WLSetup\wlt29EB.tmp

MD5 9971f5592ec6f9f159cd1210da51921d
SHA1 90035e88438350a128773ad22c8a4140a1e4036e
SHA256 5790818fcead57808d9d43ae94ad8c0ef44c7d2e3e89aca2152ffcf3a1cf4c25
SHA512 b0724fb4375e2cf9ca5433f78317cf6a055760165b2caf29b2213427baf5918fedc7e2dc327cee91ccecc1b95c4448a4ecca6f38094e44a49c0b19088decf4ac

C:\Windows\Logs\DirectX.log

MD5 a6d31bb2f41aa46a0f24014432f192bb
SHA1 84145c8aaeb0bd474836c92443c9d095bd4cf006
SHA256 8959ceab297a7b2bfd58051ff14dcf4acd94da4eb56c15f8bf595a23f3243bdd
SHA512 2ad52f4662ba34ff4fb6d8b0f3a6c87651c32ea49e1116867591c5010154933b5e0ebe578ceb3f58ba6613e1a97b189efd34ed4468c022ac100951f195ab5f75

C:\Users\Admin\AppData\Local\Temp\DX4E2B.tmp\dxupdate.inf

MD5 8c281fcb5546d1ed3cdaf6e3f7303139
SHA1 de342a17f2df0386f6584e2f55ae43c558ceb6c4
SHA256 7530c6e18dbb522c5f4fbf6714962c185ea318f9eab7aeb833b0cc07cd2fe656
SHA512 344ea0a375c8851fcf413f441a1cac3013b3748d1630a4d677da72e98f41823bf9427d896de7e1fe35bf868279538cf3b8322aa6ef20025bff48a6bb7f8c42d3

C:\Windows\Logs\DirectX.log

MD5 b4c9c5aa4b88587d9c2a9b0d8720dc8a
SHA1 e83d8ac0cac94e18510d7b2aa7135b994399d8d6
SHA256 4bfac163e35c2734df4361b0f754b8c265e8c377e11c129d1a06a93cddc74209
SHA512 fda9d0a9c185350fcd573de248aab2f438571ee467803b92597c09a346c7f9cfd25cdbc19d28f9c7d140ff018d1c7fa2f61ba361f831b0876ebcddbe7d020b86

C:\Users\Admin\AppData\Local\Temp\DX4E2B.tmp\dec2006_d3dx9_32_x86.inf

MD5 c28f4fd1644e2a20b1c897438e197e1a
SHA1 5178534444ed7dec8c63f02defe7bdb864c47123
SHA256 ef09d783bf5cff2cfba99946e5e71fda577b196a49c88bed1c51b5fd29cecf94
SHA512 7cf93260efb1d794a17ba25b1fa02ba03b0ceeed8131d274b805155072a9a2b92a899471a8b23add8bf46c6a5a3cda63499043eaa754001bb43cafd882c8e708

C:\Users\Admin\AppData\Local\Temp\DX4E2B.tmp\dec2006_d3dx9_32_x64.inf

MD5 39929631df326b944470256c4f9cbbf3
SHA1 932de27abf59c889c02ed747f0ac04f5e494492a
SHA256 ff00313af4a90f426492d72969f5efc6c56a17f2dd91f20cb5c0a38d9f1f2b6b
SHA512 8dd2755a2b2fb90c6880cbbde65d127f55d12df2bab4560ddf86d6793b2cd4733929d97efef5fd8eeb417731a571888c893188df0361ee57eb4437fab331cb13

C:\Users\Admin\AppData\Local\Temp\DX4E2B.tmp\dxupdate.dll

MD5 57f0c80414609302bfd4dfbb61b69ac1
SHA1 f077266250833d2af729df9c00983d7f4ad2663a
SHA256 dd8903faa5244492fdb8868dbca66d74aac98c394ca5382a0c24bcf621e7a16e
SHA512 2f171feb76b6014b10e493755c0138cd9edc12941b4f35faf2e99a49f08801b58cad8b4de5ef12fcba19e9261c864b911ace23c290f73384bfc378b6d9c1881b

C:\Users\Admin\AppData\Local\Temp\DX4E2B.tmp\d3dx9_32.dll

MD5 26af232140c88b42d92a88f2198edf6a
SHA1 b62aed3f71d8963227e5021c2222192873ce753b
SHA256 e96693794daa05a75a83c11df2e7b42f2de61567c6ad0b69e353b50f6c88119f
SHA512 54a6a235af4dc3f3c693fba5ac2d487d96c9d7a2bb7deeab35d5a252e723e597226ec84e953625c8808546f91fbcfc42add85076846a63925fd9eabc09dbf935

C:\Users\Admin\AppData\Local\Temp\DX52BF.tmp\AUG2009_d3dx10_42_x86.inf

MD5 b3a2e761e5da007cc6036c5703e12eed
SHA1 447e852f9bdc357b00864d4dccc7486f1313918b
SHA256 a80a00464775da82c02f628c5bc13cab0d0643ec2a44b28d2acf7c77d467becf
SHA512 28a106886578fb38f144602d2b29c72a906bb24a50b16ea7d3f71f8bd7f194fc0d7c8451dd1c3e9ecc59be3a866c07a23dd394a17d39eb7b55cde7b347bed3a1

C:\Users\Admin\AppData\Local\Temp\DX52BF.tmp\AUG2009_d3dx10_42_x64.inf

MD5 8d272f58bf5ce42962d7d9835e9b489e
SHA1 7e0969289f839b5dfe606f6ce6ed106460f97682
SHA256 2bfdd3d3bf485439013045b3a08942f457385bb89ab76d9479fbdd85f09e9d96
SHA512 0554257a41df07860233f26330020a45e2dab2613a6028f79914aec7552d5c54525b137e450202db1283b602c3d95908acbf9f1eed20dd79c21fda5963fc2b5e

C:\Users\Admin\AppData\Local\Temp\DX52BF.tmp\dxupdate.dll

MD5 94202f25810812f72953938552255fb8
SHA1 c1e88f196935d8affc1783ccf8b8954d7f2bfb62
SHA256 6dcad858cc3ff78d58c1dae5e93caf7d8bacb4f2fcf9e71bccb250bf32c7f564
SHA512 65b66d07ef68e0d1e79f236a4800c857e991ee3ff80ece4cfdd0b5f6083ea16f8a52d351c3af721cb05c06394ec91b4b5e3cfa4b0f0879f7549f3e3ed035e79e

C:\Users\Admin\AppData\Local\Temp\DX52BF.tmp\d3dx10_42.dll

MD5 501ac862517c5445742bee8a2b88414e
SHA1 49f3f2df66d357aa84a5e7a0eb368ea595b7d95a
SHA256 46429c4affe041b08a7acfda0e9162ba42de966acb2cbcaf09ef976232073b51
SHA512 08dc13d5ad0a0d2aaca9d3dbfb53304216111da73bf48810df2982650d580757c10c8b9bf80ae5191e06ebaa44b2bf9c244ae141308748c3e7fb9ef6088900ad

C:\Users\Admin\AppData\Local\Temp\DX561A.tmp\dxupdate.cif

MD5 b36d3f105d18e55534ad605cbf061a92
SHA1 788ef2de1dea6c8fe1d23a2e1007542f7321ed79
SHA256 c6c5e877e92d387e977c135765075b7610df2500e21c16e106a225216e6442ae
SHA512 35ae00da025fd578205337a018b35176095a876cd3c3cf67a3e8a8e69cd750a4ccc34ce240f11fae3418e5e93caf5082c987f0c63f9d953ed7cb8d9271e03b62

C:\Users\Admin\AppData\Local\Temp\DX561A.tmp\JUN2010_d3dx11_43_x86.inf

MD5 fb5d27c88b52dcbdbc226f66f0537573
SHA1 2cbf1012fbdcbbd17643f7466f986ecd3ce2688a
SHA256 3925c924eb4ec4f5a643b2d14d2eda603341fbbd22118cdd8ae04aaa96f443c0
SHA512 8aa2200f91eca91d7ee3221bc7c8f2a9c8d913a5d633aa00835d5fb243d9cb8afa60fe34a4c3daa0731a21914bc52266d05d6b80bfc30b2a255d7acdf0d18eb5

C:\Users\Admin\AppData\Local\Temp\DX561A.tmp\JUN2010_d3dx11_43_x64.inf

MD5 590fe1ea1837b4bfb80dc8cb09e7815f
SHA1 792b5b0521c34c6b723a379dd6b3acf82f8afb1f
SHA256 2c4cf75b76203cba6378693668c8c00b564871c8bfd7fbda01e1e841477b2a3b
SHA512 80bee8f1ad5bfaba6b3ac5a39302a1427dbaa5919d76c89b279dc753170ec443924eadf454746ce331a6682ee729ab79bd390a5d3b55db8d08fd6f4869101f53

C:\Users\Admin\AppData\Local\Temp\DX561A.tmp\JUN2010_D3DCompiler_43_x86.inf

MD5 1a86443fc4e07e0945904da7efe2149d
SHA1 37a6627dbf3b43aca104eb55f9f37e14947838ce
SHA256 5dd568919e1b3cbcb23ab21d0f2d6c1a065070848aba5d2a896da39e55c6cbbf
SHA512 c9faa6bb9485b1a0f8356df42c1efe1711a77efa566eee3eb0c8031ece10ffa045d35adb63e5e8b2f79f26bf3596c54c0bd23fea1642faae11baf2e97b73cf5e

C:\Users\Admin\AppData\Local\Temp\DX561A.tmp\JUN2010_D3DCompiler_43_x64.inf

MD5 6494a3b568760c8248b42d2b6e4df657
SHA1 700f27ee4c74e9b9914f80b067079e09ec7c6a7f
SHA256 3e779533a273e3395109c7efac13ba1c804c01b3ddb16938406fbdf90d851216
SHA512 2bf68b123d7823ad7182e132d9e55f8de7580229e8e1b3b40030da50bb9bdeaf67bb9727ce2171fa83b7f804c24d9728ffabb44cb5017b16b771bb19e62b1b42

C:\Users\Admin\AppData\Local\Temp\DX561A.tmp\JUN2010_XAudio_x86.inf

MD5 31d8732ac2f0a5c053b279adc025619f
SHA1 c8d6d2e88b13581b6638002e6f7f0c3a165fff3c
SHA256 d786d06a709d5dc26067132b9735fc317763fcf8064442d6f77f65012ba179da
SHA512 abc37922307f081a1ffdc956ce59598c19ad1939ecfb6ea3280aa6aa7a99c3eba5462731586ca262f7d7257d7d2a74ff57a45abf6b93521eb6f1c9f22f8eb244

C:\Users\Admin\AppData\Local\Temp\DX561A.tmp\JUN2010_XAudio_x64.inf

MD5 dd987135dcbe7f21c973077787b1f4f8
SHA1 ed8c2426c46c4516e37b5f9aac30549916360f7e
SHA256 1a0f1b929724f8b71d5ce922f19b9d539d2d804c89af947d5927b049ef0fd3d8
SHA512 f0469c94219b4df99d7b9b693161a736fa8eec88a3f6c7f2cf92fab2ade048dfe61fcde3a4cf4f7a2aaf841d079a46b17259dea22cfb02831983f55bd7f61899

C:\Users\Admin\AppData\Local\Temp\DX561A.tmp\d3dx11_43.dll

MD5 8e0bb968ff41d80e5f2c747c04db79ae
SHA1 69b332d78020177a9b3f60cb672ec47578003c0d
SHA256 492e960cb3ccfc8c25fc83f7c464ba77c86a20411347a1a9b3e5d3e8c9180a8d
SHA512 7d71cb5411f239696e77fe57a272c675fe15d32456ce7befb0c2cf3fc567dce5d38a45f4b004577e3dec283904f42ae17a290105d8ab8ef6b70bad4e15c9d506

C:\Users\Admin\AppData\Local\Temp\DX561A.tmp\D3DCompiler_43.dll

MD5 1c9b45e87528b8bb8cfa884ea0099a85
SHA1 98be17e1d324790a5b206e1ea1cc4e64fbe21240
SHA256 2f23182ec6f4889397ac4bf03d62536136c5bdba825c7d2c4ef08c827f3a8a1c
SHA512 b76d780810e8617b80331b4ad56e9c753652af2e55b66795f7a7d67d6afcec5ef00d120d9b2c64126309076d8169239a721ae8b34784b639b3a3e2bf50d6ee34

C:\Users\Admin\AppData\Local\Temp\DX561A.tmp\XAudio2_7.dll

MD5 81dfddfb401d663ba7e6ad1c80364216
SHA1 c32d682767df128cd8e819cb5571ed89ab734961
SHA256 d1690b602cb317f7f1e1e13e3fc5819ad8b5b38a92d812078afb1b408ccc4b69
SHA512 7267db764f23ad67e9f171cf07ff919c70681f3bf365331ae29d979164392c6bc6723441b04b98ab99c7724274b270557e75b814fb12c421188fb164b8ca837c

C:\Users\Admin\AppData\Local\Temp\DX561A.tmp\XAPOFX1_5.dll

MD5 8a4cebf34370d689e198e6673c1f2c40
SHA1 b7e3d60f62d8655a68e2faf26c0c04394c214f20
SHA256 becfdcd6b16523573cb52df87aa7d993f1b345ba903d0618c3b36535c3800197
SHA512 d612e2d8a164408ab2d6b962f1b6d3531aed8a0b1aba73291fa5155a6022d078b353512fb3f6fff97ee369918b1802a6103b31316b03db4fa3010b1bf31f35fb

C:\Users\Admin\AppData\Local\Temp\DX561A.tmp\infinst.exe

MD5 a7ba8b723b327985ded1152113970819
SHA1 50be557a29f3d2d7300b71ab0ed4831669edd848
SHA256 8c62fe8466d9a24a0f1924de37b05d672a826454804086cddc7ed87c020e67ff
SHA512 60702f08fb621bf256b1032e572a842a141cf4219b22f98b27cb1da058b19b44cc37fb8386019463a7469961ca71f48a3347aaf1c74c3636e38d2aea3bca9967

C:\Config.Msi\e585aaf.rbs

MD5 a870df4e144c88390d3d59f585e7cd04
SHA1 ce4ebd9067edf9f4515ea04652a08d92a7c5d8ad
SHA256 dc013dc3a55086c78ac7be896f1f98e3e22b9e0c46c80529d86951be55fcc636
SHA512 05999d976c6d2b110908792c98825c2346eae5d9f246a7ae26915392420e4863c4242473890bd5c39ecc173f4a0ec5331cba7d782a7daab47999579542cc9f9d

C:\Config.Msi\e585ab2.rbs

MD5 175225fad0287627c02b063cb2007476
SHA1 534c2cb41dfd6a76c39f894c1330834faaa51491
SHA256 a9cbb0a382a9d9714592f8fd0c4e6f879da56258ff9e8d00e26cfc8bc74e6688
SHA512 df6fa03abc4673e4f71b205fa233170c9a4bbe8fd6fabc33742919fcd553ee8620477d32683ae0508116db0f6bfe907db0bbfab21283138d7b10c5ddaaddbfc2

C:\Config.Msi\e585ab5.rbs

MD5 cbb34a362d1328cac88e8f80fd1e7b4e
SHA1 5cc35cf753df8ea260df5f0b226357c8bcee05ac
SHA256 669c74172411f5b15b6e89dfb2e12fe44c13b8af0f662f43037200acdd0f3cbe
SHA512 cc1448f089c606e2f4030f1ea2a6393f7beac472b3ba6e22038a8b1dbac1cd1eb0842b6865e306edd07b3ba4b701fd499a0b53a2d92bc3ca00db43ff80419afc

C:\Config.Msi\e585ab8.rbs

MD5 5a59c1dccd0d4e631766350c167a3020
SHA1 9ceb65ff2323220be8920a8627d2b70c0cc75151
SHA256 75aa1254bc5d42ec337b10e40fd9dbd41d36c4b1c4accb4bd60761659b00d696
SHA512 4deead3d0110b2c8f14c4b096da829c897f8f3aa2a9a2bac7b095da61830d2211ca6e4fce3d41f6de71cefdf430c89ca81be2623e871ba5a8d0ae1a610d71bd0

C:\Windows\Installer\MSI82CB.tmp

MD5 afa2262aaada580a74e1dddaeb03bc58
SHA1 5738eb9ba190361390d97725f90a71c6bb5bf5b0
SHA256 1deffb4fd70c9c346e1c5121b5069f758198ce12cdec5c2151127658bf12e460
SHA512 86099269378b31483480c36107f357f06d27e4c9e4892ee184438f7a3730f67853b5d44bf0bb7049242ad9ae262d08b07052bcd9f9f72175e754185725787f99

C:\Windows\Installer\MSI96A7.tmp

MD5 6d37510237c55f1bc5b9c725b5f4a29b
SHA1 74bf05bfffc85676902f576c2e98bc0bb5f06481
SHA256 02316d156568ea766e803738db187a83b02c86dd897042e005fc4846f4c489e0
SHA512 906a02a68074a534b1348eb710929bd21ff9d94a83f34df3ab55f2959ea437a613d478be86e2243ad2abc3aa4f6656f5a7e7ff54f0e30b2c6440905b4e0a071c

memory/5792-4229-0x000001421D2C0000-0x000001421D2FC000-memory.dmp

C:\Windows\Installer\MSI9C5A.tmp

MD5 aca45d29a6d4b8b6f5bec262f10bbfd5
SHA1 adedad9ecfda50861c5f426442d12413a2392c64
SHA256 3ebb755cb7cc4e4f6d62b0bfc0656300941f4ec255fb3128378dd1453f943b06
SHA512 6bf7c048b41479a5521f88926ea3c6048423ab42b950a220f44c79d3d4ae4a3244581a2a666cb6d6d977425f8efbbbb1c9d2ae69c11e59a3bfabb15a9e2d7c59

memory/4412-4242-0x000000001C3E0000-0x000000001C8AE000-memory.dmp

memory/4412-4243-0x000000001CAB0000-0x000000001CCAA000-memory.dmp

C:\Windows\assembly\tmp\WPWLCW52\System.Data.SqlServerCe.dll

MD5 a200e7209b42baa18f438695ce45b0b9
SHA1 8a9a7c8d450dbdd1aee86c100a70f651740c56e2
SHA256 14e15167dd36575ddd4ebd99894212c6d1493321c9c261d541828da56b8262e2
SHA512 558337b85e55abe409ddbda86ed86905fd561c91c1007064e8848ee126299bfbdb088dc9d3fe9b0038d96fd5bb0886090b7f06ebece8822dc288d6eba280f6c9

C:\Config.Msi\e585abb.rbs

MD5 306807a1f49a755c04c5ec9e91e8f73e
SHA1 4b25ff42f485c72ce2ffbb5d92f53fc7f87e94fe
SHA256 593b1666228a4bef47146f96a28a377162394e8f61ff754eb20d34ead3bde577
SHA512 4101b0ebbdb3bf82f9eb0e890340d69126083f9e6e329e067fb1f96ea822127f34daea38f62eef283f7ab0747edeab98483a13327edb91685a6a702d0a8644c3

C:\Config.Msi\e585abe.rbs

MD5 5fa7888c10df31f25e41ee74fa7285f3
SHA1 c628dfc29e033bffc67c5e159c651d233e69b80f
SHA256 a228f3f83c9ea3263b6ea0f549589cb96dc62851a5c3487b6740abe429bdc13a
SHA512 97e736d07fc5d5370e214240a8990a411d7ecb43f5aca5167b221c87be6a604ea42bd81f232e33f3fcac3a93eb52296e0a6ecd9a81e9ad98c21df57128407864

C:\Config.Msi\e585ac1.rbs

MD5 2189d7bec50d111e2c7eb1cccecf91e9
SHA1 c2c6c88384298423fe0214a08f66e7a6e327ed93
SHA256 45ba4c28987dc265689f7bfa4929c856a4f846091b7bcd19e037b03e667042af
SHA512 2e2d6d9e1b60d69cc4d9b511a3c66f4c19fcea5c036b9126e35f2aec1a2ff261f4a75facc808b763050bd9c69dfcb8939d1d0a90a86dc1b5b847d257d7fbca62

C:\Config.Msi\e585ac4.rbs

MD5 5a8ca5a286d51bb76670e2905c95a0e1
SHA1 88499673afc7869e42fb3ed73ff86ae9211f347d
SHA256 60636f4dc30aeca0561adcd1a082af11b2b36407c7e80b6beae0f9e54357054f
SHA512 c1e02ae9103c4ce6ae38756cc73c703cc5269293b703b7c97b26392820d7b4ca042803af1a4fbd665219413cf12c197690090fa5933294eaabaa4e59ad14648e

C:\Config.Msi\e585ac7.rbs

MD5 ecccfe342e278309f77c055c36d3570c
SHA1 fbc2a75247c29e4cee357fb8a0865862ed22b4d3
SHA256 b1ec75c796b6a0c974d45664f5fe47c86d708e47a81c2fd06cbe4578a8a8aca6
SHA512 342be251945c9b443bb41fce1f7779cb74cdcff22d5dcd1a54ece893be5e3801f70c133679f9cbfafe22e3cda1e922c719cd407256681c5c75e54edb78151ce0

C:\Config.Msi\e585aca.rbs

MD5 5ea508041fd9e4a9df24e7156e087385
SHA1 1daa1909589aa275e374ea379b64e5176952e3cb
SHA256 a43554eb5a6f7d2bed98fcf9f64dde8dca58bddc2cc36f6433b7a68bc2f051af
SHA512 3ef4e8fed02eca03f80e8124d7d4de60bec14cfa8d08d29ba9e62adb1af4250aedd1e5226fc07b9052456857d6bc41a5867d95e6310cc5ce6e0d62f0f6669e2e

C:\Config.Msi\e585acd.rbs

MD5 b669b8965c7dd27868e40296c9b2f3bc
SHA1 d24cbd57a711c61bff9ec643a667dc4e1d192be6
SHA256 1eed71b77ccd9611f811fa668b276e8b70cf4fb5683b3800eb038b3825d6e0f4
SHA512 e30b6e90e717540d78c8cdb2e4f2503839ea5d91411e2f5b6df10430915284c267fbd7abd44dfbfe7696ac81812713fad57929cd76d34e00f589dddcd2ce52ee

C:\Config.Msi\e585ad0.rbs

MD5 909cf1ba6a66aeb7ff9590b29cffc7f6
SHA1 84eb005e67338e606f6a8bbfa844279b3296a3ac
SHA256 866da9cd48838457cd8134b7fade5ae9095eff93c800f59e064790b33cdc5b6d
SHA512 601a50d1c4ec0a43a8949df4ce05adf6393bf4948a9d5125484207c4629018f8e74f6cc8e58a3395654b4ff035feaf92f95e2285ebcd36261244c98f2a055fc8

C:\Config.Msi\e585ad3.rbs

MD5 14530f5117ee1c1af123c64a305cc2f5
SHA1 e373f724185fcf75c9c5ceae297a206155e9d3f5
SHA256 a44747160e1cd40d8517f502082ce753d743c5809d5ab53d7fcb40cd6b4a0773
SHA512 383b68dcc8cafd482ed1f4a9cdccd20e3f02dafaf8ed8307966e8ab11a4af418e7b827bc642846d40f87d367a1c25c30995e04dd5da9018b1c74c9c7e8d5db6c

C:\Config.Msi\e585ad6.rbs

MD5 79f67325554ce92ad89b649c8ac59199
SHA1 ca11db8bdaeb7193399474cba5d286d55bb1cb92
SHA256 16230e7edf891c4ee345bd8ac711aa2b4cff835180e176ef7e3d8dbb71773a4b
SHA512 536919ae140f15be877efc0990b84d6be9c893e89c72ab47036c190d97193104f1266950cb799acbf9c93ee8cb07e6e2c0bae1e543b3a9521c3db652cfed97ad

C:\Config.Msi\e585ad9.rbs

MD5 cdbe8c8da8004b22d3ed7e9c6a85a4f5
SHA1 979606885c3be3fb358b3618d2851d8b106f9e62
SHA256 001f4eae8c41d6ec047b242dffe34c936a6a6c333dbc72e992cc80e8dbe09b72
SHA512 301c9c1d16cfaacdee77673dc555cd0e4d30e4bfa10187fe0ea8705c34b915d77e01b741a1752e8c2a68f156c2ec17a1f9a472761113ae6f54c61763c188ceaa

C:\Config.Msi\e585adc.rbs

MD5 ff0778d632fa3d272aeed2b324b9c795
SHA1 ecd025cdf9d89056495611ecb673c169216fc5e6
SHA256 62565a9e9c883118597263d8c629ca17be4d1a13f228c4c1f736117bbb586c16
SHA512 94c98d0f5f2cb3dd26cab7352aa942d5750d10c6122236b05213bbe82a1f1d9e8251359d43d78469be29c8c22bcbf8debb103ab06b27bb80331920e63c37d405

C:\Config.Msi\e585adf.rbs

MD5 2d7f0de3f248da836cbacb21d298fb6a
SHA1 1014637a989d171ac5bfd80ff582781600e18713
SHA256 1d227a28996349a459e83a11b600fd56462dc8a94f720a5cd0753d9ec10e84bc
SHA512 6f2aa7822971864d4f9a0f353afc8ab720fc823a11b868b9f9ff924b3f151ad96986109d208d2180698589f53a4d69cfaec5cd0779ba9b2cbf0172ef783d6160

C:\Config.Msi\e585ae5.rbs

MD5 ce763be6df663de6fc5ff511250e0516
SHA1 06ea024c94807dc348bb1e52d415b5b54fde4980
SHA256 2a52ac2353ef162e25111db4664b96e2d7cf55b8116e4e94c7cdc8ae33a9e31b
SHA512 7d12950ccd4dac6209974a42ef7ee4cfb4221fefd8b10495cfd3d6a2685ca65d1e7d3a6d1372b0639669131088bf75fbf6927583fa5e61d85455e773912b84d7

C:\Config.Msi\e585ae2.rbs

MD5 b41d23adf3c5fe12d74874463aa7f0a6
SHA1 6a137f1eb7fc1c27020ad0c6f419dbbe65b534c2
SHA256 2f2bd79ac2e88968787513c4fb4e1fc91dca9079313811ff85ecbed1c946a46c
SHA512 50d54b085fe9b9996853bc1e4df848e91038f8d02377a686c40fca3201f6e92963ddb32463b29ba0d30fe99d0edc3d0cc56e1d98e9a1fa0b17399c57693121f9

C:\Config.Msi\e585ae8.rbs

MD5 0d2a4d8af3350eca7c4a6a721c781e85
SHA1 3623682789b52d99c4750cd1e2b69c0f960b9cdd
SHA256 121d0c3673a354faff45a051d210a53546f8bffe834da60e4340d464c463d9bd
SHA512 96396e1e144c53b31ec5e739e28ec4ef38a7dcecf9b5bc4e2089ada3375096bac1a6ec0a91e511bb05cd974c065483bd62a1254b3d9d0d68ea044aa8bbd69cdc

C:\Users\Admin\AppData\Local\Temp\05012120-00000be8-gwlv0p79d6\Files\2024-05-01_21-18_be8-ptbmqxam.log

MD5 d6144a10cc819ae2edd867eb54aaefa1
SHA1 881d705751a7badeec985be79720f573b16b80ef
SHA256 c9cdf0bff0beee0ba49486b23fb1a07f88ed20e00d2ee7e6a825ad5f783a3e73
SHA512 4ad3f171194043f40d0f1419717e5eba05195739e3dfa493239b27bb76767dfc314fc32652df9e061738cbbe0e9ca994343e7dc239749a4bf7807556d3c8cbc7