Malware Analysis Report

2025-01-18 22:03

Sample ID 240504-tpecbsag8x
Target wlsetup-all.exe
SHA256 072424c82f942f2b43b68b9154e1f3e0c61b7ee39a08372048ed34e09bd2554a
Tags
adware persistence stealer privateloader loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

072424c82f942f2b43b68b9154e1f3e0c61b7ee39a08372048ed34e09bd2554a

Threat Level: Known bad

The file wlsetup-all.exe was found to be: Known bad.

Malicious Activity Summary

adware persistence stealer privateloader loader

PrivateLoader

Sets file execution options in registry

Loads dropped DLL

Registers COM server for autorun

Executes dropped EXE

Adds Run key to start application

Drops desktop.ini file(s)

Installs/modifies Browser Helper Object

Enumerates connected drives

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Modifies data under HKEY_USERS

Uses Volume Shadow Copy service COM API

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Checks processor information in registry

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-04 16:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-04 16:13

Reported

2024-05-04 16:17

Platform

win7-20240221-en

Max time kernel

117s

Max time network

193s

Command Line

"C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\rq27ol9t\b6keb2o9.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\mu2mu57n\b8h7rm5h.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\m6q2csp3\9e2aawd5.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\72ytorm5\183ei32e.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\bh4c9nar\geemmibh.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\1p3vnbyh\wvomj96n.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\tb3cszki\qxp9q6gz.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\bvtr4t9i\ylrruiyz.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\vmrzzrus\0qjpyk27.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\uzademl2\sihik69v.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\e3wxop7p\9a9xnygy.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\thlvxiot\9e88wqnj.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\g6r18do3\6346yvom.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\sk8xmi59\r2o2pwe2.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\wwxc5n56\au8rns5c.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\4dm3ac7f\wt00bxxv.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\e42kikbd\6gz9me0y.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\dhgvsqac\8jmozsp5.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\sa3zlyzn\5sadxwtb.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\iboywmd4\m731a7zu.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\3j4l0xw0\19jlgp97.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\iae0z1rb\1q8rngez.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\1c07sbzf\vbanbk7l.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\vtw9ktok\xjq35er9.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\cebbmgz2\dbw2z055.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\m14xnw1s\pyfmwc63.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\356075f01da9e3e01\DXSETUP.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\o91ascj3\tias9x2n.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\a4thutla\h9v02819.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\x6195lro\hhax5l7n.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\kk62mqme\k8wg9wlw.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\kf0488dp\ttvzhwbu.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\rxoaqucx\cjmogz1j.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\xohdwue2\pea2xlw9.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\366b0ff01da9e3e04\DXSETUP.exe N/A
N/A N/A C:\Windows\Installer\MSIF74D.tmp N/A
N/A N/A C:\Windows\Installer\MSIF76F.tmp N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F8A0B131-5F68-486c-8040-7E8FC3C85BB6}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72BFEB11-2681-490D-874B-652FC1D75ED8}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{79FD7442-008F-42D9-ADFA-377C441D2DB1}\InProcServer32\ThreadingModel = "Both" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7F9888F-E3FC-49b0-9EA6-A85B5F392A4F}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{F8A0B131-5F68-486c-8040-7E8FC3C85BB6}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F8A0B131-5F68-486c-8040-7E8FC3C85BB6}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WLIDCREDPROV.DLL" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2517915-48CE-4286-970F-921E881B8C5C}\InprocServer32 C:\Windows\system32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72BFEB11-2681-490D-874B-652FC1D75ED8}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{79FD7442-008F-42D9-ADFA-377C441D2DB1}\InProcServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7F9888F-E3FC-49b0-9EA6-A85B5F392A4F}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WLIDPROV.DLL" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7F9888F-E3FC-49b0-9EA6-A85B5F392A4F}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9030D464-4C02-4ABF-8ECC-5164760863C6}\InprocServer32 C:\Windows\system32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9030D464-4C02-4ABF-8ECC-5164760863C6}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2517915-48CE-4286-970F-921E881B8C5C}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72BFEB11-2681-490D-874B-652FC1D75ED8}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\wlidcli.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{79FD7442-008F-42D9-ADFA-377C441D2DB1}\InProcServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\wlidcli.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{58FC39EB-9DBD-4EA7-B7B4-9404CC6ACFAB}\LocalServer32\ = "C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\DWTRIG20.EXE -s" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{58FC39EB-9DBD-4EA7-B7B4-9404CC6ACFAB}\LocalServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9030D464-4C02-4ABF-8ECC-5164760863C6}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WindowsLiveLogin.dll" C:\Windows\system32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2517915-48CE-4286-970F-921E881B8C5C}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WindowsLiveLogin.dll" C:\Windows\system32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{58FC39EB-9DBD-4EA7-B7B4-9404CC6ACFAB}\LocalServer32 C:\Windows\system32\msiexec.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\DXTempFolder = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\DXD28B.tmp\\\"" C:\Program Files (x86)\Common Files\Windows Live\.cache\356075f01da9e3e01\DXSETUP.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6} C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}\NoExplorer = "1" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6} C:\Windows\system32\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}\NoExplorer = "1" C:\Windows\system32\MsiExec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\SETE791.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\366b0ff01da9e3e04\DXSETUP.exe N/A
File created C:\Windows\SysWOW64\D3DCompiler_41.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\SETB25E.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe N/A
File opened for modification C:\Windows\SysWOW64\d3dx9_32.dll C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe N/A
File opened for modification C:\Windows\SysWOW64\SETB25E.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe N/A
File opened for modification C:\Windows\SysWOW64\d3dx11_43.dll C:\Program Files (x86)\Common Files\Windows Live\.cache\366b0ff01da9e3e04\DXSETUP.exe N/A
File created C:\Windows\SysWOW64\LIVESSP.DLL C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\LIVESSP.DLL C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\d3dx10_41.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\SETD365.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\356075f01da9e3e01\DXSETUP.exe N/A
File created C:\Windows\SysWOW64\SETD365.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\356075f01da9e3e01\DXSETUP.exe N/A
File opened for modification C:\Windows\SysWOW64\d3dx10_42.dll C:\Program Files (x86)\Common Files\Windows Live\.cache\356075f01da9e3e01\DXSETUP.exe N/A
File created C:\Windows\SysWOW64\SETE791.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\366b0ff01da9e3e04\DXSETUP.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Live\Contacts\condb.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DSETUP.dll C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\41fc3e701da9e3e1d\PhotoCommonLang.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Windows Live\Shared\wliduxhc.thm C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Windows Live\Installer\startuphc.thm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\366b0ff01da9e3e04\Jun2010_d3dx11_43_x64.cab C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Windows Live\Installer\wlupdate.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\msidcrl40.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Installer\wlsettings.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Contacts\abssm.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Shared\uxcontacts.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\3e35d0301da9e3e17\SQLServerCE31-EN.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDRES.DLL C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Windows Live\Installer\wlarp.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\356075f01da9e3e01\dsetup32.dll C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\366b0ff01da9e3e04\Jun2010_D3DCompiler_43_x64.cab C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Windows Live\Installer\settingshc.thm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Shared\uxctlloc.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Installer\en\wlsettingslang.dll.mui C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Windows Live\Installer\startupres.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Windows Live\Installer\wlupdate.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\366b0ff01da9e3e04\Jun2010_XAudio_x86.cab C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\38c2ea701da9e3e0b\WLMimeFilter-amd64.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDCREDPROV.DLL C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Installer\wlsettingsres.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Shared\uxcalendar.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\3bc165301da9e3e14\Messenger.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\4296f7d01da9e3e21\MovieMakerLang.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Windows Live\Installer\LangSelectorLang.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Windows Live\Installer\wlsettingslang.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Windows Live\Installer\LangSelector.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\366b0ff01da9e3e04\Jun2010_d3dx11_43_x86.cab C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Installer\startuphc.thm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Shared\uxctl.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Windows Live\.cache\373c88f01da9e3e07\crt110_amd64.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\375919701da9e3e08\wllogin_wlx-x64.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\38fe6cd01da9e3e0e\Contacts.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Windows Live\Shared\uxcore.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Windows Live\Installer\wlshim.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\356075f01da9e3e01\DXSETUP.exe C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\3b113f701da9e3e12\SpamFilterData.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\36e476101da9e3e05\crt110.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\3ce88fb01da9e3e15\Mail.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Windows Live\Shared\wliduxloc.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\356075f01da9e3e01\Aug2009_d3dx10_42_x64.cab C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\366b0ff01da9e3e04\DSETUP.dll C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\3b7539301da9e3e13\PhotoCommon.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened for modification C:\Program Files (x86)\Windows Live\Installer\langselectorhc.thm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\356075f01da9e3e01\Aug2009_d3dx10_42_x86.cab C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\38dd19901da9e3e0d\soxe.definitions.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Windows Live\.cache\36e476101da9e3e05\crt110.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Windows Live\.cache\cache.ini C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\dsetup32.dll C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\3dbecb701da9e3e16\Writer.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File opened for modification C:\Program Files (x86)\Windows Live\Installer\wlsres.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\4189fc701da9e3e1c\MessengerLang.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Windows Live\Contacts\LivePlatform.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Windows Live\Installer\settingshc.thm C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Windows Live\Installer\defmgr.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Windows Live\.cache C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\417bb4301da9e3e1b\WLXSuiteLang.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\f76e95b.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76e97b.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240504161530787.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76e95f.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Logs\DirectX.log C:\Program Files (x86)\Common Files\Windows Live\.cache\366b0ff01da9e3e04\DXSETUP.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\8CDD41E806AE81E43B3E917301D4B5AD\16.4.1108\F_CENTRAL_vccorlib110_x86.F9D0B380_EB85_31D4_96AC_C6CB40086A55 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76e972.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Logs\DXError.log C:\Program Files (x86)\Common Files\Windows Live\.cache\356075f01da9e3e01\DXSETUP.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240504161529539.0\9.0.30729.4148.policy C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76e97a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI227B.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76e965.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76e966.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\F187AF9E08E3993428A5DAE3112CC877\16.4.1109\F_CENTRAL_msvcr110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI16A8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1CF8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Logs\DXError.log C:\Program Files (x86)\Common Files\Windows Live\.cache\366b0ff01da9e3e04\DXSETUP.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\8CDD41E806AE81E43B3E917301D4B5AD\16.4.1108\F_CENTRAL_msvcp110_x86.F9D0B380_EB85_31D4_96AC_C6CB40086A55 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76e963.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\F187AF9E08E3993428A5DAE3112CC877\16.4.1109\F_CENTRAL_vcomp110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIFE46.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76e98a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\F187AF9E08E3993428A5DAE3112CC877\CacheSize.txt C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76e956.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240504161530787.0\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa.manifest C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\F187AF9E08E3993428A5DAE3112CC877\16.4.1109\F_CENTRAL_vccorlib110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240504161530787.0\vcomp90.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\F187AF9E08E3993428A5DAE3112CC877\16.4.1109 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76e982.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76e98f.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240504161529508.0\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa.cat C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF77F.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76e96e.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76e96f.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76e9a8.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\F187AF9E08E3993428A5DAE3112CC877\16.4.1109\F_CENTRAL_msvcp110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIFFA.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76e97f.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\F187AF9E08E3993428A5DAE3112CC877\CacheSize.txt C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76e95b.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\8CDD41E806AE81E43B3E917301D4B5AD\16.4.1108\F_CENTRAL_msvcr110_x86.F9D0B380_EB85_31D4_96AC_C6CB40086A55 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76e963.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76e97f.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76e972.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76e99e.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240504161529539.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF623.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76e956.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\F187AF9E08E3993428A5DAE3112CC877\16.4.1109\F_CENTRAL_vccorlib110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240504161538743.0\msvcr80.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76e97e.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f76e95e.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f76e985.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1BAE.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76e989.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76e98d.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Logs\DXError.log C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe N/A
File created C:\Windows\Installer\f76e98a.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76e9a8.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240504161530460.1\9.0.30729.4148.cat C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{380689D0-AFAA-47E6-B80E-A33436FE314B}\ = "Windows Live Contact Database" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{380689D0-AFAA-47E6-B80E-A33436FE314B} C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9019d14b-638d-4383-bb95-441b7f57eafb} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9019d14b-638d-4383-bb95-441b7f57eafb}\AppPath = "C:\\Program Files (x86)\\Windows Live\\Installer\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{380689D0-AFAA-47E6-B80E-A33436FE314B} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9019d14b-638d-4383-bb95-441b7f57eafb}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{380689D0-AFAA-47E6-B80E-A33436FE314B}\AppName = "wlcomm.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{380689D0-AFAA-47E6-B80E-A33436FE314B}\AppPath = "C:\\Program Files (x86)\\Windows Live\\Contacts\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{380689D0-AFAA-47E6-B80E-A33436FE314B}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9019d14b-638d-4383-bb95-441b7f57eafb} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9019d14b-638d-4383-bb95-441b7f57eafb}\AppName = "wlstartup.exe" C:\Windows\system32\msiexec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\StoredIdentities C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\3C C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\35 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\IdentityCRL\DeviceIdentities\production\Done = "1" C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\36 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\IdentityCRL\DeviceIdentities\production C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\38 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\34\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\3A C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\34 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\3C C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\3E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\IdentityCRL C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{66BB2723-7E7D-4AB3-BD1F-843CCF00B640}\TypeLib\Version = "10.4" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{600FB328-4E2D-4C85-989D-5CA19A41D121}\TypeLib C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{09133927-3F57-41C2-82DA-91530515B2AB}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{600FA304-4E2D-4C85-989D-5CA19A41D121} C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A5FA3C01-EA68-4A02-AC07-7C64D64B6E7F}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{58FC39EB-9DBD-4EA7-B7B4-9404CC6ACFAB}\AppID = "{58FC39EB-9DBD-4EA7-B7B4-9404CC6ACFAB}" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00BA1CDCFF107CF418A6616CF790320C\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A5FA3C02-EA68-4A02-AC07-7C64D64B6E7F}\ = "ILiveObjectCollection" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{38604C20-4F74-42EE-B3D3-F1E71F6AC7A3}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{FD5EE9BA-A7F7-4728-8D72-813977AFC201}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{8D683055-CB8A-4861-A25A-20B08DFA4B33} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{34CD8C45-56A0-4200-933F-38035ED7F7FC}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{A5FA3C16-EA68-4A02-AC07-7C64D64B6E7F} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{DE181FAB-D331-4D48-9443-18C395B853B0}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IDBHO.IDBHOCtrl.1\ = "Windows Live Sign-in Control" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2517915-48CE-4286-970F-921E881B8C5C}\ProgID C:\Windows\system32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{51CF8E37-5A9F-483A-8CA6-289C73AFB1B4}\ProxyStubClsid32\ = "{35C08979-C203-494E-A780-A5ADC524204D}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C8BD9F007D5674D4BAF56F89EE8385D0\SourceList\Net\1 = "C:\\Program Files (x86)\\Common Files\\Windows Live\\.cache\\399926301da9e3e11\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F44BDDDB-558D-4D5E-8A41-093288C38901}\LocalServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DF4B4853-6A83-4EB8-BDBC-3890889753AA}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9F5F2256B11431547AB5EC0A30590F23\PackageCode = "BAF31D5102F77DE489F1F3904B410C8C" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IDBHO.IDBrowserExtension.1\CLSID\ = "{9030D464-4C02-4ABF-8ECC-5164760863C6}" C:\Windows\system32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D69A1CF8-3A41-4B00-86BA-394D34C7A25B}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F2AC1396-CF5A-4A0D-88FA-32EBBC4D4632}\InprocServer32\ = "C:\\Program Files (x86)\\Windows Live\\Contacts\\conmigrate.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{3E96782C-FAB2-4552-ADB8-4F3CC70FFE8B}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9C7FF59A-29CE-495E-8513-2461105C0D70}\NumMethods\ = "4" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A5FA3C05-EA68-4A02-AC07-7C64D64B6E7F}\TypeLib C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{A5FA3C02-EA68-4A02-AC07-7C64D64B6E7F}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A5FA3C00-EA68-4A02-AC07-7C64D64B6E7F}\10.4\FLAGS\ = "4" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{66BB2723-7E7D-4AB3-BD1F-843CCF00B640}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00BA1CDCFF107CF418A6616CF790320C\SourceList\Net\1 = "C:\\Program Files (x86)\\Common Files\\Windows Live\\.cache\\38cc6ff01da9e3e0c\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{49B4E48B-4FE9-4C0A-AF58-946EB29A1E13}\TypeLib C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{FACA22DC-24BB-4510-A331-D00BF666E93A}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A5FA3C18-EA68-4A02-AC07-7C64D64B6E7F}\NumMethods\ = "17" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{A5FA3C06-EA68-4A02-AC07-7C64D64B6E7F}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8D683055-CB8A-4861-A25A-20B08DFA4B33} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C18BC956E45B1FD46B813F757793A345\ProductName = "Windows Live Installer" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{AE493755-4757-460C-8C59-634510127579}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0BB497B-0EE9-4C86-8AD5-259778312379}\ProxyStubClsid32\ = "{35C08979-C203-494E-A780-A5ADC524204D}" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{983014B9-03A4-40B2-AC1D-184A3DD28AE9}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA53D40C-1BFF-4851-9A72-C9415FA608BE}\ = "CMIntermediateObject" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A5FA3C01-EA68-4A02-AC07-7C64D64B6E7F}\NumMethods\ = "9" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE9495E6-76C2-487A-85C0-2F7127CF359E}\ = "ILiveSocialNewsActivityDataCollection" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A5FA3C14-EA68-4A02-AC07-7C64D64B6E7F}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A5FA3C14-EA68-4A02-AC07-7C64D64B6E7F}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F187AF9E08E3993428A5DAE3112CC877\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C18BC956E45B1FD46B813F757793A345\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0003981D77AEC394D8DD2E2634E659B9\ProductName = "Windows Live SOXE Definitions" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8BD600A-7498-4ACD-AF57-84BABC97D0CB} C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{600FA340-4E2D-4C85-989D-5CA19A41D121}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2037D971-2483-4669-8E80-B14FD47B6250} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72BFEB11-2681-490D-874B-652FC1D75ED8}\TypeLib\ = "{121932AD-6881-46E4-BCA8-9155A87E77F9}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3E96782C-FAB2-4552-ADB8-4F3CC70FFE8B}\NumMethods\ = "7" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{C1BDEF70-4BD0-4C1C-B06B-67D74FBE8F0D} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A5FA3C01-EA68-4A02-AC07-7C64D64B6E7F}\TypeLib\Version = "10.4" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2771B0E3555C8094191AA2C0B664D94F C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D9185B6607EDEB244BF079F8AB2154E2 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F2AC1396-CF5A-4A0D-88FA-32EBBC4D4632}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{A5FA3C11-EA68-4A02-AC07-7C64D64B6E7F} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A70EA5C4-E28B-428A-B1BD-B0D62885791D} C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{35624222-5F89-411C-A415-D35DF9DDC042}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A6C64DD86500CEF47BA082BB611A1FF1\ProductName = "MSVCRT" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8CDD41E806AE81E43B3E917301D4B5AD\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE7F264D-B87C-445D-ADEA-3756C6C2A13B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CRLs C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\EFF588CF6F8EA3434E8EC3ECD31D11D9A3805421\Blob = 030000000100000014000000eff588cf6f8ea3434e8ec3ecd31d11d9a38054212000000001000000200300003082031c308202dba003020102020900d8e9f71464f4b781300906072a8648ce38040330233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579301e170d3038303730393032303931345a170d3133303730383032303931345a30233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579308201b73082012b06072a8648ce3804013082011e02818100b4b4ca5c74226505250710a306600f517f531b63c227d8981fa1134febef3bb2fa65977410c3f8ab9cb0f116982fd836a688e1a7cf9850e27b719f3ac84b9327317fe89b19d4d321d989a9f3310d7ccdc3671ecbf86f121c3ff132a52ba824f32b990d35f3ad6ef042fad7d9e0ae50bbe5808e367bc89bc070e366c565c533d9021500f998b616779da552b83162782400451be24e74ff0281802092e5ef0cedb0d4a8bb8a200ce6e530f4f167ecff6c4c5597927e7cd6f0a74018e37766478ce455c5c9fd738a1b96624fc3fa8999a03aac37b849a68dafc388f708a0ef07a69317951c4c6edd285d16fc0fae19c54551b63d1d40546f80b426a68481c09c4e7682087d55d5290de5400f94061ad0c27b97ad894f231b4f3e0c0381850002818100aa0bb040d7968a48941dc0a39b6c223df1a9879adffff1af6452409ef9e933d0bcf8b29db66ecc7d8f168d1249177f3d436999aeb91c7d951613a259eea227ce11ca177931d670d04e67e0f53b28451671fb4d74780ab34c7d07c54d7565fe1b5ad4ef63229922c79791ce285eab021645f0e1a524ddc475de33b5d89165f553a38198308195301d0603551d0e041604149046b506bf3542f9f0c64e4b842f7ca629522fc830530603551d23044c304a80149046b506bf3542f9f0c64e4b842f7ca629522fc8a127a42530233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579820900d8e9f71464f4b78130120603551d130101ff040830060101ff020100300b0603551d0f0404030201c6300906072a8648ce380403033000302d021500ae1432cdbf8f7a98f358c3995165ebdc8e241d7a02141f102cd6a29ff5b907bd0d9e4bf3bbd74e062271 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\7F8E8604ABE7983D5FCD32E1F388CAD3A699585D C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\7F8E8604ABE7983D5FCD32E1F388CAD3A699585D\Blob = 0300000001000000140000007f8e8604abe7983d5fcd32e1f388cad3a699585d2000000001000000200300003082031c308202dca003020102020900ab3e152c24c9e721300906072a8648ce38040330233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579301e170d3131303531373231303534315a170d3136303531353231303534315a30233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579308201b83082012c06072a8648ce3804013082011f02818100fabeebcbad8d8a07e339cbec6804e7cfcd7b7bc8c6590a4182ad7801510a1b8bc676d72eb0c83dd38e53378ff1eba7caec1a6334bc6aa7b71c6d024c81ac7eec5f7dec2d9ab0b3449fad6756f376d670dd880e97795305084b207fda38eaf7a126f3463a18aa7c9a6c2954a31471d3303a9ad01eeebe4424abceb8203b64a24b021500d431c3ef6780b96e0f2947eadcecb1d613635e7502818100df0d23c50ff45163d2320f6943b2c479c030c68b73455c6c63f42ba020c45e758148e639dbcfb57aab0f5a902f924b7c5de649c479300021fb2bee4fc3d773c06935a99a27f681f5f1750c46160312c13b5225ff30f9f69efe84cbbfffb929d24111a41ceaa62d46dd32309a72a0209e82b06de38c3bc32993d141cd2d1790f00381850002818100f9b0f1cf36bddfca9847b4f6af93caa66a0c03d6f1f7b48d431a31c9655b7a7eb6553b16bb3d40e83ff0526b24bc24b9adc10b9d805ca920fed465127922f0e0cf946a32e4d7141ca3ae56c8bce58df0fb848c8db9904390da74ec92bea5ac61c77c179d07a380501d9d5acc0d416b06c5fdd861b78e648ba03f4145ed39778fa38198308195301d0603551d0e041604146884a8968565915fcfe091a48141a38338eb552030530603551d23044c304a80146884a8968565915fcfe091a48141a38338eb5520a127a42530233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579820900ab3e152c24c9e72130120603551d130101ff040830060101ff020100300b0603551d0f0404030201c6300906072a8648ce380403032f00302c02142b3e13b30a01482a3ac4cd33b53882477cab460a02140cbacb849f1a2844cb5e5a0fe8b4e556f4ecf821 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\Windows Live ID Token Issuer C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CTLs C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\EFF588CF6F8EA3434E8EC3ECD31D11D9A3805421 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\356075f01da9e3e01\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\356075f01da9e3e01\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\356075f01da9e3e01\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\356075f01da9e3e01\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\356075f01da9e3e01\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\356075f01da9e3e01\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\356075f01da9e3e01\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\356075f01da9e3e01\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\356075f01da9e3e01\DXSETUP.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\356075f01da9e3e01\DXSETUP.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1044 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\rq27ol9t\b6keb2o9.exe
PID 1044 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\rq27ol9t\b6keb2o9.exe
PID 1044 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\rq27ol9t\b6keb2o9.exe
PID 1044 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\rq27ol9t\b6keb2o9.exe
PID 1044 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\mu2mu57n\b8h7rm5h.exe
PID 1044 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\mu2mu57n\b8h7rm5h.exe
PID 1044 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\mu2mu57n\b8h7rm5h.exe
PID 1044 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\mu2mu57n\b8h7rm5h.exe
PID 1044 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\m6q2csp3\9e2aawd5.exe
PID 1044 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\m6q2csp3\9e2aawd5.exe
PID 1044 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\m6q2csp3\9e2aawd5.exe
PID 1044 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\m6q2csp3\9e2aawd5.exe
PID 1044 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\72ytorm5\183ei32e.exe
PID 1044 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\72ytorm5\183ei32e.exe
PID 1044 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\72ytorm5\183ei32e.exe
PID 1044 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\72ytorm5\183ei32e.exe
PID 1044 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\bh4c9nar\geemmibh.exe
PID 1044 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\bh4c9nar\geemmibh.exe
PID 1044 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\bh4c9nar\geemmibh.exe
PID 1044 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\bh4c9nar\geemmibh.exe
PID 1044 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\1p3vnbyh\wvomj96n.exe
PID 1044 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\1p3vnbyh\wvomj96n.exe
PID 1044 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\1p3vnbyh\wvomj96n.exe
PID 1044 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\1p3vnbyh\wvomj96n.exe
PID 1044 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\tb3cszki\qxp9q6gz.exe
PID 1044 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\tb3cszki\qxp9q6gz.exe
PID 1044 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\tb3cszki\qxp9q6gz.exe
PID 1044 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\tb3cszki\qxp9q6gz.exe
PID 1044 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\bvtr4t9i\ylrruiyz.exe
PID 1044 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\bvtr4t9i\ylrruiyz.exe
PID 1044 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\bvtr4t9i\ylrruiyz.exe
PID 1044 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\bvtr4t9i\ylrruiyz.exe
PID 1044 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\vmrzzrus\0qjpyk27.exe
PID 1044 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\vmrzzrus\0qjpyk27.exe
PID 1044 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\vmrzzrus\0qjpyk27.exe
PID 1044 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\vmrzzrus\0qjpyk27.exe
PID 1044 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\uzademl2\sihik69v.exe
PID 1044 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\uzademl2\sihik69v.exe
PID 1044 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\uzademl2\sihik69v.exe
PID 1044 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\uzademl2\sihik69v.exe
PID 1044 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\e3wxop7p\9a9xnygy.exe
PID 1044 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\e3wxop7p\9a9xnygy.exe
PID 1044 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\e3wxop7p\9a9xnygy.exe
PID 1044 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\e3wxop7p\9a9xnygy.exe
PID 1044 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\thlvxiot\9e88wqnj.exe
PID 1044 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\thlvxiot\9e88wqnj.exe
PID 1044 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\thlvxiot\9e88wqnj.exe
PID 1044 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\thlvxiot\9e88wqnj.exe
PID 1044 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\g6r18do3\6346yvom.exe
PID 1044 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\g6r18do3\6346yvom.exe
PID 1044 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\g6r18do3\6346yvom.exe
PID 1044 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\g6r18do3\6346yvom.exe
PID 1044 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\sk8xmi59\r2o2pwe2.exe
PID 1044 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\sk8xmi59\r2o2pwe2.exe
PID 1044 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\sk8xmi59\r2o2pwe2.exe
PID 1044 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\sk8xmi59\r2o2pwe2.exe
PID 1044 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\wwxc5n56\au8rns5c.exe
PID 1044 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\wwxc5n56\au8rns5c.exe
PID 1044 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\wwxc5n56\au8rns5c.exe
PID 1044 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\wwxc5n56\au8rns5c.exe
PID 1044 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\4dm3ac7f\wt00bxxv.exe
PID 1044 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\4dm3ac7f\wt00bxxv.exe
PID 1044 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\4dm3ac7f\wt00bxxv.exe
PID 1044 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\4dm3ac7f\wt00bxxv.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe

"C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\rq27ol9t\b6keb2o9.exe

b6keb2o9.exe u05vwpqu.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\mu2mu57n\b8h7rm5h.exe

b8h7rm5h.exe 5hiw9m2w.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\m6q2csp3\9e2aawd5.exe

9e2aawd5.exe m3ripmgv.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\72ytorm5\183ei32e.exe

183ei32e.exe ahjwnku4.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\bh4c9nar\geemmibh.exe

geemmibh.exe 1yhy90jn.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\1p3vnbyh\wvomj96n.exe

wvomj96n.exe clpu9km4.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\tb3cszki\qxp9q6gz.exe

qxp9q6gz.exe a1i3jpea.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\bvtr4t9i\ylrruiyz.exe

ylrruiyz.exe knowzmtf.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\vmrzzrus\0qjpyk27.exe

0qjpyk27.exe 37zm8ad3.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\uzademl2\sihik69v.exe

sihik69v.exe 195cb9rv.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\e3wxop7p\9a9xnygy.exe

9a9xnygy.exe qtnxzcgh.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\thlvxiot\9e88wqnj.exe

9e88wqnj.exe y6c523v0.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\g6r18do3\6346yvom.exe

6346yvom.exe 366q1tqu.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\sk8xmi59\r2o2pwe2.exe

r2o2pwe2.exe 5q40vciv.tmp

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005AC" "00000000000005B4"

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\wwxc5n56\au8rns5c.exe

au8rns5c.exe 3uzzdo5j.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\4dm3ac7f\wt00bxxv.exe

wt00bxxv.exe x8fxk4ja.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\e42kikbd\6gz9me0y.exe

6gz9me0y.exe rz43qxfo.tmp

C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe

"C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe" /silent

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\dhgvsqac\8jmozsp5.exe

8jmozsp5.exe 9klqgn3d.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\sa3zlyzn\5sadxwtb.exe

5sadxwtb.exe owvvx0jk.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\iboywmd4\m731a7zu.exe

m731a7zu.exe fotba8f9.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\3j4l0xw0\19jlgp97.exe

19jlgp97.exe 5zx5o8l9.tmp

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot20" "" "" "65dbac317" "0000000000000000" "0000000000000314" "0000000000000534"

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\iae0z1rb\1q8rngez.exe

1q8rngez.exe 6zak7c1g.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\1c07sbzf\vbanbk7l.exe

vbanbk7l.exe awrjk1h4.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\vtw9ktok\xjq35er9.exe

xjq35er9.exe je5khi32.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\cebbmgz2\dbw2z055.exe

dbw2z055.exe 62zfe8fm.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\m14xnw1s\pyfmwc63.exe

pyfmwc63.exe 0pv2xmel.tmp

C:\Program Files (x86)\Common Files\Windows Live\.cache\356075f01da9e3e01\DXSETUP.exe

"C:\Program Files (x86)\Common Files\Windows Live\.cache\356075f01da9e3e01\DXSETUP.exe" /silent

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\o91ascj3\tias9x2n.exe

tias9x2n.exe ecldniep.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\a4thutla\h9v02819.exe

h9v02819.exe qwftzynk.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\x6195lro\hhax5l7n.exe

hhax5l7n.exe kaknofre.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\kk62mqme\k8wg9wlw.exe

k8wg9wlw.exe 0gc8iynx.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\kf0488dp\ttvzhwbu.exe

ttvzhwbu.exe gp5q7y5r.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\rxoaqucx\cjmogz1j.exe

cjmogz1j.exe ucoberpf.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\xohdwue2\pea2xlw9.exe

pea2xlw9.exe 75vvws0u.tmp

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot21" "" "" "6f9bf5bcb" "0000000000000000" "00000000000005AC" "0000000000000314"

C:\Program Files (x86)\Common Files\Windows Live\.cache\366b0ff01da9e3e04\DXSETUP.exe

"C:\Program Files (x86)\Common Files\Windows Live\.cache\366b0ff01da9e3e04\DXSETUP.exe" /silent

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot22" "" "" "695c3f483" "0000000000000000" "0000000000000574" "0000000000000534"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll"

C:\Windows\system32\MsiExec.exe

"C:\Windows\system32\MsiExec.exe" /Y "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll"

C:\Windows\Installer\MSIF74D.tmp

"C:\Windows\Installer\MSIF74D.tmp" reg.exe add "HKLM\SOFTWARE\Microsoft\Function Discovery\Categories\Layered\Microsoft.OnlineProvider.Devices\WindowsLive" /v 00000000 /d "<categoryMetadata name=\"WindowsLive Devices\"><queryDefinition><category identity=\"Provider\Microsoft.WindowsLive.Devices\"/></queryDefinition></categoryMetadata>" /t REG_SZ /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\SOFTWARE\Microsoft\Function Discovery\Categories\Layered\Microsoft.OnlineProvider.Devices\WindowsLive" /v 00000000 /d "<categoryMetadata name=\"WindowsLive Devices\"><queryDefinition><category identity=\"Provider\Microsoft.WindowsLive.Devices\"/></queryDefinition></categoryMetadata>" /t REG_SZ /f

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding 9629A203A8DCD4DB3CC91243819FE9A7 M Global\MSI0000

C:\Windows\Installer\MSIF76F.tmp

"C:\Windows\Installer\MSIF76F.tmp" reg.exe add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Function Discovery\Categories\Layered\Microsoft.OnlineProvider.Devices\WindowsLive" /v 00000000 /d "<categoryMetadata name=\"WindowsLive Devices\"><queryDefinition><category identity=\"Provider\Microsoft.WindowsLive.Devices\"/></queryDefinition></categoryMetadata>" /t REG_SZ /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Function Discovery\Categories\Layered\Microsoft.OnlineProvider.Devices\WindowsLive" /v 00000000 /d "<categoryMetadata name=\"WindowsLive Devices\"><queryDefinition><category identity=\"Provider\Microsoft.WindowsLive.Devices\"/></queryDefinition></categoryMetadata>" /t REG_SZ /f

C:\Windows\system32\regsvr32.exe

regsvr32.exe /s "C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDPROV.DLL"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDPROV.DLL"

C:\Windows\system32\regsvr32.exe

regsvr32.exe /s "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDPROV.DLL"

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

"C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE"

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

WLIDSvcM.exe 4640

C:\Windows\system32\regsvr32.exe

regsvr32.exe /s "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL"

C:\Windows\system32\regsvr32.exe

regsvr32.exe /s "C:\Windows\system32\LIVESSP.DLL"

C:\Windows\system32\regsvr32.exe

regsvr32.exe /s "C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL"

C:\Windows\system32\regsvr32.exe

regsvr32.exe /s "C:\Windows\SysWOW64\LIVESSP.DLL"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Windows\SysWOW64\LIVESSP.DLL"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot23" "" "" "631c88d3b" "0000000000000000" "00000000000005DC" "00000000000005AC"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding ADA5B2B7F5C18FB136E1B6BBBA4F8563

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding A31DD0C4DFE399D0276EADA771CE5E22

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 89E41CCF85F15C449FB0818E8DE6FA17 M Global\MSI0000

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /Create /tn "Microsoft\Windows Live\SOXE\Extractor Definitions Update Task" /xml "C:\ProgramData\Microsoft\Windows Live\SOXE\updaterTask.xml" /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 udp
IE 68.219.88.225:80 g.live.com tcp
US 8.8.8.8:53 www.msn.com udp
US 204.79.197.203:80 www.msn.com tcp
US 204.79.197.203:443 www.msn.com tcp
US 204.79.197.203:443 www.msn.com tcp
US 204.79.197.203:443 www.msn.com tcp
US 204.79.197.203:443 www.msn.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
US 2.18.190.80:80 crl.microsoft.com tcp
US 204.79.197.203:443 www.msn.com tcp
US 204.79.197.203:443 www.msn.com tcp
US 204.79.197.203:443 www.msn.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.203:443 www.msn.com tcp
US 8.8.8.8:53 ls2web.redmond.corp.microsoft.com udp
US 8.8.8.8:53 ssw.live.com udp
US 13.105.28.18:80 ssw.live.com tcp
US 204.79.197.203:443 www.msn.com tcp
US 8.8.8.8:53 sqm.microsoft.com udp

Files

C:\Users\Admin\AppData\Local\Temp\050416~1\tmp1AA2.tmp

MD5 8274c233094ab59f40135619f32848cc
SHA1 cb588154fc7e951e0199d2a56dc494010e7a994f
SHA256 ac1a5b92fc478ed69aec3d94c6c0ba328789bb4e44a9c56598a4f961edfcb09c
SHA512 08434975e41233ac9efe507d87743fa3962321b2b556b1066514745d9a885f62ceab2d0bb6eb8d045186e5b9d1efee561851a7fdd5726495658ebf4d7693d105

C:\PROGRA~3\MICROS~1\WLSetup\wlt1C1A.tmp

MD5 cbf9a63a3faccbb98f8056b9ee1118e3
SHA1 2a1404023097cdfc07a578e0a8b5b5abe4db7b90
SHA256 21679dca7b22f90fb864b4a30d7ef032710804b04bfd9c369305f50d8ad6e81c
SHA512 b20458b6c80503e62a282c872dfa4fb40b53bbc079ab43ce721f47910b72cc7e5cb77123b5da8e4b72fb0a2b87b4151bd5467ef7fa2f7424ed49762b25184d47

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar2A47.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Program Files (x86)\Common Files\Windows Live\.cache\cache.ini

MD5 6bba5a7ea205b00474d9073b1a75f67e
SHA1 6f501f39be35fd6e29753a7e648d1f040e733bcf
SHA256 e63258d9621253183e15b4ae01438f85cd94f2391493d127134e3b4d4e00f0b7
SHA512 95d23a109c61bac6ca1ca7d6c77ba26d6221f078548353d0c62bf4e9897b3ab7bc3ea3eafe5e2458852f37ab733dc92a9bb4101eee01a67bf6c8f67c761158e7

C:\PROGRA~3\MICROS~1\WLSetup\wlt7195.tmp

MD5 02136a305a5fcbc5b31373cb489a1a34
SHA1 c6d9d7390c781ddce4d972bc92f57a00952f32b4
SHA256 0de72fad2d446e5a49da3e8f2193dd20eedc5efc15de5f628b6f84cb58d7b00f
SHA512 1bc2e54b11e6eeca047804d77eb7f7ec9f0f3dd539e5a8ae2b7dced5653c985dcc25eec9f0f65153935f06b8d4b36f21d00c53cdaf32773e93a4bb3e244e36f5

\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\rq27ol9t\b6keb2o9.exe

MD5 b3695953f17eb4ef1c67422007304546
SHA1 a4915419b346f11d304f337f4e9bb627be5171ea
SHA256 650b8d8737e5565709c740508b41b187720eaa32edd12f8b66bacc27f2270953
SHA512 73b5aab985ca473b88d2efb3386a0c22eec12c035bf6f89e23905d58e6e5cd83d71ecf2909e06d661011da4987badc1b5a071613980260c5bc75a9e48ee93db2

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\rq27ol9t\u05vwpqu.tmp

MD5 0edc6461b2b7af6dcec4a152c6d12797
SHA1 0c0f0df6223a061e7661d772761020ac2e2e06a2
SHA256 5a754fc90bfa2f60b3a0fbf45e9ff7658f77daa08debb2bdb6ca6c26304bd627
SHA512 54a540e6e410fc7740317e494f60c8b12b2b824fe5ede4d5339e79c0cde4ff8db09f1c9c4350cf175cd6898a77e74e8efe5973dc526e3d990380940c01e0a99f

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\rq27ol9t\D3DX10_42.cab

MD5 0a1d01413e017982e2d9d819e94b6a11
SHA1 9fa93226a928772754a0e30e8872d961a013a7d9
SHA256 b77ba929b68ba8fdd40209ddf39ad6443b0513b7be639c87f69d8afba90173c7
SHA512 881b22755fb56f38cef0d668ef23df14e3ee0e85218cfd485add3d102da25eec5aa00931dea3ff6934077e03d8eb4f93e688518a37ecc7b308c23d443e47253f

C:\PROGRA~3\MICROS~1\WLSetup\wlt72CF.tmp

MD5 6df4dd5ef40cdb035d1851ecb495d498
SHA1 5c8752da038c7218d6d3bb2d0217f1a40a2a2da3
SHA256 cd4a58a31dd7dbabffbff3a16f1771e500480b6054581ab9f5c6c029807931df
SHA512 8f6ed579df5822869c9f16f579ffb32be3c2218b7b898b97976d1f9099fc47d6703740fc9e6894328eda42c8f141b579c8ea3f074214a5b73a3284d67279a75e

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\mu2mu57n\5hiw9m2w.tmp

MD5 a6bcdb8f4c2995fdd878db23f9d800f1
SHA1 3d58e01f26811095e7ab09ef7ca117ffbb831276
SHA256 ef36704ed00de8491b983b191968fbb8a06d17af675de19dcf0506edee8f26be
SHA512 5f6fcf82275b567b56b59f1e9485102a6c7fa94b63d3b1f72501f498d82802b5d9d1f8650cd82e489d0616573a58ce808e1c9021ac01b2e9b8f9ec5d3e567812

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\mu2mu57n\D3DX9.cab

MD5 692b02ad89ed82727a47247556320ea8
SHA1 cfb54a9792ca16d8fb8c35513015abd5ae996ea0
SHA256 ada3f11e2be0f1e9faf4634de6cf5f95eebb65d24ec6b9220b479b70fe584be2
SHA512 1a9165fe1001671ab3d3f8bc9eb7532b95848c7b0582e3aad8bad53ed90dbbca0a6df1fa154afac9f4d18184a51422ca72131e92cb977ec3e25d2d860814229a

C:\PROGRA~3\MICROS~1\WLSetup\wlt7689.tmp

MD5 c70d9646c09c2f27ee53b5788419d7f3
SHA1 f143de048873e4dba0eecb2a34a98ed5998d12c1
SHA256 21f718f04df5a024b8db72f5995fd53a7aec14198977d7b418925040af233a0d
SHA512 6ef9e829118880a9c1c77a36302b8f5305635fe738edd36134fb136c242580fe7a7a3532880364342caf8ce36d0cd17ee97f2de387faac197ce0cd37d5de4ecf

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\m6q2csp3\m3ripmgv.tmp

MD5 4ed866061580d42f96f09c16987462c7
SHA1 ee69d20909acec25024fdb8680a9dda03ad51d2c
SHA256 225a26cf9670ab0344b052474fe5ff576c808b53eed275d66efc51d16a149804
SHA512 4f9c871a138729e8af4970f7259ee44375de6a949452d0a768938d263b095fd76ebcb4354ce437d96c6c84d0562ff08cb2dd4fa5ace3fa497fb039113dd76e90

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\m6q2csp3\crt90.cab

MD5 575a2172466e1a8b0f17bb3d64f0fc94
SHA1 86778234f14757b95f475dd6cb7fec32ff179cd8
SHA256 a2ae8965a8502654e7e8458c301dc0225d893a55d3c71b1cbbf6e9c0f3204a8a
SHA512 a79a9e7e2f101487d80de9ab6e4990502fffc932abd41549894bda32ac5707574e9b5ffe9f40f9f075915bb6a4c7d2215c28d461c1cdf45246f202c1121b6cee

C:\Program Files (x86)\Common Files\Windows Live\.cache\361ee3f01da9e3e03\crt90.msi

MD5 1c26a77f50bfca590760bdac24e84e03
SHA1 856b931bb34ef8aabdc924c0e017a18c78430aa7
SHA256 184f0e66df21a08c25afc6b7243d1f38feb19b5a45d2b2bd5963037c4fb908b7
SHA512 638573cbb2c260e9ee8a79e39bb095fb43be9d31641fc7f4ce906378811e6c2d77175c6b39c3ff9a877236bddf5a42b1000adf8acfe95d0248e8b2a2cd263bf2

C:\PROGRA~3\MICROS~1\WLSetup\wlt7830.tmp

MD5 5fb8878a81b4814ccbaa4c9c1a8b5702
SHA1 f53bcf0dba7960a7e085a4283d8aac8488459e15
SHA256 4cbac23a4d6e893d1038bdbe33775924ed9c48ebb6c1e43e70074c8d8b571c21
SHA512 9fa503ca6682db982e0138f81972dcf700c7264a6c3f280c68860b10aba68132a9d5a6b60f195e40b971572dbdb0e52b391cd70120c326f2ab7a6ab1c671d43b

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\72ytorm5\ahjwnku4.tmp

MD5 46869c11974313746173fa325517d5d5
SHA1 ee07cc2700fd628cd55a9083b440efd394803172
SHA256 967c62f26e6556453e5a38ec192f02fd25bbb983fdd2c9ccab012528b9001dd7
SHA512 f273ac7affd55675711335e3d948d94aeb86ef8a06db0b972017f2d08ee6d3efe9ffa5ae0c10d4c3acd32a13895a4b4753a457c11f2a0ac59c1bd49eab528b29

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\72ytorm5\D3DX11_43.cab

MD5 169d9f118ff7ddc6fd8388e673c0b72d
SHA1 23c5bcfdc3e8ea04951805bcf8736f4dfd9b11ae
SHA256 82670e1c9092db7e00b9c91cf73c7b12251e4714ec66926f3bf616b2ce8df98c
SHA512 31b02fb847c0c9ac1fd01ff8e802f61d83a9e3197813f181395c7fe53d2e7096be6617ca169af1c827be97fc44c080f2b23d4a4f78e026a6d785ec4552af2ef0

C:\Program Files (x86)\Common Files\Windows Live\.cache\366b0ff01da9e3e04\dsetup32.dll

MD5 0f58ccd58a29827b5d406874360e4c08
SHA1 ba804292580be6186774e7f92e6dfb104e46bf25
SHA256 642d9e7db6d4fc15129f011dce2ea087bf7f7fb015aececf82bf84ff6634a6fb
SHA512 3e3d4f2de5dc5addc86765a2f888487ea0c9ee0208fac60187ddaa9a2bfd73cfd7734836d32805fa43222470c8f6cb9a10e2a099aef72c67ad7c789096e57ce4

C:\Program Files (x86)\Common Files\Windows Live\.cache\366b0ff01da9e3e04\DSETUP.dll

MD5 9e0711bed229b60a853bcc5d10deaafc
SHA1 2bea53988bd35c5df5c9edcef0bc234c37289477
SHA256 def6f245762be36cf18b435ba8b7ebc224b9c21d1a1db606a8e8fafdaa97bba0
SHA512 c0b31872e52c8f4270d991c70d1a1c9ef9a4bbee4807c54c05a449cd1607506ab16ff1e74b378651b36e3276322c86cd843565c8a1aa33a49c47322ef4df0185

C:\Program Files (x86)\Common Files\Windows Live\.cache\366b0ff01da9e3e04\DXSETUP.exe

MD5 ddce338bb173b32024679d61fb4f2ba6
SHA1 50e51f7c8802559dd9787b0aebc85f192b7e2563
SHA256 046041aba6ba77534c36bb0c2496408d23c6a09f930c46b392f1edc70dfd66de
SHA512 7a63925278332c8e7949555383b410d8848a7834b85f34d659e351ba78cbe4d2ec09caccb2178d801b9b68725c9cbae48a6a1f07f0804a0c41eb51df79b7eca4

C:\Program Files (x86)\Common Files\Windows Live\.cache\cache.ini

MD5 0e81961c115e33a04d7a3e8a307e7478
SHA1 1fdee534431e91ce2879097c532fe0cf64f6a4bd
SHA256 3be6a6a4690bfcc0924d8e08420595da84acd8ee52932fbd4c727bad6b7e3503
SHA512 8de5357228a8865bd85516c670c4e0a156d3044e969359c8086508af6f9fb70a7be06863cc18cd41f6dd1a9f498db27ffb695f0ad729d311f2ce6c095ba63180

C:\Program Files (x86)\Common Files\Windows Live\.cache\366b0ff01da9e3e04\dxupdate.cab

MD5 8adf5a3c4bd187052bfa92b34220f4e7
SHA1 b52be74c4489159bd343d3c647f28da1fd13d9b9
SHA256 13393a91201e69e70a9f68d21428453fff3951535dec88f879270269cfe54d6f
SHA512 3e2f2fe4b5742a4cf6ee2f6b8c0ca734fd0b3c5431dff112c907231846dd3eebee7b9b8117f0256119614282cc7a4896474a199563078481d48a1204ca96f92d

C:\PROGRA~3\MICROS~1\WLSetup\wlt7B6D.tmp

MD5 447ecd02b6dd7367994fdaf6ad40f1a2
SHA1 41e5ad502ac8f903ffd143fa6626ad332b9e38d1
SHA256 c840030ca34878f7205ef9ff19ac1a3bc904f46ca31db8606fb04f81d986e8bd
SHA512 10971224c4b9263ba22c4bf62dee73fc51e9c7d787ff02d0cd02ad3adb598acf79f6130e48131ecc1032d01deae35e889db45c1b39ad2e6b6875bbf86a5f325f

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\bh4c9nar\1yhy90jn.tmp

MD5 6971afaa9cc2552c74fdb965c2fb76d0
SHA1 2a384297c92a41f12d467642adc72b9b585374e5
SHA256 0dd513040077b5c7e1a869f1e1e1f709cc669d21105650e6515ceab34627d468
SHA512 af3a47a32f0c5f01623c1d280159995ae6102f986ff4c7b475b7235cddbf32296e726f2be4203de293095fdd18a5065c9d6855f1e4d072142ac793152f318055

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\bh4c9nar\crt110.cab

MD5 d119aaf4bf4085612e9af0518bef08e2
SHA1 06a029c35d3161aeaeb7189f3cb27fa855c6fbf6
SHA256 d7161a6d9176ed76ecb13b0931bdef32cb3239e9559c875ebd9cd485a2e31d39
SHA512 015b19f5894c09df2a553f56ae3151a2ea0671020379dd818d1a7c1b9fe69772d67daed4e6c6afef5faf1aa9994a061345f816ad191ca0e20988c67b9c02ef58

C:\Program Files (x86)\Common Files\Windows Live\.cache\36e476101da9e3e05\crt110.msi

MD5 b6874af023443ad4bff84ddd4a219aa7
SHA1 358e1c9245cd0e916712586e459d038e3e6807fa
SHA256 e66c187e6633b82bcb64201600bbe6eade67e40bc23aaecab71c0c130d3a4c30
SHA512 b1588d6f69b2537090eaaa198ca46ba697c0c704ad2a2c81d56040095840e21860a0f714abe37ace67b08d4251b27240bc183a62a11e3ae7a6c091377cce7689

C:\PROGRA~3\MICROS~1\WLSetup\wlt7C88.tmp

MD5 f8c160aa1ed8c06de7fae3375d784cdb
SHA1 d4d2fb9740f7e63e6a2091f322a6578779f643d4
SHA256 25f6e796666c5e8529fa2ed8954cfd8e4982cb3b498d761ff1a6c8ae3dbfc555
SHA512 74df878961bd04de93699cf4e700cf98d1fd0519d11d60b4cb7c67d5ac336dbfa3869a981fc490ee55d3d0e4597d10aecadafc6f46bb96e5d60e63b49b4b4a12

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\1p3vnbyh\clpu9km4.tmp

MD5 687db3c1547f83f3f65ce6aa8d230293
SHA1 8243cc311faf8b477e0a0e1b61fa7d12a178e5b0
SHA256 34efdd985fd8525343f80b15305f59149f2ff764a655bf045c42f597a7d98fb0
SHA512 872b18717b20b6449c05dc3364a5862a39dae81ec76cc590a3ab842e3a3affdae614daa8935ef43a0e3dd7ef4d649d6fcc44eff5d0338d0ec4e08e1c52feb5a8

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\1p3vnbyh\crt90_amd64.cab

MD5 6ad524024eda69be12344c4b7e578ae2
SHA1 71418699513caba5354e329ea5d804752e4603fa
SHA256 1271fca2ae74c41ed1a17aa87749bdd95586266e05825c14794586b9e6293b2d
SHA512 e4db5666130714dc566a8ca0478d39be85e666b058fa8fc0c25f2b5526f9b5576a574eb560b5e46d330fd2fe48b8542fc2f9497df641a44767a1a6085e595580

C:\Program Files (x86)\Common Files\Windows Live\.cache\370a8c101da9e3e06\crt90_amd64.msi

MD5 7787432a872051f91e0c8226a51e909d
SHA1 0812252e7119ae0c6bb0a79b340f57894aa8ad75
SHA256 f7238333ee4d24f76ac983b06f92fe3ad6ede5586b54e40d6a123d51246e3ace
SHA512 42d7b95749d5aac0a61b552549afb855dcabf1375249e8f84c7276db4318273f0a47c3d5b446172ab1dcab71d7288d2a96b338e91d9efe8b6ebaee79f2324cfe

C:\PROGRA~3\MICROS~1\WLSetup\wlt7DD1.tmp

MD5 222a19d7053676738a56fd3705303200
SHA1 10756e87ed956adbc8b3a73e3b4b1a0f62c06545
SHA256 430dd49b0fead20b222985ededc24686e254f171c4d7abd3a009d725f3666681
SHA512 3f125562f99a200aae441414d5d248550715cf1421fb0dbfe0f9052f0ba70482004596aa0532037d5d605472be722dde1181b7ba5e0b3e416bb1437d7a74f58f

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\tb3cszki\a1i3jpea.tmp

MD5 3ffdc68017839bba5212426593646e16
SHA1 d159eab8ad10eb07cf15f55c52220748fe1d30ed
SHA256 cc40009fe1e528af8bb5f24687324999d36e948d69197b88761b0e93d704eb0b
SHA512 7cebe2dfe1384bee8dbbe0afef02b11b0c70fb612eed85ce3d53228a629338b250922fb93f503195734106fc83aa7a35961c1caf0a12d41e92e068c79afa10b6

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\tb3cszki\crt110_amd64.cab

MD5 52eeeca22f1c4f393702ab75ca4a0c7f
SHA1 188c56555be4bfddabc1bdfbee827e47ec6b64b9
SHA256 bc1671181fb9179dbf6e326b23030e0ffc19c9a2b084c7c28ad80152b40569a3
SHA512 cd6feb5535807253b64923029d6d4ea4c2a7464eee1ec2ce07af5c224ee3a714f537ba7327f105b223fddec08b1297b0a61150537222b19b061ed06fa2abb624

C:\PROGRA~3\MICROS~1\WLSetup\wlt7E8F.tmp

MD5 c80ee4f5af72ae6b9a8cf8877cf3ee21
SHA1 74794a20b914729567d4408df29376ada4316856
SHA256 ad417868f6a0be672ab9b11b8990966e6352d6d1e101da4876593f0be8bd84cc
SHA512 fad28903b69db8919ec69e04896f8aaf710df0685c6b24d7a33f4e917bcdec726b122bdae49ab3567e974ce0db46c0a65ff9296c90d552f9fb8dd88f87ca1efd

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\bvtr4t9i\knowzmtf.tmp

MD5 4e2166010c0793733922ab8dd0f8f1c1
SHA1 d35948d1869ef3b73be4184799d1a908e4956514
SHA256 3e4c40aad7b54cf59eba3eae173265486ee4db7f3a292ddb87989e015be3b11d
SHA512 936f6989ccc62690ed0def395a07d737dd148d2d1cf42c8774c765bf07a73fdfd6da9e68e1ccf1521ce3ede299255c6a81bb66f3bee29f0503f83defcfd1d809

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\bvtr4t9i\wllogin_wlx-x64.cab

MD5 6735bd2af3d4b0ef75ed45d1cb4c31ba
SHA1 267ffe13f5757adf59ebad967c5bab6dd8f44341
SHA256 720979be43764f2064931977636c6400a7afa8e59ca497acd9a71310fc55c574
SHA512 4dcb2b1834c1c443da79f017b8b584436658fa1bb13d04c00f56b4bba671a76995c482689b00e89f430df2476bb095d2dfaa826ab880e70aba8a86890009e64e

C:\Program Files (x86)\Common Files\Windows Live\.cache\375919701da9e3e08\wllogin_wlx-x64.msi

MD5 de8505467f1a7f2e6179a9c12cd5bfca
SHA1 013e8ebac87d67bfcb885535f8e3ab196ced7c91
SHA256 1d6109c4468d8780cf739f3c7b14953c1286e35350ef59519398684a6240ac43
SHA512 a84ca8781b320812e0827da6dc0acc4c5dcc48fa406092ecee4e6814780cc8b96c4f2124f771462de1675ea00647f8a58a5747d0adb1705555a7cd4d89725815

C:\PROGRA~3\MICROS~1\WLSetup\wlt822F.tmp

MD5 fd61bf6ae58ec3aa09157fed71f14492
SHA1 eed13224b402129767d24ed82d09d8473eb5e806
SHA256 08d2e9ee6fe16a67242176d218b6423a1be21fd81c1ee60d45cbf0651647fb70
SHA512 20a2c4f5c19b931c1367a095ab65e50deb16fbd4bd4e98f9ba1ebf6d7c776d975dc6bd4a57ff9f9952569c43c01bf2f8f100202e4aae0ae7d61d2ae22a4aafea

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\vmrzzrus\37zm8ad3.tmp

MD5 6b0e1c4a026558ebd9b7adf2478256b4
SHA1 09d4806b572891dec18f8ea36fc783ae3fa2f333
SHA256 f4d56250a6ad6ebe6d16444e7bb65daf8cadc94e12be7d7f4a156acbb52f1059
SHA512 a8e8f71b202a4ae1bdecdd7ac1b96e791d6663aa731def39bb561c89d350a1029c41a7aaee133bb8c8d68502a45ca4fef16d2192df6592db711011a9523150e0

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\vmrzzrus\WLXSuite.cab

MD5 dd4976b6bbde52aceed41ea0e619c7cd
SHA1 eb0d5db7445bfcd5254c0b1e95cd60aa0f16105e
SHA256 2e14e58be3fa84b292bd49be75a053340c878956c5f7eb76bf1d68464e0b9648
SHA512 a7502c2e40a99aa508731c0cfb0fe6317c64381816ad6fc0a3524f7540559d762261e0a957235bbf128ab75adabcd8dbbc425e71d577376e859712084593af2e

C:\Program Files (x86)\Common Files\Windows Live\.cache\37e7ebf01da9e3e09\WLXSuite.msi

MD5 9f91bd1204abad23916cea89e0a6502b
SHA1 9b23bcadaee6fc61d02ae5b0aad060cdeec61023
SHA256 f213e44352caa38ae3b443b76377d62a686a6697dd55fd3120e0b86cdd571c87
SHA512 95b313aa1e7bc71d13f82f3219f7e03f076d08cb8f5cdc31b1858af1791b745fa7cae6bd2513ef8614abd186fa9f3f8401d882e5d1d9331259910fb2f3c679fc

C:\PROGRA~3\MICROS~1\WLSetup\wlt85B9.tmp

MD5 f9f7f6c1ee64179ac24c2797097d5706
SHA1 8c17d7f8efbf19b76d3d843a2a2e8a7828cf314f
SHA256 696f86945af7fcc7ed0fef9c95c7343e44db8c61c14ffeb5f35381664f1f5191
SHA512 2c3fd69f1db6ef20c115febb912dadfa9e7048743837f1dc5fffadff42efdb9a751fdd99390ce0e2cb54c1519f9183c8ded6fba4cea5433933cd73a023304e50

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\uzademl2\195cb9rv.tmp

MD5 a6b1bf5479520ded28fa779a66c14dad
SHA1 1e14710a9e9c58ce227b9d4b2c960997a5577815
SHA256 b0cd17b8c87e89a17743c8f1c75e401984b4ba2a8127f38aaef62c83cfdd4df3
SHA512 28063d56c23123c38d0bbbf8a9ba5b5dd2630c379ad8592973bf84139a91b392a8b32f8a9ec4fa82adc6426192c85b9c15860b87880a4bcb459cb3cdcb063758

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\uzademl2\Watson-x64.cab

MD5 abc26cf06709db3146c92e0c8377a8b1
SHA1 2125a3554005ece8524b919815fdd9cc1037a66b
SHA256 cebe84014bfea44543c3c956d665b2d3d30c0308b80ca90a831b9c7d846356cf
SHA512 48906552f9a7b90ac76a242601739e3533859117125b912f02c40a38a756a9099bcc291cdbe98e1a9bc832bd734dbad610d9994223624127c8a28cfe0829c9d9

C:\Program Files (x86)\Common Files\Windows Live\.cache\386d38f01da9e3e0a\dw20sharedamd64.msi

MD5 2459308b46fde807b05e541ed484af4f
SHA1 6d6732af93fce1f5f4bb8f9e41cab2c70c1b7bf8
SHA256 46a2b00e630d478780bc0db5c312811ed0e194f0680ecb1df769cd3103bcd422
SHA512 ceffece9a3d10f88194846d463c95880b2af203d65d1077415f433c3e657b501cefad07410ce650ce534485a6bd756e8937151b67714045b528bc88979864a87

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\e3wxop7p\qtnxzcgh.tmp

MD5 f273437319eacfe6980b8b509f5da862
SHA1 05f81d8954108e07a4d78d4ffd6b2d3367f0c4ee
SHA256 f01b626d3931848e8ac2c7d646523e6609a71d91da4c7fa6c2f5248984e529e6
SHA512 6fbcf76d6f76c47b39287fc379672fe2545ffdbcd30e1e092a5d65abb52bb018a9da19c1211763926b3c8025c12e2dd231b12cf76775d667ff7283f5ea623839

C:\PROGRA~3\MICROS~1\WLSetup\wlt880B.tmp

MD5 ea97299a6ca38bca1acede644e42e701
SHA1 7930b08655a834986d68c317d003290ccd3a7025
SHA256 575b69bf46cf9bbd7a1bfe954827a46dc21294e593d96899902f93e36ee698f1
SHA512 aa33609e7b58d851b6f4c229e26d89b6a24b732e78a17afcf4f1f5193b383259e6cdef875b5d4e0bcd965e6995c354d31ee9dc9b161c00faadd8fe9e4aad4266

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\e3wxop7p\WLMimeFilter-amd64.cab

MD5 884151b8b5afc0d83906dc8ee1a6f7e9
SHA1 841185a41287ccba75e47d894da3e74b9be22283
SHA256 31ff81d5c58140dfdc900c33fbd23bf9546b67b4e45b436da357a7f19ffef607
SHA512 0995cd15a11ffaf6841b93cda3ef1f07930a7d6519a338d9b0267a948c5232fbcbf9e4c33bf0638e8b0397f427ce5a1e01182e2eac1a8bc85335d2725aaccc59

C:\PROGRA~3\MICROS~1\WLSetup\wlt885B.tmp

MD5 5ac50acb23e095fc4a3b3754b7e67e29
SHA1 c5f5157c33924313787f007a1f54406d2cba16b8
SHA256 83a4fc7db344ce7e7225e92ee0a3b8df86549a0ae43d3d536acb90ffdebd9ba3
SHA512 e5daea306d18b2b6ffc0f2554ff3bd2fcb1119b693125965fc780c7d89d47355f041b0747d133eb2e7ee82b1a60a7f0549005fb972161222c8821a01ba862d00

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\thlvxiot\y6c523v0.tmp

MD5 6fee869fb755bace369d1ab411e7b378
SHA1 c7f5a525cab44441e30de2fcd2b17d60c099d40f
SHA256 ea894ba961f35cbd34f63a5569a8fc9642bf82ed5d6cf2df2618d84e7328feff
SHA512 c6175007077dab80a11e2bf4606735fc382d602f60c2ab26e90e221ae1aaeca9e782c8698e589e0e4299b43e02b1c68b59297737ce820f870742dbf141560107

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\thlvxiot\soxe.core.cab

MD5 22ca63e33ab582842692359e8178ef1f
SHA1 da6d9d58e849cafed8a58a331ef1ffd17ee085a4
SHA256 48f7e9437dc980c37c284e3157f5651663725cbae5e4341f70e6672972cb87fe
SHA512 caebfa50b3c1f8b64bcd08b08d6f3b41ed6e4683767b5764ae2b636bcd67bbe845aa38747c0bd6bc9f552d24dc89a00e43cdc2668d1645ea7b4540768be702a8

C:\PROGRA~3\MICROS~1\WLSetup\wlt88CB.tmp

MD5 10b8dd1e4ee0a05ec2e1e31510b37d61
SHA1 672c7950d93f23e7b100a2fc5bc8797adcec95ee
SHA256 a94259c2dfd6f0422a31494bc0474189605883ca10bfd2a8b9317b6381c170d7
SHA512 d08d34098d321847c330ba132181d2ede1c8a5d8aa845c7bebdabab1596beaf1a92889c5824f48b370e2c3471dace1b6ba92c85b6715d284d0c4ae27bfecb4a4

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\g6r18do3\366q1tqu.tmp

MD5 7b68481c3758c89baf84408ca6a516a9
SHA1 50bfcb68317aa5c41bf163b1e1d6b9a3e1b50d45
SHA256 7a6ad74823dacf11e46e4b9d720bb610ddf0b0653963d616671e926748133e0e
SHA512 ad4b42ec85c977f31ee552bb51287e46333ce163e2652f3d640d87431e059cd8e5426241e34c37ac3d23806ecac05b042311db5ebb1b0553016c4353b7baca1e

C:\PROGRA~3\MICROS~1\WLSetup\wlt8997.tmp

MD5 7fa4c347edd4745f69e50e04d6c759fd
SHA1 4d65e4997b62bacbfb881437fe69bcc11c868ad3
SHA256 474ac624b9291612f7d3870ae1b972dd2cff6b4e58d36e68fe57e4c9dbf1d4fd
SHA512 fdc6bd74509d8f7264bc2afda8da88fcbc899cce1d27772121dfc43d3166f105adcde311fbf279235e2e0bdf0debf8eff1be593226673acfbfb522bee4423d0a

C:\PROGRA~3\MICROS~1\WLSetup\wlt8B00.tmp

MD5 35cac173c2b8032543c5977e34277238
SHA1 28930a5c72f00723d1f471004f4b2a4bcdd63573
SHA256 b2ad5d9c9d9df2d9aaec5e00bd8adceb36de0d3fe66c23fe6567c084a7107ad4
SHA512 aeb83d0d8e293c90ffcdb2157431c6566c8c69487067e96755d17de4383d0d752760f66b8a1c666175317b3c7260f1291503504c08fed910f5b0969e50b1716a

C:\PROGRA~3\MICROS~1\WLSetup\wlt8C59.tmp

MD5 6733a81b51871a2a23b55a3701647aed
SHA1 1d954976870df0085660db7333a70e5c7badf54e
SHA256 071ab4216d435c8e1b65e7c7193067a3ab02b70b2b5eff1c2a0eb505b86f1129
SHA512 541131798086fa172be0810adde06c5a4a94449e0c222fd40070c570f409c8a11b342c6e243bf295221e868a53fa77c09e25c45d5ba69d59ae88e4806e154ef7

C:\Program Files (x86)\Common Files\Windows Live\.cache\396bec101da9e3e10\d3dx10-x86.msi

MD5 141021890289016535d5d12741a0cbec
SHA1 67cd42ff9e9cf6433b16eb638fb08d6d77c9fb3b
SHA256 66dfe4c288e800d098e8ee5c02c7fb8d8279ace5e105a946f2517877ef550fe0
SHA512 393af5d625ef751a986ed2b90a4edcd5ae7b842d228dbc5e41ecbc5d7ecb4d176264f80ac951ad1b698c1b49b435befa5117e77778aec5696f031db85349992e

C:\PROGRA~3\MICROS~1\WLSetup\wlt8D65.tmp

MD5 81a7886ba27f04ce9d4905c57df4963f
SHA1 7cbc155539038abcdab731aa7afb8843ff504fa6
SHA256 2973ea30120ad3475971e4f96cc73f32176ce29204deb1f1e62eadbfb5f7576f
SHA512 861a73c358a74d985cff144cee7370dce97bfc1de182431d7d0acea6f7161acc1b7a32abccc881511819d6b06acf59fe12a427a56f057506565010e5a8c64289

C:\Program Files (x86)\Common Files\Windows Live\.cache\359735901da9e3e02\DXSETUP.exe

MD5 f5443547caac20aa334a88817579270f
SHA1 3bf8b321c2e43af72307508df417a154c3f1afd5
SHA256 cdfdc371a373cd0f0daa00db46bae7e19258dd8ef7e521e57be96cbacdbb242f
SHA512 106c9181bd98bfd82a3247267043b71d269d1ea7503ad12ef0fa2f395378205c274d11393752d21450a56a70f8c16b740901d433cf334bea4f1f7691c08ce38e

C:\PROGRA~3\MICROS~1\WLSetup\wlt9707.tmp

MD5 e864cacc389c08aee3246fc32c9b250c
SHA1 f58c9f1e32ff15885591cbc9fe9449b89fed74e1
SHA256 34a1190038420476e5fc6983d285aeefc5d13567d12289744b6503afb038bead
SHA512 1071b990bd925099a4b0d6ed083f8cf73a52a032f27d7bd10ad7b9835beb9984274f71cb9c15b61afe8380267664940ad843788932f59402c35794dfe43ea803

C:\Windows\Logs\DirectX.log

MD5 8f08b6227aaa8a9feaff18f4447000db
SHA1 43ef0b402f63b36d6909e2bb7a1201805a83fac8
SHA256 40c76f801c77decc0c067fef011c57210cf62845fa9b6ef108d78400cbe34497
SHA512 358290eecdfb81789154125ad4dee6e6dc90e28de0f76f74eaedb672b316926ff5de945fab4e74b5b6ebd79d4a63d7a297f8b5988653aa7d9fc5f9a65324d02a

C:\PROGRA~3\MICROS~1\WLSetup\wlt99C7.tmp

MD5 68aefb6ed3bf7aa1d1993ecda73b05aa
SHA1 34daa72e1a210d7366560deed0ff06ab4d01bab7
SHA256 23c33b9cca2501a9dade1827fea716ccfc2ceff590b7aaa5d58e4a44d4e79d12
SHA512 23a21ad23edfe3fd1f52893bb427180d6e97b43821391519b522c7b6c75cb10b505bf5dc033e8694102094ebb972c16dfa19788d3e02f714d74fe04cd2e86b8a

C:\Program Files (x86)\Common Files\Windows Live\.cache\3b7539301da9e3e13\PhotoCommon.msi

MD5 ff2a751d2b5e41a1451d2fb6bdfd13e9
SHA1 8c625401a9b1ef7a5143c704dce8c24b7c888bbb
SHA256 02a76e8a58daf828e774c1c78206db50bbcc24a735b0fd26de4a9c99cce5486d
SHA512 beba30d47a25b573751df37431a4397e3506671709a571bf62cf6bc20fdfa0bb410f463d9f87affade4a9e98964e6a67221341aae79c496ec8474938bc67c880

C:\PROGRA~3\MICROS~1\WLSetup\wlt9B5F.tmp

MD5 d8a9b1c6abe93f16baa3488dc0f47050
SHA1 945e4f4f1729d963138a8209a97eea65ac1e019d
SHA256 5dfd9ddc848cfff6c7c1074e0e2ad2110abe7e7f0854cf1306570fd43a8f033b
SHA512 2c6e95eb1709e5bc4ca1c539f522168c5c68e636a7229006658d45f40888ca65853558494954e2172258e8782d14d653d31b09d22935931bd0df22f53675e59f

C:\Program Files (x86)\Common Files\Windows Live\.cache\3bc165301da9e3e14\Messenger.msi

MD5 9f222663d193f608b227c2e3d2f71564
SHA1 25af647b1ee8ca73f07e326f39ded537cbf561d2
SHA256 b10407019a89f7ca0069af07548d1fbcd12e54d1109f87c4f1a6fbaec3c8e7c8
SHA512 5997a317025b9734f16e11f3c97148d5f1b0e4f00b756e6116487e0bd98bf2744f4c49ddfa14b196123f2dc1299ff17795eaaca529a388fe0e4677e9830aa9cf

C:\PROGRA~3\MICROS~1\WLSetup\wltA33D.tmp

MD5 d1073dc49cc8e9cd443900fe927113f2
SHA1 58808905f6b510900c9930fbd284b2c8b1d603b8
SHA256 66d47558a04d7065b87df4644dcccb5a612da26f3ee21936a6c0060c978c8497
SHA512 0bd1969503a4dd951ca7224d3522b81573e204c9ea8bcf76151bfbd0aba36e649149573661abcd2daa9f5ac572915a4895a869d14cac6322a425b4bd276622cc

C:\Program Files (x86)\Common Files\Windows Live\.cache\3ce88fb01da9e3e15\Mail.msi

MD5 a41ccf591e8b170521cd1501a2e5aca3
SHA1 39acdcb93a6904eda38471662873a12b367eda5c
SHA256 db4140e239aedbfa51fedc4eaf207ececcb48c1878e8f3a8ad3971a8e3c04a3f
SHA512 44df558b7b754a8e90ee965b693c88b6dd8f821d07fe202ba3bedfcf1c0caf761143f7aa8f349dccb9841d3595264cafcaae4d7a18679fa4bea848bfabe2fd97

C:\PROGRA~3\MICROS~1\WLSetup\wltA87D.tmp

MD5 c7dfea23eb31c8502846e7137815a37b
SHA1 7d4538cdabb86c174e98e3cee8ef98e8c032f62f
SHA256 48c15aaf7cd3a2dc1a901cd27b227d6d325b6bf3d50959118e141f34c8c846c3
SHA512 ea7e79a78d9bfc0287430bc0d0f24f2a6338cefbec3d8f64d6e0ca53ebf2ce79522f5a8a71b5a4823d88a1fa3ccd04e05ee28ecc293c2daec68e405f92d857ba

C:\PROGRA~3\MICROS~1\WLSetup\wltABD9.tmp

MD5 a1ca671aaacab805e8f2abcb395ff9e6
SHA1 c76bf6223557be1b66a315dca5689f1b52c35fcd
SHA256 6a4f1cedad70d61082136d23ec223e0dd8d8ce0ced4fce5865411e73ff6be43e
SHA512 e765f1c9638239fbed86ba40b16c0b58639a58ca4133fe78600ccbfc7e7e2946a7c156fee455285b7c0e0f0cd170c54b790645b023a010801557cfa84d7d8f3b

C:\Program Files (x86)\Common Files\Windows Live\.cache\3e35d0301da9e3e17\SQLServerCE31-EN.msi

MD5 54854bac91e616bf8f71184c05ad0355
SHA1 73b893c66a58b3b581bbdb50cf069f9e44c7e657
SHA256 f14f64c25cbdc7e06f2ea7f08170305a5990fa0449d9371056ec59441e24476d
SHA512 7cf8114350b2d6e6e4c7940601f6b3da28f8f5397895033f2d82c97d2fc8c6ba71bc46b12abe254be521906fae0422b1084567cb70332103b29d851803b46c99

C:\PROGRA~3\MICROS~1\WLSetup\wltAFFA.tmp

MD5 d1f5aaf5952b8ab8bc00c2050b0f7b17
SHA1 6ddf870ac98ef74628b843fd1d55826469ecb15a
SHA256 f134e280ad2376d8ab260663f4411d2c5795aa1d46d61bb70b241223c1ffa07b
SHA512 5ce822e3040204f41a546979134155d4f3f51365b83c412d320e9e022d7db4282f3d29875a70a8f05f4e9f25ef8ae4e5f3cabb3f4a83e09832ebee4dcaf98d1b

C:\Windows\Logs\DirectX.log

MD5 526d899ce109e51f61e89402b5d451b3
SHA1 82f64d3d5ac044c9a4ac697683bd764bab1e4f84
SHA256 55ed57443b2142830c76359723f37b1201ae67db8d5106e6065135fb78805315
SHA512 b81f83306245fdaca7c1436c1eeb3c6e6bce152fc1710b2c240b979bdc69185816fbeb81bbb5f4782da8e437b65b073e0955d58921a1cce3679df5b23d7124eb

C:\Users\Admin\AppData\Local\Temp\DXAEE5.tmp\dxupdate.inf

MD5 8c281fcb5546d1ed3cdaf6e3f7303139
SHA1 de342a17f2df0386f6584e2f55ae43c558ceb6c4
SHA256 7530c6e18dbb522c5f4fbf6714962c185ea318f9eab7aeb833b0cc07cd2fe656
SHA512 344ea0a375c8851fcf413f441a1cac3013b3748d1630a4d677da72e98f41823bf9427d896de7e1fe35bf868279538cf3b8322aa6ef20025bff48a6bb7f8c42d3

C:\Users\Admin\AppData\Local\Temp\DXAEE5.tmp\dec2006_d3dx9_32_x86.inf

MD5 c28f4fd1644e2a20b1c897438e197e1a
SHA1 5178534444ed7dec8c63f02defe7bdb864c47123
SHA256 ef09d783bf5cff2cfba99946e5e71fda577b196a49c88bed1c51b5fd29cecf94
SHA512 7cf93260efb1d794a17ba25b1fa02ba03b0ceeed8131d274b805155072a9a2b92a899471a8b23add8bf46c6a5a3cda63499043eaa754001bb43cafd882c8e708

C:\Users\Admin\AppData\Local\Temp\DXAEE5.tmp\dec2006_d3dx9_32_x64.inf

MD5 39929631df326b944470256c4f9cbbf3
SHA1 932de27abf59c889c02ed747f0ac04f5e494492a
SHA256 ff00313af4a90f426492d72969f5efc6c56a17f2dd91f20cb5c0a38d9f1f2b6b
SHA512 8dd2755a2b2fb90c6880cbbde65d127f55d12df2bab4560ddf86d6793b2cd4733929d97efef5fd8eeb417731a571888c893188df0361ee57eb4437fab331cb13

C:\Users\Admin\AppData\Local\Temp\DXAEE5.tmp\d3dx9_32.dll

MD5 26af232140c88b42d92a88f2198edf6a
SHA1 b62aed3f71d8963227e5021c2222192873ce753b
SHA256 e96693794daa05a75a83c11df2e7b42f2de61567c6ad0b69e353b50f6c88119f
SHA512 54a6a235af4dc3f3c693fba5ac2d487d96c9d7a2bb7deeab35d5a252e723e597226ec84e953625c8808546f91fbcfc42add85076846a63925fd9eabc09dbf935

C:\Windows\Logs\DXError.log

MD5 d0dceef77b60a4556e750704919a99d5
SHA1 fba34070beeb1c35eb2065035d0e50712566cab3
SHA256 6920f9be52735ffa448013c6312a49a590c47fbc23299bfa40d818e16ce553d8
SHA512 3236705c224446bc8c47da2ab37a0f04c8093822a2623689d59e96c646d592c9f60a05bccd01ee30732ce3a6d3e7572d84829a34e709b64a6bc4827e8ca25e65

C:\Program Files (x86)\Common Files\Windows Live\.cache\3ed7adb01da9e3e18\PhotoLibrary.msi

MD5 3e04cec983eaed85e81bf35de71f8bf7
SHA1 3f38e49179b4a5fd9e7704fbb29ead21e139cbfc
SHA256 22a0a57db76c1a2409760d4c9ee59b7ce1ee1a9d0208267cbdfa67579b31b63e
SHA512 789f361e89f292962aad8b2e54146ce252be2434adcae6f093fad66a403e5292916d923610266b76ecadd47f59d878226603c68b03d682b867994ac70af6b31c

C:\PROGRA~3\MICROS~1\WLSetup\wltBCA4.tmp

MD5 89cd9901db2cad003e71b38f4d8e1091
SHA1 1ab795681f702456c0c9e1681dd796e4455208f7
SHA256 18f354f3bde3411c90d948e02e60de5e11faa131ce04da242925dd0f004cd4d9
SHA512 14f0152eab4ec8fdd57dfbe9fb690ae9d0770feb7826224adc2b44bf826d7498a329757ba4a338c92c226cbe8ad3e14dc671d9767a3e13f87606e43af13c5bb1

C:\Program Files (x86)\Common Files\Windows Live\.cache\40c92d101da9e3e19\MovieMaker.msi

MD5 33cfb91ec616a06b8af75e772e966433
SHA1 69ccfa871359a84467d243f280dfc813b428d5c2
SHA256 00c89e20a23be3aa005bc2eb75cc4a6c6fb89b6623cfec017282a6e547ad9790
SHA512 61dcf628e1595169a2d9abd8113cb77ecc0606d083f90f57f964f46abab7949c0083b7d268a3c662510ca4cf3c4a561c89d41f07ca46e0ce8c7080097f6d2fd1

C:\PROGRA~3\MICROS~1\WLSetup\wltC119.tmp

MD5 44623495b671a344259bb39829452204
SHA1 333a5196dca06c815d930e225637db95a8d3197a
SHA256 28af1144633453ec668884b1513d0f5bdfde61333e183b5187634c59d60bbbfd
SHA512 7d4362c833fd4dd3180a7b5f0772f68ddc93659564350e63bf659cccec9507d6ace15d230d0a2965c260325dd1f7bfecec9963ed4b08d7cddb37df2d1e9959a9

C:\PROGRA~3\MICROS~1\WLSetup\wltC178.tmp

MD5 96aec171dd6a4eb4e4ef59b1dc287fbf
SHA1 7675f8808b74f66714ea778774f9b37f5a8fb8fc
SHA256 d4fada7f0157e181127d56799ad85152a500d484f16a2d31058285801ee0fc9c
SHA512 bb9d7769b0a202133a5e635fb185b53593eeffbe1f84e58755bbe14adea77c8a90fd114846aa574c3c78efc119420e573d2fbd2006928b749000f4619678389a

C:\PROGRA~3\MICROS~1\WLSetup\wltC1D8.tmp

MD5 e43daf60216d13bb779d68f36ec06236
SHA1 e7c2409a337458bed4d8dce205126b5681843dd7
SHA256 9e1c07e15326a7cb4a006958183b1e385285887c9517518db64fbf70c8e9a866
SHA512 2dca7fcd0f64834d7393c2d479d2113ad102add13d045cbe2e073b889f868c776575e31e9635d24b7a8e33317570ab25028653c4e8230c22c73a4400252417aa

C:\PROGRA~3\MICROS~1\WLSetup\wltC4D6.tmp

MD5 e03b80e674707a949f63897fd4cd2a97
SHA1 a593fb96e478076ee3e8aa32677a58255fc5a944
SHA256 9048360b66c7acd4d4cfb84a7498421ab6e3fee8db8b41c2b913695ec70dbf78
SHA512 d1921db4517a7ceb210874871b7b2e26dde5102dd9002c46de6be05f98842a5e147741a78ad22c6930efac5ac0e344e6d45629e035567462df946895d9f48408

C:\PROGRA~3\MICROS~1\WLSetup\wltC545.tmp

MD5 f54d7fc813c83b0ecb6f97c86748cde8
SHA1 d04cd09386efdc87595d6c77eb6520e6c3d47dea
SHA256 9a24b75beb1a454e5716b92fae1b761f551d65e9560c000715dc384f5296a596
SHA512 7cec1b0f448f97fd9f5e92214ab3b59aed74108cc9bf82306e6847ba69073974d63ac1bb482c4f2d257c01ffbeb9576baae4cf7cd79604d2408ab247eb3a7bde

C:\PROGRA~3\MICROS~1\WLSetup\wltC660.tmp

MD5 0ad9376291dda10a3b2e0730261823f3
SHA1 88dfbd33f80ae052d21b45a49b3b75fbdbc1a71c
SHA256 99153e43186cc5fe099de68cc19422475d1f71c451ee30a4fcffcfe813c5b7ba
SHA512 9271ef7f46f50c44b2736575432d726ea18df700f3219f10252910a1557dd98ee13699d6eb320e40fb4d1e6c54b14b9221ef0878d70e0c7345bf997fb5054e7b

C:\PROGRA~3\MICROS~1\WLSetup\wltC78B.tmp

MD5 65394a7bdab03c429522cdd490a134a0
SHA1 afe2564e539027cb1e2cf2154e5aedf609cf0bcb
SHA256 7daa30526128109b67310a3581f37c2b112d6e66e74ee2b6b74512378fda30ec
SHA512 579016091d455f75ee0f25dae7eb1a69e1c4fa6773dc739b3954ce7575dff82ca328276e648c0042f16e959502ff5aa24630bdfaf37168ebb15303bc8dbb7032

C:\PROGRA~3\MICROS~1\WLSetup\wltC8D4.tmp

MD5 9971f5592ec6f9f159cd1210da51921d
SHA1 90035e88438350a128773ad22c8a4140a1e4036e
SHA256 5790818fcead57808d9d43ae94ad8c0ef44c7d2e3e89aca2152ffcf3a1cf4c25
SHA512 b0724fb4375e2cf9ca5433f78317cf6a055760165b2caf29b2213427baf5918fedc7e2dc327cee91ccecc1b95c4448a4ecca6f38094e44a49c0b19088decf4ac

C:\Users\Admin\AppData\Local\Temp\DXD28B.tmp\AUG2009_d3dx10_42_x86.inf

MD5 b3a2e761e5da007cc6036c5703e12eed
SHA1 447e852f9bdc357b00864d4dccc7486f1313918b
SHA256 a80a00464775da82c02f628c5bc13cab0d0643ec2a44b28d2acf7c77d467becf
SHA512 28a106886578fb38f144602d2b29c72a906bb24a50b16ea7d3f71f8bd7f194fc0d7c8451dd1c3e9ecc59be3a866c07a23dd394a17d39eb7b55cde7b347bed3a1

C:\Users\Admin\AppData\Local\Temp\DXD28B.tmp\AUG2009_d3dx10_42_x64.inf

MD5 8d272f58bf5ce42962d7d9835e9b489e
SHA1 7e0969289f839b5dfe606f6ce6ed106460f97682
SHA256 2bfdd3d3bf485439013045b3a08942f457385bb89ab76d9479fbdd85f09e9d96
SHA512 0554257a41df07860233f26330020a45e2dab2613a6028f79914aec7552d5c54525b137e450202db1283b602c3d95908acbf9f1eed20dd79c21fda5963fc2b5e

C:\Windows\Logs\DXError.log

MD5 d516fcf555b4922a23bf829d8ebb75f9
SHA1 f9d80635cc434a6ea9500136af804b4582812b07
SHA256 498f5df152d789a7fa9d494d8176934eafd002e9af0b6bb2aa96fc993240cb07
SHA512 71d0066214ac73a1065e5b2c58edd1e8a150c583b84e7ca432f86a72aa2411047c14eb92536cf8e3e9bd2ebeb6984c31d2cbfb9a540668333c0b493b1ebc8c09

C:\Users\Admin\AppData\Local\Temp\DXD28B.tmp\d3dx10_42.dll

MD5 501ac862517c5445742bee8a2b88414e
SHA1 49f3f2df66d357aa84a5e7a0eb368ea595b7d95a
SHA256 46429c4affe041b08a7acfda0e9162ba42de966acb2cbcaf09ef976232073b51
SHA512 08dc13d5ad0a0d2aaca9d3dbfb53304216111da73bf48810df2982650d580757c10c8b9bf80ae5191e06ebaa44b2bf9c244ae141308748c3e7fb9ef6088900ad

C:\Windows\Logs\DXError.log

MD5 dac630c937f865768a74e7cae054a737
SHA1 7044e8e37474879c015e88289ebad9ca83d4f30c
SHA256 423cb092e6ba9bd8cd287d97e781730e396fad09f6bef2a7f7c98b1948a4b3bd
SHA512 ef6737d2de44eda22c6affd71e7eca6e450c479611a41f4f142e7f402197fa605c917b405c37878901e3ddd0cdb21adcc572da2ff5812086c51750ea65a9c699

C:\Users\Admin\AppData\Local\Temp\DXE669.tmp\dxupdate.dll

MD5 94202f25810812f72953938552255fb8
SHA1 c1e88f196935d8affc1783ccf8b8954d7f2bfb62
SHA256 6dcad858cc3ff78d58c1dae5e93caf7d8bacb4f2fcf9e71bccb250bf32c7f564
SHA512 65b66d07ef68e0d1e79f236a4800c857e991ee3ff80ece4cfdd0b5f6083ea16f8a52d351c3af721cb05c06394ec91b4b5e3cfa4b0f0879f7549f3e3ed035e79e

C:\Users\Admin\AppData\Local\Temp\DXE669.tmp\JUN2010_d3dx11_43_x86.inf

MD5 fb5d27c88b52dcbdbc226f66f0537573
SHA1 2cbf1012fbdcbbd17643f7466f986ecd3ce2688a
SHA256 3925c924eb4ec4f5a643b2d14d2eda603341fbbd22118cdd8ae04aaa96f443c0
SHA512 8aa2200f91eca91d7ee3221bc7c8f2a9c8d913a5d633aa00835d5fb243d9cb8afa60fe34a4c3daa0731a21914bc52266d05d6b80bfc30b2a255d7acdf0d18eb5

C:\Users\Admin\AppData\Local\Temp\DXE669.tmp\JUN2010_D3DCompiler_43_x64.inf

MD5 6494a3b568760c8248b42d2b6e4df657
SHA1 700f27ee4c74e9b9914f80b067079e09ec7c6a7f
SHA256 3e779533a273e3395109c7efac13ba1c804c01b3ddb16938406fbdf90d851216
SHA512 2bf68b123d7823ad7182e132d9e55f8de7580229e8e1b3b40030da50bb9bdeaf67bb9727ce2171fa83b7f804c24d9728ffabb44cb5017b16b771bb19e62b1b42

C:\Users\Admin\AppData\Local\Temp\DXE669.tmp\JUN2010_XAudio_x86.inf

MD5 31d8732ac2f0a5c053b279adc025619f
SHA1 c8d6d2e88b13581b6638002e6f7f0c3a165fff3c
SHA256 d786d06a709d5dc26067132b9735fc317763fcf8064442d6f77f65012ba179da
SHA512 abc37922307f081a1ffdc956ce59598c19ad1939ecfb6ea3280aa6aa7a99c3eba5462731586ca262f7d7257d7d2a74ff57a45abf6b93521eb6f1c9f22f8eb244

C:\Users\Admin\AppData\Local\Temp\DXE669.tmp\JUN2010_D3DCompiler_43_x86.inf

MD5 1a86443fc4e07e0945904da7efe2149d
SHA1 37a6627dbf3b43aca104eb55f9f37e14947838ce
SHA256 5dd568919e1b3cbcb23ab21d0f2d6c1a065070848aba5d2a896da39e55c6cbbf
SHA512 c9faa6bb9485b1a0f8356df42c1efe1711a77efa566eee3eb0c8031ece10ffa045d35adb63e5e8b2f79f26bf3596c54c0bd23fea1642faae11baf2e97b73cf5e

C:\Users\Admin\AppData\Local\Temp\DXE669.tmp\JUN2010_XAudio_x64.inf

MD5 dd987135dcbe7f21c973077787b1f4f8
SHA1 ed8c2426c46c4516e37b5f9aac30549916360f7e
SHA256 1a0f1b929724f8b71d5ce922f19b9d539d2d804c89af947d5927b049ef0fd3d8
SHA512 f0469c94219b4df99d7b9b693161a736fa8eec88a3f6c7f2cf92fab2ade048dfe61fcde3a4cf4f7a2aaf841d079a46b17259dea22cfb02831983f55bd7f61899

C:\Users\Admin\AppData\Local\Temp\DXE669.tmp\JUN2010_d3dx11_43_x64.inf

MD5 590fe1ea1837b4bfb80dc8cb09e7815f
SHA1 792b5b0521c34c6b723a379dd6b3acf82f8afb1f
SHA256 2c4cf75b76203cba6378693668c8c00b564871c8bfd7fbda01e1e841477b2a3b
SHA512 80bee8f1ad5bfaba6b3ac5a39302a1427dbaa5919d76c89b279dc753170ec443924eadf454746ce331a6682ee729ab79bd390a5d3b55db8d08fd6f4869101f53

C:\Users\Admin\AppData\Local\Temp\DXE669.tmp\d3dx11_43.dll

MD5 8e0bb968ff41d80e5f2c747c04db79ae
SHA1 69b332d78020177a9b3f60cb672ec47578003c0d
SHA256 492e960cb3ccfc8c25fc83f7c464ba77c86a20411347a1a9b3e5d3e8c9180a8d
SHA512 7d71cb5411f239696e77fe57a272c675fe15d32456ce7befb0c2cf3fc567dce5d38a45f4b004577e3dec283904f42ae17a290105d8ab8ef6b70bad4e15c9d506

C:\Windows\Logs\DXError.log

MD5 c98b46731a10f82b9d752beb720353d4
SHA1 7b8f0fdf81b3d072eff9f81e6d61edf849743215
SHA256 455f7dadd69271f3590809e437fe15533909fbe9647963dffbafa1a92d6c0a9e
SHA512 50be842d6934cccde88a378b4cd8d3b9ee288fdac3cc9aa12f29094cffc1dda8a9e01156012b761fc025a22eaf9339cc2c5b4204c0732515cb83ae9719f3b5bc

C:\Config.Msi\f76e964.rbs

MD5 4063d60123ac596a10dd091a0386eaf5
SHA1 6e008616a4a65b6eb25042513f7db454bca3a66f
SHA256 0535438622f28fc8fb2c7bb71b19c9f7b16fb1660592656e003adef83b1ff24c
SHA512 37134755147cbbe33933e33fb0f959ec87012ce947ec51bfac863e571e42a062b0ed527df1a013c02f50aed71afaca9002aa69e50e43c6e1951c5c65d15f94d9

C:\Config.Msi\f76e968.rbs

MD5 52624aaf16285b6f7f9a4e0d9d537823
SHA1 ddbcf37dd46ee1b5c2080fc2ae08881c05ded995
SHA256 e1dfb98ff1a635095a944c040f03ce58e5f2240d7d4e8fa40c0e76155e940dce
SHA512 67c3bae3d882694e1cc77967ecca8eb881f13d26b8a491e1aec0c6c1d54f91412654a72526378dc938eed1ff01e5b579dea612a15043649a17293f606b2a5c8c

C:\Windows\Installer\MSIF7BF.tmp

MD5 c7375273a093747bf28851cb7359d9b9
SHA1 3691bbea99ea1b50cc7690fb111f1fdf9de15e53
SHA256 74f518d88b03d77897eea20b2f701ac146b88795ceffdca6cf632186ccf33f53
SHA512 2beed7eb43abf259d663bc0c2b9518bc65274d6ff8a05d566ea91ec23d5ced068cc9e658435ff7fd134aa08d685c21a7f63f91a89d54ff077ecd187f0fe2f56a

C:\Windows\Installer\MSIF76F.tmp

MD5 154426e66361ce1b0f9a52eee18f1576
SHA1 15ada007dbf6e47710c05a8006020ca5f1c53ba2
SHA256 827af890fcc70f86db1bd0394b2fe6c76bb9df201fb7df05067358a6f349cf6f
SHA512 7ee4002fbc226df072247544dffa582df9eae25cde6e2d9841fc7d565b25e71c6b4d1626e87e5c6a406c3dfddbb401be1d0996ac4ba3fbc705ea211df9fc7bfb

C:\Config.Msi\f76e96c.rbs

MD5 fc1dca785b8ea7977d918c23f03a9bba
SHA1 6a98d906fbe2e017b317931a61238436ffcf9f00
SHA256 b3ca917085a37f2d057712595a9894a4309225c0deb361e9f56d8c2a80e66954
SHA512 3991c8bf30c74433e9d36b64fd4a801980ee8543b6e86b6105bcaf4f7ed4dfd94c35fe5f5bfb7a7869541be2fae4251397b6f302775de8bab57ef0d61d6e31c9

C:\Config.Msi\f76e970.rbs

MD5 5b231ecd90811ce77a9d2ec0ff0b8e10
SHA1 1ebc9f931e142e09c7cb5ece1af5435d91e39386
SHA256 ea33438c5b153fdcd2cb8953ddaadc28a93f09d9c6b70f93a6d80198be089f67
SHA512 9c363720ef72d970f2cb49ae098319d6c42343b96e5628c560867051d667303e6876d0b7b41edea6fe9473c3d6307ea4b18747223ec1e04c960954b6ab546f24

C:\Windows\Installer\MSI1767.tmp

MD5 afa2262aaada580a74e1dddaeb03bc58
SHA1 5738eb9ba190361390d97725f90a71c6bb5bf5b0
SHA256 1deffb4fd70c9c346e1c5121b5069f758198ce12cdec5c2151127658bf12e460
SHA512 86099269378b31483480c36107f357f06d27e4c9e4892ee184438f7a3730f67853b5d44bf0bb7049242ad9ae262d08b07052bcd9f9f72175e754185725787f99

C:\Windows\Installer\MSI2122.tmp

MD5 331caf579a41951fb7462bc8523de15b
SHA1 74a0cd632915e55028a398223dccb91050368258
SHA256 bedbfb71cba5a06ae38b38eb84da2e1a8ae99000d2cfeb49ee80e114a5e5f34c
SHA512 fec47b6087d38bedbb7000cb733cf9fbcb4adceadb088da5f6d4b8a325a458264c45e00580f3d15259874f79d395cad31fa6590117b738838804cbee3972415f

C:\Windows\Installer\$PatchCache$\Managed\8CDD41E806AE81E43B3E917301D4B5AD\16.4.1108\F_CENTRAL_atl110_x86.F9D0B380_EB85_31D4_96AC_C6CB40086A55

MD5 b80876dc9ed199aae1ecca79fe268aef
SHA1 0247f430077691b06635396605635cf768992e26
SHA256 4d7a75b644b307abe1667b7e5def00cd61690ed2b780d1a263a9323f4cd34041
SHA512 0efdfa08f9daca1e197456b5a834edc7b5dc69eea454cb2eb197eb6844742d316fdfc992a9f4b6a6d573a67a466379745d7936ec0c56f9ef15cf6bfc80ec43a3

C:\Windows\Installer\$PatchCache$\Managed\8CDD41E806AE81E43B3E917301D4B5AD\16.4.1108\F_CENTRAL_vcomp110_x86.F9D0B380_EB85_31D4_96AC_C6CB40086A55

MD5 f9cae234ef87430c809addeda386b609
SHA1 80976f9bc0fdaa9d405f8d3a4d857db8e3e3b93a
SHA256 d65c6324e62585e92d2098d2abc9bb23597c3a86ff52fcf509ffa58b1650ef10
SHA512 93b7b5f7d299b0565aa4294d67399a39b8387faa2e888dc0e857cc16b187e90b624063d36590e0d3d6c2a58a94fcc920404f0fa84f4e618a6ec27cfdb3e8a32a

C:\Windows\Installer\$PatchCache$\Managed\8CDD41E806AE81E43B3E917301D4B5AD\16.4.1108\F_CENTRAL_vccorlib110_x86.F9D0B380_EB85_31D4_96AC_C6CB40086A55

MD5 f660cf07ec1d5704aba37ece8e17f0e6
SHA1 2b99e853911e7e32d920d035d89a044ee367e67c
SHA256 64e47a6aba8b14975236cd0219dd3b853fbccb5a2c044c8b94ee5ac586800385
SHA512 eb8b8e9fb5b53baee4b71ef851393e32cfe0d875efefe0309bd237f489e262d5ead5840244bafe0f6391251b1758b73d8f067b3dd0008f9ee5f4aedf2d2ae4a9

C:\Windows\Installer\$PatchCache$\Managed\8CDD41E806AE81E43B3E917301D4B5AD\16.4.1108\F_CENTRAL_msvcr110_x86.F9D0B380_EB85_31D4_96AC_C6CB40086A55

MD5 80e987dbe08677e2ec09615cd4358607
SHA1 d2109b7a238ae75545c7a43f863ead710b00b323
SHA256 8a06500612ce1bb0aecf052dcccce619c85be7732cbaeac4d6b26b6ae2cc7f7b
SHA512 cb876bcddb2abd97d247efca8fa602d9edf0b63fad12ebb1f4f3426e227b0a35f35db19cba2a51f4f8124df435fdcf8844728dc883ebf3662b20393958345a45

C:\Windows\Installer\$PatchCache$\Managed\8CDD41E806AE81E43B3E917301D4B5AD\16.4.1108\F_CENTRAL_msvcp110_x86.F9D0B380_EB85_31D4_96AC_C6CB40086A55

MD5 ab09ce954c647f3c2b4328b57d519996
SHA1 63f3de90362bba6f106367bac56566f952666d39
SHA256 0de1e28796f709d24758ddc6bc2c779f6ff4b20c51b163e2ba77fa7e52942070
SHA512 7c55060f782552d239500b9300c79c95726498fa7cf73250d22ae95ec0db1086b3012e19e066e3b0e9b22ae86bb5a8bb4ec2ed5cf2c03f2734bf2e58bef67fb4

C:\Config.Msi\f76e99b.rbf

MD5 21438ef4b9ad4fc266b6129a2f60de29
SHA1 5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd
SHA256 13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354
SHA512 37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237

C:\Config.Msi\f76e995.rbs

MD5 602a80176b83c16eb908466cdd14dd93
SHA1 02ccece887bee47cdced17ec9e57bd121522fbaf
SHA256 8c6c8b2abccffad4b4ec4643d0393f528b682503632e16e320775bdfc641b03a
SHA512 fdde3b81287c1539547d5339c3bbc280c3ed00c1952e93a7da4ad2317c9939cc7e55cf13aee5c855b694570d7f2ce399c488600b69aa3a5e99a36cecad96b36a

C:\Windows\Installer\$PatchCache$\Managed\F187AF9E08E3993428A5DAE3112CC877\16.4.1109\F_CENTRAL_atl110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C

MD5 3a72fa7ad0289cd0bcd1f4e3613766e9
SHA1 ea6c5cd5a2a17514b9f066e48e19b07df524508a
SHA256 0773677d1a9ad31e3f1bec74030ab1c867c627ab2f67e519e0243c02dcc12d45
SHA512 b65540e99969cd2a0d22ac7788615dfb13b0826f5afe87836a01d5df544c473c57d95003ca688b45f361629dc0507e5551106473813f6c9b1825321a3539e80c

C:\Windows\Installer\$PatchCache$\Managed\F187AF9E08E3993428A5DAE3112CC877\16.4.1109\F_CENTRAL_msvcp110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C

MD5 349b1d5d8d1b5a7b10bcd01470bd5f64
SHA1 cd6f2f507f9481803d6d808cef09546a44f96e21
SHA256 f0502e3d58713044f62f539b8738694e4ce9c619c665515f5ed2500c843c0c46
SHA512 f7d1bd3f661bf09e2ba84488b617a8dab61983854a2689e0fa7e5abc121eef784c13c8e1bac8ee6d3067486220730bf3bccb619de0ee93fc158f0f59b71553c3

C:\Windows\Installer\$PatchCache$\Managed\F187AF9E08E3993428A5DAE3112CC877\16.4.1109\F_CENTRAL_msvcr110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C

MD5 c72abc6b7b90a61364b6dd889b5435f3
SHA1 dfe74e40da0bb442aeec448b2b3e447067d610bb
SHA256 0cbbd9691f08434da3617874f99c6dd87538cbd65b5d8bc39fce378d4ed29eed
SHA512 f91b1eb81af15812311542c663a4af976003a522f0ceed056e7e3732988efba8e03d4502c3d59e1cd71e01ff5014fe95fbe3eb4996fb3811a68413626feccb8f

C:\Windows\Installer\$PatchCache$\Managed\F187AF9E08E3993428A5DAE3112CC877\16.4.1109\F_CENTRAL_vcomp110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C

MD5 a24611da798edd02242ae618050c4ef4
SHA1 28b29814033d3921939cbc96f8aec6234401f8d2
SHA256 f48c9f347c0fba69247f1c85569a21e0d6282ac02469366c79588f896d57b277
SHA512 ce86a35f2e29b130cf4ad4312c3f920758a2a4837d8e725f7d95ededcc8156387576b3a782c4603b6f229b403d0d1929b43e384fe95a3eb6c799d350b2a5a223

C:\Windows\Installer\$PatchCache$\Managed\F187AF9E08E3993428A5DAE3112CC877\16.4.1109\F_CENTRAL_vccorlib110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C

MD5 ca969d6fa6c19758d48c664b2d1ce08d
SHA1 3eaf3564b5957329c7c84e217fbc26ce5f8e938a
SHA256 9e76c5a9e8358589cbdd06efa426ed0f0fa95b65377b976ff7d056d21a0f1f89
SHA512 edeffe548003147c37464fa687680a8f1751835aba070d118c2152fc616e06e8b1733e7f0f7d7947889a6cb46938e254a71d915dba4eadf142ff4788523147fa

C:\Config.Msi\f76e99f.rbs

MD5 759bd721a142353286cb9cd8e979b5ac
SHA1 13812d264a2c67bf5e9a764029d5a976129c87e5
SHA256 bfbf1f3da7c21b3338da53fc93b752557b4071174992f74f7b63ff2f6660a0f7
SHA512 bdf0f849782feccca8dd1b77a5221f0e3ebada7c07cf1b3c3486dab7183d435a11e4fc5f9737478be159e7a206c5ef98c42cc284b68b7bf813c857ed11227110

C:\Config.Msi\f76e9aa.rbf

MD5 19c334982160e2e9b65f65fee9fb2f1b
SHA1 8d28c230fd4c29569a721ecee64f87795b9891b3
SHA256 716f505e8dbdc2ef87ee40df85cee2e4df1321404960d4502f4c59095c0b25f4
SHA512 657a0e828bda7c457e81ab7d5c1effd867f5047e323fc197aa1de4587e8b51dbf9a99e9064f086d00dbc9c777fdb1b668612b5c0704220a38c6e8c7c009f511a

C:\Config.Msi\f76e9ad.rbf

MD5 4631116763b745f833b7b038109ce117
SHA1 3405589b8f9bc7c60f562108a35908743529a6af
SHA256 31c6b41f131b83cd811f5cd7ec51c4da9aabffdcdb544f32f880b4eba352db6b
SHA512 d3be284773802270f316a7ffe5796958cf3531f336007dae6d6a749f0fb3d8c0b31ef444451b2150d6d444a60a92a4fb3df4e031ca8a70d7fdf8aa16ded916fc

C:\Config.Msi\f76e9ac.rbf

MD5 8a1e15b5d2f3c15b1a2371c280328bc8
SHA1 b6200087c87a1c784a6a6d02a16998a1934cff6d
SHA256 f231ff5322bd34defbebf4548c2ce7148576481f52c9829f51e75ebba653c491
SHA512 3006e39dae75fdea6719fb2ac28f4eee4bf2588582bbf50ec921ac8eb0f59a06eaf024a5d65dbafbb9e792fef86c0e4ee0d78cee736a20a0eee61944bd43cb92

C:\Config.Msi\f76e9ab.rbf

MD5 f8fabde2101eb374d55299062a1956f3
SHA1 b064168929d67805cc7346b8f3a0fbca23e69b5c
SHA256 06d44d51aecb6d43911d1b8d23ce08a796dc85407ae46f68f00d8e433054d37f
SHA512 463efa2ec2f7d30ca285ce468b2910a98e39ee67ea0eaaa6f4d772f390207178377c8f42b455fea563e5ec51ac1c0e91e15e8f0ce6d5d2a56037519c3b1df5ef

C:\Config.Msi\f76e9ae.rbf

MD5 59412225e43ffa632061bc4af6c23a29
SHA1 2d3c2b0c00d402c174dd862250e2f0bb26b3e085
SHA256 06305cd4ce3608d7a72a7d3ac824d815324e8bc8fad52f58fa2095aaac39eb17
SHA512 11704d4d62bf028671d5483b075f70075125f462b10f089bfd70ff109a3ba2c133e112b4af71b3f805d1c31481adef065e731222285d92ee5eb22d31f541cbce

C:\Config.Msi\f76e9b0.rbf

MD5 750d64660645311559524a8c57c02dcf
SHA1 eed3e34d144556640d3cc843a31594219ab1ecd5
SHA256 3976b799208f9053afc453e95f0fef5c3b010845b571ecc674885f2121d2bcaf
SHA512 65c06035fdb9b3322690260ee347a4097576ac90d82593c6aa263003101c15c3dbac4d14e44cd948596aea9c4ceff9e9ef5f2e5ba3f8a14bebaa206cc42e840d

C:\Config.Msi\f76e9af.rbf

MD5 d56f4d98f6078295ab1ab0670bf2b9a4
SHA1 0e323bf6db23597c13091db97c2b9978e119595f
SHA256 38a8a8442b967038e301164e27561dd79ed8cdc7efadb89e440fa2da929345ea
SHA512 072fac60f5c2b3bece23dff6b3d7a69330f349ccd7b04fa1db0e811145a468a9fd5aeac052e52ac13e24fa1b3ca3bae17e59442e381c8636e1e9505eb7cf8342

C:\Config.Msi\f76e9b2.rbf

MD5 d475bbd6fef8db2dde0da7ccfd2c9042
SHA1 80887bdb64335762a3b1d78f7365c4ee9cfaeab5
SHA256 8e9d77a216d8dd2be2b304e60edf85ce825309e67262fcff1891aede63909599
SHA512 f760e02d4d336ac384a0125291b9deac88c24f457271be686b6d817f01ea046d286c73deddbf0476dcc2ade3b3f5329563abd8f2f1e40aee817fee1e3766d008

C:\Config.Msi\f76e9b1.rbf

MD5 833011ab151a76f4063f0155b4c2c156
SHA1 49fa4318a8aecfecb0e167515aad84c9fe8b5c14
SHA256 409449bb4460982f38a717d0ad4f94ab4d3662968c398282a78095a554a592cd
SHA512 4b9b3f81f93a4fa495b26e27bb3b9666de3070ef6a0ba62b3e4095264e1abc13ce8ce85e91e5390e8b7a3a0b08e064ae4311312e7e0c67e02ad9c01545676c57

C:\Config.Msi\f76e9b3.rbf

MD5 ddb7181b125abdc6d2b2831b8be6b3a2
SHA1 20b12d3f59fd427429ffbf6ba3edd82de0365921
SHA256 8aead63e2d39a64c429d5b79a13d73d6c133b19607c3d3e32a60262c8574caba
SHA512 30af739cc615542fd1ae8a073ace0e1690d4a5d102595416d506dffa158f9610c32d63b7c5ad335715c76f2262d2df6e8f850812e915adb4a9043a0ab90ff6b0

C:\Config.Msi\f76e9b4.rbf

MD5 36c3ff7ed2592e97d9a01bae095a037d
SHA1 b6a2c49c8481969283c2e3eaca78026adbd1f524
SHA256 b226b3f204026c41878073f62b5210d9a81aea255e4ad8d24b611ec37bc39b77
SHA512 0b8797dc15dbbda12f3aa75ebae88d336fcca7f76a62461dfde4a371c8a8281a93dcd25dcd32710eab805988dcb71f9a35af284294d5021c26b29407eada684b

C:\Config.Msi\f76e9b5.rbf

MD5 d718132c57d5f9433bd4dbc76dafcb3e
SHA1 910ff15d0209427a0beed450cdb60e9851fb083c
SHA256 b7107789317b87463abd8dc2d4c10d22d8bbdb5e59f3f3332e7627eb0919759b
SHA512 e2a17881a2e1f7418073f5649db52c9889798c143044c0d3b100089fc245ed3201051fe5d34463b43e23beae057340d4f49244e338f9c68c059851aee1d05548

C:\Config.Msi\f76e9b6.rbf

MD5 144e67dd00d5f958d34c7341a4748512
SHA1 fe75888d1abb99d49d368e50d954f1fa3307122d
SHA256 2203532ba8e256d6c6037da6e73a79238fb3a84cf37e26a8d209fde1a43dbdea
SHA512 82044a755d7a4c9ddaa676b92d3acb15b055d9b553031157b1ff07865dff87827c20766de9ba5b1dae1240b796e393f944d14e95d0d3131ee7f6697104be6a9f

C:\Config.Msi\f76e9b9.rbf

MD5 0b92e34cbe0f5a2fd1d4623ac1adc70c
SHA1 dc3ff919983d79e3b96f9c7d274cb3e88652503a
SHA256 a7b6259921a56ea44d3560dbe99acef787f4fb6e785260f0601f13dc2d3c887b
SHA512 417fde41ba6ded8759a30e3078b2df801b2c578901a3367c4e49976f9a3a20902d758b0741b9b64779f52acbe692841bfc7dd4b057bd98f60ae249334e98bcb2

C:\Config.Msi\f76e9b8.rbf

MD5 68f9dc456607f5e4ef2cc69fd52da031
SHA1 8da5a56199921d2a15839f7ac924c6dd394a65dc
SHA256 f9621117f4c50b57e0b0a6b7b62b2478b8b6469439810eb5ff40c1b65958a4d9
SHA512 74640dbf8f66a5ed068ee8019edc0800c096cc8f14a8d7294a435644be54785e2083cb1bc9311ce0b3a45baf5469ce27eb10977e3aa4b0817b652ac65e3e1b01

C:\Config.Msi\f76e9b7.rbf

MD5 189254e2323732285405ef21024f77bf
SHA1 ce3a7b03c7385c4025f4b310d2674c7b5485c28a
SHA256 5505cbb3db5c57e63492c78df45cff9ad4da97d9ef0c624b0fd062b8de9c2482
SHA512 ed799ab56b31553d8823cfbc284898708e9d6a38659d9ca5096049447e8a2c78c30c9a35faf4869c20b0c1b4208c17756da6df0e24440c0295dc6cd5cc60c4c4

C:\Config.Msi\f76e9ba.rbf

MD5 5e65ed1f7efddd406ce16aaf90d45eaa
SHA1 27c0bea0fb39245c95650e6fc404cc69053bf61d
SHA256 f792d18a252aa7b8cdf604352fc871b5346212e442c1785da8dc15657a4dda80
SHA512 ca4318127fef1a5a9adfc7aa7323219a2060c13f6bc5d8a8b892dd05f806eadcfd756318fe37c6f70f5a1589b733742360b7dcc9a8b2c694a4d5d0e6ffa98034

C:\Config.Msi\f76e9bb.rbf

MD5 9b6728e20ab8bee1b196b1b52bb21321
SHA1 89d58441380a25083b5e90dd30d74de8af0496bb
SHA256 959b8d276f0b74f902379d05f0a825b0b2118e96554ac22e6e070bcd650f0ab7
SHA512 38195d1708e375f955b5924c37fd0fdddb88e22c29793c42b867ba4438fb1a7b48e45dac05315bfd7c9079039d8668c0aab3d4c74b69fb46b04d276477514aa7

C:\Config.Msi\f76e9bc.rbf

MD5 ec62f94fd38011803a5d7646874780c7
SHA1 2eefa5d657078c2608c994cb63e20992274fb4a7
SHA256 295f491d55b4b265d7b8184e0ec379f51bc30aa424f15961687e2ca4ab1a223d
SHA512 25e06909ef92cf26d945760a75ff880401f0590b7e6e9bd32c1552634df33b2705ff9e810eb5d39757b0c985299c73f799e204cbceab5ce9b51644df3f664701

C:\Config.Msi\f76e9a9.rbs

MD5 cf4b7d499c0b990a24648b99856f2918
SHA1 7057cd1bb233056f2cb7a884a9db9e7d0fa9e87a
SHA256 8898e73155aa6ebef015e7e218b9e8c1ffc440454843872bef4ab7eeb529f2ba
SHA512 d3b7701b83accc5a99cba2d51e78fef9515f066e8fa6fb4c176190354e9f5d4cfa49ec0563479cce77f13afc411c4e2bf4aff1a1b8e222c988b7fd7a5ebf4bb0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 6f02f9e2323056fb1df63ec9e55f1ac1
SHA1 f6c141375ea9074561b2902e71ca9ef22cbd9f99
SHA256 a7a2b519dc20054a217995380471abb483f410bae2c5f40d95feb0252fac1f78
SHA512 c599cd0e9cc88deb0bc7c7ef5587556d0c1c9e6fe77b8f17748bc9423735c6a4e2ee86b60504d0985f85a7ec2f36ede93d8e93498f6ce7ddcbc213b837f637ba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 f9d54766ffe5c82d549440dedb80e397
SHA1 11d5127f08a817a68d158acc92f6256a3c57f5ed
SHA256 fa817941d9a4208996d04bbf6ff756244d18fa74dce182443139772b31cf3802
SHA512 ebe674b5508e6c48184c13708c138d6f0df2cadbeb67e1a9223edcf7477128551b3433f808fce9bdb6c5a86ca25e2068c2d4d8d8449f9d00f56c161e4eaf751b

C:\Users\Admin\AppData\Local\Temp\05041616-00000414-jlrwg9gxop\Files\2024-05-04_16-14_414-ezpbbfwr.log

MD5 d70f97f6c648087efb1642b0d5f26f79
SHA1 f94f1ec6e15df4d7c048932ca2663401bf2b46de
SHA256 3f41c356b0b9542b3cd9de3fb0ac470890535af49e8048fa2b3e6ce3bf4dca12
SHA512 33ced7e139dc33f24cbb60dff8a95e06fc4863d946b89470158a45c5335519cf77396a11ec89bfc3b36c92b682fb38372eb193addf6c089b4364283e4ce59f11

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-04 16:13

Reported

2024-05-04 16:17

Platform

win10v2004-20240419-en

Max time kernel

168s

Max time network

183s

Command Line

"C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe"

Signatures

PrivateLoader

loader privateloader

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLXAlbumDownloadWizard.exe C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLXAlbumDownloadWizard.exe\CWDIllegalInDllSearch = "4294967295" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MovieMaker.exe C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MovieMaker.exe\CWDIllegalInDllSearch = "4294967295" C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\qcl84k9z\dzm43vn7.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\mvwd8md4\c9mobvb7.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\yd2q9l0v\6hc4oexp.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\iv2mf8t3\qgl6aveg.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\trfon5lq\lk7q6bta.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\80ekmzzd\pgcuxb1r.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\u9dses31\aciesvql.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\a651xm13\wllwku5j.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\6rbcqq0d\gslo520i.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\dv0v3jmf\00qcczhw.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\4m5y173c\ifywxmy2.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\hn05mxxh\qcnvbskc.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\q5pn1w36\matyqiai.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\twz8nsrp\ydigqjxj.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\hlen194g\ib2cmhg9.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\uhnd289z\ile88lke.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\8dwdbzf7\ayjb2bl3.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\jlc847cg\vd8tqval.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\bf9gncmo\fycrce4f.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\inlzsdyl\q9ksrbs0.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\gmsrrrwc\nkn72wfc.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\86q92wo8\ynb5fkke.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\rdqwfs32\c2ksv993.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\4g2o52od\ky9pp339.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\znfe9bku\xdqw7a2h.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\t0vyr514\tpdbefwm.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\uo9uil0l\cul1rqy9.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\3e279d7f1da9e3e01\DXSETUP.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\11bfdpu1\e0ot2rn7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DX432E.tmp\infinst.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\716dnkh8\vrvhb1xy.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\v8djdouq\b08m2yck.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\3e9c6f761da9e3e02\DXSETUP.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\qhsedwx4\b3qczo98.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DX4A91.tmp\infinst.exe N/A
N/A N/A C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\qxk8efg6\hx0bgwvb.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\3eceacdf1da9e3e03\DXSETUP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DX4E4A.tmp\infinst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DX4E4A.tmp\infinst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DX4E4A.tmp\infinst.exe N/A
N/A N/A C:\Windows\Installer\MSIB717.tmp N/A
N/A N/A C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe N/A
N/A N/A C:\Program Files (x86)\Windows Live\Installer\wlstartup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\3e279d7f1da9e3e01\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\3e279d7f1da9e3e01\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\3e279d7f1da9e3e01\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\3e279d7f1da9e3e01\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\3e9c6f761da9e3e02\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\3e9c6f761da9e3e02\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\3e9c6f761da9e3e02\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\3e9c6f761da9e3e02\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\3eceacdf1da9e3e03\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\3eceacdf1da9e3e03\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\3eceacdf1da9e3e03\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\3eceacdf1da9e3e03\DXSETUP.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Windows Live\.cache\3eceacdf1da9e3e03\DXSETUP.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe N/A
N/A N/A C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe N/A
N/A N/A C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe N/A
N/A N/A C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe N/A
N/A N/A C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe N/A
N/A N/A C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe N/A
N/A N/A C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe N/A
N/A N/A C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe N/A
N/A N/A C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe N/A
N/A N/A C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe N/A
N/A N/A C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe N/A
N/A N/A C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe N/A
N/A N/A C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe N/A
N/A N/A C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe N/A
N/A N/A C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe N/A
N/A N/A C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe N/A
N/A N/A C:\Program Files (x86)\Windows Live\Installer\wlstartup.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4DE8551-2C38-4D43-AD16-674CE04A2081}\InprocServer32\ = "C:\\Program Files\\Windows Live\\Mail\\wlmimefilter64.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00F3712A-CA79-45B4-9E4D-D7891E7F8B9D}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00F30F90-3E96-453B-AFCD-D71989ECC2C7}\InprocServer32\ = "C:\\Program Files (x86)\\Windows Live\\Photo Gallery\\PhotoViewerShimx64.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00F33137-EE26-412F-8D71-F84E4C2C6625}\InprocServer32\ = "C:\\Program Files (x86)\\Windows Live\\Photo Gallery\\PhotoViewerShimx64.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00F33137-EE26-412F-8D71-F84E4C2C6625}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\InProcServer32\ = "C:\\Windows\\system32\\XAudio2_7.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\InProcServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\InProcServer32\ = "C:\\Windows\\system32\\XAudio2_7.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4DE8551-2C38-4D43-AD16-674CE04A2081}\InprocServer32\InprocServer32 = 4c007700480075002e00300037006b005a003f00630041002b0077006d002d005a005400410061003c0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4DE8551-2C38-4D43-AD16-674CE04A2081}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00F346CB-35A4-465B-8B8F-65A29DBAB1F6}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{58FC39EB-9DBD-4EA7-B7B4-9404CC6ACFAB}\LocalServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{F4DE8551-2C38-4D43-AD16-674CE04A2081}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\InProcServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00F346CB-35A4-465B-8B8F-65A29DBAB1F6}\InprocServer32\ = "C:\\Program Files (x86)\\Windows Live\\Photo Gallery\\PhotoViewerShimx64.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00F3712A-CA79-45B4-9E4D-D7891E7F8B9D}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\InProcServer32\ = "C:\\Windows\\system32\\XAudio2_7.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{58FC39EB-9DBD-4EA7-B7B4-9404CC6ACFAB}\LocalServer32\ = "C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\DWTRIG20.EXE -s" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00F346CB-35A4-465B-8B8F-65A29DBAB1F6}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00F30F90-3E96-453B-AFCD-D71989ECC2C7}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\InProcServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4DE8551-2C38-4D43-AD16-674CE04A2081}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00F3712A-CA79-45B4-9E4D-D7891E7F8B9D}\InprocServer32\ = "C:\\Program Files (x86)\\Windows Live\\Photo Gallery\\PhotoViewerShimx64.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00F30F90-3E96-453B-AFCD-D71989ECC2C7}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00F33137-EE26-412F-8D71-F84E4C2C6625}\InprocServer32 C:\Windows\system32\msiexec.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\d3dx11_43.dll C:\Users\Admin\AppData\Local\Temp\DX4E4A.tmp\infinst.exe N/A
File opened for modification C:\Windows\SysWOW64\D3DCompiler_43.dll C:\Program Files (x86)\Common Files\Windows Live\.cache\3eceacdf1da9e3e03\DXSETUP.exe N/A
File opened for modification C:\Windows\SysWOW64\SET510A.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\3eceacdf1da9e3e03\DXSETUP.exe N/A
File opened for modification C:\Windows\system32\d3dx9_32.dll C:\Users\Admin\AppData\Local\Temp\DX432E.tmp\infinst.exe N/A
File created C:\Windows\system32\SET4561.tmp C:\Users\Admin\AppData\Local\Temp\DX432E.tmp\infinst.exe N/A
File opened for modification C:\Windows\SysWOW64\XAPOFX1_5.dll C:\Program Files (x86)\Common Files\Windows Live\.cache\3eceacdf1da9e3e03\DXSETUP.exe N/A
File created C:\Windows\system32\SET5138.tmp C:\Users\Admin\AppData\Local\Temp\DX4E4A.tmp\infinst.exe N/A
File created C:\Windows\SysWOW64\sirenacm.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\SET50BB.tmp C:\Users\Admin\AppData\Local\Temp\DX4E4A.tmp\infinst.exe N/A
File opened for modification C:\Windows\system32\XAudio2_7.dll C:\Users\Admin\AppData\Local\Temp\DX4E4A.tmp\infinst.exe N/A
File created C:\Windows\SysWOW64\D3DCompiler_41.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\d3dx10_41.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\SET4BE9.tmp C:\Users\Admin\AppData\Local\Temp\DX4A91.tmp\infinst.exe N/A
File opened for modification C:\Windows\system32\D3DCompiler_43.dll C:\Users\Admin\AppData\Local\Temp\DX4E4A.tmp\infinst.exe N/A
File opened for modification C:\Windows\SysWOW64\SET50F9.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\3eceacdf1da9e3e03\DXSETUP.exe N/A
File opened for modification C:\Windows\system32\SET5138.tmp C:\Users\Admin\AppData\Local\Temp\DX4E4A.tmp\infinst.exe N/A
File created C:\Windows\system32\SET5139.tmp C:\Users\Admin\AppData\Local\Temp\DX4E4A.tmp\infinst.exe N/A
File opened for modification C:\Windows\SysWOW64\SET4513.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\3e279d7f1da9e3e01\DXSETUP.exe N/A
File opened for modification C:\Windows\SysWOW64\d3dx10_42.dll C:\Program Files (x86)\Common Files\Windows Live\.cache\3e9c6f761da9e3e02\DXSETUP.exe N/A
File created C:\Windows\SysWOW64\SET4FE0.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\3eceacdf1da9e3e03\DXSETUP.exe N/A
File opened for modification C:\Windows\SysWOW64\XAudio2_7.dll C:\Program Files (x86)\Common Files\Windows Live\.cache\3eceacdf1da9e3e03\DXSETUP.exe N/A
File opened for modification C:\Windows\system32\SET5139.tmp C:\Users\Admin\AppData\Local\Temp\DX4E4A.tmp\infinst.exe N/A
File opened for modification C:\Windows\system32\SET4BE9.tmp C:\Users\Admin\AppData\Local\Temp\DX4A91.tmp\infinst.exe N/A
File opened for modification C:\Windows\SysWOW64\d3dx11_43.dll C:\Program Files (x86)\Common Files\Windows Live\.cache\3eceacdf1da9e3e03\DXSETUP.exe N/A
File opened for modification C:\Windows\SysWOW64\SET506D.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\3eceacdf1da9e3e03\DXSETUP.exe N/A
File opened for modification C:\Windows\SysWOW64\d3dx9_32.dll C:\Program Files (x86)\Common Files\Windows Live\.cache\3e279d7f1da9e3e01\DXSETUP.exe N/A
File opened for modification C:\Windows\system32\SET4561.tmp C:\Users\Admin\AppData\Local\Temp\DX432E.tmp\infinst.exe N/A
File opened for modification C:\Windows\SysWOW64\SET4B8B.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\3e9c6f761da9e3e02\DXSETUP.exe N/A
File created C:\Windows\SysWOW64\SET4B8B.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\3e9c6f761da9e3e02\DXSETUP.exe N/A
File opened for modification C:\Windows\system32\d3dx10_42.dll C:\Users\Admin\AppData\Local\Temp\DX4A91.tmp\infinst.exe N/A
File created C:\Windows\SysWOW64\SET50F9.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\3eceacdf1da9e3e03\DXSETUP.exe N/A
File opened for modification C:\Windows\system32\XAPOFX1_5.dll C:\Users\Admin\AppData\Local\Temp\DX4E4A.tmp\infinst.exe N/A
File created C:\Windows\SysWOW64\SET4513.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\3e279d7f1da9e3e01\DXSETUP.exe N/A
File opened for modification C:\Windows\SysWOW64\SET4FE0.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\3eceacdf1da9e3e03\DXSETUP.exe N/A
File created C:\Windows\system32\SET501F.tmp C:\Users\Admin\AppData\Local\Temp\DX4E4A.tmp\infinst.exe N/A
File created C:\Windows\SysWOW64\SET506D.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\3eceacdf1da9e3e03\DXSETUP.exe N/A
File opened for modification C:\Windows\system32\SET50BB.tmp C:\Users\Admin\AppData\Local\Temp\DX4E4A.tmp\infinst.exe N/A
File opened for modification C:\Windows\system32\SET501F.tmp C:\Users\Admin\AppData\Local\Temp\DX4E4A.tmp\infinst.exe N/A
File created C:\Windows\SysWOW64\SET510A.tmp C:\Program Files (x86)\Common Files\Windows Live\.cache\3eceacdf1da9e3e03\DXSETUP.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\DiagonalDownRightTransitionTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\FadeThemeScript.wlms C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\InsetUpLeftTransitionTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\TextEffectCinematicCaption2RightTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\4c64c87f1da9e3e1e\MailLang.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Windows Live\Shared\wldcore.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\CinematicOverlayRightLowEffectTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Shared\wliduxhc.thm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\WLXQuickTimeShellExt.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\CrossFadeTransitionTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\FadeInFromWhiteEffectTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\SlideDownGapTransitionTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\WLXImageTranscode.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoSqm.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\WipeWideRightTransitionTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Installer\en\startuplang.dll.mui C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\CinematicThemeScript.wlms C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\PanAndZoomEffectZoomInFullToCenterWithCWRotationTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\BWOrangeEffectTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Shared\WLAVRes.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MetadataSys.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Writer\html\map-preview.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\FanOutTransitionTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\ZigzagHorizontalTransitionTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\WLXVAFilt.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\CyanEffectTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\FlyInLowerThirdTextScript.wlms C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\WheelTransitionTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Mail\Proof\prf0009\8\mssp7en.lex C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Installer\settingshc.thm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Writer\WindowsLive.Writer.BrowserControl.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\RollTransitionTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\WLXMP4Parser.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\SplitVerticalTransitionTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\PanAndZoomEffectZoomInFullToRightMiddleTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Contacts\LivePlatform.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Writer\WindowsLive.Writer.Controls.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\PanAndZoomEffectPanLeftToRightAlongMiddleTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\ShatterUpRightTransitionTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Installer\en\wlsres.dll.mui C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Windows Live\.cache C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Common Files\Windows Live\.cache\4236de081da9e3e10\d3dx10-x86.msi C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
File created C:\Program Files (x86)\Windows Live\Writer\WindowsLive.Writer.CoreServices.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\HueEffectTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoAcq.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\DiagonalCrossOutTransitionTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\SpinTransitionTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Writer\WindowsLive.Writer.FileDestinations.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Writer\WindowsLive.Writer.SpellChecker.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\DefaultThemeScript.wlms C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\PanAndZoomEffectPanRightToLeftAlongTopTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Writer\template\defaultstyle.css C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\Contemporary5TransitionTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Contacts\livetransport.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Mail\wcsync.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Writer\html\map.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\DissolveRoughTransitionTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\ShatterRightTransitionTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Installer\LangSelector.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Installer\startuplang.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\BWRedEffectTemplate.wlmx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMakerTemplates\ContemporaryFlyInLeft1TextScript.wlms C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows Live\Photo Gallery\en\MovieMakerLang.dll.mui C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\e5853cb.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5853d4.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e585404.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5853b9.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5853bf.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI737D.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240504161539989.0\msvcp90.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAE85.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID503.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e58540d.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7815.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5853ec.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB6D8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5853c5.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9C86.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5853c2.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240504161545545.1 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5853d7.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240504161539989.0 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5853bc.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240504161545514.0\amd64_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_069f922e.manifest C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7F3F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5853ec.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240504161545529.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9715.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBA83.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{07AAB66E-4718-422D-9218-4AFB3C922A71} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240504161548232.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI72D0.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{1D6432B4-E24D-405E-A4AB-D7E6D088CBC9} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\assembly\tmp\31HNPFWR\System.Data.SqlServerCe.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5853f8.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5853fe.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5853d4.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5853dd.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5853e6.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240504161548185.0\msvcr80.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58540c.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\8CDD41E806AE81E43B3E917301D4B5AD\16.4.1108\F_CENTRAL_atl110_x86.F9D0B380_EB85_31D4_96AC_C6CB40086A55 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5853ca.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5853d7.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{00F9DB8C-65D7-4D47-AB5F-F698EE38580D} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5853fa.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5853d3.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e585407.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5853bb.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\F187AF9E08E3993428A5DAE3112CC877\16.4.1109\F_CENTRAL_atl110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240504161545514.0\msvcp90.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5853c8.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240504161548185.0\amd64_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3fea50ad.cat C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE9EA.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240504161540005.0\vcomp90.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240504161540005.2 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8368.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9DB2.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{0BE9E708-5DC0-4963-9CFD-0AA519090E79} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB4A4.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}\ProductIcon C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB717.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240504161545545.0\9.0.30729.4148.cat C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI96D6.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{DD67BE4B-7E62-4215-AFA3-F123A800A389} C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000066def5a81497f7c40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000066def5a80000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090066def5a8000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d66def5a8000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000066def5a800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Windows Live\Installer\wlstartup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Windows Live\Installer\wlstartup.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SUBDOWNLOAD_LOCKDOWN C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0D81DFEC-5610-4a2b-9B57-FC33D21366F0} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F81CD990-910B-4bbf-9CB3-6A77F3D697B3} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6FBF8DD5-9E03-4af5-B779-FEBEF6754712}\Compatibility Flags = "1024" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS\wlmail.exe = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{43ABBB95-C0E9-497B-8BB9-B5FA08861705}\AppName = "wlmail.exe" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9019d14b-638d-4383-bb95-441b7f57eafb}\AppPath = "C:\\Program Files (x86)\\Windows Live\\Installer\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0D81DFEC-5610-4a2b-9B57-FC33D21366F0}\Compatibility Flags = "1024" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D133B285-8A43-4EC7-93BE-9B909C2370F5}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER\msnmsgr.exe = "6" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{111C85E9-BB62-4528-A806-F0BE908E02F0} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{111C85E9-BB62-4528-A806-F0BE908E02F0}\Compatibility Flags = "1024" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{380689D0-AFAA-47E6-B80E-A33436FE314B}\AppName = "wlcomm.exe" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F4C30BB5-D7FC-4d60-9D49-7C6B67C3592D}\Compatibility Flags = "1024" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\wlmail.exe = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9019d14b-638d-4383-bb95-441b7f57eafb}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F5F545A6-39C4-40b5-814D-B45040A89FB5}\Compatibility Flags = "1024" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D133B285-8A43-4EC7-93BE-9B909C2370F5} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\wlmail.exe = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_OBJECT_DATA_ATTRIBUTE\WindowsLiveWriter.exe = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Version Vector\WLPG = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F4C30BB5-D7FC-4d60-9D49-7C6B67C3592D} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{43ABBB95-C0E9-497B-8BB9-B5FA08861705}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{380689D0-AFAA-47E6-B80E-A33436FE314B}\ = "Windows Live Contact Database" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{380689D0-AFAA-47E6-B80E-A33436FE314B}\AppPath = "C:\\Program Files (x86)\\Windows Live\\Contacts\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{43ABBB95-C0E9-497B-8BB9-B5FA08861705}\AppPath = "C:\\Program Files (x86)\\Windows Live\\Mail\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{323C0F99-820A-4e0b-B714-57942C6D9678} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F81CD990-910B-4bbf-9CB3-6A77F3D697B3}\Compatibility Flags = "1024" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING\wlmail.exe = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_OBJECT_DATA_ATTRIBUTE\wlmail.exe = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DB9524B3-24F4-48fa-91C5-B8EEF1C0A14F} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\wlmail.exe = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9019d14b-638d-4383-bb95-441b7f57eafb}\AppName = "wlstartup.exe" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F5F545A6-39C4-40b5-814D-B45040A89FB5} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DB9524B3-24F4-48fa-91C5-B8EEF1C0A14F}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\wlmail.exe = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DB9524B3-24F4-48fa-91C5-B8EEF1C0A14F}\CLSID = "{7C51BCB8-fB03-4C2E-9BD6-487376B9CFB7}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{43ABBB95-C0E9-497B-8BB9-B5FA08861705} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{323C0F99-820A-4e0b-B714-57942C6D9678}\Compatibility Flags = "1024" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6FBF8DD5-9E03-4af5-B779-FEBEF6754712} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{25914AE5-2F57-40a5-A804-966F1E4959A3}\Compatibility Flags = "1024" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D133B285-8A43-4EC7-93BE-9B909C2370F5}\AppName = "msnmsgr.exe" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{380689D0-AFAA-47E6-B80E-A33436FE314B} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{25914AE5-2F57-40a5-A804-966F1E4959A3} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{380689D0-AFAA-47E6-B80E-A33436FE314B}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\wlmail.exe = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9019d14b-638d-4383-bb95-441b7f57eafb} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT\wlmail.exe = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\wlmail.exe = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_OBJECT_DATA_ATTRIBUTE C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Version Vector C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D133B285-8A43-4EC7-93BE-9B909C2370F5}\AppPath = "C:\\Program Files (x86)\\Windows Live\\Messenger\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL\wlmail.exe = "1" C:\Windows\system32\msiexec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\30 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\33 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\3A C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\43 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\46 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2f C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\31 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\33\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\36 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\36 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\38 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\39 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\3c C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\3E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\42 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\3e C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\33\52C64B7E\@%systemroot%\system32\FirewallControlPanel.dll,-12122 = "Windows Defender Firewall" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\3d C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\42 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\46 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2D C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\35 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\37 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\38 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\40 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\34 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2C C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\30 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\43 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\32 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\3B C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\41 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\41 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\3f C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\31 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\37 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\45 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\3D C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\3C C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\44 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\39 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\3F C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\40 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Clients\Mail C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Clients\Mail C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Clients\Mail\ = "Windows Live Mail" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\44 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2B C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2F C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\34 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\3a C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2d C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\33\52C64B7E C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\35 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Clients C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\3b C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D683055-CB8A-4861-A25A-20B08DFA4B33}\InprocServer32\ = "C:\\Program Files (x86)\\Windows Live\\Contacts\\abssm.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C8BD600A-7498-4ACD-AF57-84BABC97D0CB}\TypeLib\ = "{79AA1567-79A4-43C5-BED0-F330F8325673}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{13F99D17-B89F-4E00-B766-B2045AF2B13D}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6126F664-B01E-4E86-AD3A-98990F902B63}\TypeLib\Version = "10.4" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{64905A8F-D85E-4CD6-A1BB-C4445878766D}\ = "ILiveTransportSignalServiceCom" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\wlpg\ = "wlpg: pluggable protocol" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62844001-F25C-4C03-AA85-82ED31730C06} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4E9641E9107F74FFD70FB770A9E35168\C18BC956E45B1FD46B813F757793A345 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.nef\OpenWithList\WLXPhotoViewer.dll C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WindowsLive.PhotoGallery.video.16.4\shell\preview C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5ABE8E9D-FC0B-49A7-B548-01545FAE3096}\ProxyStubClsid32\ = "{70F99035-3722-436A-B19E-735401B32845}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0F5F61C73107FC3409A85B0584ADCF14\A8F1162B7EFE88E478D5910FFEEA784E C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BF9E04D9-1C43-453e-BD39-86D39CB63DBC}\ProxyStubClsid32\ = "{0A8E9E0A-10F6-4bb4-A076-D89D1C446CFF}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{51A01E38-7505-401B-ABC9-F460E1499728}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF4B4853-6A83-4EB8-BDBC-3890889753AA} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WLMail.Url.Mailto\shell\open\command\ = "C:\\Program Files (x86)\\Windows Live\\Mail\\wlmail.exe /mailurl:\"%1\"" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{97B9EC02-C47C-4996-A479-DD3DD31D572D}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.bmp\OpenWithProgIds C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A75F0AACC8AB8DA4AA303FB2E0F46532\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{8A9C8EF0-8AC9-4E8A-A08C-16CE70F90364}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{600FA301-4E2D-4C85-989D-5CA19A41D121}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{70F99035-3722-436A-B19E-735401B32845}\ = "PSFactoryBuffer" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{528F3194-13EB-4F23-A0DE-D3486E668221}\NumMethods\ = "7" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40979A59-08CC-48D0-882B-24581A99C3D7}\InprocServer32\InprocServer32 = 2900580077007a0063006d00460053006d003f0046004b0064006800720060003d00440070002400570069006e004d00610069006c0046006500610074003e007e002b002b004a00450066005200630059003d0073002e005f0028005d002500450057004900330000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{FC19ED7E-BE5D-4C2D-83FF-B3B82F017E7D}\ProgID C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D8851A32-AE00-43E6-ACA1-A146384C18B0} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{600FB328-4E2D-4C85-989D-5CA19A41D121}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE9495E4-76C2-487A-85C0-2F7127CF359E}\NumMethods\ = "15" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{03DFA498-BD30-467b-9E41-B69F8DD252AF}\ = "IMSNMessengerContacts" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0B1A232A-4A09-4A43-A7B3-E367D1C3B4B7}\ProgID\ = "Microsoft.Photos.LiveSlideshow.CinematicTransform.1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00F30F64-AC33-42F5-8FD1-5DC2D3FDE06C}\ = "Windows Live Photo Gallery Editor Drop Target" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WindowsLive.PhotoGallery.tif.16.4\shell\preview\MuiVerb = "@%ProgramFiles%\\Windows Live\\Photo Gallery\\regres.dll,-3043" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.WLMP\OpenWithList\MovieMaker.exe C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\InProcServer32\ = "C:\\Windows\\SysWow64\\XAudio2_7.dll" C:\Program Files (x86)\Common Files\Windows Live\.cache\3eceacdf1da9e3e03\DXSETUP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0EFF299C23CA9AF4CBA91F36B7E956D5\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{380689D0-AFAA-47E6-B80E-A33436FE314B} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSNMessenger.P4QuickLaunch.1\CLSID\ = "{E13AAC70-70AE-4988-808C-B267F2C20E79}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{312B9567-734D-4A21-A8AA-F319BD1AAA6F}\ProgID\ = "MSNMessenger.Hotmail3Control" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WindowsLive.PhotoGallery.ico.16.4\shell\open C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.raf C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0EFF299C23CA9AF4CBA91F36B7E956D5\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96530F83636A3FC4DBED30C2C8523140\ProductName = "Movie Maker" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{380689D0-AFAA-47E6-B80E-A33436FE314B}\ = "CContactDb" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{3DB5BF0B-EF8A-44FE-BC55-9081D81D868E} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{34CD8C45-56A0-4200-933F-38035ED7F7FC}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{833C2961-83F0-4C4D-B823-8A1C6A124E06}\TypeLib\Version = "10.4" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B62C577B8AAE11A4CAFB675ED26F8B50 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WLXAutoPlayMgr.WLXHWEventHandler\ = "WLXHWEventHandler Class" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\InProcServer32\ = "C:\\Windows\\system32\\XAudio2_7.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A6C64DD86500CEF47BA082BB611A1FF1\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD494F5F-0E16-492B-97FF-88A551479460}\NumMethods\ = "14" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{508B548F-252D-45C2-91BB-2E6E9164D81C}\NumMethods\ = "33" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{9B5C97F6-B3A5-4A6D-8B03-993EC7291A22}\ProgID C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WindowsLive.MovieMaker.WLMP C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\ = "AudioVolumeMeter" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{833C2961-83F0-4C4D-B823-8A1C6A124E06}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{03C514A3-1EFB-4856-9F99-10D7BE1653C0}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WLMail.Url.nntp\shell\open C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E0F72DAB56155A94EB66FAB57FF3F2EE\SourceList\LastUsedSource = "n;1;C:\\Program Files (x86)\\Common Files\\Windows Live\\.cache\\4c64c87f1da9e3e1e\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{35C08979-C203-494E-A780-A5ADC524204D}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E02AD29E-80F5-46C6-B416-9B3EBDDF057E}\1.0\0 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SSCE.Replication.3.0\CLSID\ = "{C1843338-0C08-4dd5-AD13-B6871EC80AA9}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WindowsLive.PhotoGallery.video.16.4\DefaultIcon\ = "C:\\Program Files (x86)\\Windows Live\\Photo Gallery\\WLXPhotoViewer.dll,-1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9BAFAC61-5B04-413A-88AB-2DF100BF01D4}\NumMethods\ = "18" C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe N/A
N/A N/A C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4892 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\qcl84k9z\dzm43vn7.exe
PID 4892 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\qcl84k9z\dzm43vn7.exe
PID 4892 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\qcl84k9z\dzm43vn7.exe
PID 4892 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\mvwd8md4\c9mobvb7.exe
PID 4892 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\mvwd8md4\c9mobvb7.exe
PID 4892 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\mvwd8md4\c9mobvb7.exe
PID 4892 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\yd2q9l0v\6hc4oexp.exe
PID 4892 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\yd2q9l0v\6hc4oexp.exe
PID 4892 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\yd2q9l0v\6hc4oexp.exe
PID 4892 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\iv2mf8t3\qgl6aveg.exe
PID 4892 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\iv2mf8t3\qgl6aveg.exe
PID 4892 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\iv2mf8t3\qgl6aveg.exe
PID 4892 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\trfon5lq\lk7q6bta.exe
PID 4892 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\trfon5lq\lk7q6bta.exe
PID 4892 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\trfon5lq\lk7q6bta.exe
PID 4892 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\80ekmzzd\pgcuxb1r.exe
PID 4892 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\80ekmzzd\pgcuxb1r.exe
PID 4892 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\80ekmzzd\pgcuxb1r.exe
PID 4892 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\u9dses31\aciesvql.exe
PID 4892 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\u9dses31\aciesvql.exe
PID 4892 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\u9dses31\aciesvql.exe
PID 4892 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\a651xm13\wllwku5j.exe
PID 4892 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\a651xm13\wllwku5j.exe
PID 4892 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\a651xm13\wllwku5j.exe
PID 4892 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\6rbcqq0d\gslo520i.exe
PID 4892 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\6rbcqq0d\gslo520i.exe
PID 4892 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\6rbcqq0d\gslo520i.exe
PID 4892 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\dv0v3jmf\00qcczhw.exe
PID 4892 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\dv0v3jmf\00qcczhw.exe
PID 4892 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\dv0v3jmf\00qcczhw.exe
PID 4892 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\4m5y173c\ifywxmy2.exe
PID 4892 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\4m5y173c\ifywxmy2.exe
PID 4892 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\4m5y173c\ifywxmy2.exe
PID 4892 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\hn05mxxh\qcnvbskc.exe
PID 4892 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\hn05mxxh\qcnvbskc.exe
PID 4892 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\hn05mxxh\qcnvbskc.exe
PID 4892 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\q5pn1w36\matyqiai.exe
PID 4892 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\q5pn1w36\matyqiai.exe
PID 4892 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\q5pn1w36\matyqiai.exe
PID 4892 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\twz8nsrp\ydigqjxj.exe
PID 4892 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\twz8nsrp\ydigqjxj.exe
PID 4892 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\twz8nsrp\ydigqjxj.exe
PID 4892 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\hlen194g\ib2cmhg9.exe
PID 4892 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\hlen194g\ib2cmhg9.exe
PID 4892 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\hlen194g\ib2cmhg9.exe
PID 4892 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\uhnd289z\ile88lke.exe
PID 4892 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\uhnd289z\ile88lke.exe
PID 4892 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\uhnd289z\ile88lke.exe
PID 4892 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\8dwdbzf7\ayjb2bl3.exe
PID 4892 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\8dwdbzf7\ayjb2bl3.exe
PID 4892 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\8dwdbzf7\ayjb2bl3.exe
PID 4892 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\jlc847cg\vd8tqval.exe
PID 4892 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\jlc847cg\vd8tqval.exe
PID 4892 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\jlc847cg\vd8tqval.exe
PID 4892 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\bf9gncmo\fycrce4f.exe
PID 4892 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\bf9gncmo\fycrce4f.exe
PID 4892 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\bf9gncmo\fycrce4f.exe
PID 4892 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\inlzsdyl\q9ksrbs0.exe
PID 4892 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\inlzsdyl\q9ksrbs0.exe
PID 4892 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\inlzsdyl\q9ksrbs0.exe
PID 4892 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\gmsrrrwc\nkn72wfc.exe
PID 4892 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\gmsrrrwc\nkn72wfc.exe
PID 4892 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\gmsrrrwc\nkn72wfc.exe
PID 4892 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\86q92wo8\ynb5fkke.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe

"C:\Users\Admin\AppData\Local\Temp\wlsetup-all.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\qcl84k9z\dzm43vn7.exe

dzm43vn7.exe q7etyxig.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\mvwd8md4\c9mobvb7.exe

c9mobvb7.exe yl0jop25.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\yd2q9l0v\6hc4oexp.exe

6hc4oexp.exe ybj7qh83.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\iv2mf8t3\qgl6aveg.exe

qgl6aveg.exe rvdfpkkq.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\trfon5lq\lk7q6bta.exe

lk7q6bta.exe dap87tcp.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\80ekmzzd\pgcuxb1r.exe

pgcuxb1r.exe lr15w0f7.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\u9dses31\aciesvql.exe

aciesvql.exe v76r2kev.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\a651xm13\wllwku5j.exe

wllwku5j.exe pjaqlurl.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\6rbcqq0d\gslo520i.exe

gslo520i.exe rwactbac.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\dv0v3jmf\00qcczhw.exe

00qcczhw.exe twgi5slx.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\4m5y173c\ifywxmy2.exe

ifywxmy2.exe 8iozzxw6.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\hn05mxxh\qcnvbskc.exe

qcnvbskc.exe 7hsi6avm.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\q5pn1w36\matyqiai.exe

matyqiai.exe 7pu9l0z1.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\twz8nsrp\ydigqjxj.exe

ydigqjxj.exe kg197o2r.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\hlen194g\ib2cmhg9.exe

ib2cmhg9.exe hpapfbdp.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\uhnd289z\ile88lke.exe

ile88lke.exe pdk91tk7.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\8dwdbzf7\ayjb2bl3.exe

ayjb2bl3.exe grggj1r7.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\jlc847cg\vd8tqval.exe

vd8tqval.exe dlza8o9a.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\bf9gncmo\fycrce4f.exe

fycrce4f.exe 3p27e541.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\inlzsdyl\q9ksrbs0.exe

q9ksrbs0.exe h8t0b3cl.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\gmsrrrwc\nkn72wfc.exe

nkn72wfc.exe k1856m4i.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\86q92wo8\ynb5fkke.exe

ynb5fkke.exe 1wygwry4.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\rdqwfs32\c2ksv993.exe

c2ksv993.exe m4de52nq.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\4g2o52od\ky9pp339.exe

ky9pp339.exe 96l8t2hy.tmp

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\znfe9bku\xdqw7a2h.exe

xdqw7a2h.exe kqv8kozo.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\t0vyr514\tpdbefwm.exe

tpdbefwm.exe tia65gj7.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\uo9uil0l\cul1rqy9.exe

cul1rqy9.exe m6uj9yu3.tmp

C:\Program Files (x86)\Common Files\Windows Live\.cache\3e279d7f1da9e3e01\DXSETUP.exe

"C:\Program Files (x86)\Common Files\Windows Live\.cache\3e279d7f1da9e3e01\DXSETUP.exe" /silent

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\11bfdpu1\e0ot2rn7.exe

e0ot2rn7.exe fphyeof9.tmp

C:\Users\Admin\AppData\Local\Temp\DX432E.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DX432E.tmp\infinst.exe d3dx9_32_x64.inf

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\716dnkh8\vrvhb1xy.exe

vrvhb1xy.exe o9zt1jkc.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\v8djdouq\b08m2yck.exe

b08m2yck.exe 06dmzy3v.tmp

C:\Program Files (x86)\Common Files\Windows Live\.cache\3e9c6f761da9e3e02\DXSETUP.exe

"C:\Program Files (x86)\Common Files\Windows Live\.cache\3e9c6f761da9e3e02\DXSETUP.exe" /silent

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\qhsedwx4\b3qczo98.exe

b3qczo98.exe q7evk6jx.tmp

C:\Users\Admin\AppData\Local\Temp\DX4A91.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DX4A91.tmp\infinst.exe d3dx10_42_x64.inf

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\qxk8efg6\hx0bgwvb.exe

hx0bgwvb.exe e17a65nt.tmp

C:\Program Files (x86)\Common Files\Windows Live\.cache\3eceacdf1da9e3e03\DXSETUP.exe

"C:\Program Files (x86)\Common Files\Windows Live\.cache\3eceacdf1da9e3e03\DXSETUP.exe" /silent

C:\Users\Admin\AppData\Local\Temp\DX4E4A.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DX4E4A.tmp\infinst.exe d3dx11_43_x64.inf

C:\Users\Admin\AppData\Local\Temp\DX4E4A.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DX4E4A.tmp\infinst.exe D3DCompiler_43_x64.inf

C:\Users\Admin\AppData\Local\Temp\DX4E4A.tmp\infinst.exe

C:\Users\Admin\AppData\Local\Temp\DX4E4A.tmp\infinst.exe XAudio2_7_x64.inf

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\XAudio2_7.dll

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 3B196B6CB2076C3314E88D3F54D3C0DD

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 18D6EE7AE8D0D9AEE7EC9158925B8741

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding BBE3F8C143E7AC9B52E40E29FE1036D3 E Global\MSI0000

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /Create /tn "Microsoft\Windows Live\SOXE\Extractor Definitions Update Task" /xml "C:\ProgramData\Microsoft\Windows Live\SOXE\updaterTask.xml" /F

C:\Windows\Installer\MSIB717.tmp

"C:\Windows\Installer\MSIB717.tmp" -i

C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe

"C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe"

C:\Program Files (x86)\Windows Live\Installer\wlstartup.exe

"C:\Program Files (x86)\Windows Live\Installer\wlstartup.exe" -QueueRequests -firstrun -context:messenger -hs:dk7oi5odvh

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
IE 68.219.88.225:80 g.live.com tcp
US 8.8.8.8:53 www.msn.com udp
US 204.79.197.203:80 www.msn.com tcp
US 8.8.8.8:53 113.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 225.88.219.68.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 88.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
IE 68.219.88.225:80 g.live.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 ls2web.redmond.corp.microsoft.com udp
US 8.8.8.8:53 ssw.live.com udp
US 40.90.130.194:80 ssw.live.com tcp
US 8.8.8.8:53 sqm.microsoft.com udp
US 8.8.8.8:53 194.130.90.40.in-addr.arpa udp
US 8.8.8.8:53 signup.live.com udp
US 13.107.42.22:443 signup.live.com tcp
US 8.8.8.8:53 22.42.107.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\050416~1\tmp5F27.tmp

MD5 8274c233094ab59f40135619f32848cc
SHA1 cb588154fc7e951e0199d2a56dc494010e7a994f
SHA256 ac1a5b92fc478ed69aec3d94c6c0ba328789bb4e44a9c56598a4f961edfcb09c
SHA512 08434975e41233ac9efe507d87743fa3962321b2b556b1066514745d9a885f62ceab2d0bb6eb8d045186e5b9d1efee561851a7fdd5726495658ebf4d7693d105

C:\PROGRA~3\MICROS~1\WLSetup\wlt613C.tmp

MD5 cbf9a63a3faccbb98f8056b9ee1118e3
SHA1 2a1404023097cdfc07a578e0a8b5b5abe4db7b90
SHA256 21679dca7b22f90fb864b4a30d7ef032710804b04bfd9c369305f50d8ad6e81c
SHA512 b20458b6c80503e62a282c872dfa4fb40b53bbc079ab43ce721f47910b72cc7e5cb77123b5da8e4b72fb0a2b87b4151bd5467ef7fa2f7424ed49762b25184d47

C:\Program Files (x86)\Common Files\Windows Live\.cache\cache.ini

MD5 6bba5a7ea205b00474d9073b1a75f67e
SHA1 6f501f39be35fd6e29753a7e648d1f040e733bcf
SHA256 e63258d9621253183e15b4ae01438f85cd94f2391493d127134e3b4d4e00f0b7
SHA512 95d23a109c61bac6ca1ca7d6c77ba26d6221f078548353d0c62bf4e9897b3ab7bc3ea3eafe5e2458852f37ab733dc92a9bb4101eee01a67bf6c8f67c761158e7

C:\PROGRA~3\MICROS~1\WLSetup\wltEB9C.tmp

MD5 6df4dd5ef40cdb035d1851ecb495d498
SHA1 5c8752da038c7218d6d3bb2d0217f1a40a2a2da3
SHA256 cd4a58a31dd7dbabffbff3a16f1771e500480b6054581ab9f5c6c029807931df
SHA512 8f6ed579df5822869c9f16f579ffb32be3c2218b7b898b97976d1f9099fc47d6703740fc9e6894328eda42c8f141b579c8ea3f074214a5b73a3284d67279a75e

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\qcl84k9z\dzm43vn7.exe

MD5 b3695953f17eb4ef1c67422007304546
SHA1 a4915419b346f11d304f337f4e9bb627be5171ea
SHA256 650b8d8737e5565709c740508b41b187720eaa32edd12f8b66bacc27f2270953
SHA512 73b5aab985ca473b88d2efb3386a0c22eec12c035bf6f89e23905d58e6e5cd83d71ecf2909e06d661011da4987badc1b5a071613980260c5bc75a9e48ee93db2

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\qcl84k9z\q7etyxig.tmp

MD5 a6bcdb8f4c2995fdd878db23f9d800f1
SHA1 3d58e01f26811095e7ab09ef7ca117ffbb831276
SHA256 ef36704ed00de8491b983b191968fbb8a06d17af675de19dcf0506edee8f26be
SHA512 5f6fcf82275b567b56b59f1e9485102a6c7fa94b63d3b1f72501f498d82802b5d9d1f8650cd82e489d0616573a58ce808e1c9021ac01b2e9b8f9ec5d3e567812

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\qcl84k9z\D3DX9.cab

MD5 692b02ad89ed82727a47247556320ea8
SHA1 cfb54a9792ca16d8fb8c35513015abd5ae996ea0
SHA256 ada3f11e2be0f1e9faf4634de6cf5f95eebb65d24ec6b9220b479b70fe584be2
SHA512 1a9165fe1001671ab3d3f8bc9eb7532b95848c7b0582e3aad8bad53ed90dbbca0a6df1fa154afac9f4d18184a51422ca72131e92cb977ec3e25d2d860814229a

C:\PROGRA~3\MICROS~1\WLSetup\wltEE9C.tmp

MD5 02136a305a5fcbc5b31373cb489a1a34
SHA1 c6d9d7390c781ddce4d972bc92f57a00952f32b4
SHA256 0de72fad2d446e5a49da3e8f2193dd20eedc5efc15de5f628b6f84cb58d7b00f
SHA512 1bc2e54b11e6eeca047804d77eb7f7ec9f0f3dd539e5a8ae2b7dced5653c985dcc25eec9f0f65153935f06b8d4b36f21d00c53cdaf32773e93a4bb3e244e36f5

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\mvwd8md4\yl0jop25.tmp

MD5 0edc6461b2b7af6dcec4a152c6d12797
SHA1 0c0f0df6223a061e7661d772761020ac2e2e06a2
SHA256 5a754fc90bfa2f60b3a0fbf45e9ff7658f77daa08debb2bdb6ca6c26304bd627
SHA512 54a540e6e410fc7740317e494f60c8b12b2b824fe5ede4d5339e79c0cde4ff8db09f1c9c4350cf175cd6898a77e74e8efe5973dc526e3d990380940c01e0a99f

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\mvwd8md4\D3DX10_42.cab

MD5 0a1d01413e017982e2d9d819e94b6a11
SHA1 9fa93226a928772754a0e30e8872d961a013a7d9
SHA256 b77ba929b68ba8fdd40209ddf39ad6443b0513b7be639c87f69d8afba90173c7
SHA512 881b22755fb56f38cef0d668ef23df14e3ee0e85218cfd485add3d102da25eec5aa00931dea3ff6934077e03d8eb4f93e688518a37ecc7b308c23d443e47253f

C:\PROGRA~3\MICROS~1\WLSetup\wltEFD6.tmp

MD5 5fb8878a81b4814ccbaa4c9c1a8b5702
SHA1 f53bcf0dba7960a7e085a4283d8aac8488459e15
SHA256 4cbac23a4d6e893d1038bdbe33775924ed9c48ebb6c1e43e70074c8d8b571c21
SHA512 9fa503ca6682db982e0138f81972dcf700c7264a6c3f280c68860b10aba68132a9d5a6b60f195e40b971572dbdb0e52b391cd70120c326f2ab7a6ab1c671d43b

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\yd2q9l0v\ybj7qh83.tmp

MD5 46869c11974313746173fa325517d5d5
SHA1 ee07cc2700fd628cd55a9083b440efd394803172
SHA256 967c62f26e6556453e5a38ec192f02fd25bbb983fdd2c9ccab012528b9001dd7
SHA512 f273ac7affd55675711335e3d948d94aeb86ef8a06db0b972017f2d08ee6d3efe9ffa5ae0c10d4c3acd32a13895a4b4753a457c11f2a0ac59c1bd49eab528b29

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\yd2q9l0v\D3DX11_43.cab

MD5 169d9f118ff7ddc6fd8388e673c0b72d
SHA1 23c5bcfdc3e8ea04951805bcf8736f4dfd9b11ae
SHA256 82670e1c9092db7e00b9c91cf73c7b12251e4714ec66926f3bf616b2ce8df98c
SHA512 31b02fb847c0c9ac1fd01ff8e802f61d83a9e3197813f181395c7fe53d2e7096be6617ca169af1c827be97fc44c080f2b23d4a4f78e026a6d785ec4552af2ef0

C:\Program Files (x86)\Common Files\Windows Live\.cache\3eceacdf1da9e3e03\DSETUP.dll

MD5 9e0711bed229b60a853bcc5d10deaafc
SHA1 2bea53988bd35c5df5c9edcef0bc234c37289477
SHA256 def6f245762be36cf18b435ba8b7ebc224b9c21d1a1db606a8e8fafdaa97bba0
SHA512 c0b31872e52c8f4270d991c70d1a1c9ef9a4bbee4807c54c05a449cd1607506ab16ff1e74b378651b36e3276322c86cd843565c8a1aa33a49c47322ef4df0185

C:\Program Files (x86)\Common Files\Windows Live\.cache\3eceacdf1da9e3e03\dsetup32.dll

MD5 0f58ccd58a29827b5d406874360e4c08
SHA1 ba804292580be6186774e7f92e6dfb104e46bf25
SHA256 642d9e7db6d4fc15129f011dce2ea087bf7f7fb015aececf82bf84ff6634a6fb
SHA512 3e3d4f2de5dc5addc86765a2f888487ea0c9ee0208fac60187ddaa9a2bfd73cfd7734836d32805fa43222470c8f6cb9a10e2a099aef72c67ad7c789096e57ce4

C:\Program Files (x86)\Common Files\Windows Live\.cache\cache.ini

MD5 341ff6422af7542a7b67ffcd67437f75
SHA1 0ed66db883a8f7e8f64645853b4bd98c8652ba15
SHA256 c95ee2dfa7b56968ba057020ae8c3f634d3a023b521417616808d4916c973ed7
SHA512 cd18710575881a3777b27845aa33cc2f5ab570e8267c0514174b2c49d0f0ab0d05188eb450ee55537f8db667ff922a827458be3992dd51fed820cf84a3e12b43

C:\Program Files (x86)\Common Files\Windows Live\.cache\3eceacdf1da9e3e03\dxupdate.cab

MD5 8adf5a3c4bd187052bfa92b34220f4e7
SHA1 b52be74c4489159bd343d3c647f28da1fd13d9b9
SHA256 13393a91201e69e70a9f68d21428453fff3951535dec88f879270269cfe54d6f
SHA512 3e2f2fe4b5742a4cf6ee2f6b8c0ca734fd0b3c5431dff112c907231846dd3eebee7b9b8117f0256119614282cc7a4896474a199563078481d48a1204ca96f92d

C:\Program Files (x86)\Common Files\Windows Live\.cache\3eceacdf1da9e3e03\DXSETUP.exe

MD5 ddce338bb173b32024679d61fb4f2ba6
SHA1 50e51f7c8802559dd9787b0aebc85f192b7e2563
SHA256 046041aba6ba77534c36bb0c2496408d23c6a09f930c46b392f1edc70dfd66de
SHA512 7a63925278332c8e7949555383b410d8848a7834b85f34d659e351ba78cbe4d2ec09caccb2178d801b9b68725c9cbae48a6a1f07f0804a0c41eb51df79b7eca4

C:\PROGRA~3\MICROS~1\WLSetup\wltF315.tmp

MD5 c70d9646c09c2f27ee53b5788419d7f3
SHA1 f143de048873e4dba0eecb2a34a98ed5998d12c1
SHA256 21f718f04df5a024b8db72f5995fd53a7aec14198977d7b418925040af233a0d
SHA512 6ef9e829118880a9c1c77a36302b8f5305635fe738edd36134fb136c242580fe7a7a3532880364342caf8ce36d0cd17ee97f2de387faac197ce0cd37d5de4ecf

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\iv2mf8t3\rvdfpkkq.tmp

MD5 4ed866061580d42f96f09c16987462c7
SHA1 ee69d20909acec25024fdb8680a9dda03ad51d2c
SHA256 225a26cf9670ab0344b052474fe5ff576c808b53eed275d66efc51d16a149804
SHA512 4f9c871a138729e8af4970f7259ee44375de6a949452d0a768938d263b095fd76ebcb4354ce437d96c6c84d0562ff08cb2dd4fa5ace3fa497fb039113dd76e90

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\iv2mf8t3\crt90.cab

MD5 575a2172466e1a8b0f17bb3d64f0fc94
SHA1 86778234f14757b95f475dd6cb7fec32ff179cd8
SHA256 a2ae8965a8502654e7e8458c301dc0225d893a55d3c71b1cbbf6e9c0f3204a8a
SHA512 a79a9e7e2f101487d80de9ab6e4990502fffc932abd41549894bda32ac5707574e9b5ffe9f40f9f075915bb6a4c7d2215c28d461c1cdf45246f202c1121b6cee

C:\Program Files (x86)\Common Files\Windows Live\.cache\3f4cdd411da9e3e04\crt90.msi

MD5 1c26a77f50bfca590760bdac24e84e03
SHA1 856b931bb34ef8aabdc924c0e017a18c78430aa7
SHA256 184f0e66df21a08c25afc6b7243d1f38feb19b5a45d2b2bd5963037c4fb908b7
SHA512 638573cbb2c260e9ee8a79e39bb095fb43be9d31641fc7f4ce906378811e6c2d77175c6b39c3ff9a877236bddf5a42b1000adf8acfe95d0248e8b2a2cd263bf2

C:\PROGRA~3\MICROS~1\WLSetup\wltF49D.tmp

MD5 447ecd02b6dd7367994fdaf6ad40f1a2
SHA1 41e5ad502ac8f903ffd143fa6626ad332b9e38d1
SHA256 c840030ca34878f7205ef9ff19ac1a3bc904f46ca31db8606fb04f81d986e8bd
SHA512 10971224c4b9263ba22c4bf62dee73fc51e9c7d787ff02d0cd02ad3adb598acf79f6130e48131ecc1032d01deae35e889db45c1b39ad2e6b6875bbf86a5f325f

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\trfon5lq\dap87tcp.tmp

MD5 6971afaa9cc2552c74fdb965c2fb76d0
SHA1 2a384297c92a41f12d467642adc72b9b585374e5
SHA256 0dd513040077b5c7e1a869f1e1e1f709cc669d21105650e6515ceab34627d468
SHA512 af3a47a32f0c5f01623c1d280159995ae6102f986ff4c7b475b7235cddbf32296e726f2be4203de293095fdd18a5065c9d6855f1e4d072142ac793152f318055

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\trfon5lq\crt110.cab

MD5 d119aaf4bf4085612e9af0518bef08e2
SHA1 06a029c35d3161aeaeb7189f3cb27fa855c6fbf6
SHA256 d7161a6d9176ed76ecb13b0931bdef32cb3239e9559c875ebd9cd485a2e31d39
SHA512 015b19f5894c09df2a553f56ae3151a2ea0671020379dd818d1a7c1b9fe69772d67daed4e6c6afef5faf1aa9994a061345f816ad191ca0e20988c67b9c02ef58

C:\Program Files (x86)\Common Files\Windows Live\.cache\cache.ini

MD5 a01e46c40302fe5a0785fe83e4c50d3c
SHA1 b0ab45376e8a60b6e821005c0a29ccae0d5517f3
SHA256 86551b77a3ff358b32694742ec1cd9449160538a4f37ab85d3a9d9f1615560b0
SHA512 2b6b1d470fb210db05411acbcd1f10fe5653c83745822da836edd25584d47181eb03abb4af22fbc00955907d11d880be6118732f18f3651b93e3e35b638dfc1c

C:\Program Files (x86)\Common Files\Windows Live\.cache\3f8d3c851da9e3e05\crt110.msi

MD5 b6874af023443ad4bff84ddd4a219aa7
SHA1 358e1c9245cd0e916712586e459d038e3e6807fa
SHA256 e66c187e6633b82bcb64201600bbe6eade67e40bc23aaecab71c0c130d3a4c30
SHA512 b1588d6f69b2537090eaaa198ca46ba697c0c704ad2a2c81d56040095840e21860a0f714abe37ace67b08d4251b27240bc183a62a11e3ae7a6c091377cce7689

C:\PROGRA~3\MICROS~1\WLSetup\wltF5D8.tmp

MD5 222a19d7053676738a56fd3705303200
SHA1 10756e87ed956adbc8b3a73e3b4b1a0f62c06545
SHA256 430dd49b0fead20b222985ededc24686e254f171c4d7abd3a009d725f3666681
SHA512 3f125562f99a200aae441414d5d248550715cf1421fb0dbfe0f9052f0ba70482004596aa0532037d5d605472be722dde1181b7ba5e0b3e416bb1437d7a74f58f

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\80ekmzzd\lr15w0f7.tmp

MD5 3ffdc68017839bba5212426593646e16
SHA1 d159eab8ad10eb07cf15f55c52220748fe1d30ed
SHA256 cc40009fe1e528af8bb5f24687324999d36e948d69197b88761b0e93d704eb0b
SHA512 7cebe2dfe1384bee8dbbe0afef02b11b0c70fb612eed85ce3d53228a629338b250922fb93f503195734106fc83aa7a35961c1caf0a12d41e92e068c79afa10b6

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\80ekmzzd\crt110_amd64.cab

MD5 52eeeca22f1c4f393702ab75ca4a0c7f
SHA1 188c56555be4bfddabc1bdfbee827e47ec6b64b9
SHA256 bc1671181fb9179dbf6e326b23030e0ffc19c9a2b084c7c28ad80152b40569a3
SHA512 cd6feb5535807253b64923029d6d4ea4c2a7464eee1ec2ce07af5c224ee3a714f537ba7327f105b223fddec08b1297b0a61150537222b19b061ed06fa2abb624

C:\PROGRA~3\MICROS~1\WLSetup\wltF6B4.tmp

MD5 f8c160aa1ed8c06de7fae3375d784cdb
SHA1 d4d2fb9740f7e63e6a2091f322a6578779f643d4
SHA256 25f6e796666c5e8529fa2ed8954cfd8e4982cb3b498d761ff1a6c8ae3dbfc555
SHA512 74df878961bd04de93699cf4e700cf98d1fd0519d11d60b4cb7c67d5ac336dbfa3869a981fc490ee55d3d0e4597d10aecadafc6f46bb96e5d60e63b49b4b4a12

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\u9dses31\v76r2kev.tmp

MD5 687db3c1547f83f3f65ce6aa8d230293
SHA1 8243cc311faf8b477e0a0e1b61fa7d12a178e5b0
SHA256 34efdd985fd8525343f80b15305f59149f2ff764a655bf045c42f597a7d98fb0
SHA512 872b18717b20b6449c05dc3364a5862a39dae81ec76cc590a3ab842e3a3affdae614daa8935ef43a0e3dd7ef4d649d6fcc44eff5d0338d0ec4e08e1c52feb5a8

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\u9dses31\crt90_amd64.cab

MD5 6ad524024eda69be12344c4b7e578ae2
SHA1 71418699513caba5354e329ea5d804752e4603fa
SHA256 1271fca2ae74c41ed1a17aa87749bdd95586266e05825c14794586b9e6293b2d
SHA512 e4db5666130714dc566a8ca0478d39be85e666b058fa8fc0c25f2b5526f9b5576a574eb560b5e46d330fd2fe48b8542fc2f9497df641a44767a1a6085e595580

C:\Program Files (x86)\Common Files\Windows Live\.cache\3fd725831da9e3e07\crt90_amd64.msi

MD5 7787432a872051f91e0c8226a51e909d
SHA1 0812252e7119ae0c6bb0a79b340f57894aa8ad75
SHA256 f7238333ee4d24f76ac983b06f92fe3ad6ede5586b54e40d6a123d51246e3ace
SHA512 42d7b95749d5aac0a61b552549afb855dcabf1375249e8f84c7276db4318273f0a47c3d5b446172ab1dcab71d7288d2a96b338e91d9efe8b6ebaee79f2324cfe

C:\PROGRA~3\MICROS~1\WLSetup\wltF81E.tmp

MD5 f9f7f6c1ee64179ac24c2797097d5706
SHA1 8c17d7f8efbf19b76d3d843a2a2e8a7828cf314f
SHA256 696f86945af7fcc7ed0fef9c95c7343e44db8c61c14ffeb5f35381664f1f5191
SHA512 2c3fd69f1db6ef20c115febb912dadfa9e7048743837f1dc5fffadff42efdb9a751fdd99390ce0e2cb54c1519f9183c8ded6fba4cea5433933cd73a023304e50

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\a651xm13\pjaqlurl.tmp

MD5 a6b1bf5479520ded28fa779a66c14dad
SHA1 1e14710a9e9c58ce227b9d4b2c960997a5577815
SHA256 b0cd17b8c87e89a17743c8f1c75e401984b4ba2a8127f38aaef62c83cfdd4df3
SHA512 28063d56c23123c38d0bbbf8a9ba5b5dd2630c379ad8592973bf84139a91b392a8b32f8a9ec4fa82adc6426192c85b9c15860b87880a4bcb459cb3cdcb063758

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\a651xm13\Watson-x64.cab

MD5 abc26cf06709db3146c92e0c8377a8b1
SHA1 2125a3554005ece8524b919815fdd9cc1037a66b
SHA256 cebe84014bfea44543c3c956d665b2d3d30c0308b80ca90a831b9c7d846356cf
SHA512 48906552f9a7b90ac76a242601739e3533859117125b912f02c40a38a756a9099bcc291cdbe98e1a9bc832bd734dbad610d9994223624127c8a28cfe0829c9d9

C:\Program Files (x86)\Common Files\Windows Live\.cache\400dfbbc1da9e3e08\dw20sharedamd64.msi

MD5 2459308b46fde807b05e541ed484af4f
SHA1 6d6732af93fce1f5f4bb8f9e41cab2c70c1b7bf8
SHA256 46a2b00e630d478780bc0db5c312811ed0e194f0680ecb1df769cd3103bcd422
SHA512 ceffece9a3d10f88194846d463c95880b2af203d65d1077415f433c3e657b501cefad07410ce650ce534485a6bd756e8937151b67714045b528bc88979864a87

C:\PROGRA~3\MICROS~1\WLSetup\wltFA81.tmp

MD5 fd61bf6ae58ec3aa09157fed71f14492
SHA1 eed13224b402129767d24ed82d09d8473eb5e806
SHA256 08d2e9ee6fe16a67242176d218b6423a1be21fd81c1ee60d45cbf0651647fb70
SHA512 20a2c4f5c19b931c1367a095ab65e50deb16fbd4bd4e98f9ba1ebf6d7c776d975dc6bd4a57ff9f9952569c43c01bf2f8f100202e4aae0ae7d61d2ae22a4aafea

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\6rbcqq0d\rwactbac.tmp

MD5 6b0e1c4a026558ebd9b7adf2478256b4
SHA1 09d4806b572891dec18f8ea36fc783ae3fa2f333
SHA256 f4d56250a6ad6ebe6d16444e7bb65daf8cadc94e12be7d7f4a156acbb52f1059
SHA512 a8e8f71b202a4ae1bdecdd7ac1b96e791d6663aa731def39bb561c89d350a1029c41a7aaee133bb8c8d68502a45ca4fef16d2192df6592db711011a9523150e0

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\6rbcqq0d\WLXSuite.cab

MD5 dd4976b6bbde52aceed41ea0e619c7cd
SHA1 eb0d5db7445bfcd5254c0b1e95cd60aa0f16105e
SHA256 2e14e58be3fa84b292bd49be75a053340c878956c5f7eb76bf1d68464e0b9648
SHA512 a7502c2e40a99aa508731c0cfb0fe6317c64381816ad6fc0a3524f7540559d762261e0a957235bbf128ab75adabcd8dbbc425e71d577376e859712084593af2e

C:\Program Files (x86)\Common Files\Windows Live\.cache\406d76bd1da9e3e09\WLXSuite.msi

MD5 9f91bd1204abad23916cea89e0a6502b
SHA1 9b23bcadaee6fc61d02ae5b0aad060cdeec61023
SHA256 f213e44352caa38ae3b443b76377d62a686a6697dd55fd3120e0b86cdd571c87
SHA512 95b313aa1e7bc71d13f82f3219f7e03f076d08cb8f5cdc31b1858af1791b745fa7cae6bd2513ef8614abd186fa9f3f8401d882e5d1d9331259910fb2f3c679fc

C:\PROGRA~3\MICROS~1\WLSetup\wltFE1D.tmp

MD5 ea97299a6ca38bca1acede644e42e701
SHA1 7930b08655a834986d68c317d003290ccd3a7025
SHA256 575b69bf46cf9bbd7a1bfe954827a46dc21294e593d96899902f93e36ee698f1
SHA512 aa33609e7b58d851b6f4c229e26d89b6a24b732e78a17afcf4f1f5193b383259e6cdef875b5d4e0bcd965e6995c354d31ee9dc9b161c00faadd8fe9e4aad4266

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\dv0v3jmf\twgi5slx.tmp

MD5 f273437319eacfe6980b8b509f5da862
SHA1 05f81d8954108e07a4d78d4ffd6b2d3367f0c4ee
SHA256 f01b626d3931848e8ac2c7d646523e6609a71d91da4c7fa6c2f5248984e529e6
SHA512 6fbcf76d6f76c47b39287fc379672fe2545ffdbcd30e1e092a5d65abb52bb018a9da19c1211763926b3c8025c12e2dd231b12cf76775d667ff7283f5ea623839

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\dv0v3jmf\WLMimeFilter-amd64.cab

MD5 884151b8b5afc0d83906dc8ee1a6f7e9
SHA1 841185a41287ccba75e47d894da3e74b9be22283
SHA256 31ff81d5c58140dfdc900c33fbd23bf9546b67b4e45b436da357a7f19ffef607
SHA512 0995cd15a11ffaf6841b93cda3ef1f07930a7d6519a338d9b0267a948c5232fbcbf9e4c33bf0638e8b0397f427ce5a1e01182e2eac1a8bc85335d2725aaccc59

C:\PROGRA~3\MICROS~1\WLSetup\wltFF67.tmp

MD5 10b8dd1e4ee0a05ec2e1e31510b37d61
SHA1 672c7950d93f23e7b100a2fc5bc8797adcec95ee
SHA256 a94259c2dfd6f0422a31494bc0474189605883ca10bfd2a8b9317b6381c170d7
SHA512 d08d34098d321847c330ba132181d2ede1c8a5d8aa845c7bebdabab1596beaf1a92889c5824f48b370e2c3471dace1b6ba92c85b6715d284d0c4ae27bfecb4a4

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\4m5y173c\8iozzxw6.tmp

MD5 7b68481c3758c89baf84408ca6a516a9
SHA1 50bfcb68317aa5c41bf163b1e1d6b9a3e1b50d45
SHA256 7a6ad74823dacf11e46e4b9d720bb610ddf0b0653963d616671e926748133e0e
SHA512 ad4b42ec85c977f31ee552bb51287e46333ce163e2652f3d640d87431e059cd8e5426241e34c37ac3d23806ecac05b042311db5ebb1b0553016c4353b7baca1e

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\4m5y173c\soxe.definitions.cab

MD5 3bd00551de772995f7671a6ba45d65ab
SHA1 8249b2c28c73cd3a0bae4067e5cbd8c0e65d6923
SHA256 23c26ddeb0a3576c50d7ebae995a807163c63fdd5e8319aa071d13fa9a0a6496
SHA512 4e40ad0e7a414911b578ec515666475f9ab981723760fb6aa0b697e417a004cbae725f1ab295ac3026d22323dddab9db7f298d2cfebba854a1f2bf5ff5a6b6eb

C:\PROGRA~3\MICROS~1\WLSetup\wltFFA8.tmp

MD5 5ac50acb23e095fc4a3b3754b7e67e29
SHA1 c5f5157c33924313787f007a1f54406d2cba16b8
SHA256 83a4fc7db344ce7e7225e92ee0a3b8df86549a0ae43d3d536acb90ffdebd9ba3
SHA512 e5daea306d18b2b6ffc0f2554ff3bd2fcb1119b693125965fc780c7d89d47355f041b0747d133eb2e7ee82b1a60a7f0549005fb972161222c8821a01ba862d00

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\hn05mxxh\7hsi6avm.tmp

MD5 6fee869fb755bace369d1ab411e7b378
SHA1 c7f5a525cab44441e30de2fcd2b17d60c099d40f
SHA256 ea894ba961f35cbd34f63a5569a8fc9642bf82ed5d6cf2df2618d84e7328feff
SHA512 c6175007077dab80a11e2bf4606735fc382d602f60c2ab26e90e221ae1aaeca9e782c8698e589e0e4299b43e02b1c68b59297737ce820f870742dbf141560107

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\hn05mxxh\soxe.core.cab

MD5 22ca63e33ab582842692359e8178ef1f
SHA1 da6d9d58e849cafed8a58a331ef1ffd17ee085a4
SHA256 48f7e9437dc980c37c284e3157f5651663725cbae5e4341f70e6672972cb87fe
SHA512 caebfa50b3c1f8b64bcd08b08d6f3b41ed6e4683767b5764ae2b636bcd67bbe845aa38747c0bd6bc9f552d24dc89a00e43cdc2668d1645ea7b4540768be702a8

C:\PROGRA~3\MICROS~1\WLSetup\wlt27.tmp

MD5 7fa4c347edd4745f69e50e04d6c759fd
SHA1 4d65e4997b62bacbfb881437fe69bcc11c868ad3
SHA256 474ac624b9291612f7d3870ae1b972dd2cff6b4e58d36e68fe57e4c9dbf1d4fd
SHA512 fdc6bd74509d8f7264bc2afda8da88fcbc899cce1d27772121dfc43d3166f105adcde311fbf279235e2e0bdf0debf8eff1be593226673acfbfb522bee4423d0a

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\q5pn1w36\7pu9l0z1.tmp

MD5 34983f6eb1552b4805a6766c9461cef3
SHA1 7f52a185a5c10c1291be7907731d1e990f8a4a90
SHA256 c4d4ce3d9a3a8c881281858045075997747a4ce8ea953a1f5f301e60a09093b1
SHA512 9f8e41f3b79cbf9b56b737abb779a6c4ab95aec07e9961240fb08efd1ed78fa677be9a9e841bc2bdd185631ecb986ad8820fb6ff098fe7866f7ce74f3d5ef6a6

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\q5pn1w36\Contacts.cab

MD5 5f26b195ce2d0e31cee1efc7005eec86
SHA1 d7b8aa59ee38748d843033c066c6b61da57ccf64
SHA256 35debf728fc1abcbc96048e4d386b81c12bbe7ad1558e4ccee0002edd6b7da09
SHA512 55b037584949ba68993646c3fc49938890cc08c4a98766ee3d9e53d651db3dd2cb5a6399709690dc042ae1c9236aa26113ea416c333eb50b1218cb194615ef38

C:\PROGRA~3\MICROS~1\WLSetup\wlt21D.tmp

MD5 35cac173c2b8032543c5977e34277238
SHA1 28930a5c72f00723d1f471004f4b2a4bcdd63573
SHA256 b2ad5d9c9d9df2d9aaec5e00bd8adceb36de0d3fe66c23fe6567c084a7107ad4
SHA512 aeb83d0d8e293c90ffcdb2157431c6566c8c69487067e96755d17de4383d0d752760f66b8a1c666175317b3c7260f1291503504c08fed910f5b0969e50b1716a

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\twz8nsrp\kg197o2r.tmp

MD5 ee3ac9d9b218516b43d3a2b8f2a24508
SHA1 8f0e3f8edc39a816f2c8edd171a7738c45bfb6bb
SHA256 98f6006ffb554539cf1cf6be46795e7e6b9b1592ae42a97f780a467badb07ada
SHA512 0048ffd26aad92b1545414c99c5825315f8538a34d46017629be49e9ebe817cb5a5bfa3aa699afe4316f886bb2791d84609cc7e10b589a2e2584be51788e28c4

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\twz8nsrp\PIMT.cab

MD5 801f96ac4b7e12b9691c12e94c7abe2d
SHA1 05b2618a84a080d3e41725bdc6f73632cfbb4a8f
SHA256 a030b62c1da3ba7d8821e60fb4427c9041fbc077867b59a528371b5e5cdc419a
SHA512 a75d0e8074f55bd1cacc3f6b7938fd111d5328963dfb6573f0b2f1e8ab9738887b2f55e657893d37319feb922e4bd998e20a91a516d7783f472bc8fff5aef95d

C:\PROGRA~3\MICROS~1\WLSetup\wlt357.tmp

MD5 81a7886ba27f04ce9d4905c57df4963f
SHA1 7cbc155539038abcdab731aa7afb8843ff504fa6
SHA256 2973ea30120ad3475971e4f96cc73f32176ce29204deb1f1e62eadbfb5f7576f
SHA512 861a73c358a74d985cff144cee7370dce97bfc1de182431d7d0acea6f7161acc1b7a32abccc881511819d6b06acf59fe12a427a56f057506565010e5a8c64289

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\hlen194g\hpapfbdp.tmp

MD5 1d71f23b16a5fa228583e8d43861b114
SHA1 947a1bbd7478f586bc59c42962dd3a0ecffc5d1d
SHA256 fc75b41a31b7d2d91ccf1b49c801ec6233af8f83bb98b10247a65041d5b58f2d
SHA512 a2ee87cd8da55f4ce7f81cbe7a15f08054478ed8222e71019fc7069e6cf8acd6f63b341557c3439b833d4fe69ed84688beea08fabfeba04fd7603fdac9f7a591

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\hlen194g\UXPlatform.cab

MD5 c012292727bb374cfa9dd557ee29d2b4
SHA1 123197276bae304ba78ee833dc6f9d9e59a0b0b8
SHA256 6e2eb5f8da9c05983c68c9e9df6d3a449bdd940526795564f34381d254e30766
SHA512 38e34b21c60c3f5055e2e844266dc1a52085e3036f11fcd589972dc75ac68cefe777a6a2947de3a9a002271b7ad3e7bae5f3d49e133a34f4af615c32ce488a51

C:\PROGRA~3\MICROS~1\WLSetup\wlt666.tmp

MD5 6733a81b51871a2a23b55a3701647aed
SHA1 1d954976870df0085660db7333a70e5c7badf54e
SHA256 071ab4216d435c8e1b65e7c7193067a3ab02b70b2b5eff1c2a0eb505b86f1129
SHA512 541131798086fa172be0810adde06c5a4a94449e0c222fd40070c570f409c8a11b342c6e243bf295221e868a53fa77c09e25c45d5ba69d59ae88e4806e154ef7

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\uhnd289z\pdk91tk7.tmp

MD5 5a9d80b5422ab12c962cb2e62e865485
SHA1 9a0e76535e25e71bb9225509a32ab95df5c0703d
SHA256 e05f4900a6c6765a339a12fbe2d4a163413c09432d9845934ad9e0ffc032790c
SHA512 ddd059f2435e113c3bcb3cceb2224dee2b566ec6a1283a18f50861ef9499df73cdc6fb7ec88a11285b0a431bbf98ba678b8f0c17868214a34629c5b9066d082a

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\uhnd289z\d3dx10-x86.cab

MD5 e2c883cf5af7ffd177c2e885e7b9211a
SHA1 1133cc73222ee105989ef10ac06a421f62b77ab0
SHA256 100f6fdade69a4efa4e315154046b13e5dd6af2d091a573f27dd922f242c07dd
SHA512 bc9e8304cfb131ac300485d9b2a221da434733b23a9b7235b044ce22fdaf0c0ba22ed74caedfbdfb1a044345bbb04d954e2d6cb3b74591c4c5df324ea99c679a

C:\Program Files (x86)\Common Files\Windows Live\.cache\4236de081da9e3e10\d3dx10-x86.msi

MD5 141021890289016535d5d12741a0cbec
SHA1 67cd42ff9e9cf6433b16eb638fb08d6d77c9fb3b
SHA256 66dfe4c288e800d098e8ee5c02c7fb8d8279ace5e105a946f2517877ef550fe0
SHA512 393af5d625ef751a986ed2b90a4edcd5ae7b842d228dbc5e41ecbc5d7ecb4d176264f80ac951ad1b698c1b49b435befa5117e77778aec5696f031db85349992e

C:\PROGRA~3\MICROS~1\WLSetup\wlt7B1.tmp

MD5 d8a9b1c6abe93f16baa3488dc0f47050
SHA1 945e4f4f1729d963138a8209a97eea65ac1e019d
SHA256 5dfd9ddc848cfff6c7c1074e0e2ad2110abe7e7f0854cf1306570fd43a8f033b
SHA512 2c6e95eb1709e5bc4ca1c539f522168c5c68e636a7229006658d45f40888ca65853558494954e2172258e8782d14d653d31b09d22935931bd0df22f53675e59f

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\8dwdbzf7\grggj1r7.tmp

MD5 6df970283c8a63f0c3c96bcd8a2e16cc
SHA1 397ac5cf014b1e2cd0bc1194b7d43fac6792ba25
SHA256 a10016d35de6b62964bc9ddb0bb535afbf7797954a3e9e7c8ffc483ff1ea9feb
SHA512 ca6c19c06ac2c9efa8da9fa30e0d4b1f60ad7ad15e8136f3a76cb21e316e9a105d178aa203b70fcba281bb694e36d1eda2362038102851bfdf9eed584e35cd8f

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\8dwdbzf7\Messenger.cab

MD5 2c1afe7ccebb3383cda41220cb5fcb44
SHA1 8dc889d3b9cbb1f2273be5a49ee9ed83b8aa8f25
SHA256 105a9210eab1d20046b25c49cf8f57672968a565c055820f8b02a07b9787e5ae
SHA512 b8fe418e7f4465102b9f50be6b8e1dbff8f2605ec51dd29f89a9aea019fa47e0b5ea1142fc1737e6e64dc224745d2dc5b522331dc4acffba7d78f15818ca6807

C:\Program Files (x86)\Common Files\Windows Live\.cache\427c023c1da9e3e11\Messenger.msi

MD5 9f222663d193f608b227c2e3d2f71564
SHA1 25af647b1ee8ca73f07e326f39ded537cbf561d2
SHA256 b10407019a89f7ca0069af07548d1fbcd12e54d1109f87c4f1a6fbaec3c8e7c8
SHA512 5997a317025b9734f16e11f3c97148d5f1b0e4f00b756e6116487e0bd98bf2744f4c49ddfa14b196123f2dc1299ff17795eaaca529a388fe0e4677e9830aa9cf

C:\PROGRA~3\MICROS~1\WLSetup\wltF73.tmp

MD5 68aefb6ed3bf7aa1d1993ecda73b05aa
SHA1 34daa72e1a210d7366560deed0ff06ab4d01bab7
SHA256 23c33b9cca2501a9dade1827fea716ccfc2ceff590b7aaa5d58e4a44d4e79d12
SHA512 23a21ad23edfe3fd1f52893bb427180d6e97b43821391519b522c7b6c75cb10b505bf5dc033e8694102094ebb972c16dfa19788d3e02f714d74fe04cd2e86b8a

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\jlc847cg\dlza8o9a.tmp

MD5 482282c1d8b97485791896ff1d5de587
SHA1 187adb3cceaeb7c566af159e1fb832d555e9b50a
SHA256 b9e4292c40d759cf1fd235463429912fd70a9e5f0d4bd8fb8ac9f0a6cbb8dd9e
SHA512 e05e1982b8aa9259127e8966dfd5e085b435b114253133fb417fd50985c13ec9a0f0bd58dd52a82ce695a11e697f7f21e96bf40a00cf6888b16e8689139d325c

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\jlc847cg\PhotoCommon.cab

MD5 b37655c4d63f411a6b23eaf89bf981cd
SHA1 09cb0a0f7bec9b62db44d24a1aa11b4fdd40c7c7
SHA256 108c6d632199dfb6146d86c35b7aaa29443ba869d46dd99605ca9a455f0c7217
SHA512 2169c6e9a7482643003a41fdc3dd27d67bafac415cf393c4b75e53766ad68e13616b790a7e1d7933499c1b86410e5f8ef5e1413fd93ae0ab0462b5ae526770aa

C:\Program Files (x86)\Common Files\Windows Live\.cache\439a1c561da9e3e12\PhotoCommon.msi

MD5 ff2a751d2b5e41a1451d2fb6bdfd13e9
SHA1 8c625401a9b1ef7a5143c704dce8c24b7c888bbb
SHA256 02a76e8a58daf828e774c1c78206db50bbcc24a735b0fd26de4a9c99cce5486d
SHA512 beba30d47a25b573751df37431a4397e3506671709a571bf62cf6bc20fdfa0bb410f463d9f87affade4a9e98964e6a67221341aae79c496ec8474938bc67c880

C:\PROGRA~3\MICROS~1\WLSetup\wlt15ED.tmp

MD5 e864cacc389c08aee3246fc32c9b250c
SHA1 f58c9f1e32ff15885591cbc9fe9449b89fed74e1
SHA256 34a1190038420476e5fc6983d285aeefc5d13567d12289744b6503afb038bead
SHA512 1071b990bd925099a4b0d6ed083f8cf73a52a032f27d7bd10ad7b9835beb9984274f71cb9c15b61afe8380267664940ad843788932f59402c35794dfe43ea803

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\bf9gncmo\3p27e541.tmp

MD5 58597683b7f1a2e899639f3938ae4b23
SHA1 e20fdc898917b93f43b89fb73f35e426bc59b424
SHA256 671d55ed8726d53b9773f1efd2d89ac7f0bbd084dd80dbfac1bc3aa12625c3a7
SHA512 2303c6c6ff96d8b261f1b02455614333efa182e0ebea979bff93af241432ff83a5d6fced1608cacdca427e144a4f8547b5d22a507e6a034c3b00d94e4c5df10a

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\bf9gncmo\SpamFilterData.cab

MD5 80be60323e164f434442a367f4a8d963
SHA1 cdb5ac81eff9a1cb3ab38c6f7894b08552d824f8
SHA256 5098194ee02d102d35af5329e11fb4be450dfb957e575ce3de5649e6fbcaad99
SHA512 383db2da04b5738b0cf80b87c4e449ce20dbda4bd566bf9cb68178fcbec5903499383ecae99b01165d048b1516d24556a0c474934ba9da2e004345ace0c39ca2

C:\PROGRA~3\MICROS~1\WLSetup\wlt1979.tmp

MD5 d1073dc49cc8e9cd443900fe927113f2
SHA1 58808905f6b510900c9930fbd284b2c8b1d603b8
SHA256 66d47558a04d7065b87df4644dcccb5a612da26f3ee21936a6c0060c978c8497
SHA512 0bd1969503a4dd951ca7224d3522b81573e204c9ea8bcf76151bfbd0aba36e649149573661abcd2daa9f5ac572915a4895a869d14cac6322a425b4bd276622cc

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\inlzsdyl\h8t0b3cl.tmp

MD5 82561b917b3952246227d3706dec0ba8
SHA1 e7c91e2b33e49ae6b6cf1293f3a0c8c64a90b5d2
SHA256 93db78ad4bd2ab93a5162c47d8d4a45ddcdeb760b7c1cafd98bbd866c1ca0f77
SHA512 f3d56590b2831e5aefec8a5b933080fe3507d3e2a44cdc0971cc8aee0d1822583f57ece824c8fc5dca0064b583ef411ac5a8b702459bf94420cab521927f0c5c

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\inlzsdyl\Mail.cab

MD5 f92a584528763aac5555455bdd183ef1
SHA1 5f602ed60dbd23b11312466ee0db5facfe4b688e
SHA256 24bdab9814e586970687bb26434d401963bd683f57cf99a542be11b1c8a429dd
SHA512 72d23e402a43a1c13a7f2572366c7ad089fa4a08c05ae4d8533537f0cc847dd06d5879e86d7f2777f92d12b1c0998d2b695edfa922f35d9321f11c258ecfa2e1

C:\Program Files (x86)\Common Files\Windows Live\.cache\45211de21da9e3e14\Mail.msi

MD5 a41ccf591e8b170521cd1501a2e5aca3
SHA1 39acdcb93a6904eda38471662873a12b367eda5c
SHA256 db4140e239aedbfa51fedc4eaf207ececcb48c1878e8f3a8ad3971a8e3c04a3f
SHA512 44df558b7b754a8e90ee965b693c88b6dd8f821d07fe202ba3bedfcf1c0caf761143f7aa8f349dccb9841d3595264cafcaae4d7a18679fa4bea848bfabe2fd97

C:\PROGRA~3\MICROS~1\WLSetup\wlt1E1F.tmp

MD5 d1f5aaf5952b8ab8bc00c2050b0f7b17
SHA1 6ddf870ac98ef74628b843fd1d55826469ecb15a
SHA256 f134e280ad2376d8ab260663f4411d2c5795aa1d46d61bb70b241223c1ffa07b
SHA512 5ce822e3040204f41a546979134155d4f3f51365b83c412d320e9e022d7db4282f3d29875a70a8f05f4e9f25ef8ae4e5f3cabb3f4a83e09832ebee4dcaf98d1b

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\gmsrrrwc\k1856m4i.tmp

MD5 15b6c63a96afb7046b5a4647bd42afa3
SHA1 f44ab9202277891e7d0b5c6dcd6034ab15b0c2ae
SHA256 a57fe9702b3f706f723f5dce75d6ba41cdd1aff71119691e49745f19559a911a
SHA512 0259c29a3e24b7a5cab10c41e94e421a7b2947e4933ca1bce1a2a7b37e6c9442792fad0bd1d391675fcda49f212b0b991c41a73d57acf88e0946af0b061f5ba8

C:\Users\Admin\AppData\LocalLow\Microsoft\Windows Live\Setup\tmp\gmsrrrwc\PhotoLibrary.cab

MD5 0e858e55ff6d484000a15b127b327b2d
SHA1 99e9f82cec40ffe800dc40aac3aff679987b16b5
SHA256 2df461dc570aacfb03320d402e99472d7b1010ef2d30d17e577ee6a1b371da95
SHA512 480c69713b6e335d28e4628bca6475e108808983e4a63ddb3a65e583581ce9d9bbd5bf17f7dd1f85b5c9dea5d2e738bdc249c2427845d2579221bb07470dfae9

C:\Program Files (x86)\Common Files\Windows Live\.cache\45dfdbdf1da9e3e15\PhotoLibrary.msi

MD5 3e04cec983eaed85e81bf35de71f8bf7
SHA1 3f38e49179b4a5fd9e7704fbb29ead21e139cbfc
SHA256 22a0a57db76c1a2409760d4c9ee59b7ce1ee1a9d0208267cbdfa67579b31b63e
SHA512 789f361e89f292962aad8b2e54146ce252be2434adcae6f093fad66a403e5292916d923610266b76ecadd47f59d878226603c68b03d682b867994ac70af6b31c

C:\PROGRA~3\MICROS~1\WLSetup\wlt2A37.tmp

MD5 c7dfea23eb31c8502846e7137815a37b
SHA1 7d4538cdabb86c174e98e3cee8ef98e8c032f62f
SHA256 48c15aaf7cd3a2dc1a901cd27b227d6d325b6bf3d50959118e141f34c8c846c3
SHA512 ea7e79a78d9bfc0287430bc0d0f24f2a6338cefbec3d8f64d6e0ca53ebf2ce79522f5a8a71b5a4823d88a1fa3ccd04e05ee28ecc293c2daec68e405f92d857ba

C:\PROGRA~3\MICROS~1\WLSetup\wlt2D84.tmp

MD5 a1ca671aaacab805e8f2abcb395ff9e6
SHA1 c76bf6223557be1b66a315dca5689f1b52c35fcd
SHA256 6a4f1cedad70d61082136d23ec223e0dd8d8ce0ced4fce5865411e73ff6be43e
SHA512 e765f1c9638239fbed86ba40b16c0b58639a58ca4133fe78600ccbfc7e7e2946a7c156fee455285b7c0e0f0cd170c54b790645b023a010801557cfa84d7d8f3b

C:\Program Files (x86)\Common Files\Windows Live\.cache\482f21541da9e3e17\SQLServerCE31-EN.msi

MD5 54854bac91e616bf8f71184c05ad0355
SHA1 73b893c66a58b3b581bbdb50cf069f9e44c7e657
SHA256 f14f64c25cbdc7e06f2ea7f08170305a5990fa0449d9371056ec59441e24476d
SHA512 7cf8114350b2d6e6e4c7940601f6b3da28f8f5397895033f2d82c97d2fc8c6ba71bc46b12abe254be521906fae0422b1084567cb70332103b29d851803b46c99

C:\PROGRA~3\MICROS~1\WLSetup\wlt2F1D.tmp

MD5 89cd9901db2cad003e71b38f4d8e1091
SHA1 1ab795681f702456c0c9e1681dd796e4455208f7
SHA256 18f354f3bde3411c90d948e02e60de5e11faa131ce04da242925dd0f004cd4d9
SHA512 14f0152eab4ec8fdd57dfbe9fb690ae9d0770feb7826224adc2b44bf826d7498a329757ba4a338c92c226cbe8ad3e14dc671d9767a3e13f87606e43af13c5bb1

C:\Program Files (x86)\Common Files\Windows Live\.cache\486d1fec1da9e3e18\MovieMaker.msi

MD5 33cfb91ec616a06b8af75e772e966433
SHA1 69ccfa871359a84467d243f280dfc813b428d5c2
SHA256 00c89e20a23be3aa005bc2eb75cc4a6c6fb89b6623cfec017282a6e547ad9790
SHA512 61dcf628e1595169a2d9abd8113cb77ecc0606d083f90f57f964f46abab7949c0083b7d268a3c662510ca4cf3c4a561c89d41f07ca46e0ce8c7080097f6d2fd1

C:\PROGRA~3\MICROS~1\WLSetup\wlt3FF7.tmp

MD5 44623495b671a344259bb39829452204
SHA1 333a5196dca06c815d930e225637db95a8d3197a
SHA256 28af1144633453ec668884b1513d0f5bdfde61333e183b5187634c59d60bbbfd
SHA512 7d4362c833fd4dd3180a7b5f0772f68ddc93659564350e63bf659cccec9507d6ace15d230d0a2965c260325dd1f7bfecec9963ed4b08d7cddb37df2d1e9959a9

C:\PROGRA~3\MICROS~1\WLSetup\wlt4076.tmp

MD5 96aec171dd6a4eb4e4ef59b1dc287fbf
SHA1 7675f8808b74f66714ea778774f9b37f5a8fb8fc
SHA256 d4fada7f0157e181127d56799ad85152a500d484f16a2d31058285801ee0fc9c
SHA512 bb9d7769b0a202133a5e635fb185b53593eeffbe1f84e58755bbe14adea77c8a90fd114846aa574c3c78efc119420e573d2fbd2006928b749000f4619678389a

C:\PROGRA~3\MICROS~1\WLSetup\wlt41B1.tmp

MD5 e03b80e674707a949f63897fd4cd2a97
SHA1 a593fb96e478076ee3e8aa32677a58255fc5a944
SHA256 9048360b66c7acd4d4cfb84a7498421ab6e3fee8db8b41c2b913695ec70dbf78
SHA512 d1921db4517a7ceb210874871b7b2e26dde5102dd9002c46de6be05f98842a5e147741a78ad22c6930efac5ac0e344e6d45629e035567462df946895d9f48408

C:\PROGRA~3\MICROS~1\WLSetup\wlt42BC.tmp

MD5 e43daf60216d13bb779d68f36ec06236
SHA1 e7c2409a337458bed4d8dce205126b5681843dd7
SHA256 9e1c07e15326a7cb4a006958183b1e385285887c9517518db64fbf70c8e9a866
SHA512 2dca7fcd0f64834d7393c2d479d2113ad102add13d045cbe2e073b889f868c776575e31e9635d24b7a8e33317570ab25028653c4e8230c22c73a4400252417aa

C:\Windows\Logs\DirectX.log

MD5 56d5ae41396885576b4096a567b8f913
SHA1 eee2fe3803fa1d49ccefae87a93158f7087d9960
SHA256 9f227c8a61fce86c6539ad0dfc339a1224e5ab73629687b2728815b25eee0ef3
SHA512 30af7ee6f41bc96e17ad9714dd8d1aca5f38df4ee4c4813f80e0c5972ba6a3119da0344f1cecd150d94df011f5851cc7a2b91330963089d094d484140486091a

C:\Windows\Logs\DirectX.log

MD5 dea8657d7057cd207aac3ba5cfaa5352
SHA1 85ce1d2b4b823697c4537dfa7df0247b79967193
SHA256 6a1d7f414548bd91f6e553570167b1793732a169ca9f2123fccdd97ba030bc71
SHA512 7f693884e208ca2edd6bceeffda9c140ee366714c79a22ae3ca532fa35ff62a771858432e8a13abfa81d842269f3663482d21c309bf02bb4f157c12321ddbde3

C:\Users\Admin\AppData\Local\Temp\DX432E.tmp\dec2006_d3dx9_32_x86.inf

MD5 c28f4fd1644e2a20b1c897438e197e1a
SHA1 5178534444ed7dec8c63f02defe7bdb864c47123
SHA256 ef09d783bf5cff2cfba99946e5e71fda577b196a49c88bed1c51b5fd29cecf94
SHA512 7cf93260efb1d794a17ba25b1fa02ba03b0ceeed8131d274b805155072a9a2b92a899471a8b23add8bf46c6a5a3cda63499043eaa754001bb43cafd882c8e708

C:\Users\Admin\AppData\Local\Temp\DX432E.tmp\dxupdate.inf

MD5 8c281fcb5546d1ed3cdaf6e3f7303139
SHA1 de342a17f2df0386f6584e2f55ae43c558ceb6c4
SHA256 7530c6e18dbb522c5f4fbf6714962c185ea318f9eab7aeb833b0cc07cd2fe656
SHA512 344ea0a375c8851fcf413f441a1cac3013b3748d1630a4d677da72e98f41823bf9427d896de7e1fe35bf868279538cf3b8322aa6ef20025bff48a6bb7f8c42d3

C:\Users\Admin\AppData\Local\Temp\DX432E.tmp\dec2006_d3dx9_32_x64.inf

MD5 39929631df326b944470256c4f9cbbf3
SHA1 932de27abf59c889c02ed747f0ac04f5e494492a
SHA256 ff00313af4a90f426492d72969f5efc6c56a17f2dd91f20cb5c0a38d9f1f2b6b
SHA512 8dd2755a2b2fb90c6880cbbde65d127f55d12df2bab4560ddf86d6793b2cd4733929d97efef5fd8eeb417731a571888c893188df0361ee57eb4437fab331cb13

C:\Users\Admin\AppData\Local\Temp\DX432E.tmp\dxupdate.dll

MD5 57f0c80414609302bfd4dfbb61b69ac1
SHA1 f077266250833d2af729df9c00983d7f4ad2663a
SHA256 dd8903faa5244492fdb8868dbca66d74aac98c394ca5382a0c24bcf621e7a16e
SHA512 2f171feb76b6014b10e493755c0138cd9edc12941b4f35faf2e99a49f08801b58cad8b4de5ef12fcba19e9261c864b911ace23c290f73384bfc378b6d9c1881b

C:\Users\Admin\AppData\Local\Temp\DX432E.tmp\d3dx9_32.dll

MD5 26af232140c88b42d92a88f2198edf6a
SHA1 b62aed3f71d8963227e5021c2222192873ce753b
SHA256 e96693794daa05a75a83c11df2e7b42f2de61567c6ad0b69e353b50f6c88119f
SHA512 54a6a235af4dc3f3c693fba5ac2d487d96c9d7a2bb7deeab35d5a252e723e597226ec84e953625c8808546f91fbcfc42add85076846a63925fd9eabc09dbf935

C:\PROGRA~3\MICROS~1\WLSetup\wlt47B0.tmp

MD5 f54d7fc813c83b0ecb6f97c86748cde8
SHA1 d04cd09386efdc87595d6c77eb6520e6c3d47dea
SHA256 9a24b75beb1a454e5716b92fae1b761f551d65e9560c000715dc384f5296a596
SHA512 7cec1b0f448f97fd9f5e92214ab3b59aed74108cc9bf82306e6847ba69073974d63ac1bb482c4f2d257c01ffbeb9576baae4cf7cd79604d2408ab247eb3a7bde

C:\PROGRA~3\MICROS~1\WLSetup\wlt4939.tmp

MD5 0ad9376291dda10a3b2e0730261823f3
SHA1 88dfbd33f80ae052d21b45a49b3b75fbdbc1a71c
SHA256 99153e43186cc5fe099de68cc19422475d1f71c451ee30a4fcffcfe813c5b7ba
SHA512 9271ef7f46f50c44b2736575432d726ea18df700f3219f10252910a1557dd98ee13699d6eb320e40fb4d1e6c54b14b9221ef0878d70e0c7345bf997fb5054e7b

C:\PROGRA~3\MICROS~1\WLSetup\wlt4A92.tmp

MD5 65394a7bdab03c429522cdd490a134a0
SHA1 afe2564e539027cb1e2cf2154e5aedf609cf0bcb
SHA256 7daa30526128109b67310a3581f37c2b112d6e66e74ee2b6b74512378fda30ec
SHA512 579016091d455f75ee0f25dae7eb1a69e1c4fa6773dc739b3954ce7575dff82ca328276e648c0042f16e959502ff5aa24630bdfaf37168ebb15303bc8dbb7032

C:\Users\Admin\AppData\Local\Temp\DX4A91.tmp\AUG2009_d3dx10_42_x64.inf

MD5 8d272f58bf5ce42962d7d9835e9b489e
SHA1 7e0969289f839b5dfe606f6ce6ed106460f97682
SHA256 2bfdd3d3bf485439013045b3a08942f457385bb89ab76d9479fbdd85f09e9d96
SHA512 0554257a41df07860233f26330020a45e2dab2613a6028f79914aec7552d5c54525b137e450202db1283b602c3d95908acbf9f1eed20dd79c21fda5963fc2b5e

C:\Users\Admin\AppData\Local\Temp\DX4A91.tmp\AUG2009_d3dx10_42_x86.inf

MD5 b3a2e761e5da007cc6036c5703e12eed
SHA1 447e852f9bdc357b00864d4dccc7486f1313918b
SHA256 a80a00464775da82c02f628c5bc13cab0d0643ec2a44b28d2acf7c77d467becf
SHA512 28a106886578fb38f144602d2b29c72a906bb24a50b16ea7d3f71f8bd7f194fc0d7c8451dd1c3e9ecc59be3a866c07a23dd394a17d39eb7b55cde7b347bed3a1

C:\Users\Admin\AppData\Local\Temp\DX4A91.tmp\dxupdate.dll

MD5 94202f25810812f72953938552255fb8
SHA1 c1e88f196935d8affc1783ccf8b8954d7f2bfb62
SHA256 6dcad858cc3ff78d58c1dae5e93caf7d8bacb4f2fcf9e71bccb250bf32c7f564
SHA512 65b66d07ef68e0d1e79f236a4800c857e991ee3ff80ece4cfdd0b5f6083ea16f8a52d351c3af721cb05c06394ec91b4b5e3cfa4b0f0879f7549f3e3ed035e79e

C:\Users\Admin\AppData\Local\Temp\DX4A91.tmp\d3dx10_42.dll

MD5 501ac862517c5445742bee8a2b88414e
SHA1 49f3f2df66d357aa84a5e7a0eb368ea595b7d95a
SHA256 46429c4affe041b08a7acfda0e9162ba42de966acb2cbcaf09ef976232073b51
SHA512 08dc13d5ad0a0d2aaca9d3dbfb53304216111da73bf48810df2982650d580757c10c8b9bf80ae5191e06ebaa44b2bf9c244ae141308748c3e7fb9ef6088900ad

C:\PROGRA~3\MICROS~1\WLSetup\wlt4C69.tmp

MD5 9971f5592ec6f9f159cd1210da51921d
SHA1 90035e88438350a128773ad22c8a4140a1e4036e
SHA256 5790818fcead57808d9d43ae94ad8c0ef44c7d2e3e89aca2152ffcf3a1cf4c25
SHA512 b0724fb4375e2cf9ca5433f78317cf6a055760165b2caf29b2213427baf5918fedc7e2dc327cee91ccecc1b95c4448a4ecca6f38094e44a49c0b19088decf4ac

C:\Users\Admin\AppData\Local\Temp\DX4E4A.tmp\dxupdate.cif

MD5 b36d3f105d18e55534ad605cbf061a92
SHA1 788ef2de1dea6c8fe1d23a2e1007542f7321ed79
SHA256 c6c5e877e92d387e977c135765075b7610df2500e21c16e106a225216e6442ae
SHA512 35ae00da025fd578205337a018b35176095a876cd3c3cf67a3e8a8e69cd750a4ccc34ce240f11fae3418e5e93caf5082c987f0c63f9d953ed7cb8d9271e03b62

C:\Users\Admin\AppData\Local\Temp\DX4E4A.tmp\JUN2010_d3dx11_43_x86.inf

MD5 fb5d27c88b52dcbdbc226f66f0537573
SHA1 2cbf1012fbdcbbd17643f7466f986ecd3ce2688a
SHA256 3925c924eb4ec4f5a643b2d14d2eda603341fbbd22118cdd8ae04aaa96f443c0
SHA512 8aa2200f91eca91d7ee3221bc7c8f2a9c8d913a5d633aa00835d5fb243d9cb8afa60fe34a4c3daa0731a21914bc52266d05d6b80bfc30b2a255d7acdf0d18eb5

C:\Users\Admin\AppData\Local\Temp\DX4E4A.tmp\JUN2010_D3DCompiler_43_x86.inf

MD5 1a86443fc4e07e0945904da7efe2149d
SHA1 37a6627dbf3b43aca104eb55f9f37e14947838ce
SHA256 5dd568919e1b3cbcb23ab21d0f2d6c1a065070848aba5d2a896da39e55c6cbbf
SHA512 c9faa6bb9485b1a0f8356df42c1efe1711a77efa566eee3eb0c8031ece10ffa045d35adb63e5e8b2f79f26bf3596c54c0bd23fea1642faae11baf2e97b73cf5e

C:\Users\Admin\AppData\Local\Temp\DX4E4A.tmp\JUN2010_d3dx11_43_x64.inf

MD5 590fe1ea1837b4bfb80dc8cb09e7815f
SHA1 792b5b0521c34c6b723a379dd6b3acf82f8afb1f
SHA256 2c4cf75b76203cba6378693668c8c00b564871c8bfd7fbda01e1e841477b2a3b
SHA512 80bee8f1ad5bfaba6b3ac5a39302a1427dbaa5919d76c89b279dc753170ec443924eadf454746ce331a6682ee729ab79bd390a5d3b55db8d08fd6f4869101f53

C:\Users\Admin\AppData\Local\Temp\DX4E4A.tmp\JUN2010_D3DCompiler_43_x64.inf

MD5 6494a3b568760c8248b42d2b6e4df657
SHA1 700f27ee4c74e9b9914f80b067079e09ec7c6a7f
SHA256 3e779533a273e3395109c7efac13ba1c804c01b3ddb16938406fbdf90d851216
SHA512 2bf68b123d7823ad7182e132d9e55f8de7580229e8e1b3b40030da50bb9bdeaf67bb9727ce2171fa83b7f804c24d9728ffabb44cb5017b16b771bb19e62b1b42

C:\Users\Admin\AppData\Local\Temp\DX4E4A.tmp\JUN2010_XAudio_x86.inf

MD5 31d8732ac2f0a5c053b279adc025619f
SHA1 c8d6d2e88b13581b6638002e6f7f0c3a165fff3c
SHA256 d786d06a709d5dc26067132b9735fc317763fcf8064442d6f77f65012ba179da
SHA512 abc37922307f081a1ffdc956ce59598c19ad1939ecfb6ea3280aa6aa7a99c3eba5462731586ca262f7d7257d7d2a74ff57a45abf6b93521eb6f1c9f22f8eb244

C:\Users\Admin\AppData\Local\Temp\DX4E4A.tmp\JUN2010_XAudio_x64.inf

MD5 dd987135dcbe7f21c973077787b1f4f8
SHA1 ed8c2426c46c4516e37b5f9aac30549916360f7e
SHA256 1a0f1b929724f8b71d5ce922f19b9d539d2d804c89af947d5927b049ef0fd3d8
SHA512 f0469c94219b4df99d7b9b693161a736fa8eec88a3f6c7f2cf92fab2ade048dfe61fcde3a4cf4f7a2aaf841d079a46b17259dea22cfb02831983f55bd7f61899

C:\Users\Admin\AppData\Local\Temp\DX4E4A.tmp\d3dx11_43.dll

MD5 8e0bb968ff41d80e5f2c747c04db79ae
SHA1 69b332d78020177a9b3f60cb672ec47578003c0d
SHA256 492e960cb3ccfc8c25fc83f7c464ba77c86a20411347a1a9b3e5d3e8c9180a8d
SHA512 7d71cb5411f239696e77fe57a272c675fe15d32456ce7befb0c2cf3fc567dce5d38a45f4b004577e3dec283904f42ae17a290105d8ab8ef6b70bad4e15c9d506

C:\Users\Admin\AppData\Local\Temp\DX4E4A.tmp\D3DCompiler_43.dll

MD5 1c9b45e87528b8bb8cfa884ea0099a85
SHA1 98be17e1d324790a5b206e1ea1cc4e64fbe21240
SHA256 2f23182ec6f4889397ac4bf03d62536136c5bdba825c7d2c4ef08c827f3a8a1c
SHA512 b76d780810e8617b80331b4ad56e9c753652af2e55b66795f7a7d67d6afcec5ef00d120d9b2c64126309076d8169239a721ae8b34784b639b3a3e2bf50d6ee34

C:\Users\Admin\AppData\Local\Temp\DX4E4A.tmp\XAudio2_7.dll

MD5 81dfddfb401d663ba7e6ad1c80364216
SHA1 c32d682767df128cd8e819cb5571ed89ab734961
SHA256 d1690b602cb317f7f1e1e13e3fc5819ad8b5b38a92d812078afb1b408ccc4b69
SHA512 7267db764f23ad67e9f171cf07ff919c70681f3bf365331ae29d979164392c6bc6723441b04b98ab99c7724274b270557e75b814fb12c421188fb164b8ca837c

C:\Users\Admin\AppData\Local\Temp\DX4E4A.tmp\XAPOFX1_5.dll

MD5 8a4cebf34370d689e198e6673c1f2c40
SHA1 b7e3d60f62d8655a68e2faf26c0c04394c214f20
SHA256 becfdcd6b16523573cb52df87aa7d993f1b345ba903d0618c3b36535c3800197
SHA512 d612e2d8a164408ab2d6b962f1b6d3531aed8a0b1aba73291fa5155a6022d078b353512fb3f6fff97ee369918b1802a6103b31316b03db4fa3010b1bf31f35fb

C:\Users\Admin\AppData\Local\Temp\DX4E4A.tmp\infinst.exe

MD5 a7ba8b723b327985ded1152113970819
SHA1 50be557a29f3d2d7300b71ab0ed4831669edd848
SHA256 8c62fe8466d9a24a0f1924de37b05d672a826454804086cddc7ed87c020e67ff
SHA512 60702f08fb621bf256b1032e572a842a141cf4219b22f98b27cb1da058b19b44cc37fb8386019463a7469961ca71f48a3347aaf1c74c3636e38d2aea3bca9967

C:\Config.Msi\e5853ba.rbs

MD5 ec4da96cefa003299409f54f4e023769
SHA1 c6918268b2d0363b52e3aeb15989d1d2b7802915
SHA256 531ee94faff9899dfe5acb75cec0ed2fb47a9e8380459c7770a8e8ea9a6002cd
SHA512 7291ba421f2767003274ab7415f74000393a54c63c96f009fd2ddb7291af4574cd2f3f9471620a71788bdbaf43e869c88332cd74da8f3287d5ea521cc63f27ba

C:\Config.Msi\e5853bd.rbs

MD5 201624989ef9e0b50e5095e3b87d345c
SHA1 86ee3963542c4db3f7485a03c857a28959bead92
SHA256 0110ec2085dc3d2a5524d0945a5592f02310782b80f5cd682b82debaf216853f
SHA512 d95c75ad47ee19155b59ad2b3b32902ae04b00e6a1c434612eb38a50b7a0e37ffa561c2e4db118b3ad017d2bc65a895142ae5dd2e4503a00aca988c6f1d4906f

C:\Config.Msi\e5853c0.rbs

MD5 3b2a9f03562fe750df5e17a10eb49a2d
SHA1 5cf96bef5c4ec05fb306dd80f2c9f56ee264bc46
SHA256 b5d9d6d0ff3a33a54888ad85d34ae95178d36f68210671e7ce7a762c12097281
SHA512 ceb0dd5509e061d97c1b7c470ff02c12373ff0fa60f62e399399fdf2ebf167bd19c0615c761eea411323291cf7de5f26979e50179bf2fdab7778bd15ac673dd6

C:\Config.Msi\e5853c3.rbs

MD5 6f038c791217a1cc42fed0ec8bb47e65
SHA1 7c40d907256a9560fa90a2bbdd6cb3f8518069b6
SHA256 4ed009b8baf274446647efdd144e80467f3540db594874d359466387b313db08
SHA512 166fa6973170d2f55b8c6d2de086adf2751127055a97b0ea6780a5b006a398abbd9202766bee53e4edeeedb0a25cb5bf3b141f2a9a0dbc27407254aad7b074a0

C:\Config.Msi\e5853c6.rbs

MD5 fcbc8bf1accdddd0be8082b47dc8134e
SHA1 2d9e5671da5fa07b5774ca964a683a1c4cdba8f2
SHA256 42d7614a26523b0ebb80f2de7d176f92596a439c461ed756186f8fc00cd284df
SHA512 7bce72b5743ef3e05f5dfc900717a98a082a3d7ff2121039395469cd70e2199ac89d2911bf3f12c57218e8f65a357b74419d2d4164be057e11bc0e053aa51a54

C:\Windows\Installer\MSI83C7.tmp

MD5 afa2262aaada580a74e1dddaeb03bc58
SHA1 5738eb9ba190361390d97725f90a71c6bb5bf5b0
SHA256 1deffb4fd70c9c346e1c5121b5069f758198ce12cdec5c2151127658bf12e460
SHA512 86099269378b31483480c36107f357f06d27e4c9e4892ee184438f7a3730f67853b5d44bf0bb7049242ad9ae262d08b07052bcd9f9f72175e754185725787f99

C:\Windows\Installer\MSI992A.tmp

MD5 6d37510237c55f1bc5b9c725b5f4a29b
SHA1 74bf05bfffc85676902f576c2e98bc0bb5f06481
SHA256 02316d156568ea766e803738db187a83b02c86dd897042e005fc4846f4c489e0
SHA512 906a02a68074a534b1348eb710929bd21ff9d94a83f34df3ab55f2959ea437a613d478be86e2243ad2abc3aa4f6656f5a7e7ff54f0e30b2c6440905b4e0a071c

C:\Windows\Installer\MSI9DF2.tmp

MD5 a0f84c1734d35410025e11ddbef1faa5
SHA1 e16a8e8683f3a058f6c5c50dc827a9b42afcff40
SHA256 d9fe389b7abfcc43648d6130dbd337652037615fe12846522561af5b7a5c7bd4
SHA512 70f729e40b551c154bfb320ac63f22f064e8dd0e729b32f8700889a48a09f909d9d4790db69162c916ff4fd312cbedd290fb7dafc53ff6c98887dbb70896b834

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Messenger.lnk~RFe589f19.TMP

MD5 476f1d7eb4f4c2839be2988102d772cc
SHA1 874ed7f14a718d64a26ef25a8027363aa7b9d404
SHA256 756418127cdfa8c46503e4240014575027d6d83581a98a2d4782f44e644d8399
SHA512 e1146c2dc5584a9d22efc58df13049797bdd04cf06fb4a5132d9b37470d43c63eb42f80658a9b6b5133f333695182d48a8c7e1421df33ed765c256fef8ed3c22

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\~indows Live Messenger.tmp

MD5 f8ff20cfa17016edb26c9f5bc3f0aa5b
SHA1 8b2c134b9513afc512f50541e628969dab76c1b8
SHA256 d45072e039227a398d4d80cf48f4205f38d6825307dbcf2e8b605350a18de3e6
SHA512 d747effe0f1753e191de38d93143da79df0494ab4d2ae792a68a846ab2377eb80ae14126d4fb76b993f3d10527dacbbc98a0c7f954aceb6e94a203176f3e0429

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Mail.lnk~RFe58aa45.TMP

MD5 b4c226bf222dac4ae0ec1a298d9af582
SHA1 6d5cbecb23081143de025ed35a1e9bd2c65417b9
SHA256 d542bacc293ef1d0b90a612cae8d40e7ad5c676df8207d7b36dc86435b8cb349
SHA512 b8672bff6e75d23dc3de6672f3f4516312f5c844882414e14b555e65221a4ad0168a0d7bdc1283a0de8d66c6225c90e7515693a2641feb94443962f8d22fd662

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Mail.lnk

MD5 cdfe980c909b28ffa6e6c17deb1a6aab
SHA1 4c7ae98c44bdcd46b179a2aff176a6b7ed715732
SHA256 7efaac35ef77b9f9df96e9d98157f6447407d85d62f1b738beeac9dbb946999d
SHA512 43b98338c1cf1c0397355eae27cebfb4b0f9e73da94c9c3392a715e0f069af8e9d5f7392544c18abb6fefa76b9b7506f4b2e3cd32adb1862beab5ba99eab037c

C:\Windows\Installer\MSIAC22.tmp

MD5 1b6d7430782e671537b36bf170321359
SHA1 9060523a567c9b36706fa5741d122a8e904eb89a
SHA256 371d2f103053cbd3632f1b1b416e85bde0bbafbaf09e091b072e96d5fb5703fd
SHA512 1fc0055eb9f6a1bb69d5c5ec891a56ff9fcfdd71c3672761442ba049aa3452efd99e35500553cd6e39118ddaec74bd6517e6a2ca2e921359ec0f0a1e5a3c98f6

memory/5324-4767-0x0000025D12650000-0x0000025D1268C000-memory.dmp

C:\Windows\Installer\MSIB6D8.tmp

MD5 aca45d29a6d4b8b6f5bec262f10bbfd5
SHA1 adedad9ecfda50861c5f426442d12413a2392c64
SHA256 3ebb755cb7cc4e4f6d62b0bfc0656300941f4ec255fb3128378dd1453f943b06
SHA512 6bf7c048b41479a5521f88926ea3c6048423ab42b950a220f44c79d3d4ae4a3244581a2a666cb6d6d977425f8efbbbb1c9d2ae69c11e59a3bfabb15a9e2d7c59

memory/3832-4780-0x000000001BD20000-0x000000001C1EE000-memory.dmp

memory/3832-4781-0x000000001C480000-0x000000001C67A000-memory.dmp

C:\Windows\assembly\tmp\31HNPFWR\System.Data.SqlServerCe.dll

MD5 a200e7209b42baa18f438695ce45b0b9
SHA1 8a9a7c8d450dbdd1aee86c100a70f651740c56e2
SHA256 14e15167dd36575ddd4ebd99894212c6d1493321c9c261d541828da56b8262e2
SHA512 558337b85e55abe409ddbda86ed86905fd561c91c1007064e8848ee126299bfbdb088dc9d3fe9b0038d96fd5bb0886090b7f06ebece8822dc288d6eba280f6c9

C:\Config.Msi\e5853c9.rbs

MD5 c0ebd8100212b2d045af6df60e0ac112
SHA1 450dc95ccfcf28ec081911052eb08ded530a280a
SHA256 2b5861061256b77022b9a92f3cd2276de3d478a05f34e3f20385047154c486d9
SHA512 83790887e130930655cb8292ac54aefdbec6d84f2e97de06b36309c4bb3637085169bf72bc98a84dac824fe64a5c258df50b2abfa8ddd448ac383e17812cf836

C:\Config.Msi\e5853cc.rbs

MD5 e51f4fffc63e867683044d786f1c9a83
SHA1 c9a81d102496e1033be126ac5858b0f43af7ba6a
SHA256 1f8e24d254f0b84817cfb60c089f2d458e75a738c9c8d1fdf973257f9f4a0fd6
SHA512 1fec20a46c48a7f645f167fcade6bdfc105c1f400d3ba0885281ac4b4ce17f4d30038f6d403869fff6060e711a4312e01d29488a45745fb22a5984275834a404

C:\Config.Msi\e5853cf.rbs

MD5 cf0859853263fbeb8c8daf8fbfd1dfc8
SHA1 7c1df777d951a3713aac10f534d74b214df09f32
SHA256 33d6e9168130cabdbe57f3491c47d82efc4b00713398718463ba03210d7fffca
SHA512 6ee40a6128e247ae197f40e27a37f24aad33d98b2d5733f61edbce2bdff618e6818ac87b0e354b70d13e1158bea908621046e8e08adff2afa653d0775d339e21

C:\Config.Msi\e5853d2.rbs

MD5 aec7e5f203179ec2802603d57ce400c1
SHA1 a3f6de4d8a2ea8902d70d536bea8a2c7e9dca641
SHA256 0fd732a4e9cfa6181ff171d36b209509c2776bc4af3efc36c4734440c73cc197
SHA512 8286be77ac433fcc9f10d1986ed34c303ea6c5c9629e07a6df1601decf1f1429e1924bdd94ef6434144810a77414df26e696d86f11c69b5c47c69366232e490e

C:\Config.Msi\e5853d5.rbs

MD5 ec31adc8fb8933f062bd5fc5402b5a97
SHA1 ca3ea4101f72c2d429d07258be44774239c012a7
SHA256 20adab8aab18059c46d704b60e618abbe3df9086a03aadfffddb68f285e7da37
SHA512 ab94ca6fa701e1cbd739a55418abcfd9d29ec1014b0146c50a683be23558041b73626003c0af3d5724d0b84f392428ac553423a5bd74d7ecf5e5907367cee1b4

C:\Config.Msi\e5853d8.rbs

MD5 0e946866df81ae28deaf86b71c44a436
SHA1 0dadefd08c32b7cd52bdb5a64ace6bdf0debb657
SHA256 dfb3c67c05589d3f8aed0a589004eb128f8f9b74205d8131516899435ca600e6
SHA512 4dabae72d10bac3781b5b77b382813406ae133bce9b4bcf05ef14a4e10ed0d803dab2e4229651470d18c713453822e4dae30d77e50412cd6a60c68210b053c10

C:\Config.Msi\e5853db.rbs

MD5 f0bf07cdc7d7db18032f57f6678eedb0
SHA1 0cdd9d440f5a9fafeaaba5d613967ce50a10d372
SHA256 431f1a2a8ca8a30ff900b147ad6cdbd76da44a20298e67ce003826a63662b7b0
SHA512 fb849cda790b73c01ff269a3928120591cf2a297b40c92bea80fa9c02f8a9a66e0b824cb0a5bc30432ccd13c5484793ed562568bec2ed9fd48896fdc21d4503d

C:\Config.Msi\e5853de.rbs

MD5 bc6482c3da9bcdc4a74c44a46e5881d9
SHA1 8ef2aeadb67f184ae71c1ed11884f92850737ebf
SHA256 ca4bf26afc6b1ce61ec5fcb43c75f9cfb942e3501a99effbb5571b6ee63edea3
SHA512 b565895c9fa3e00f3e4d0253007cdd8c064c2b989447d500631f1c84e30d275952c9182ceeaee7dab8d12825abe48f8fe98d89ccf489badb79a2d70c7ce1582b

C:\Config.Msi\e5853e1.rbs

MD5 d62552230e9e8613746d7d22b824b33b
SHA1 439c7941d2e90ff30498b7e676421872386d42e2
SHA256 d0f647e559e251b8e21f5f74e566849d9c890af99128e7bf3146b3c2bfe6d37d
SHA512 affa41f5adec06980ed2d8b85f7ceda8df8d60006eed244599c52765960f0f11bc4d911a79283f0162a61847d71f74921d3b1bc468ecfe3e485c39b971660356

C:\Config.Msi\e5853e7.rbs

MD5 64f546bf8392fbecb6a98d31ec1cc923
SHA1 e7b883138474d09d02b8fdf856782f3ac8a37cda
SHA256 551f3ed62e5ac8736886008de968d013e99b52cc60fff67f58e79d4785666d26
SHA512 da0dc586c9a50762d2b4e695f8045101ea75c6065430062e89b638ba72b0223d0f0999c8434bbff55e8c387057fb5f294cc9de1fc15d205efe15f43af8579292

C:\Config.Msi\e5853e4.rbs

MD5 26310902f14ec21a7fc91642a2d44d6a
SHA1 8bdcd23456c51c32baad5523397ed8b08592d6b2
SHA256 516a0a83807fe86df62d97d2b9cb5a7e99f6cb2071384cd83e1097826c18b15e
SHA512 192b3a119dd35dccaf15f0150eaad1922306c3c69df948d93eb2b8dafa9e359ae61e0e4a5465e4f3c7ead19bb93bc4d8a2d64f5a439f326d061ece4740dcc705

C:\Config.Msi\e5853ea.rbs

MD5 429c275d1acdde61b37fa8824ef7c5e9
SHA1 6c9111d7e13d6e685dda943d7edcde75c4f0d5bf
SHA256 7f5acbc7c4b17353828e7ced0973f02982c0bdfbf0f7b2532c8dcf63755b28f1
SHA512 eb8226fa47d54e5fbc4f2f9d8c17f5b7e16c4911405f78b3c5ae6da339bfa4619934c1ccd3b49ce02d1759a9795e732f335e80c4949371fc0a3a5ae3027a6d86

C:\Config.Msi\e5853ed.rbs

MD5 370a0dc1f590939a5a3d538e74823253
SHA1 3624105b7b8a9d684999e8eec99f69336f374137
SHA256 c50bda8548e670acde3b347701db56ed797e208beb35dcb65f19c40cdb773bc5
SHA512 4dff78e165f8aa0891cffd5fbce7f939b7f6185319c47ae47fcad6f041157ff6e17b6ddd33c79cd20da0aa166842d51981923257de3c9a9abf4326926f4f21b3

C:\Config.Msi\e5853f0.rbs

MD5 1a62d80462440b45a97ca090d922d7d5
SHA1 102fa425343f39a85a7843a355d7b8cc717c9ef1
SHA256 fa27730a32241eebe4df0174e3d709055722a3fba937176b50f2fcf17a5c3e69
SHA512 292bd8b81eb07428de12c9c4167ac744eac88d9a8d291feb90d30a9d0a2dd8f1aaf37b87785c1df502feb33b287a0bebcaa5af6d53378d60f68f8cf63d48adb9

C:\Config.Msi\e5853f3.rbs

MD5 b1f61f0b0dec9eff2ababbc41d4127cd
SHA1 cd3163a8977a1a2a2baf11c97b05048c98c9d11d
SHA256 05a3b764e14778e4ea4b0ca11d0835b31f40e13b14227010af8c73c10b11d92a
SHA512 122e57fcd67d99b60f387a97d74916a268006edd03fd82868beafaf5e4577db00184c166b2d2871d41851ae6970658bb88b6678c4869993bf60343884703c25e

C:\Config.Msi\e5853f6.rbs

MD5 28d4d907f7c0a91611a55d0a2a86b043
SHA1 592708bb52305b5e26a42be7a4f5142dbf53e526
SHA256 dd94fb13c80991c8978b1ef42e99600d0fbb93a161444f6419adb65b8ce5d497
SHA512 3f89ee9b56abd85d1d07548551a1e7290d82975ace711b01bccc0deb5de83d30b11746fa3f31ad62b37823da3a0f6fa2797d5dcf4db22984da9111865c48b111

C:\Config.Msi\e5853f9.rbs

MD5 84460b04df4f58c6cf7130c0d25e1c99
SHA1 b7d516a68e8dbf9859a91c062673ea1d502cb9be
SHA256 80826e6a3b40310d04f1229aa440764a8390829266d835c97111a347d2d04227
SHA512 c70fe0d6cc357333227c73d02fa776a709aa0544ce6c12d4ff63f6d617bee2cc41b9cd1372650616f2a0e2abd7d124141797d5ce8194ba534d8c5780c6bc9a8a

C:\Config.Msi\e5853fc.rbs

MD5 a0b5c50d8ef811816b814213dce6ef23
SHA1 11e140de28a31103f1d26006295b69118d81e515
SHA256 5ad97e60feffe90bab616464b63ddb26db0582d482879beb9dc30e571641c87c
SHA512 540d6a9af808dedb6ffcb555e82b2881b86da3171bacfe069b6287cf30d67cd63c5f374b138d523f2e4cfee1348e6a61fe24735a9fade139d2e9eb673a9f8cf9

C:\Config.Msi\e5853ff.rbs

MD5 db7aee0c43ce8ba51e18b590f2c526ba
SHA1 55a8cc0c03b4fddac3b070ace2b92265a3711375
SHA256 22b62dc489502e11be059adc59837fd88bc92aacdffdfcd8e111a87cb96a8a7b
SHA512 1cd60513b8374d3ca4a38c69012e822a8943a46c0b1aa3d3ddd80e2c5278b4c751a340590485de77aa8d986a4bc72df5e846121a5462bd5453e33c53acf3c5bb

C:\Config.Msi\e585402.rbs

MD5 db58414fa7a7cafbf09c3a1d29974779
SHA1 555cdd9d0fff0d58e9e8f0985d3c2c35ef2c3f63
SHA256 974de2ea75eabb586b8f48238656d3dbcad40e21ed42d97de6f5e926625887cd
SHA512 ea0ec4b3eaa3ef96f4a9611fdefe5db5a43c92fd39a2b3ac4ccfb8c3e38e8e59f1f1080d7d7fe7d89b6d052cda248b77ccb7b2c3371c038783cf71ed8e239164

C:\Config.Msi\e585405.rbs

MD5 42d42ce3d57ae0242c541ffb318d9140
SHA1 01548fbaba5248e2577e293af7c2ff662f66e7e5
SHA256 8b4980effefc5d7aa84f7b2c366aea0fd3ad8eb62dbb3be3c711844c2eab39dd
SHA512 f39e78297b471cfd60fd14d89c652b9a94684bd5c3115eb28c6a0d153a01504d43d4b29bf85a4b25b51d91c72a6bf4e0a32a501ddabf3f9b0ef28e5c91b2c5d3

C:\Config.Msi\e585408.rbs

MD5 177b1b4d3e96b03af2b6792b4cd2a42e
SHA1 d30a63fa655cdf69c700c9a18d4e539a64e1f742
SHA256 2b0bfc6eb86794ace1685917cf6f23a1142fde4b9baf992013d29ba3dbb4ef8e
SHA512 d4ee2b22cf46deb5d31c3e932069f4084f27b054a1ce81296129f6b9886c6e393fbbcf8136d30addcfb381a680633a61305b7aadb1a185b669e19930e6ed97ba

C:\Config.Msi\e58540b.rbs

MD5 346f1c9585fa126fd97c0d40209983a4
SHA1 24e898fa8ec0a417c13ed754fe081ac6a9eab9d3
SHA256 4e81783ab03f67c0a0ed73d0ac2fb4570b473463d1b748c7db2d2e0131c04df5
SHA512 b5ee60d27b2ac2b3fcdac9e382797ecbc923138e1fb1e05a147a479cb984fef9d840ed86f95f1d0b1dcecac4dd56b0c37843e3028a1f02dce043e64fc30c8925

C:\Config.Msi\e58540e.rbs

MD5 f89bfb125b58ee3a626fc63884fc5070
SHA1 3716e6ad105261d146b0946e014c2e28764dc8ff
SHA256 1609fee49b64e4a18906a588ac480fbc7c36a164e054de5e760d7ead6e3d18a3
SHA512 35811e0dfea80792bb741895e176a986256c582ffccf8707882f7e68aa931c59de5da9992049f06c96725b154ba8cdcc44da548b7c21111ad2300a53422026b4

C:\Users\Admin\AppData\Local\Temp\05041616-0000131c-sxyf6nalvl\Files\2024-05-04_16-14_131c-z9furezv.log

MD5 d8a0bc63492592435fe083ab87a37bcd
SHA1 67433691a356459e5956dfc5fa5bc6f77e9f000e
SHA256 cdfb22f86a9d97552022de0e47fa0f46248e2da17bf58c096e5a4bcb33ba1d28
SHA512 0435ebfccb91bacadbbf4fc73cc70c13fa315291a8c6a2f00e2495e7e49d1db4490247c79b9f31aa69bba746f2b0123c80453c4d33adf26e012898472d0bdc6b

memory/448-5668-0x0000015BA4610000-0x0000015BA4611000-memory.dmp

memory/448-5670-0x0000015BA4610000-0x0000015BA4611000-memory.dmp

memory/448-5669-0x0000015BA4610000-0x0000015BA4611000-memory.dmp

memory/448-5674-0x0000015BA4610000-0x0000015BA4611000-memory.dmp

memory/448-5677-0x0000015BA4610000-0x0000015BA4611000-memory.dmp

memory/448-5680-0x0000015BA4610000-0x0000015BA4611000-memory.dmp

memory/448-5679-0x0000015BA4610000-0x0000015BA4611000-memory.dmp

memory/448-5678-0x0000015BA4610000-0x0000015BA4611000-memory.dmp

memory/448-5675-0x0000015BA4610000-0x0000015BA4611000-memory.dmp

memory/448-5676-0x0000015BA4610000-0x0000015BA4611000-memory.dmp