General Info

File name

whiteclick.exe

Full analysis
https://app.any.run/tasks/b4fc1d5d-99e9-47a3-ac57-8bff6a372ac3
Verdict
Malicious activity
Analysis date
11/9/2018, 00:35:14
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

installer

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

025429d2d3dea92f37d222cce9c20c95

SHA1

0941b424740a8c0b0b63d3133b13ab27230a42f9

SHA256

0b91ce44b2f19a899dbb4d3dc0a018ed3ea16bac4ab859b7f34307e925ef3381

SSDEEP

24576:z7blE63vLMrZ0lg+I5nKLFzg9WkeooQzkfRD67aRq8Imj4Y3:z75R0igxn+FzggZAkk+sm8Y3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
on
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
off

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Writes to a start menu file
  • msiexec.exe (PID: 2296)
Executable content was dropped or overwritten
  • whiteclick.exe (PID: 1180)
  • whiteclick.exe (PID: 4068)
  • whiteclick.tmp (PID: 476)
  • msiexec.exe (PID: 2296)
Starts Microsoft Installer
  • whiteclick.tmp (PID: 476)
Creates files in the user directory
  • msiexec.exe (PID: 2296)
Creates files in the Windows directory
  • msiexec.exe (PID: 2296)
Creates COM task schedule object
  • MsiExec.exe (PID: 2744)
Application launched itself
  • msiexec.exe (PID: 2296)
Application was dropped or rewritten from another process
  • whiteclick.tmp (PID: 3456)
  • whiteclick.tmp (PID: 476)
Creates a software uninstall entry
  • msiexec.exe (PID: 2296)
Loads dropped or rewritten executable
  • MsiExec.exe (PID: 2744)
  • msiexec.exe (PID: 2296)


Static information

TRiD
.exe | Inno Setup installer (77.7%)
.exe | Win32 Executable Delphi generic (10%)
.dll | Win32 Dynamic Link Library (generic) (4.6%)
.exe | Win32 Executable (generic) (3.1%)
.exe | Win16/32 Executable Delphi generic (1.4%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
1992:06:20 00:22:17+02:00
PEType:
PE32
LinkerVersion:
2.25
CodeSize:
41472
InitializedDataSize:
17920
UninitializedDataSize:
null
EntryPoint:
0xaa98
OSVersion:
1
ImageVersion:
6
SubsystemVersion:
4
Subsystem:
Windows GUI
FileVersionNumber:
0.0.0.0
ProductVersionNumber:
0.0.0.0
FileFlagsMask:
0x003f
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
Neutral
CharacterSet:
Unicode
Comments:
This installation was built with Inno Setup.
CompanyName:
WinS
FileDescription:
WinS Setup
FileVersion:
LegalCopyright:
ProductName:
WinS
ProductVersion:
8
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
19-Jun-1992 22:22:17
Detected languages
Dutch - Netherlands
English - United States
Comments:
This installation was built with Inno Setup.
CompanyName:
WinS
FileDescription:
WinS Setup
FileVersion:
null
LegalCopyright:
null
ProductName:
WinS
ProductVersion:
8
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0050
Pages in file:
0x0002
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x000F
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x001A
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000100
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
8
Time date stamp:
19-Jun-1992 22:22:17
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
CODE | 0x00001000 | 0x0000A1D0 | 0x0000A200 | IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ | 6.64375
DATA | 0x0000C000 | 0x00000250 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE | 2.74012
BSS | 0x0000D000 | 0x00000E94 | 0x00000000 | IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE | 0
.idata | 0x0000E000 | 0x0000097C | 0x00000A00 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE | 4.48608
.tls | 0x0000F000 | 0x00000008 | 0x00000000 | IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE | 0
.rdata | 0x00010000 | 0x00000018 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_SHARED | 0.190489
.reloc | 0x00011000 | 0x0000091C | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_SHARED | 0
.rsrc | 0x00012000 | 0x00002C00 | 0x00002C00 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_SHARED | 4.57438
Resources
1

2

3

4

4089

4090

4091

4093

4094

4095

11111

MAINICON

Imports
    kernel32.dll

    user32.dll

    oleaut32.dll

    advapi32.dll

    comctl32.dll

Exports

    No exports.


Processes

Total processes
42
Monitored processes
7
Malicious processes
1
Suspicious processes
1

Behavior graph

[Behavior graph. Nodes, in order: whiteclick.exe, whiteclick.tmp, whiteclick.exe, whiteclick.tmp, msiexec.exe, msiexec.exe, msiexec.exe. Edge labels: "drop and start", "start", "drop and start".]

Process information


PID
1180
CMD
"C:\Users\admin\AppData\Local\Temp\whiteclick.exe"
Path
C:\Users\admin\AppData\Local\Temp\whiteclick.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
WinS
Description
WinS Setup
Version
Modules
Image
c:\users\admin\appdata\local\temp\whiteclick.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\version.dll
c:\windows\system32\comres.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\users\admin\appdata\local\temp\is-4hmfl.tmp\whiteclick.tmp

PID
3456
CMD
"C:\Users\admin\AppData\Local\Temp\is-4HMFL.tmp\whiteclick.tmp" /SL5="$2401F8,888319,57856,C:\Users\admin\AppData\Local\Temp\whiteclick.exe"
Path
C:\Users\admin\AppData\Local\Temp\is-4HMFL.tmp\whiteclick.tmp
Indicators
No indicators
Parent process
whiteclick.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Setup/Uninstall
Version
51.52.0.0
Modules
Image
c:\users\admin\appdata\local\temp\is-4hmfl.tmp\whiteclick.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\mpr.dll
c:\windows\system32\version.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\comres.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll

PID
4068
CMD
"C:\Users\admin\AppData\Local\Temp\whiteclick.exe" /SPAWNWND=$3F01FA /NOTIFYWND=$2401F8
Path
C:\Users\admin\AppData\Local\Temp\whiteclick.exe
Indicators
Parent process
whiteclick.tmp
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
WinS
Description
WinS Setup
Version
Modules
Image
c:\users\admin\appdata\local\temp\whiteclick.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\version.dll
c:\windows\system32\comres.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\users\admin\appdata\local\temp\is-kc981.tmp\whiteclick.tmp

PID
476
CMD
"C:\Users\admin\AppData\Local\Temp\is-KC981.tmp\whiteclick.tmp" /SL5="$C0594,888319,57856,C:\Users\admin\AppData\Local\Temp\whiteclick.exe" /SPAWNWND=$3F01FA /NOTIFYWND=$2401F8
Path
C:\Users\admin\AppData\Local\Temp\is-KC981.tmp\whiteclick.tmp
Indicators
Parent process
whiteclick.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Setup/Uninstall
Version
51.52.0.0
Modules
Image
c:\users\admin\appdata\local\temp\is-kc981.tmp\whiteclick.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\mpr.dll
c:\windows\system32\version.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\comres.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\imageres.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\msiexec.exe

PID
1644
CMD
"msiexec.exe" /i"C:\Users\admin\AppData\Local\Temp\is-VFLQS.tmp\Setup.msi" /quiet
Path
C:\Windows\system32\msiexec.exe
Indicators
No indicators
Parent process
whiteclick.tmp
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\rpcrtremote.dll

PID
2296
CMD
C:\Windows\system32\msiexec.exe /V
Path
C:\Windows\system32\msiexec.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\microsoft.net\framework\v4.0.30319\fusion.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\cabinet.dll
c:\users\admin\appdata\local\whiteclick\whiteclick.dll
c:\windows\assembly\tmp\0latlsgm\whiteclick.dll
c:\users\admin\appdata\local\whiteclick\webclient.dll
c:\windows\system32\propsys.dll

PID
2744
CMD
C:\Windows\system32\MsiExec.exe -Embedding DD518659B6B23317FCAA1825279FA75E
Path
C:\Windows\system32\MsiExec.exe
Indicators
No indicators
Parent process
msiexec.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\installer\msi37c0.tmp
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\installer\msi38ab.tmp
c:\windows\installer\msi3cb5.tmp
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.confe64a9051#\ecc5bbc5c2734b2451ced2f668f40911\system.configuration.install.ni.dll
c:\windows\system32\sxs.dll
c:\users\admin\appdata\local\whiteclick\whiteclick.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.runteb92aa12#\c56771a9cfb87e660d60453e232abe27\system.runtime.serialization.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\5aac750b35b27770dccb1a43f83cced7\system.windows.forms.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\smdiagnostics\4a2a848ea1fea1a74d5aa2f1c21c5ce8\smdiagnostics.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.servd1dec626#\52e9ac689c75dd011f0f7e827551e985\system.servicemodel.internals.ni.dll
c:\windows\installer\msi3f37.tmp

Registry activity

Total events
768
Read events
531
Write events
230
Delete events
7

Modification events

PID
Process
Operation
Key
Name
Value
476
whiteclick.tmp
delete key
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
476
whiteclick.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Owner
DC0100004984CDD1BB77D401
476
whiteclick.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
SessionHash
F63EB6B1266E6E115C8072B977C4B244A7D6DB6B0D9FDB1BBCA53475FB9A06DB
476
whiteclick.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Sequence
1
1644
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
GlobalAssocChangedCounter
52
2296
msiexec.exe
delete key
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000_CLASSES\Local Settings\MuiCache\5F\52C64B7E
2296
msiexec.exe
delete key
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000_CLASSES\Local Settings\MuiCache\5F
2296
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
2296
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback
2296
msiexec.exe
delete key
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0001
2296
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress
2296
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0001
Owner
F80800008F5518D9BB77D401
2296
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0001
SessionHash
696BFA355AF7C3D9A7DD5420AB247D26BB210D963321C660E4CFAA7C929EE53F
2296
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0001
Sequence
1
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress
C:\Windows\Installer\5e36b8.ipi
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
C:\Config.Msi\5e36b9.rbs
30701499
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
C:\Config.Msi\5e36b9.rbsLow
3655523296
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\C13D24E318832C39BDB9F371AD5EA4FF
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\Images\otvet.mail.ru.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\8E1CF87EFDFCE348B9E4EAB4AFA2C46D
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\Images\news.mail.ru.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\1961645E786200E6C8184C53575E032B
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\Images\warface.ru.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\963678F7B03F1CCBD897E2EC479260CC
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\System Images\add_tab.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\3BA78F6BB7FF0633689CD6EBFE51F2C1
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\Images\facebook.com.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\33E63399C1FFDEC746BC5978AF77DEF6
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\System.Net.Http.dll
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\33E63399C1FFDEC746BC5978AF77DEF6
00000000000000000000000000000000
C:\Users\admin\AppData\Local\WhiteClick\System.Net.Http.dll
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\9FD3C1C584FD0AF5E13B16A7122DC6FB
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\Images\worldofwarships.com.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\DF945244506F40470FF0A28FACAFF6CB
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\WhiteClick.dll
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\6B20110C777D2AB4038135A36323B819
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\Images\ru.aliexpress.com.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\0E7A8390325BC563B9B24CA0845C7207
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\License.rtf
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\EF6B1203EC40EE854D8C197F01557224
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\System Images\right-arrow.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\CD2D182D52070CD0760A3C760902D212
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\Newtonsoft.Json.dll
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\CD2D182D52070CD0760A3C760902D212
00000000000000000000000000000000
C:\Users\admin\AppData\Local\WhiteClick\Newtonsoft.Json.dll
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\947734F08C23AEC4747970480E692152
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\Images\twitter.com.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\53474DBAC8F7671E34C9216F8B6E756F
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\Images\worldofwarships.ru.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\4E52927C1D6C159F9893B02DB754CE64
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\Images\afisha.mail.ru.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\D1D335DEAD89815766248EF85B7F3547
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\Images\e.mail.ru.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\652E3814FCC35F825B7662870728C22E
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\Images\wows.getoneclick.ru.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\FB2395205775FA3525A63E6146CB31CD
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\Images\rev.mail.ru.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\996FD14913A05D90DC5B504BC901CCA6
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\Images\youtube.com.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\77057B84704F3FDF0C7B356805DEE1E9
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\Images\warface.com.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\F3C9821B1CD97C2F480D32A174C8B56A
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\Images\wtr.getoneclick.ru.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\08F6B9E0D1E2DBE5E07EB968EB61E1D8
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\Images\mail.ru.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\6DBD0E72CEC6F87838476B4F181E8CA5
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\Images\wot.getoneclick.ru.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\D8630116D6C65A3BA4769269C56F3BAC
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\Images\my.mail.ru.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\731DC4C2604C8A9232EFB9DE229CCC4F
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\WebClient.dll
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\5DC780113AA56DE42901922D1BF4E541
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\Images\warthunder.ru.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\8754FD1E9008C4C29525C22485637F6F
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\Images\pogoda.mail.ru.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\F741110DBA7520888FACFCCB2FA10148
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\Images\warthunder.com.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\FE4755FD56B66837F87BABD1458F7876
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\Images\worldoftanks.com.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\FC10390D7140336E8224C3363162F327
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\System Images\loupe.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\64BA493ACB4C1DB41062F2A0168B4F97
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\active-search.ico
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\D89F928261680F3BAEF31D05F673452D
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\Images\linkedin.com.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\5EF2CF216DEE97D27EDD55D929DF70A4
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\Images\worldoftanks.ru.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\A4E4B3A8ED9E822644053919FA1E3B37
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\Images\instagram.com.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\D27FAE36C9CA7664CEE427EFFB2A50F2
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\Images\vk.com.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\1917CAE5E94FDA46A99C1ACAE430E5B5
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\Images\ok.ru.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\9C6FF47CCA997476732CBB4932D11581
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\Images\auto.mail.ru.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\D53CCA5C38DDC19C7E031316D2520054
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\Images\bing.com.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\3B55DDF50AB773A608FA8F658B0536F5
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\Images\horo.mail.ru.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\5F0B161C308C2B902B6B37EA9F73E087
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\System Images\question_mark.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\108B4D991BA13D9C22383E014DC8B930
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\Images\sport.mail.ru.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\CAE8AC92FD1F85AF81FB914E113BB6E0
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\Images\aw.my.com.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\AF1922E1103AE0948FF6B3BD512BA798
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\Images\ali.getoneclick.ru.png
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\AA08224FAF6950FAD955985D7C779C4B
13757FA0A557434469E6F11FB41170FD
C:\Users\admin\AppData\Local\WhiteClick\Start.exe
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\6C7F579968C3D7C1C930486B3D6FE396
13757FA0A557434469E6F11FB41170FD
<\WhiteClick,Version="2.0.0.0",Culture="neutral",PublicKeyToken="57272E7A64C25751",ProcessorArchitecture="MSIL"
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\Users\admin\AppData\Local\WhiteClick\Images\
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\Users\admin\AppData\Local\WhiteClick\
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\Users\admin\AppData\Local\WhiteClick\System Images\
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\Users\admin\AppData\Roaming\Microsoft\Installer\{0AF75731-755A-4434-966E-1FF14B1107DF}\
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\Users\admin\AppData\Roaming\Microsoft\Installer\
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Products\13757FA0A557434469E6F11FB41170FD\InstallProperties
LocalPackage
C:\Windows\Installer\5e36ba.msi
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Products\13757FA0A557434469E6F11FB41170FD\InstallProperties
AuthorizedCDFPrefix
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Products\13757FA0A557434469E6F11FB41170FD\InstallProperties
Comments
Cool and fast internet surfing
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Products\13757FA0A557434469E6F11FB41170FD\InstallProperties
Contact
123com
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Products\13757FA0A557434469E6F11FB41170FD\InstallProperties
DisplayVersion
3.0.0
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Products\13757FA0A557434469E6F11FB41170FD\InstallProperties
HelpLink
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Products\13757FA0A557434469E6F11FB41170FD\InstallProperties
HelpTelephone
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Products\13757FA0A557434469E6F11FB41170FD\InstallProperties
InstallDate
20181108
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Products\13757FA0A557434469E6F11FB41170FD\InstallProperties
InstallLocation
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Products\13757FA0A557434469E6F11FB41170FD\InstallProperties
InstallSource
C:\Users\admin\AppData\Local\Temp\is-VFLQS.tmp\
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Products\13757FA0A557434469E6F11FB41170FD\InstallProperties
ModifyPath
MsiExec.exe /I{0AF75731-755A-4434-966E-1FF14B1107DF}
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Products\13757FA0A557434469E6F11FB41170FD\InstallProperties
Publisher
123com
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Products\13757FA0A557434469E6F11FB41170FD\InstallProperties
Readme
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Products\13757FA0A557434469E6F11FB41170FD\InstallProperties
Size
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Products\13757FA0A557434469E6F11FB41170FD\InstallProperties
EstimatedSize
1185
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Products\13757FA0A557434469E6F11FB41170FD\InstallProperties
UninstallString
MsiExec.exe /I{0AF75731-755A-4434-966E-1FF14B1107DF}
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Products\13757FA0A557434469E6F11FB41170FD\InstallProperties
URLInfoAbout
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Products\13757FA0A557434469E6F11FB41170FD\InstallProperties
URLUpdateInfo
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Products\13757FA0A557434469E6F11FB41170FD\InstallProperties
VersionMajor
3
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Products\13757FA0A557434469E6F11FB41170FD\InstallProperties
VersionMinor
0
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Products\13757FA0A557434469E6F11FB41170FD\InstallProperties
WindowsInstaller
1
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Products\13757FA0A557434469E6F11FB41170FD\InstallProperties
Version
50331648
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Products\13757FA0A557434469E6F11FB41170FD\InstallProperties
Language
0
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0AF75731-755A-4434-966E-1FF14B1107DF}
AuthorizedCDFPrefix
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0AF75731-755A-4434-966E-1FF14B1107DF}
Comments
Cool and fast internet surfing
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0AF75731-755A-4434-966E-1FF14B1107DF}
Contact
123com
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0AF75731-755A-4434-966E-1FF14B1107DF}
DisplayVersion
3.0.0
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0AF75731-755A-4434-966E-1FF14B1107DF}
HelpLink
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0AF75731-755A-4434-966E-1FF14B1107DF}
HelpTelephone
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0AF75731-755A-4434-966E-1FF14B1107DF}
InstallDate
20181108
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0AF75731-755A-4434-966E-1FF14B1107DF}
InstallLocation
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0AF75731-755A-4434-966E-1FF14B1107DF}
InstallSource
C:\Users\admin\AppData\Local\Temp\is-VFLQS.tmp\
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0AF75731-755A-4434-966E-1FF14B1107DF}
ModifyPath
MsiExec.exe /I{0AF75731-755A-4434-966E-1FF14B1107DF}
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0AF75731-755A-4434-966E-1FF14B1107DF}
Publisher
123com
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0AF75731-755A-4434-966E-1FF14B1107DF}
Readme
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0AF75731-755A-4434-966E-1FF14B1107DF}
Size
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0AF75731-755A-4434-966E-1FF14B1107DF}
EstimatedSize
1185
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0AF75731-755A-4434-966E-1FF14B1107DF}
UninstallString
MsiExec.exe /I{0AF75731-755A-4434-966E-1FF14B1107DF}
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0AF75731-755A-4434-966E-1FF14B1107DF}
URLInfoAbout
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0AF75731-755A-4434-966E-1FF14B1107DF}
URLUpdateInfo
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0AF75731-755A-4434-966E-1FF14B1107DF}
VersionMajor
3
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0AF75731-755A-4434-966E-1FF14B1107DF}
VersionMinor
0
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0AF75731-755A-4434-966E-1FF14B1107DF}
WindowsInstaller
1
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0AF75731-755A-4434-966E-1FF14B1107DF}
Version
50331648
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0AF75731-755A-4434-966E-1FF14B1107DF}
Language
0
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\63F0DC92032321744B32C5C3595AEEE7
13757FA0A557434469E6F11FB41170FD
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Products\13757FA0A557434469E6F11FB41170FD\InstallProperties
DisplayName
WhiteClick
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0AF75731-755A-4434-966E-1FF14B1107DF}
DisplayName
WhiteClick
2296
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\Installer\Assemblies\Global
WhiteClick,Version="2.0.0.0",Culture="neutral",PublicKeyToken="57272E7A64C25751",ProcessorArchitecture="MSIL"
^]YT&q&@w9=a5Rvlhrbp>K?HCY*[email protected],Xi-acE=5oI
2296
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\Installer\Assemblies\C:|Users|admin|AppData|Local|WhiteClick|System.Net.Http.dll
System.Net.Http,Version="2.0.0.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL"
^]YT&q&@w9=a5Rvlhrbp>Ag?8YYyx0Pv'&YSMkg{K
2296
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\Installer\Assemblies\C:|Users|admin|AppData|Local|WhiteClick|WhiteClick.dll
WhiteClick,Version="2.0.0.0",Culture="neutral",PublicKeyToken="57272E7A64C25751",ProcessorArchitecture="MSIL"
^]YT&q&@w9=a5Rvlhrbp>)[email protected]
2296
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\Installer\Assemblies\C:|Users|admin|AppData|Local|WhiteClick|Newtonsoft.Json.dll
Newtonsoft.Json,Version="10.0.0.0",Culture="neutral",PublicKeyToken="30AD4FE6B2A6AEED",ProcessorArchitecture="MSIL"
^]YT&q&@w9=a5Rvlhrbp>'rn`l2xbK'[IfEI~oDa-
2296
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\Installer\Assemblies\C:|Users|admin|AppData|Local|WhiteClick|WebClient.dll
WebClient,Version="2.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL"
^]YT&q&@w9=a5Rvlhrbp>TN782p2*I1$+7Gu&Labw
2296
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\Installer\Assemblies\C:|Users|admin|AppData|Local|WhiteClick|Start.exe
Start,Version="2.0.0.1",Culture="neutral",ProcessorArchitecture="MSIL"
^]YT&q&@w9=a5Rvlhrbp>koQOwo9J9a{AY^m7Vu+c
2296
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\Installer\Features\13757FA0A557434469E6F11FB41170FD
DefaultFeature
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Products\13757FA0A557434469E6F11FB41170FD\Features
DefaultFeature
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Products\13757FA0A557434469E6F11FB41170FD\Patches
AllPatches
2296
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\Installer\Products\13757FA0A557434469E6F11FB41170FD
ProductName
WhiteClick
2296
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\Installer\Products\13757FA0A557434469E6F11FB41170FD
PackageCode
34746A5B9ECF15144820F5A779831DEB
2296
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\Installer\Products\13757FA0A557434469E6F11FB41170FD
Language
0
2296
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\Installer\Products\13757FA0A557434469E6F11FB41170FD
Version
50331648
2296
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\Installer\Products\13757FA0A557434469E6F11FB41170FD
Assignment
0
2296
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\Installer\Products\13757FA0A557434469E6F11FB41170FD
AdvertiseFlags
388
2296
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\Installer\Products\13757FA0A557434469E6F11FB41170FD
InstanceType
0
2296
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\Installer\Products\13757FA0A557434469E6F11FB41170FD
AuthorizedLUAApp
0
2296
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\Installer\Products\13757FA0A557434469E6F11FB41170FD
DeploymentFlags
3
2296
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\Installer\UpgradeCodes\63F0DC92032321744B32C5C3595AEEE7
13757FA0A557434469E6F11FB41170FD
2296
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\Installer\Products\13757FA0A557434469E6F11FB41170FD\SourceList
PackageName
Setup.msi
2296
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\Installer\Products\13757FA0A557434469E6F11FB41170FD\SourceList\Net
1
C:\Users\admin\AppData\Local\Temp\is-VFLQS.tmp\
2296
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\Installer\Products\13757FA0A557434469E6F11FB41170FD\SourceList\Media
1
;
2296
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\Installer\Products\13757FA0A557434469E6F11FB41170FD
Clients
:
2296
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\Installer\Products\13757FA0A557434469E6F11FB41170FD\SourceList
LastUsedSource
n;1;C:\Users\admin\AppData\Local\Temp\is-VFLQS.tmp\
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default
StoreChangeID
582
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default
StoreChangeIDFor64BitProcesses
73
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default
StoreChangeIDFor32BitProcesses
582
2296
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default
WhiteClick,2.0.0.0,,57272e7a64c25751,MSIL
87D319DABB77D401
2744
MsiExec.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2744
MsiExec.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MailSearch.Installer
MailSearch.Installer
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MailSearch.Installer\CLSID
{59B81B70-EB0F-3097-8B2E-483B1C405D0C}
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{59B81B70-EB0F-3097-8B2E-483B1C405D0C}
MailSearch.Installer
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{59B81B70-EB0F-3097-8B2E-483B1C405D0C}\InprocServer32
mscoree.dll
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{59B81B70-EB0F-3097-8B2E-483B1C405D0C}\InprocServer32
ThreadingModel
Both
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{59B81B70-EB0F-3097-8B2E-483B1C405D0C}\InprocServer32
Class
MailSearch.Installer
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{59B81B70-EB0F-3097-8B2E-483B1C405D0C}\InprocServer32
Assembly
WhiteClick, Version=2.0.0.0, Culture=neutral, PublicKeyToken=57272e7a64c25751
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{59B81B70-EB0F-3097-8B2E-483B1C405D0C}\InprocServer32
RuntimeVersion
v4.0.30319
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{59B81B70-EB0F-3097-8B2E-483B1C405D0C}\InprocServer32\2.0.0.0
Class
MailSearch.Installer
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{59B81B70-EB0F-3097-8B2E-483B1C405D0C}\InprocServer32\2.0.0.0
Assembly
WhiteClick, Version=2.0.0.0, Culture=neutral, PublicKeyToken=57272e7a64c25751
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{59B81B70-EB0F-3097-8B2E-483B1C405D0C}\InprocServer32\2.0.0.0
RuntimeVersion
v4.0.30319
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{59B81B70-EB0F-3097-8B2E-483B1C405D0C}\ProgId
MailSearch.Installer
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MailSearch.MailSearchBandObject
MailSearch.MailSearchBandObject
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MailSearch.MailSearchBandObject\CLSID
{198A2D6D-5D0E-4C79-9416-AA889D7CA7A6}
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{198A2D6D-5D0E-4C79-9416-AA889D7CA7A6}
MailSearch.MailSearchBandObject
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{198A2D6D-5D0E-4C79-9416-AA889D7CA7A6}\InprocServer32
mscoree.dll
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{198A2D6D-5D0E-4C79-9416-AA889D7CA7A6}\InprocServer32
ThreadingModel
Both
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{198A2D6D-5D0E-4C79-9416-AA889D7CA7A6}\InprocServer32
Class
MailSearch.MailSearchBandObject
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{198A2D6D-5D0E-4C79-9416-AA889D7CA7A6}\InprocServer32
Assembly
WhiteClick, Version=2.0.0.0, Culture=neutral, PublicKeyToken=57272e7a64c25751
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{198A2D6D-5D0E-4C79-9416-AA889D7CA7A6}\InprocServer32
RuntimeVersion
v4.0.30319
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{198A2D6D-5D0E-4C79-9416-AA889D7CA7A6}\InprocServer32\2.0.0.0
Class
MailSearch.MailSearchBandObject
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{198A2D6D-5D0E-4C79-9416-AA889D7CA7A6}\InprocServer32\2.0.0.0
Assembly
WhiteClick, Version=2.0.0.0, Culture=neutral, PublicKeyToken=57272e7a64c25751
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{198A2D6D-5D0E-4C79-9416-AA889D7CA7A6}\InprocServer32\2.0.0.0
RuntimeVersion
v4.0.30319
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{198A2D6D-5D0E-4C79-9416-AA889D7CA7A6}\ProgId
MailSearch.MailSearchBandObject
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{198A2D6D-5D0E-4C79-9416-AA889D7CA7A6}
White Click
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{198A2D6D-5D0E-4C79-9416-AA889D7CA7A6}
MenuText
White Click
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{198A2D6D-5D0E-4C79-9416-AA889D7CA7A6}
HelpText
Mail Search Bar
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{ACB620BE-73B1-3C9F-BE5F-40AF52FC0CAC}\2.0.0.0
Class
MailSearch.Structures.DESKBANDINFO
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{ACB620BE-73B1-3C9F-BE5F-40AF52FC0CAC}\2.0.0.0
Assembly
WhiteClick, Version=2.0.0.0, Culture=neutral, PublicKeyToken=57272e7a64c25751
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{ACB620BE-73B1-3C9F-BE5F-40AF52FC0CAC}\2.0.0.0
RuntimeVersion
v4.0.30319
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{440949B4-0585-3548-BFF9-62A5623C407B}\2.0.0.0
Class
MailSearch.Structures.MSG
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{440949B4-0585-3548-BFF9-62A5623C407B}\2.0.0.0
Assembly
WhiteClick, Version=2.0.0.0, Culture=neutral, PublicKeyToken=57272e7a64c25751
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{440949B4-0585-3548-BFF9-62A5623C407B}\2.0.0.0
RuntimeVersion
v4.0.30319
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{589913A8-C2D3-3A2B-AF7A-12C5347C535F}\2.0.0.0
Class
MailSearch.Structures.POINT
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{589913A8-C2D3-3A2B-AF7A-12C5347C535F}\2.0.0.0
Assembly
WhiteClick, Version=2.0.0.0, Culture=neutral, PublicKeyToken=57272e7a64c25751
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{589913A8-C2D3-3A2B-AF7A-12C5347C535F}\2.0.0.0
RuntimeVersion
v4.0.30319
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{41A27A3D-17F0-3D42-89DC-06CE2C28B958}\2.0.0.0
Class
MailSearch.Structures.RECT
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{41A27A3D-17F0-3D42-89DC-06CE2C28B958}\2.0.0.0
Assembly
WhiteClick, Version=2.0.0.0, Culture=neutral, PublicKeyToken=57272e7a64c25751
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{41A27A3D-17F0-3D42-89DC-06CE2C28B958}\2.0.0.0
RuntimeVersion
v4.0.30319
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MailSearch.Helpers.AutoComplete
MailSearch.Helpers.AutoComplete
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MailSearch.Helpers.AutoComplete\CLSID
{C2180F68-9C88-3C4C-80B5-69D2D7BBC477}
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2180F68-9C88-3C4C-80B5-69D2D7BBC477}
MailSearch.Helpers.AutoComplete
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2180F68-9C88-3C4C-80B5-69D2D7BBC477}\InprocServer32
mscoree.dll
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2180F68-9C88-3C4C-80B5-69D2D7BBC477}\InprocServer32
ThreadingModel
Both
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2180F68-9C88-3C4C-80B5-69D2D7BBC477}\InprocServer32
Class
MailSearch.Helpers.AutoComplete
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2180F68-9C88-3C4C-80B5-69D2D7BBC477}\InprocServer32
Assembly
WhiteClick, Version=2.0.0.0, Culture=neutral, PublicKeyToken=57272e7a64c25751
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2180F68-9C88-3C4C-80B5-69D2D7BBC477}\InprocServer32
RuntimeVersion
v4.0.30319
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2180F68-9C88-3C4C-80B5-69D2D7BBC477}\InprocServer32\2.0.0.0
Class
MailSearch.Helpers.AutoComplete
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2180F68-9C88-3C4C-80B5-69D2D7BBC477}\InprocServer32\2.0.0.0
Assembly
WhiteClick, Version=2.0.0.0, Culture=neutral, PublicKeyToken=57272e7a64c25751
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2180F68-9C88-3C4C-80B5-69D2D7BBC477}\InprocServer32\2.0.0.0
RuntimeVersion
v4.0.30319
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2180F68-9C88-3C4C-80B5-69D2D7BBC477}\ProgId
MailSearch.Helpers.AutoComplete
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{AA46CCBF-C618-3ECB-B324-195399841B31}\2.0.0.0
Class
MailSearch.Enums.BandObjectStyle
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{AA46CCBF-C618-3ECB-B324-195399841B31}\2.0.0.0
Assembly
WhiteClick, Version=2.0.0.0, Culture=neutral, PublicKeyToken=57272e7a64c25751
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{AA46CCBF-C618-3ECB-B324-195399841B31}\2.0.0.0
RuntimeVersion
v4.0.30319
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{43C544DE-67EC-37AD-920D-79E7687D62E4}\2.0.0.0
Class
MailSearch.Enums.DBIM
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{43C544DE-67EC-37AD-920D-79E7687D62E4}\2.0.0.0
Assembly
WhiteClick, Version=2.0.0.0, Culture=neutral, PublicKeyToken=57272e7a64c25751
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{43C544DE-67EC-37AD-920D-79E7687D62E4}\2.0.0.0
RuntimeVersion
v4.0.30319
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MailSearch.Controls.HostedPanels.AutoCompleteControls.AutoCompleteHeader
MailSearch.Controls.HostedPanels.AutoCompleteControls.AutoCompleteHeader
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MailSearch.Controls.HostedPanels.AutoCompleteControls.AutoCompleteHeader\CLSID
{677766AB-1A96-3B4C-830A-BD67DC4F9358}
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{677766AB-1A96-3B4C-830A-BD67DC4F9358}
MailSearch.Controls.HostedPanels.AutoCompleteControls.AutoCompleteHeader
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{677766AB-1A96-3B4C-830A-BD67DC4F9358}\InprocServer32
mscoree.dll
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{677766AB-1A96-3B4C-830A-BD67DC4F9358}\InprocServer32
ThreadingModel
Both
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{677766AB-1A96-3B4C-830A-BD67DC4F9358}\InprocServer32
Class
MailSearch.Controls.HostedPanels.AutoCompleteControls.AutoCompleteHeader
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{677766AB-1A96-3B4C-830A-BD67DC4F9358}\InprocServer32
Assembly
WhiteClick, Version=2.0.0.0, Culture=neutral, PublicKeyToken=57272e7a64c25751
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{677766AB-1A96-3B4C-830A-BD67DC4F9358}\InprocServer32
RuntimeVersion
v4.0.30319
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{677766AB-1A96-3B4C-830A-BD67DC4F9358}\InprocServer32\2.0.0.0
Class
MailSearch.Controls.HostedPanels.AutoCompleteControls.AutoCompleteHeader
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{677766AB-1A96-3B4C-830A-BD67DC4F9358}\InprocServer32\2.0.0.0
Assembly
WhiteClick, Version=2.0.0.0, Culture=neutral, PublicKeyToken=57272e7a64c25751
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{677766AB-1A96-3B4C-830A-BD67DC4F9358}\InprocServer32\2.0.0.0
RuntimeVersion
v4.0.30319
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{677766AB-1A96-3B4C-830A-BD67DC4F9358}\ProgId
MailSearch.Controls.HostedPanels.AutoCompleteControls.AutoCompleteHeader
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MailSearch.Attributes.BandObjectAttribute
MailSearch.Attributes.BandObjectAttribute
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MailSearch.Attributes.BandObjectAttribute\CLSID
{734DBD75-7B40-3861-9A98-027D0D2CBA27}
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{734DBD75-7B40-3861-9A98-027D0D2CBA27}
MailSearch.Attributes.BandObjectAttribute
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{734DBD75-7B40-3861-9A98-027D0D2CBA27}\InprocServer32
mscoree.dll
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{734DBD75-7B40-3861-9A98-027D0D2CBA27}\InprocServer32
ThreadingModel
Both
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{734DBD75-7B40-3861-9A98-027D0D2CBA27}\InprocServer32
Class
MailSearch.Attributes.BandObjectAttribute
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{734DBD75-7B40-3861-9A98-027D0D2CBA27}\InprocServer32
Assembly
WhiteClick, Version=2.0.0.0, Culture=neutral, PublicKeyToken=57272e7a64c25751
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{734DBD75-7B40-3861-9A98-027D0D2CBA27}\InprocServer32
RuntimeVersion
v4.0.30319
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{734DBD75-7B40-3861-9A98-027D0D2CBA27}\InprocServer32\2.0.0.0
Class
MailSearch.Attributes.BandObjectAttribute
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{734DBD75-7B40-3861-9A98-027D0D2CBA27}\InprocServer32\2.0.0.0
Assembly
WhiteClick, Version=2.0.0.0, Culture=neutral, PublicKeyToken=57272e7a64c25751
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{734DBD75-7B40-3861-9A98-027D0D2CBA27}\InprocServer32\2.0.0.0
RuntimeVersion
v4.0.30319
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{734DBD75-7B40-3861-9A98-027D0D2CBA27}\ProgId
MailSearch.Attributes.BandObjectAttribute
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{A1555B12-4882-3E87-8579-F3719696DE11}\2.0.0.0
Class
MailSearch.Structures.DESKBANDINFO+DBIF
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{A1555B12-4882-3E87-8579-F3719696DE11}\2.0.0.0
Assembly
WhiteClick, Version=2.0.0.0, Culture=neutral, PublicKeyToken=57272e7a64c25751
2744
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{A1555B12-4882-3E87-8579-F3719696DE11}\2.0.0.0
RuntimeVersion
v4.0.30319

Files activity

Executable files: 13
Suspicious files: 3
Text files: 54
Unknown types: 1

Dropped files

PID
Process
Filename
Type
1180
whiteclick.exe
C:\Users\admin\AppData\Local\Temp\is-4HMFL.tmp\whiteclick.tmp
executable
MD5: 832dab307e54aa08f4b6cdd9b9720361
SHA256: cc783a04ccbca4edd06564f8ec88fe5a15f1e3bb26cec7de5e090313520d98f3
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\System.Net.Http.dll
executable
MD5: 28ab7abe312cd7dcec9c5390a9548db3
SHA256: 3d566e051fb3e4bab4553945a5f611ae931d9f8a56b426168abad3ed458da492
4068
whiteclick.exe
C:\Users\admin\AppData\Local\Temp\is-KC981.tmp\whiteclick.tmp
executable
MD5: 832dab307e54aa08f4b6cdd9b9720361
SHA256: cc783a04ccbca4edd06564f8ec88fe5a15f1e3bb26cec7de5e090313520d98f3
2296
msiexec.exe
C:\Windows\Installer\MSI3F37.tmp
executable
MD5: c0cf88262de2673437f329af951df785
SHA256: c6cf68be4861e61bd2a827178b2fa425bb3e337978078f10d8c94e2c5569627a
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\WhiteClick.dll
executable
MD5: c9b8ac954d12fa1a86afbc28dbd1762c
SHA256: 314a280cffa89bb345581c66c7d6418ebce1ccef6e6b07227245d749d56f75cb
2296
msiexec.exe
C:\Windows\assembly\tmp\0LATLSGM\WhiteClick.dll
executable
MD5: c9b8ac954d12fa1a86afbc28dbd1762c
SHA256: 314a280cffa89bb345581c66c7d6418ebce1ccef6e6b07227245d749d56f75cb
2296
msiexec.exe
C:\Windows\Installer\5e36ba.msi
executable
MD5: 371b1b0685fc6e9d796f23559ca8adcf
SHA256: b57b0301733dee0fc8a9e3d4f9298a47d075df25cb8b322f035971503b727451
2296
msiexec.exe
C:\Windows\Installer\MSI3CB5.tmp
executable
MD5: c0cf88262de2673437f329af951df785
SHA256: c6cf68be4861e61bd2a827178b2fa425bb3e337978078f10d8c94e2c5569627a
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\WebClient.dll
executable
MD5: 26ef9e913d86d55836e57005061580da
SHA256: 97b6d9c17c89855b372e2ae3082ae0db9d56dc9fa2e8159c0f81af35f04d6762
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\Start.exe
executable
MD5: 6ff6e2361d16c53a31860f097d3d8da6
SHA256: 0e78a252500a80c808e3db488dfaab0766ac9cbc153608c18cc71450947eaf40
2296
msiexec.exe
C:\Windows\Installer\5e36b6.msi
executable
MD5: 371b1b0685fc6e9d796f23559ca8adcf
SHA256: b57b0301733dee0fc8a9e3d4f9298a47d075df25cb8b322f035971503b727451
476
whiteclick.tmp
C:\Users\admin\AppData\Local\Temp\is-VFLQS.tmp\Setup.msi
executable
MD5: 371b1b0685fc6e9d796f23559ca8adcf
SHA256: b57b0301733dee0fc8a9e3d4f9298a47d075df25cb8b322f035971503b727451
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\Newtonsoft.Json.dll
executable
MD5: 916518c706c8954a169b939d38fdf491
SHA256: 588155340ef9b7aa609b71724679b5356ba2ecdaa31ce1de010ae6bb3436fd07
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\Images\rev.mail.ru.png
image
MD5: 31e135768248c09abdd294c7027c856b
SHA256: a084592f420d2f86096799f7098f61c85cde14765e9a6a249afff74c6bea3416
2296
msiexec.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Shortcut to Primary output from Start (Active).lnk
lnk
MD5: a2024fce541e2e8f0f3ae382da1bf145
SHA256: 6c384f887bf82984f50af6fdb5986097d15e82e8842121bec297295ca40d7bbf
2296
msiexec.exe
C:\Users\admin\AppData\Roaming\Microsoft\Installer\{0AF75731-755A-4434-966E-1FF14B1107DF}\_FFC73131A0BE20E7818ABA.exe
image
MD5: ce8ee64c66e92bbb46231b1be06aba22
SHA256: d4f066db44f8ec61d8ec183091bead9578022c2385d4f7552b32f1b0c53fd26b
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\Images\ali.getoneclick.ru.png
image
MD5: 45c6dc4fe2b4171ece58480b3ca181a3
SHA256: c582139139ee125e209e7bbeeb926742f13ed605cc0dfa747b580f6015a5c7f3
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\Images\aw.my.com.png
image
MD5: de94cb3ceedd28497504d201caa3a94e
SHA256: 7dea6114d3f5fe0a3f88e6d270844270c932b0cd502efae26d87c341c4e11891
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\Images\sport.mail.ru.png
image
MD5: 97622de253c92bf3194ca4d6f8f9a386
SHA256: cd413f37c0dd9d97c53691a5c8b22a827c3dd29a39002243dbd47dfb483466c0
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\System Images\question_mark.png
image
MD5: 207f902f7ea3c6398d3d0f5cf4f1fd85
SHA256: 007ba35620f41e97e0abc2f6564b1d75a3ad0e23f8072d508844f2f37493e6f1
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\Images\bing.com.png
image
MD5: 3dc073b9d2e11aa07d8ada7a9e290f16
SHA256: 2413a5d9cdc27d0c0249314f3898bd7b76193aebb327849d34257af0db81270e
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\Images\horo.mail.ru.png
image
MD5: d000ac1525e65848289d43cde78bf6b8
SHA256: 7dbcc6cf20ad07f3e92bdf7598c90facb2493e96f9e5cbd6ca289eab0674aac0
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\Images\vk.com.png
image
MD5: 885db64c5c946a31b759bcb56dd736c5
SHA256: 101097cc8c224cefd1b8d77d76ec7bf2ba30d88b7da98e2e619e4721452ae139
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\Images\auto.mail.ru.png
image
MD5: 56f767b739d5aa28f844f83a7a861420
SHA256: f02e9fcaa40cbcaedb884c85109926f2861df9eb42a81db63e0a89b8f5ffbddd
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\Images\ok.ru.png
image
MD5: da4f600102d34023b4c7858f723c9422
SHA256: 6594e55d4a6df502aaddab05d900bffe79676a0abd0b919ca04a1a4edfc1a410
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\Images\linkedin.com.png
image
MD5: 98c582a07793dd351c9753afc8e5b2e9
SHA256: 28107258466686793301791ce664c793d0b272e7a4351a1ebc3911f96a7bc5c9
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\Images\instagram.com.png
image
MD5: 88170c798fc8f08650295ae7773202b3
SHA256: 65361569d1e7d7c94d73d8e76c0c4c2ba234ed8dd1753b6ea7a09c1869517b6a
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\Images\worldoftanks.ru.png
image
MD5: 5cbf5d6b2ca479b56aa77e8a35ea3481
SHA256: 74a1be29611e2637184e9c453c2d3a7c1ed1cc671e73165bab56ddcbdf982e52
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\active-search.ico
image
MD5: bb4ac971a75860052feceb78ee6c8bcc
SHA256: b0a38bf928cdaeab4dea55cc3fc5b87ea4419048772a8cdf530d982ae71a312e
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\Images\warthunder.com.png
image
MD5: d5a685662997e5a36bf351b25ea2fa8e
SHA256: 85361993b893f7919ad03852bfc6771e34500627f19e2f5e60fc62bca38949ca
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\Images\pogoda.mail.ru.png
image
MD5: bd4a8a3c453c04bbb60c1ce7b829133d
SHA256: ccc7e0bd785a5ea43abfdd882d22b40fd007fa33858c2d370cf5c1864b9453d5
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\Images\warthunder.ru.png
image
MD5: d5a685662997e5a36bf351b25ea2fa8e
SHA256: 85361993b893f7919ad03852bfc6771e34500627f19e2f5e60fc62bca38949ca
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\System Images\loupe.png
image
MD5: ffddf71659f10e5a94bb936985b23ae6
SHA256: 362c459ac4d89c140754b95b9dda27aa07bc25c4a15ad7a6c3f3a99107613c93
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\Images\worldoftanks.com.png
image
MD5: 5cbf5d6b2ca479b56aa77e8a35ea3481
SHA256: 74a1be29611e2637184e9c453c2d3a7c1ed1cc671e73165bab56ddcbdf982e52
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\Images\my.mail.ru.png
image
MD5: a6aea445a5c3be7ae025d1d4afa17204
SHA256: 33d46e130aba29b29676765683f4b2e934a43835efbe26f1e358f8ac607759e1
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\Images\wot.getoneclick.ru.png
image
MD5: 5cbf5d6b2ca479b56aa77e8a35ea3481
SHA256: 74a1be29611e2637184e9c453c2d3a7c1ed1cc671e73165bab56ddcbdf982e52
2296
msiexec.exe
C:\Windows\Installer\5e36b8.ipi
––
MD5:  ––
SHA256:  ––
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\Images\mail.ru.png
image
MD5: cd214763f91889685bf60d43a0eebb1c
SHA256: 6b7ccc48bc929a47c0ecd4de3332b4b75558d2dedc8791d985cfb44ac357f89a
2296
msiexec.exe
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\WhiteClick\v4.0_2.0.0.0__57272e7a64c25751
––
MD5:  ––
SHA256:  ––
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\Images\wtr.getoneclick.ru.png
image
MD5: d5a685662997e5a36bf351b25ea2fa8e
SHA256: 85361993b893f7919ad03852bfc6771e34500627f19e2f5e60fc62bca38949ca
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\Images\youtube.com.png
image
MD5: db5caabdacee27d1188552627148f3af
SHA256: 09969781d5698b63da9c0284d99574e83c2b7c2584c632261e4c0f4b60641016
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\Images\warface.com.png
image
MD5: 4647c0c12201ad3f41b6df5ee5846e3f
SHA256: e09c5a664df7b58171104544bc541a17aa693ca46b050472d5ba014b9ee958d8
2744
MsiExec.exe
C:\Users\admin\AppData\Local\WhiteClick\WhiteClick.InstallState
xml
MD5: 8340e57c6861aa09b7ac38e04ee8e33d
SHA256: a9e636ffaa636d4fda92bcee8422b7abf8abcf0bcf5ff860ceaf23e327fe0b21
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\Images\wows.getoneclick.ru.png
image
MD5: d092c0c9613afc63e5cec689184c971a
SHA256: a62037f184eddff7417067dd35af16bb223aa5dfe67b2d403f7755d4a9f93bac
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\Images\e.mail.ru.png
image
MD5: 2684a73d86f5860d8a55449215e8809d
SHA256: a94a7cffdfed1c95d830d776148e923fbe0e7898dd2a85c1ca35777d4c1109be
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\Images\afisha.mail.ru.png
image
MD5: c43c1b4f329373c8a7c3205501a16e62
SHA256: ca2d0b51ef7ceb4b461a8d46ff498c4cf854458af2b45d0cfc6efd311412d43c
2296
msiexec.exe
C:\Config.Msi\5e36b9.rbs
binary
MD5: 0fc5274eb97ea87249942b9f7339bb87
SHA256: 3d2813e0965716ca085c97ba9c0e71d217106343d2e08f83e5ceee9dbecfe706
2744
MsiExec.exe
C:\Users\admin\AppData\Local\WhiteClick\Tabs\0\Settings.ini
text
MD5: 423444a3c2ef7996c268a98f00b4fbdc
SHA256: 0cfbef17ee616c4b1771b396dd3fefc85319e53985cf8a7091fe3666aece640e
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\Images\twitter.com.png
image
MD5: 40f4557fcae315b1b5986d9d8a4f23b4
SHA256: 4b8b47d6407c8b2def03c77e46c5512ad32010f70f209890ff98e3e0750ab075
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\Images\worldofwarships.ru.png
image
MD5: d092c0c9613afc63e5cec689184c971a
SHA256: a62037f184eddff7417067dd35af16bb223aa5dfe67b2d403f7755d4a9f93bac
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\Images\ru.aliexpress.com.png
image
MD5: 45c6dc4fe2b4171ece58480b3ca181a3
SHA256: c582139139ee125e209e7bbeeb926742f13ed605cc0dfa747b580f6015a5c7f3
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\License.rtf
text
MD5: 9c594c420a60d21a9a54b79536e9d36b
SHA256: cf6c4ae66eb25b2ff957e493275af7edbd3f49ee4a69345245ea545436ce933d
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\System Images\right-arrow.png
image
MD5: 9a91eacce7828a912e5d1ac3e004f648
SHA256: 3fa7f762f094a8c807dc7a9911e14b7a02048caad5418d117e3dc73e2ce85e68
2744
MsiExec.exe
C:\Users\admin\AppData\Local\WhiteClick\Tabs\2\Settings.ini
text
MD5: 23d372b415fd63b01c80d1cf123a8ed8
SHA256: 4a41a817bf4e2cfc5a36c28161021cd0fdefde3e75081665c4b8dc28e4b1c0b7
2744
MsiExec.exe
C:\Users\admin\AppData\Local\WhiteClick\Tabs\1\Settings.ini
text
MD5: 7585b82fb6b456870a9927203768c430
SHA256: b2dbfa8526c0394324cddff82e13c260ff23c51066b2798bb26cdacf860e6466
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\Images\worldofwarships.com.png
image
MD5: d092c0c9613afc63e5cec689184c971a
SHA256: a62037f184eddff7417067dd35af16bb223aa5dfe67b2d403f7755d4a9f93bac
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\System Images\add_tab.png
image
MD5: a4b3796bb25535765834b91b9f43b261
SHA256: 9996fa8a77b7b45450905d4fe270350e72283d2010a15adab981ee6ae34283dc
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\Images\facebook.com.png
image
MD5: 55a9608a26108a775982f7189a542d81
SHA256: 4a4481577701161da3decbf7f6d5798a36dfcf059bfb9efae4727c333ad3689e
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\Images\news.mail.ru.png
image
MD5: c0155d4e954e8af312e4716d7805b2ac
SHA256: cdb64a3a3bcd723353c1911d18ff505014ae60e299e40da645178682c7971f91
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\Images\otvet.mail.ru.png
image
MD5: 806360e7a2cbf7897fc2baa48c661c81
SHA256: afe979e422a005903ef1f3a4a643986f6d909f5ffdc99c31510522b2348a7250
2296
msiexec.exe
C:\Users\admin\AppData\Local\WhiteClick\Images\warface.ru.png
image
MD5: 4647c0c12201ad3f41b6df5ee5846e3f
SHA256: e09c5a664df7b58171104544bc541a17aa693ca46b050472d5ba014b9ee958d8
2296
msiexec.exe
C:\Windows\Installer\MSI3997.tmp
binary
MD5: 25276c4362bfbf137ec8cd89ee121ea9
SHA256: f859d3f91efc798ef4e2d364a46736dc699b5cbd9cf819b3e2b6b3d708943472
2296
msiexec.exe
C:\Windows\Installer\5e36b8.ipi
binary
MD5: d3c60776b1d694967abcee6bd1c08b61
SHA256: f95ffd8d8e917d451bb746304ccddcd6898cc2848031ae4e3bad349e4f950e12
2296
msiexec.exe
C:\Users\admin\AppData\Local\Temp\~DF0DF08CAED5737A74.TMP
––
MD5:  ––
SHA256:  ––
2296
msiexec.exe
C:\Windows\Installer\MSI38AB.tmp
––
MD5:  ––
SHA256:  ––
2744
MsiExec.exe
C:\Users\admin\AppData\Local\Temp\CFG389B.tmp
xml
MD5: fdbbdb01ebc78a136a78f17e1e2e40d8
SHA256: a0314ff4cb7d286bcf94cf5b862e96122ddf6fea6af1014b71253e04cf67c94b
2296
msiexec.exe
C:\Windows\Installer\MSI37C0.tmp
––
MD5:  ––
SHA256:  ––
2744
MsiExec.exe
C:\Users\admin\AppData\Local\WhiteClick\Tabs\5\Settings.ini
text
MD5: 781c2280442d87d0b306bfd12efe8107
SHA256: 37dc371980d463be15cd27ca54d4d292051583f27207593bc6b91a4c74a962c2
2744
MsiExec.exe
C:\Users\admin\AppData\Local\WhiteClick\Tabs\3\Settings.ini
text
MD5: 644d395cc5eba5508b01af521f82faae
SHA256: 343e7587ffb839ae457e9a0a43e1001c606f52a14c3fbf2598ec677c70fbabba
476
whiteclick.tmp
C:\Users\admin\AppData\Local\Temp\is-VFLQS.tmp\is-CMGIG.tmp
––
MD5:  ––
SHA256:  ––
2744
MsiExec.exe
C:\Users\admin\AppData\Local\WhiteClick\Tabs\4\Settings.ini
text
MD5: 00e068d8909f8442fe60cd5bbed19aae
SHA256: 0740ce5106846315d441423e67650c351b3b4394619d329d9b22bbc1dc4ad98b
2296
msiexec.exe
C:\Users\admin\AppData\Local\Temp\~DFC42C8E107E2505EF.TMP
––
MD5:  ––
SHA256:  ––

Find more information about the static content and download it in the full report.

Network activity

HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

No network activity.

Debug output strings

No debug info.