Description	Indicator	Process	Target
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A

Drops startup file

Description	Indicator	Process	Target
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TLauncher.lnk	C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe	N/A
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TLauncher.lnk	C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\ixsjxa.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\ixsjxaSrv.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\TLauncher	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\qvkvtk.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\TLauncher	N/A

Loads dropped DLL

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\ixsjxa.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\ixsjxaSrv.exe	N/A

UPX packed file

upx

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Adds Run key to start application

persistence

Description	Indicator	Process	Target
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\TLauncher = "C:\\Users\\Admin\\AppData\\Roaming\\TLauncher"	C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	ip-api.com	N/A	N/A

Drops file in Program Files directory

Description	Indicator	Process	Target
File opened for modification	C:\Program Files (x86)\Microsoft\pxAA24.tmp	C:\Users\Admin\AppData\Local\Temp\ixsjxaSrv.exe	N/A
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	C:\Users\Admin\AppData\Local\Temp\ixsjxaSrv.exe	N/A
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	C:\Users\Admin\AppData\Local\Temp\ixsjxaSrv.exe	N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\System32\schtasks.exe	N/A

Modifies Internet Explorer settings

adware spyware

Description	Indicator	Process	Target
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{46207E41-25CE-11EF-92E0-EA483E0BCDAF} = "0"	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MINIE	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE	N/A
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	C:\Program Files\Internet Explorer\iexplore.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	C:\Program Files\Internet Explorer\iexplore.exe	N/A

Suspicious behavior: EnumeratesProcesses

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\TLauncher	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\TLauncher	N/A

Suspicious use of FindShellTrayWindow

Description	Indicator	Process	Target
N/A	N/A	C:\Program Files\Internet Explorer\iexplore.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe	N/A
N/A	N/A	C:\Program Files\Internet Explorer\iexplore.exe	N/A
N/A	N/A	C:\Program Files\Internet Explorer\iexplore.exe	N/A
N/A	N/A	C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE	N/A
N/A	N/A	C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE	N/A
N/A	N/A	C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE	N/A
N/A	N/A	C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\qvkvtk.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 1728 wrote to memory of 2748	N/A	C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1728 wrote to memory of 2748	N/A	C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1728 wrote to memory of 2748	N/A	C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1728 wrote to memory of 2760	N/A	C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1728 wrote to memory of 2760	N/A	C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1728 wrote to memory of 2760	N/A	C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1728 wrote to memory of 2496	N/A	C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1728 wrote to memory of 2496	N/A	C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1728 wrote to memory of 2496	N/A	C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1728 wrote to memory of 2000	N/A	C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1728 wrote to memory of 2000	N/A	C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1728 wrote to memory of 2000	N/A	C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1728 wrote to memory of 2880	N/A	C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe	C:\Windows\System32\schtasks.exe
PID 1728 wrote to memory of 2880	N/A	C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe	C:\Windows\System32\schtasks.exe
PID 1728 wrote to memory of 2880	N/A	C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe	C:\Windows\System32\schtasks.exe
PID 1728 wrote to memory of 1568	N/A	C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe	C:\Users\Admin\AppData\Local\Temp\ixsjxa.exe
PID 1728 wrote to memory of 1568	N/A	C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe	C:\Users\Admin\AppData\Local\Temp\ixsjxa.exe
PID 1728 wrote to memory of 1568	N/A	C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe	C:\Users\Admin\AppData\Local\Temp\ixsjxa.exe
PID 1728 wrote to memory of 1568	N/A	C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe	C:\Users\Admin\AppData\Local\Temp\ixsjxa.exe
PID 1568 wrote to memory of 1928	N/A	C:\Users\Admin\AppData\Local\Temp\ixsjxa.exe	C:\Users\Admin\AppData\Local\Temp\ixsjxaSrv.exe
PID 1568 wrote to memory of 1928	N/A	C:\Users\Admin\AppData\Local\Temp\ixsjxa.exe	C:\Users\Admin\AppData\Local\Temp\ixsjxaSrv.exe
PID 1568 wrote to memory of 1928	N/A	C:\Users\Admin\AppData\Local\Temp\ixsjxa.exe	C:\Users\Admin\AppData\Local\Temp\ixsjxaSrv.exe
PID 1568 wrote to memory of 1928	N/A	C:\Users\Admin\AppData\Local\Temp\ixsjxa.exe	C:\Users\Admin\AppData\Local\Temp\ixsjxaSrv.exe
PID 1928 wrote to memory of 796	N/A	C:\Users\Admin\AppData\Local\Temp\ixsjxaSrv.exe	C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1928 wrote to memory of 796	N/A	C:\Users\Admin\AppData\Local\Temp\ixsjxaSrv.exe	C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1928 wrote to memory of 796	N/A	C:\Users\Admin\AppData\Local\Temp\ixsjxaSrv.exe	C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1928 wrote to memory of 796	N/A	C:\Users\Admin\AppData\Local\Temp\ixsjxaSrv.exe	C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 796 wrote to memory of 2740	N/A	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	C:\Program Files\Internet Explorer\iexplore.exe
PID 796 wrote to memory of 2740	N/A	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	C:\Program Files\Internet Explorer\iexplore.exe
PID 796 wrote to memory of 2740	N/A	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	C:\Program Files\Internet Explorer\iexplore.exe
PID 796 wrote to memory of 2740	N/A	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	C:\Program Files\Internet Explorer\iexplore.exe
PID 2740 wrote to memory of 1964	N/A	C:\Program Files\Internet Explorer\iexplore.exe	C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2740 wrote to memory of 1964	N/A	C:\Program Files\Internet Explorer\iexplore.exe	C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2740 wrote to memory of 1964	N/A	C:\Program Files\Internet Explorer\iexplore.exe	C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2740 wrote to memory of 1964	N/A	C:\Program Files\Internet Explorer\iexplore.exe	C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2848 wrote to memory of 2800	N/A	C:\Windows\system32\taskeng.exe	C:\Users\Admin\AppData\Roaming\TLauncher
PID 2848 wrote to memory of 2800	N/A	C:\Windows\system32\taskeng.exe	C:\Users\Admin\AppData\Roaming\TLauncher
PID 2848 wrote to memory of 2800	N/A	C:\Windows\system32\taskeng.exe	C:\Users\Admin\AppData\Roaming\TLauncher
PID 1728 wrote to memory of 1456	N/A	C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe	C:\Users\Admin\AppData\Local\Temp\qvkvtk.exe
PID 1728 wrote to memory of 1456	N/A	C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe	C:\Users\Admin\AppData\Local\Temp\qvkvtk.exe
PID 1728 wrote to memory of 1456	N/A	C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe	C:\Users\Admin\AppData\Local\Temp\qvkvtk.exe
PID 1728 wrote to memory of 1456	N/A	C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe	C:\Users\Admin\AppData\Local\Temp\qvkvtk.exe
PID 2848 wrote to memory of 1828	N/A	C:\Windows\system32\taskeng.exe	C:\Users\Admin\AppData\Roaming\TLauncher
PID 2848 wrote to memory of 1828	N/A	C:\Windows\system32\taskeng.exe	C:\Users\Admin\AppData\Roaming\TLauncher
PID 2848 wrote to memory of 1828	N/A	C:\Windows\system32\taskeng.exe	C:\Users\Admin\AppData\Roaming\TLauncher

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Network Realtime inspection.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\TLauncher'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'TLauncher'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "TLauncher" /tr "C:\Users\Admin\AppData\Roaming\TLauncher"

C:\Users\Admin\AppData\Local\Temp\ixsjxa.exe

"C:\Users\Admin\AppData\Local\Temp\ixsjxa.exe"

C:\Users\Admin\AppData\Local\Temp\ixsjxaSrv.exe

C:\Users\Admin\AppData\Local\Temp\ixsjxaSrv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2740 CREDAT:275457 /prefetch:2

C:\Windows\system32\taskeng.exe

taskeng.exe {638D7D00-B3D3-48B5-BE39-2421C9BF49D4} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\TLauncher

C:\Users\Admin\AppData\Roaming\TLauncher

C:\Users\Admin\AppData\Local\Temp\qvkvtk.exe

"C:\Users\Admin\AppData\Local\Temp\qvkvtk.exe"

C:\Users\Admin\AppData\Roaming\TLauncher

C:\Users\Admin\AppData\Roaming\TLauncher

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	ip-api.com	udp
US	208.95.112.1:80	ip-api.com	tcp
US	8.8.8.8:53	listing-trackbacks.gl.at.ply.gg	udp
US	147.185.221.20:15337	listing-trackbacks.gl.at.ply.gg	tcp
US	8.8.8.8:53	api.bing.com	udp

Files

memory/1728-0-0x000007FEF58C3000-0x000007FEF58C4000-memory.dmp

memory/1728-1-0x00000000002F0000-0x000000000030A000-memory.dmp

memory/1728-2-0x000007FEF58C0000-0x000007FEF62AC000-memory.dmp

memory/2748-7-0x0000000002D20000-0x0000000002DA0000-memory.dmp

memory/2748-8-0x000000001B800000-0x000000001BAE2000-memory.dmp

memory/2748-9-0x0000000002240000-0x0000000002248000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5	d766dc4315e2d36ba0ac07947d904a5c
SHA1	57b242b7b978f05af641dd777a6fbb5b01fd3602
SHA256	378ab568095cfac08a7d3f5e197b89905db219d6007f5c1ba45068690d8b2c77
SHA512	59265b60a4ad0571a525c36258db9f49bdbc964ecbcde2a6aacaad5fe164d6c02def8d8b97f5f20d172d4b342cea2e4210d1817c7837e91a0300c47bea731f4f

memory/2760-16-0x0000000001F80000-0x0000000001F88000-memory.dmp

memory/2760-15-0x000000001B570000-0x000000001B852000-memory.dmp

memory/1728-30-0x000007FEF58C3000-0x000007FEF58C4000-memory.dmp

memory/1728-31-0x000007FEF58C0000-0x000007FEF62AC000-memory.dmp

\Users\Admin\AppData\Local\Temp\ixsjxaSrv.exe

MD5	ff5e1f27193ce51eec318714ef038bef
SHA1	b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256	fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512	c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/796-58-0x0000000000400000-0x000000000042E000-memory.dmp

memory/796-56-0x0000000000240000-0x0000000000241000-memory.dmp

memory/796-54-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1928-47-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1568-46-0x0000000000240000-0x000000000026E000-memory.dmp

memory/1568-39-0x0000000000400000-0x000000000045B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ixsjxa.exe

MD5	7eb8c9c1701f6b347721b42ba15c0993
SHA1	13e62637aa5c402383f5665d20c7491c51bccbdc
SHA256	6d5e92ccc9d65e02d8f805e3f4e33841db34a562b3c882a137146461a56bdec2
SHA512	22572a6ebf16b5e260c5d99f30aaefabd88a143bc6b6a9a4d7b82a31ffeb7970d3701c697fcb4c692c6f450782982f3e43f74e3b01fe3ebf1957fc0ef0a4a072

C:\Users\Admin\AppData\Local\Temp\CabBF7A.tmp

MD5	ac05d27423a85adc1622c714f2cb6184
SHA1	b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256	c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512	6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarC06C.tmp

MD5	4ea6026cf93ec6338144661bf1202cd1
SHA1	a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256	8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512	6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b