Malware Analysis Report

2024-10-16 03:31

Sample ID 240818-gw454ssejq
Target Trojan_Remover_V6.9.6.exe
SHA256 f7f8880582210c104511885f52112ef6bb8977775dd3e3343c62e6d9e196f3e8
Tags
banload discovery downloader dropper evasion persistence privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f7f8880582210c104511885f52112ef6bb8977775dd3e3343c62e6d9e196f3e8

Threat Level: Known bad

The file Trojan_Remover_V6.9.6.exe was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion persistence privilege_escalation trojan

Banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Checks whether UAC is enabled

Event Triggered Execution: Component Object Model Hijacking

Drops file in Program Files directory

Loads dropped DLL

Modifies system executable filetype association

Executes dropped EXE

Checks installed software on the system

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Checks processor information in registry

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-18 06:10

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-18 06:10

Reported

2024-08-18 06:12

Platform

win7-20240705-en

Max time kernel

147s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Trojan_Remover_V6.9.6.exe"

Signatures

Banload

trojan dropper downloader banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Trojan Remover\is-8SQB7.tmp C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp N/A
File created C:\Program Files (x86)\Trojan Remover\is-1IAL5.tmp C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp N/A
File created C:\Program Files (x86)\Trojan Remover\Win32\is-O6KU3.tmp C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp N/A
File created C:\Program Files (x86)\Trojan Remover\Win32\is-FUEQH.tmp C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp N/A
File created C:\Program Files (x86)\Trojan Remover\Win32\is-REPB4.tmp C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp N/A
File created C:\Program Files (x86)\Trojan Remover\is-UFPIL.tmp C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp N/A
File created C:\Program Files (x86)\Trojan Remover\unins000.msg C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp N/A
File created C:\Program Files (x86)\Trojan Remover\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp N/A
File created C:\Program Files (x86)\Trojan Remover\is-E445J.tmp C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp N/A
File created C:\Program Files (x86)\Trojan Remover\is-8T3JN.tmp C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp N/A
File created C:\Program Files (x86)\Trojan Remover\is-RBO1J.tmp C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp N/A
File created C:\Program Files (x86)\Trojan Remover\is-UGPKU.tmp C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp N/A
File created C:\Program Files (x86)\Trojan Remover\is-R3JNP.tmp C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp N/A
File created C:\Program Files (x86)\Trojan Remover\is-2J6K9.tmp C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp N/A
File created C:\Program Files (x86)\Trojan Remover\is-JPT03.tmp C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp N/A
File created C:\Program Files (x86)\Trojan Remover\Win32\is-1GOJF.tmp C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp N/A
File created C:\Program Files (x86)\Trojan Remover\Win32\is-2GV0A.tmp C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp N/A
File created C:\Program Files (x86)\Trojan Remover\is-D965K.tmp C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp N/A
File created C:\Program Files (x86)\Trojan Remover\is-75QGG.tmp C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp N/A
File created C:\Program Files (x86)\Trojan Remover\is-0OOLH.tmp C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp N/A
File opened for modification C:\Program Files (x86)\Trojan Remover\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan_Remover_V6.9.6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp N/A
N/A N/A C:\Program Files (x86)\Trojan Remover\trupd.exe N/A
N/A N/A C:\Program Files (x86)\Trojan Remover\trupd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp N/A
N/A N/A C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
N/A N/A C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
N/A N/A C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
N/A N/A C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
N/A N/A C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
N/A N/A C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
N/A N/A C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
N/A N/A C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
N/A N/A C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
N/A N/A C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
N/A N/A C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
N/A N/A C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
N/A N/A C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
N/A N/A C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
N/A N/A C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
N/A N/A C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
N/A N/A C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\ShellEx\ContextMenuHandlers\Trojan Remover C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\ShellEx C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers\Trojan Remover C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers\Trojan Remover\ = "{52B87208-9CCF-42C9-B88E-069281105805}" C:\Windows\system32\regsvr32.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-QRFC2.tmp\TaskInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Trojan Remover\trupd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Trojan Remover\Sschk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Trojan_Remover_V6.9.6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers\Trojan Remover C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B87A5C78-0783-4F35-B2BA-90F45E1E2C37}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E5EE211E-46A8-4019-BF37-AD5C8FF3D39D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C47CD61-C5D9-4A1B-8D3E-AD7D6435196E}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Trshlex64.TRShellEx\Clsid\ = "{52B87208-9CCF-42C9-B88E-069281105805}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E5EE211E-46A8-4019-BF37-AD5C8FF3D39D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TRElevationHelper.TRPrivilegedObject C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{008F705E-B937-4E1F-8FF8-C4D68AA3A67B}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Trshlex64.TRShellEx C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\Trojan Remover\ = "{52B87208-9CCF-42C9-B88E-069281105805}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E5EE211E-46A8-4019-BF37-AD5C8FF3D39D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\AppID\TRElevationHelper.dll C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C47CD61-C5D9-4A1B-8D3E-AD7D6435196E}\ = "TRElevationHelper" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52B87208-9CCF-42C9-B88E-069281105805}\ = "Trojan Remover Shell Extension" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5A5CDBAE-FB8C-4406-8CBE-54C7AEDAA2B5}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C47CD61-C5D9-4A1B-8D3E-AD7D6435196E}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers\Trojan Remover\ = "{52B87208-9CCF-42C9-B88E-069281105805}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{518932EE-5045-451E-BDE5-B864132BE471}\DllSurrogate C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{518932EE-5045-451E-BDE5-B864132BE471} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5A5CDBAE-FB8C-4406-8CBE-54C7AEDAA2B5}\ = "IMyPrivilegedObject" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\AppID\{8C47CD61-C5D9-4A1B-8D3E-AD7D6435196E} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52B87208-9CCF-42C9-B88E-069281105805}\ProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C47CD61-C5D9-4A1B-8D3E-AD7D6435196E}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{518932EE-5045-451E-BDE5-B864132BE471}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{518932EE-5045-451E-BDE5-B864132BE471}\TypeLib\ = "{B87A5C78-0783-4F35-B2BA-90F45E1E2C37}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{008F705E-B937-4E1F-8FF8-C4D68AA3A67B}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TRPrivilegesLib.TRElevationHelper\ = "TRElevationHelper" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E5EE211E-46A8-4019-BF37-AD5C8FF3D39D}\TypeLib\ = "{B87A5C78-0783-4F35-B2BA-90F45E1E2C37}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{518932EE-5045-451E-BDE5-B864132BE471}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{008F705E-B937-4E1F-8FF8-C4D68AA3A67B}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TRPrivilegesLib.TRElevationHelper C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{518932EE-5045-451E-BDE5-B864132BE471}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{008F705E-B937-4E1F-8FF8-C4D68AA3A67B}\1.0\ = "Trojan Remover Privileges Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{008F705E-B937-4E1F-8FF8-C4D68AA3A67B}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Trshlex64.TRShellEx\ = "Trojan Remover Shell Extension" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C47CD61-C5D9-4A1B-8D3E-AD7D6435196E}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{8C47CD61-C5D9-4A1B-8D3E-AD7D6435196E}\Elevation C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B87A5C78-0783-4F35-B2BA-90F45E1E2C37}\1.0\ = "TRElevationHelper Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E5EE211E-46A8-4019-BF37-AD5C8FF3D39D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{518932EE-5045-451E-BDE5-B864132BE471} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52B87208-9CCF-42C9-B88E-069281105805}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5A5CDBAE-FB8C-4406-8CBE-54C7AEDAA2B5}\TypeLib\ = "{008F705E-B937-4E1F-8FF8-C4D68AA3A67B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{8C47CD61-C5D9-4A1B-8D3E-AD7D6435196E}\ = "TRElevationHelper" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{8C47CD61-C5D9-4A1B-8D3E-AD7D6435196E}\DllSurrogate C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\AppID\TRElevationHelper32.dll C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9EF5725D-1198-1361-A97F-3D0AAB164C39} C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\ShellEx C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B87A5C78-0783-4F35-B2BA-90F45E1E2C37}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\TRElevationHelper.dll\AppID = "{518932EE-5045-451E-BDE5-B864132BE471}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{518932EE-5045-451E-BDE5-B864132BE471}\AccessPermission = 01000480440000005400000000000000140000000200300002000000000014000300000001010000000000050400000000001400030000000101000000000005120000000102000000000005200000002002000001020000000000052000000020020000 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5A5CDBAE-FB8C-4406-8CBE-54C7AEDAA2B5} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9EF5725D-1198-1361-A97F-3D0AAB164C39}\ = "{0000031A-0000-0000-C000-000000000046}" C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\ShellEx\ContextMenuHandlers\Trojan Remover C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5A5CDBAE-FB8C-4406-8CBE-54C7AEDAA2B5} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C47CD61-C5D9-4A1B-8D3E-AD7D6435196E}\InprocServer32\ = "C:\\PROGRA~2\\TROJAN~1\\TRELEV~2.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\TRElevationHelper32.dll\AppID = "{8C47CD61-C5D9-4A1B-8D3E-AD7D6435196E}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5A5CDBAE-FB8C-4406-8CBE-54C7AEDAA2B5}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52B87208-9CCF-42C9-B88E-069281105805}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B87A5C78-0783-4F35-B2BA-90F45E1E2C37}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B87A5C78-0783-4F35-B2BA-90F45E1E2C37}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{518932EE-5045-451E-BDE5-B864132BE471}\ = "TRPrivilegedObject" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{008F705E-B937-4E1F-8FF8-C4D68AA3A67B}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = [certificate blob removed] C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = [certificate blob removed] C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = [certificate blob removed] C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = [certificate blob removed] C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [certificate blob removed] C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46 C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = [certificate blob removed] C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob removed] C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = [certificate blob removed] C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob removed] C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [certificate blob removed] C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [certificate blob removed] C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [certificate blob removed] C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob removed] C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Trojan Remover\trupd.exe N/A
N/A N/A C:\Program Files (x86)\Trojan Remover\trupd.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files (x86)\Trojan Remover\Sschk.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2936 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\Trojan_Remover_V6.9.6.exe C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp
PID 2936 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\Trojan_Remover_V6.9.6.exe C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp
PID 2936 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\Trojan_Remover_V6.9.6.exe C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp
PID 2936 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\Trojan_Remover_V6.9.6.exe C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp
PID 2936 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\Trojan_Remover_V6.9.6.exe C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp
PID 2936 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\Trojan_Remover_V6.9.6.exe C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp
PID 2936 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\Trojan_Remover_V6.9.6.exe C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp
PID 2420 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Windows\system32\regsvr32.exe
PID 2420 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Windows\system32\regsvr32.exe
PID 2420 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Windows\system32\regsvr32.exe
PID 2420 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Windows\system32\regsvr32.exe
PID 2420 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Windows\system32\regsvr32.exe
PID 2420 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Windows\system32\regsvr32.exe
PID 2420 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Windows\system32\regsvr32.exe
PID 2420 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 2420 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 2420 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 2420 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 2420 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 2420 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 2420 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 2420 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 2420 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 2420 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 2420 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 2420 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 2420 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 2420 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 2420 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Users\Admin\AppData\Local\Temp\is-QRFC2.tmp\TaskInst.exe
PID 2420 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Users\Admin\AppData\Local\Temp\is-QRFC2.tmp\TaskInst.exe
PID 2420 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Users\Admin\AppData\Local\Temp\is-QRFC2.tmp\TaskInst.exe
PID 2420 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Users\Admin\AppData\Local\Temp\is-QRFC2.tmp\TaskInst.exe
PID 2420 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Users\Admin\AppData\Local\Temp\is-QRFC2.tmp\TaskInst.exe
PID 2420 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Users\Admin\AppData\Local\Temp\is-QRFC2.tmp\TaskInst.exe
PID 2420 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Users\Admin\AppData\Local\Temp\is-QRFC2.tmp\TaskInst.exe
PID 2420 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Program Files (x86)\Trojan Remover\trupd.exe
PID 2420 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Program Files (x86)\Trojan Remover\trupd.exe
PID 2420 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Program Files (x86)\Trojan Remover\trupd.exe
PID 2420 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Program Files (x86)\Trojan Remover\trupd.exe
PID 2420 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Program Files (x86)\Trojan Remover\trupd.exe
PID 2420 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Program Files (x86)\Trojan Remover\trupd.exe
PID 2420 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Program Files (x86)\Trojan Remover\trupd.exe
PID 2420 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe
PID 2420 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe
PID 2420 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe
PID 2420 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe
PID 2420 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe
PID 2420 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe
PID 2420 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe
PID 2872 wrote to memory of 1564 N/A C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe C:\Program Files (x86)\Trojan Remover\Sschk.exe
PID 2872 wrote to memory of 1564 N/A C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe C:\Program Files (x86)\Trojan Remover\Sschk.exe
PID 2872 wrote to memory of 1564 N/A C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe C:\Program Files (x86)\Trojan Remover\Sschk.exe
PID 2872 wrote to memory of 1564 N/A C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe C:\Program Files (x86)\Trojan Remover\Sschk.exe
PID 2872 wrote to memory of 1564 N/A C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe C:\Program Files (x86)\Trojan Remover\Sschk.exe
PID 2872 wrote to memory of 1564 N/A C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe C:\Program Files (x86)\Trojan Remover\Sschk.exe
PID 2872 wrote to memory of 1564 N/A C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe C:\Program Files (x86)\Trojan Remover\Sschk.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Trojan_Remover_V6.9.6.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan_Remover_V6.9.6.exe"

C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp

"C:\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp" /SL5="$3012C,20691785,1103872,C:\Users\Admin\AppData\Local\Temp\Trojan_Remover_V6.9.6.exe"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Trojan Remover\Trshlex64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Trojan Remover\TRElevationHelper.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Trojan Remover\TRElevationHelper32.dll"

C:\Users\Admin\AppData\Local\Temp\is-QRFC2.tmp\TaskInst.exe

"C:\Users\Admin\AppData\Local\Temp\is-QRFC2.tmp\TaskInst.exe"

C:\Program Files (x86)\Trojan Remover\trupd.exe

"C:\Program Files (x86)\Trojan Remover\trupd.exe" /dbinstall

C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe

"C:\Program Files (x86)\Trojan Remover\Rmvtrjan.exe"

C:\Program Files (x86)\Trojan Remover\Sschk.exe

"C:\Program Files (x86)\Trojan Remover\Sschk.exe" trh89B9.tmp

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x43c

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.simplysup.com udp
US 172.67.179.173:443 www.simplysup.com tcp
US 172.67.179.173:443 www.simplysup.com tcp

Files

memory/2936-2-0x0000000000401000-0x00000000004A9000-memory.dmp

memory/2936-0-0x0000000000400000-0x000000000051B000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-3IECH.tmp\Trojan_Remover_V6.9.6.tmp

MD5 5eca6b6cd4733323140d8e32cb484355
SHA1 75401d7c0e0f1bc14be20da23787785dbb01e7b2
SHA256 f6861456cacb82a1a999c1233fe67408e8eb25e3c5ed08a516111c9225143e72
SHA512 9910f01b32c65f1fe1f7c3a1eaecd8550a6a229475cbec2090e5524d6f1ac632d0710fa9e9e462ba8538ed1cf67a033f13d2baa500954a08edbda3058a743ce4

memory/2420-9-0x0000000000400000-0x000000000074F000-memory.dmp

memory/2936-10-0x0000000000400000-0x000000000051B000-memory.dmp

memory/2420-12-0x0000000000400000-0x000000000074F000-memory.dmp

memory/2420-22-0x0000000000400000-0x000000000074F000-memory.dmp

memory/2420-70-0x0000000007C80000-0x0000000007C90000-memory.dmp

\Program Files (x86)\Trojan Remover\Rmvtrjan.exe

MD5 57490eb9a715f68ea6f52182b3e639cf
SHA1 2a24774e517008a6d6c38ec5ae6f056fe2fb058b
SHA256 ea5528aea2e54d6721ed0f33cf6a7cb5c4e55ddc6ff6401ae0ec1dfb96156195
SHA512 9f863c51dbb2402912952b2788ea51f78cf86b4d9befc467875542696560a401594c1fbdaa0a64d5b2df065eabc9c4838443ca6d5ac7261f069865f3626ca08c

\Program Files (x86)\Trojan Remover\Trjscan.exe

MD5 0ae2865b8bf7f460f0a352e94dd37ed6
SHA1 21326b2fb72d6c182df39afdcab659c7b2275ea4
SHA256 f3f3af510869982fbaad92b6c36daa11d88805dcb304c04ddf31d81bd1b4b1fd
SHA512 b4aa0564fb50ee1054f01490149453fe721f91f5ae0aff0cb4cf1644ea3b180521e9c16c373f9522dadef93910094b67fe4622de097e721ee074be42cacba97d

\Program Files (x86)\Trojan Remover\trupd.exe

MD5 0c6d014b195761f7c92c74f8982b0a5b
SHA1 45fa5bea10d8bf914fec190f7e33907b02784e76
SHA256 c24f0baeee75ae5bb79bf3ea3315ce75f19192388d340aaacf8ccd2361f904e0
SHA512 53a1c7c3feeecf93af20649a9cef145997aabb3e5e03b9b7d0b038859ff2d81057f730d3c663e8f4df90c7785f924cba2673b6a294c46bd206bc0c4795544132

memory/2420-83-0x0000000007C80000-0x0000000007C90000-memory.dmp

C:\Program Files (x86)\Trojan Remover\Trshlex64.dll

MD5 bc168257a6d847002c942f725e6c4d45
SHA1 252e52be7982fd7cf69ed1ae0d7b9d5246b76cae
SHA256 8332bd218920b6bec2a043ca6409d672335c0269b2d437cd7c1b00456e6f1726
SHA512 3ebad8455a440eb5bb87503fea557e3e30f136a461199bf66aa4ad11307d4dd52914469c59f0c8627310221f80c6048beada8275358c4db5c89eb4de26e16732

memory/328-92-0x0000000001DF0000-0x000000000216F000-memory.dmp

C:\Program Files (x86)\Trojan Remover\TRElevationHelper.dll

MD5 4af801176ac79f0a2a32b2d71d6ef691
SHA1 e4ad5d68fbd01d31d13e3737879c5adfaa05518b
SHA256 f0cd8bcd09a72de3bd900776fb129416877df869f27e8b2a1bb86d04ca8856f1
SHA512 dffb0ad4ea97fdfd58642eeeec6c2138de8cf5f2562e72d4503fe8da40b020595aa3e3cd5c4d1522335b9d64e8b83871f8c54365dbc2b6d2ee50e11df78d42c4

memory/2548-95-0x0000000002200000-0x000000000230A000-memory.dmp

C:\Program Files (x86)\Trojan Remover\TRElevationHelper32.dll

MD5 4214adca95cec26e3cf661678a6c3705
SHA1 57604b65ef8ca91927dcfe2b4cf8ca0b4e0f1286
SHA256 03c6998fc83a8b89deb233e571e0ae1a5c07905578304440a06b5a912cc20700
SHA512 c0e980dab170caa2cad8b04bb34d12a65378e4d925efe2a3d3b9eb8a66ae487c573c6d6ba2d6565005f90defcf93e93273b1e6650b049ad3f250af5d3a14e084

memory/1788-98-0x0000000002360000-0x00000000025BE000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-QRFC2.tmp\TaskInst.exe

MD5 5abd23455548d16a0919e6259479840d
SHA1 22aa3e4418ee276f06928a2e99f4de0804416656
SHA256 0468b4bb783331a3eb69ae07fb09a12cc470df58fe8bfc10cca49da287792266
SHA512 d4a4dd9ee28dd4dcfaaa278824af0a345c5a55f2544ef176a5ac2a4258dad9d146e0e48d87e7b427a76e84e7c8b4ce84bd4af215550d42b4d825880b8f3d6bbd

memory/2852-105-0x0000000000400000-0x000000000067A000-memory.dmp

C:\ProgramData\Simply Super Software\Trojan Remover\Data\dlservers.dta

MD5 11da9dbdee7dd02901cddaed4841802b
SHA1 a53152510c5f81e423355deda4502abc29ea8af7
SHA256 11956755580ed92378df8fb11cccf980ec134943c6a2e08581dcbf6b770411f9
SHA512 137985e2dde65c70056ac618fcb617ead6d9ce75bfadb25310ca45c5c6670663b8ecd8218b7ce2beb8022c7847a48a607f5725df48e05b56282ecc5d2e8992aa

C:\Users\Admin\Documents\Simply Super Software\Trojan Remover Logfiles\updlog.txt

MD5 3752f2c2e34216d032270d090e5d4c24
SHA1 71b9c732a53158d930127eb96b9bd2755584c74e
SHA256 895a1c1971ac8a300a70cb098b4364a5edd673e0463c3f4d36489fe333e5fdb3
SHA512 15b06d721e102f3f3027ebf3a92673ffe72e972d3a25c0b2947954334cef6f761c55b760bc63ae4294414de2bd6ec0372731c81555441b3fe590894bb44c3a59

C:\Program Files (x86)\Trojan Remover\Win32\libeay32.dll

MD5 de66601165d003a7dbe444b128461694
SHA1 b6daca91c628bfeac760fb41f22ac591a6bb98e3
SHA256 ed98fc88dfe77719474dbe680cafdb1ec1ff6311513ac4e2cf233f7520ec59ef
SHA512 21812241e34ff8b3cc98add32df719aa4947d6d7250dbaec9c4135b51c8e017f0d108da22ece878d0a59289433fb286d9ae9dc82ae34f4f5af2b1e8f8f27378f

C:\Program Files (x86)\Trojan Remover\Win32\ssleay32.dll

MD5 9f487404116e9718f3b62bad39891488
SHA1 efedbce65290163364db72796ea38331c605b063
SHA256 e04f10dc724496de19c5201d045e7951e5d508e71c13139523cdc42ed96707cc
SHA512 f56bf9df702a37dd625f5732bf8a0d24c8259d2ba4cbfb3b1ee9d48aeaed27eb485032b3bd4ba28e8d51b102daa5e14712aca40af43d1141b160968303e52d53

memory/2420-133-0x0000000000400000-0x000000000074F000-memory.dmp

memory/2420-134-0x0000000007C80000-0x0000000007C90000-memory.dmp

memory/2420-135-0x0000000007C80000-0x0000000007C90000-memory.dmp

memory/2524-136-0x0000000001220000-0x00000000018C0000-memory.dmp

memory/2524-139-0x0000000001220000-0x00000000018C0000-memory.dmp

memory/2524-299-0x0000000001220000-0x00000000018C0000-memory.dmp

C:\ProgramData\Simply Super Software\Trojan Remover\Data\epack.dta

MD5 8dff7e81d2865623790c9229cfb8aceb
SHA1 68f657d56065b244ac6cbeffad1d5bb7bf85b963
SHA256 34a0be0d7f4afb9763d47df8417eed7f0364bc5c00ed8dc707f5af0fbdc35d02
SHA512 844e0a0603ea2a74ffc54dcbde180df4f969be07e2af54cf39d5b65324c5b85da8dc77433944bd668c4a3a5e7e8778752d026edf86b229d60285e0d3cd3b1af8

memory/2524-480-0x0000000001220000-0x00000000018C0000-memory.dmp

memory/2872-490-0x0000000003D00000-0x0000000003EF1000-memory.dmp

memory/2872-486-0x0000000003D00000-0x0000000003EF1000-memory.dmp

memory/2420-491-0x0000000007CF0000-0x0000000009063000-memory.dmp

memory/2872-492-0x0000000000400000-0x0000000001773000-memory.dmp

memory/2872-506-0x0000000001880000-0x00000000018A0000-memory.dmp

memory/2872-497-0x0000000000400000-0x0000000001773000-memory.dmp

memory/2872-499-0x0000000000400000-0x0000000001773000-memory.dmp

memory/2872-502-0x0000000000400000-0x0000000001773000-memory.dmp

memory/2872-510-0x0000000003D00000-0x0000000003EF1000-memory.dmp

\Program Files (x86)\Trojan Remover\ztvunrar39.dll

MD5 af2b46a3087a6b9512324c42b15bfd52
SHA1 2883e3bf9207c50ed1322db413367d5609e52a85
SHA256 b277af92360d2797f39ace6f6901f90949d78c5287e3af51e87da7cb516e49bc
SHA512 2f5046daa1234dfeda3aa9c30f18217e2109e74235b15dba43d5f3be6a588f6781dcc32be17d30d9be9be31a78c09459e1973e7166451cbc48c9829d4ccb6b17

memory/2872-500-0x0000000000400000-0x0000000001773000-memory.dmp

memory/2872-503-0x0000000000400000-0x0000000001773000-memory.dmp

memory/2872-507-0x0000000000400000-0x0000000001773000-memory.dmp

memory/2872-505-0x0000000000400000-0x0000000001773000-memory.dmp

C:\ProgramData\Simply Super Software\Trojan Remover\Data\trjlist22.dta

MD5 d44d4ad880580dc04e1f65e43237903c
SHA1 5e3622932b465ca96a79eb17fe951b79a7d4591f
SHA256 791b7d0e1ae49ac7665f5aa9fa9df1700a17e0fdcc822455bf186e7a939ffb27
SHA512 39735080d2dd7ec0ec9fc5177db9dbdf0f4f8cc577d88cb753d6fb4d1293c84af950aaf1b800dd1c97358d48ac4dd8330937b07e6f9786ca8c87bf13835d8acf

memory/2872-509-0x0000000000400000-0x0000000001773000-memory.dmp

C:\ProgramData\Simply Super Software\Trojan Remover\Data\reflist.dta

MD5 4862c030cb619bcd5064bab79be7c3c1
SHA1 bf155fe3fd675669b0522f9d30f7c9a4a8ce7f84
SHA256 d2027d66e548b7c6928c0170087b4e240db91f961a9ecccab4e661ce7d194342
SHA512 e0bad8f80d4e3ad5131d184d212a4dfc56f0d798494a49d60905e5ab867b270922eb5fa3e8e74f65681b51bb4177e88067d5af921988e7e51e4369838e2bb45d

memory/2872-518-0x0000000003D00000-0x0000000003EF1000-memory.dmp

memory/2420-519-0x0000000000400000-0x000000000074F000-memory.dmp

memory/2420-520-0x0000000007CF0000-0x0000000009063000-memory.dmp

C:\ProgramData\Simply Super Software\Trojan Remover\Data\trjlist2.dta

MD5 792bc7d977f2111d7f9765be8aa119e6
SHA1 fa2f1029791bff4d94a74eb00967645999b0c07e
SHA256 08af529a1a93c76d464d22d6eaa51d5e6f70144d7a16c31c6c45b0619a430610
SHA512 d1ba2459beb8e6656360c9a07d3c90a8aac915422de60f64acc78d305edf376557fcd555d83511ff14b2b80d19865873072072c7aae4c7f837e12a98ec11b48d

C:\ProgramData\Simply Super Software\Trojan Remover\Data\trjlist31.dta

MD5 b22793860090250432ec27d0b8f6a30e
SHA1 e9029385e2c7b9fd7ed0a5ee976c5ad8788c354c
SHA256 0a248719b54a52a87e22729657caa2d1dd8d3aad949053b8f7b2aa6678ca8c3a
SHA512 fe9184cda2f8283bd20735753691499ef06d3665a3ca7bae322e05027ae6cee2eb2274f98edeb58b2a973b0c1c43fe262bdff23bb0bff3d8af44f9db44a516ca

C:\Users\Admin\Documents\Simply Super Software\Trojan Remover Logfiles\TRLog.tmp

MD5 7539c1eab0f7086eb361731298e0251c
SHA1 374854024f4a4e4c7bbd1c1bb17e6c9d311a41cb
SHA256 3f991008556fe5e674953f8bb4ced676a45fb99b3ac075fa85d073ed04bcf7e7
SHA512 dba96671fa7f8d3a2f655b368dd9d0f28fdf7abac89032d839a77b5d0b3d728814ed54929b9361aaceb8eb3367795f3bdc25aaf1126582883c59d1a6620a4ace

C:\ProgramData\Simply Super Software\Trojan Remover\Data\trjlist7.dta

MD5 1b44043961c5c7bbe3222560dff74103
SHA1 7cd8809cf1978c0345b52187b814903be6202840
SHA256 d95aa3e90d499b39bd823abf69fb2e0223adaeba61d6260d4791dc239c1f4e9d
SHA512 f0556a72eacbb55901afedd1b3c791a2540102853637a013d97221dfa2f7ad637bbe81a41e3e717a83458609574b930429a0b0800b017a36835494214be4f8be

C:\ProgramData\Simply Super Software\Trojan Remover\Data\trjlist6.dta

MD5 5f9e3abbd7831ade0f80c0f6f4a76545
SHA1 6f86c0cd24b196e75f8f181fc2d1d0511a90e15f
SHA256 99bc614f4952b7a55bb9b38b78b7bc0176f119495bbf41e8c4857b71e86df45a
SHA512 8b915cd731df13000bf365f1bd9f02c5520530580983dd2e19a7c7fafbcbedffd8639ad41c70551698cda2d10be902e2444bdbda4aa40b40ceaecc07c0803e25

C:\ProgramData\Simply Super Software\Trojan Remover\Data\trjlist5.dta

MD5 85214ecff84537055e1df1cb02cf7f03
SHA1 10f42244f9c9e79bd50a25086d81ce8abc4221bb
SHA256 da1834d29ff387ed0fc45f67fdb2f9d0567f87c3b44b8c38b97c08cec77b1a97
SHA512 d0624900a3ffc631cdfbe1b5c43a95450bdeabe52ea8cc7a57f406ae86999ea3032faf094f9047a6afddc64c91e4972c91bcc5f850d9664895e8f2ad486f4c98

C:\ProgramData\Simply Super Software\Trojan Remover\Data\trjlist3.dta

MD5 3330d1570014d10354af8729c3fba9ad
SHA1 19ebfe14dd1b54b96f981ca544b1b45fc7a0e7fe
SHA256 630a79660cbfaf8b6fb240b5f256d2349fc7fc230ba0a30f30bdde21512be36c
SHA512 546944f9231236762d77e528d78cd557fa8af0fb1498b0a9847d7c8ae5712fcd8d6efcb55cb341d8b7df8d0e624cba5822a1dd8e6b0f93a7f3adbb9c833d798f

C:\ProgramData\Simply Super Software\Trojan Remover\Data\trjlist4.dta

MD5 7b8fc6b65af0fa741889dcd52acd30fb
SHA1 d499ef936090293f51c0592452b54e3f551d1986
SHA256 73d59cac1180c1ceb68bed21cfb19f3f1c49eb5f9adff4962b26aa195af7ce4b
SHA512 7200acec100d528db24106f331f3d2da6f202936519c36c2c78cfc3338888736c022e7fcfc4f8aa2d7a18990243ea5b3dfa026f7fcd4c50f00922206abc714f4

C:\Users\Admin\Documents\Simply Super Software\Trojan Remover Logfiles\TRLog.tmp

MD5 9c14602394db432c1c28652a65befcc1
SHA1 9125715a356328c3082dc20f6f13dc0e8cdd2531
SHA256 0a1023728a7e2c5342056689b6522b6bdcfc49f828bd92c9a1d3acc575b5ebd2
SHA512 a6151e79eed6295909a6ebc32cfb30e689237eeb06a8a8db2af643ecdb591e662610b7306bdfb312477a88e06a688c2dbdfd7c058173ed40d6b468ae78985104

C:\Program Files (x86)\Trojan Remover\Sschk.exe

MD5 45cfdea1dabe6f4b48281e4ce61a241a
SHA1 073eb8ee933617628367bf079c77bea6736c1dc7
SHA256 8701091bd868c17ccde76c0333e42b866b73c96b3f4ebe5f979f194d8b9b2c3a
SHA512 d90597dea5ae9d78816c4891f0ec6fef6fc364b0851005f870a7d15b72a6f75e6c80250f5d4a1bfa3b88c4d83eb90a46b1d1a5f896706f54dbc6e59f2589b73a

memory/2872-552-0x0000000000400000-0x0000000001773000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\trh89B9.tmp

MD5 6e82e8b9e2940f399af4783be3ecefdf
SHA1 fb54c3246b0ec92aba57fe65ae8ef2debbdb2300
SHA256 c1e0d65d3b7fe56ba28a3329603449b2a0434b6084c1e8aa61e8bd23203b2d7c
SHA512 557a28a0644e8e3263ba0c55315130d97628b77839ffe5662310865468374e788f9eb017a9fe925e1d02c9aa050d6b4ade5f1e4aa658dd84fad9b64fb5e9e32d

C:\Users\Admin\Documents\Simply Super Software\Trojan Remover Logfiles\TRLog.tmp

MD5 3b585c5097e0c5bdc5269f0e0a084bf7
SHA1 1ab2786f394399fe18555159f6afc42079c1b091
SHA256 ebfd0f646b1b61295f918cab40209d72b18e0a38e63e28782d025589faf67b20
SHA512 3a2ce8e248c9849cc79f9e359d47837ae6c469e99b5384956523f59031e12b988ad62dcc441189aa5faea89d9edfb25cfd8699ee109eb8558c20eb60b4d9f188

C:\Users\Admin\Documents\Simply Super Software\Trojan Remover Logfiles\TRLog.tmp

MD5 7291c764627e88b87591566d0a660cd4
SHA1 6f81297a18777419c06e4874f63edeb5af51c616
SHA256 88c29ac05d3cc91750f41916450e740ea80fec23e033f51d13902f181d653aaf
SHA512 9d754c871ad20b6a77bc8da2cf9f7bc19f478c6dc39459ec2fc1a924a14ab182ba3712a23aa07920851582ed5ec424c16c4624bb36d06426999764c663c5f702

C:\ProgramData\Simply Super Software\Trojan Remover\Data\trjlist29.dta

MD5 21fc270f152e79fdbd6d9be43b4cb494
SHA1 6ac28d0470a00bbc128cf8ed057646a4ddbb1a1b
SHA256 b2d45f14ece1bb79380b2717014d86434ddfdabd71cbce14851fcaf6c654ee88
SHA512 dbc4df59a905a9fb0caca0fd008fef654355b897a5a2b15cede63cf6dcf42fb32aa0ef07f221c0819d165dc8028f2f941ef2696228f929ed4aedc4a97dcfcb8d

C:\ProgramData\Simply Super Software\Trojan Remover\Data\trjlist77.dta

MD5 8fa4172fd3907367645f89b80ee0d493
SHA1 64cf1deb7388eb31e2623d62930105f5fc6de609
SHA256 d1a3fb2495412eeebd5e9b77e6fc7d64a73e46e09e0b938467a73cb31e150268
SHA512 32c1dc2bb35778f6931ff500e6a1f91cf4db3e8fc1e85c20dfc2a3613e78ddbc6957bb420eeacb1793b3b60aa4dc2a6d67c8c3ac3c33576789762ac7dd15d3d4

C:\ProgramData\Simply Super Software\Trojan Remover\Data\trjlist107.dta

MD5 a18f99de1a9ec9c4152444634dfa14e5
SHA1 c5f79129e693d379848a435eb60dd3feed265a0c
SHA256 5387a98ac1be647e16fca3f050af790f2c1d85f8807b459d8b56fa123241daf2
SHA512 404e52328167e229e655e8dbf2a8e4b069419578a2fd7cb1ce27a8d8740dfd6cc3623988354abf8f09c2ae85ec8fe021d4621dbb33efaa69fafbaf7cd4f567ac

C:\ProgramData\Simply Super Software\Trojan Remover\Data\trjlist33.dta

MD5 4fd6d0fdcc632d03fb2c938952fd5f64
SHA1 00664229fc988d4fa99208d1ab52aa9095653040
SHA256 43d449f352d10536e5fc02808754c3bdd0780c56429a519246bf4e66ad0f857e
SHA512 c401603ec901db4de6d5dd35fd31185f837522d6682b0b987d9b063e899ed8d96950fc60f0c07750fcbf6ea3eb0592bfa197dfc3cae1c5310a39395444a8b6ad

C:\ProgramData\Simply Super Software\Trojan Remover\Data\trjlist34.dta

MD5 3fbb24a6e135bb59bb27d591bc0fe7dc
SHA1 ca80ec99fbfaa368d1d422691e18fa6a31b3657f
SHA256 a17c79284d6f33d86069d53bc7dd4f4bde0f05c1439328aa40bc414d6484108c
SHA512 b0cae16f35fb7a503c3f392d3ae57be6fadbee79a9583eb35bba89d2cb086b24005af7771de92db85bdec426adeca1ac0579d3cffdda9e4035a2fca01494fcb7

C:\ProgramData\Simply Super Software\Trojan Remover\Data\trjlist43.dta

MD5 a0b042d0a59ef14fb98b6cf00e420e46
SHA1 3b1c4044a0d9097e64849f215e965a56119c6de7
SHA256 299553e7fad1fbd89a26814a528ca9b894b13174176a058da9de28beb346a61d
SHA512 0129d03343ca03b94542ef55cae26b9dfb5637ca7cbac4119c025a035757ed9aa28ca220635f973d56d11e79a6ef9b3f43a506f2ded6c9d836e601ceeb9354a8

C:\ProgramData\Simply Super Software\Trojan Remover\Data\trjlist35.dta

MD5 e503cd4677a29399743176752b419fc7
SHA1 17c35774fe36141b89951535fdb4a11764a1571d
SHA256 3bd9a646c1c61ffc3bd3f301f0b9293016992556c6f35f3e1bc33613942eaa26
SHA512 08d33d765d99fbd78298cedfb2809f1775fed0dbe349043051da1c2580d6c58e4f9832396c39a2e1e5b5be9a67d0c75aca87367135d5298344e508edcc5b0e08

C:\ProgramData\Simply Super Software\Trojan Remover\Data\trjlist61.dta

MD5 1dbf507c8a81e74958de13de7a000eac
SHA1 191ec62e3ae80973ea012b9310d1147a9b9f096d
SHA256 6bf12ed0a76c4f6b7044be997ec4865a1cdb1d4b0ad9cc87a8d6057c3710a77a
SHA512 aacea6b87d39f2707dc6b3361ad7fa8098b02c867783cbb81dab38c5409e17456846c09137e1a7e29e0fa148b1470349ae47506754e333cf9654863b30d5c1d8

C:\ProgramData\Simply Super Software\Trojan Remover\Data\trjlist91.dta

MD5 ca25bbd8b10c3d286c76ef29524208a3
SHA1 2adb72ba8fb817f49bebceeffe0dd75841d47acf
SHA256 8e9b18a3e4c2dd0628bf53cb6d411e8a390ed4a01476788cd460ba2cded2c6c7
SHA512 cdb83af7056577d7c429228b591de5932403d73e14ff56e30e903557002bb61632899c0baa97234dad7bcda01192d704def2881b3b8792d5aded1dc3d9a832a6

C:\Users\Admin\Documents\Simply Super Software\Trojan Remover Logfiles\TRLog.tmp

MD5 7aaed89cb5a67e348e0f42f7c90c8eae
SHA1 3ddf67935539cb3eba38eba3d988204d0cf59ffd
SHA256 c562fa911824d5829e873a27068060fe71f73274c3b2e59be9a5a1011685f00e
SHA512 499b6ef35a3a1f8763d69da2d41af1553d3bed741bea2df02d907aeb40a49fe773d04bb75288050b0d5a4b96cbcca8e167f00fedf44de980195642ce729b0eb0

C:\ProgramData\Simply Super Software\Trojan Remover\Data\trjlist79.dta

MD5 dee4237f9de139ed7d7e8d42d464cf1c
SHA1 4f2bef1e06715701bbe9da9ba71d48fcbbead4c4
SHA256 34f62b9e49515ad38f820f136268907ffa8bd4f66fff277abc3f5b76ca26a544
SHA512 25a0cad8b0204776e5e654752a28688fe69e9e0e57617cccb6f44adceef2855cac01deb5320bb172c5059798045a67fc56d431ed72de0df57f774d94665e7431

C:\ProgramData\Simply Super Software\Trojan Remover\Data\trjlist109.dta

MD5 4452cab8a424e786273a09d2ff17491f
SHA1 1d80e961f90931207c05cad28f86c47337360a0b
SHA256 6cabeda016f1ca02fe9c6bece071692fc013a3db8068a0558ce341136f0b1e79
SHA512 9f0d719242e05044cc11b9f16bfbb0fe44657e2286e270d49b7757587a7ac66109a2154926416ae6f9b8fbfea0c0972a38ce82dcced255726056011516336708

C:\ProgramData\Simply Super Software\Trojan Remover\Data\trjlist60.dta

MD5 fdb5b6df1bcf2010266f0b64156c7834
SHA1 d33eab45316d5046b4c999b2579fd203d175e956
SHA256 75d98eab3910e4d262e7d8f74b70ac5535704b1eb860b2ffcb27d7b07519e8b0
SHA512 ba666ae380fcb533212a31d0270f668df780f3cf4ee2ed8852aad32c020d772b095a74ed865981c5657a0cd34c06f81ea1d6b5697f34b528ee0a1564587cd722

C:\Users\Admin\AppData\Local\Temp\Cab9A40.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\ProgramData\Simply Super Software\Trojan Remover\Data\trjlist78.dta

MD5 369f82a82a58628f047f1369ec3ccd2e
SHA1 d13d9a98fb8f0fd63c622dfef731179d053b97f5
SHA256 c18e204d044545b593b934d06ab566cf7d541f7eaa7dfbd5734d1f38ce969e2a
SHA512 6ba496e9a5208b44c8b951dcd52c59b15d1a3beb049f31ca3ba24e202194df27c8230a54553a07ddb3717cb47dde807cb86fa209344e5becfdba82fb52121f05

C:\ProgramData\Simply Super Software\Trojan Remover\Data\trjlist108.dta

MD5 6f81c53414dc584e751ed53a64f722fa
SHA1 cc9789e2ab1485bd5d4fc74c96df73c004c01e8c
SHA256 51d82d8c36c334b3b478e0b162cc5ce09320ee4be4fec824a6ad547fe2a72ab7
SHA512 0488e644bb53bc436f481650596dfec32d181e45e789d970eaba48722321c91852506bb0d7076a12f4c1f499054bc17d0099cb32de04c3238931247a01c94f35

C:\ProgramData\Simply Super Software\Trojan Remover\Data\trjlist57.dta

MD5 42f5a081b4307e0ab365eeebd0221701
SHA1 56bbbee7cd3d05d2d0a160918ce7cc67a35abe5c
SHA256 ebf5fdbde8abb00357942ea615b23c47f868fca9398fa57a517aca774fc6eb4b
SHA512 a00c779d0a5dc8139f29c0183dfff11f1b9baa4a9c1555edeb75466937cc10a5849e380dbd4aa8922c2a561fc7b362da9afeecbfa4f55fc35b7aa0e92009c0b2

C:\ProgramData\Simply Super Software\Trojan Remover\Data\trjlist52.dta

MD5 59e0c111dba55dcad60dd6b69821a12b
SHA1 ac400737d2d690399b4e6c548461331bd6ec167e
SHA256 3523ff6498add733a5f5421437f6deecfd25d835843ea3a18588c7585e93b89a
SHA512 9fd33a19c3fb016b08125c434b6cb687b814c4a488abfb71fe35321c4296ce9cb50b2262f8995bd73522f1d648222b2e28cd69fa999ac4db2c3fb731667bdf99

C:\ProgramData\Simply Super Software\Trojan Remover\Data\trjlist47.dta

MD5 b026eb2ba7fdc833c5588c60964638d5
SHA1 c4b9998c9c8b72519f43f58e428cac19cd3b8ffe
SHA256 7017d6eb6c25048b35b0232ab2d7dee12f627569a5c4a0a4e6d696417f10e296
SHA512 685f9bf8796b24c5b40c213b151a82003682de9f360b232118b9e8a72edd8f97ec673bc835c738efad6a8dee2213431bda6bcc1065b3ae43a2cb9e48536874dc

C:\ProgramData\Simply Super Software\Trojan Remover\Data\trjlist51.dta

MD5 f7e856487e03ed72cb3c6be2b4e894ec
SHA1 79a9f4c99b1658c50e404a118be5b3e1dfca78a4
SHA256 0e6cc44ad8f4b7eb688a71403918aa98fb4891591fa80eea8c3bc922ee9df17c
SHA512 411a3de0f8e6663ec7d5aadcb686479fbba33ccf9bdc2e60dbc57bea49631aec1a5744ef5546b6593b4ff643d4383d04e3de25a3797b6807b9f8ec10b8e1e979

C:\ProgramData\Simply Super Software\Trojan Remover\Data\trjlist65.dta

C:\Users\Admin\AppData\Local\Temp\TarC049.tmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-18 06:10

Reported

2024-08-18 06:12

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Trojan_Remover_V6.9.6.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NVGQF.tmp\Trojan_Remover_V6.9.6.tmp N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Trojan_Remover_V6.9.6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-NVGQF.tmp\Trojan_Remover_V6.9.6.tmp N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Trojan_Remover_V6.9.6.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan_Remover_V6.9.6.exe"

C:\Users\Admin\AppData\Local\Temp\is-NVGQF.tmp\Trojan_Remover_V6.9.6.tmp

"C:\Users\Admin\AppData\Local\Temp\is-NVGQF.tmp\Trojan_Remover_V6.9.6.tmp" /SL5="$50280,20691785,1103872,C:\Users\Admin\AppData\Local\Temp\Trojan_Remover_V6.9.6.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\is-NVGQF.tmp\Trojan_Remover_V6.9.6.tmp
