acb4f32c3df8689dfde4bbbd61f7f1fccaf0a8a260753445899c609a1ac4ef64

Analysis

max time kernel
151s
max time network
152s
platform
windows7_x64
resource
win7v20201028
submitted
18-01-2021 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
Size

590KB
MD5

b086da5b4e3a6027283b2ba5158852a4
SHA1

2bfb39f18fba13a26fb50ec946677ef96a6604e7
SHA256

9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283
SHA512

1773007761a626e3f67719ec6582c08f630ada63a77b3941810648f6769ccb3cd6989a721927cfd6c1cce7670de1094a37db8d6342d578e22920f89c5a0740f5

Score

10^/10

discovery persistence spyware

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

Reimage.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\PropertySheetHandlers\ShimLayer Property Page	Reimage.exe

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Executes dropped EXE 20 IoCs

Processes:

sqlite3.exesqlite3.exesqlite3.exeReimageRepair.exesqlite3.exesqlite3.exesqlite3.exesqlite3.exeReimagePackage.exelzma.exelzma.exeProtectorUpdater.exeUniProtectorPackage.exeReiGuard.exeReiGuard.exeReiSystem.exeReimageApp.exeReimage.exeREI_AVIRA.exeReiSystem.exe

pid	process
1972	sqlite3.exe
1900	sqlite3.exe
1644	sqlite3.exe
1796	ReimageRepair.exe
748	sqlite3.exe
340	sqlite3.exe
1996	sqlite3.exe
1004	sqlite3.exe
324	ReimagePackage.exe
520	lzma.exe
1580	lzma.exe
432	ProtectorUpdater.exe
1712	UniProtectorPackage.exe
1036	ReiGuard.exe
548	ReiGuard.exe
1660	ReiSystem.exe
1348	ReimageApp.exe
944	Reimage.exe
2108	REI_AVIRA.exe
2264	ReiSystem.exe

Uses Session Manager for persistence 2 TTPs
Creates Session Manager registry key to run executable early in system boot.
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 145 IoCs

Processes:

9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.execmd.execmd.execmd.exeReimageRepair.execmd.execmd.execmd.execmd.exeReimagePackage.exe

pid	process
1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
2000	cmd.exe
2000	cmd.exe
1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
1752	cmd.exe
1752	cmd.exe
1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
1008	cmd.exe
1008	cmd.exe
1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
1796	ReimageRepair.exe
1796	ReimageRepair.exe
1796	ReimageRepair.exe
1796	ReimageRepair.exe
1796	ReimageRepair.exe
1588	cmd.exe
1588	cmd.exe
1796	ReimageRepair.exe
612	cmd.exe
612	cmd.exe
1796	ReimageRepair.exe
1636	cmd.exe
1636	cmd.exe
1796	ReimageRepair.exe
1796	ReimageRepair.exe
1796	ReimageRepair.exe
1796	ReimageRepair.exe
1796	ReimageRepair.exe
1796	ReimageRepair.exe
1796	ReimageRepair.exe
1796	ReimageRepair.exe
1796	ReimageRepair.exe
1796	ReimageRepair.exe
1796	ReimageRepair.exe
1796	ReimageRepair.exe
1796	ReimageRepair.exe
1796	ReimageRepair.exe
1796	ReimageRepair.exe
1796	ReimageRepair.exe
1796	ReimageRepair.exe
940	cmd.exe
940	cmd.exe
1796	ReimageRepair.exe
1796	ReimageRepair.exe
1796	ReimageRepair.exe
1796	ReimageRepair.exe
1796	ReimageRepair.exe
1796	ReimageRepair.exe
1796	ReimageRepair.exe
324	ReimagePackage.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ReimagePackage.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	ReimagePackage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Reimage = "\"C:\\Program Files\\Reimage\\Reimage Protector\\ReimageApp.exe\""	ReimagePackage.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 72 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Reimage.exeReiGuard.exeReiGuard.exe

description	ioc	process
File opened (read-only)	\??\P:	Reimage.exe
File opened (read-only)	\??\U:	Reimage.exe
File opened (read-only)	\??\S:	ReiGuard.exe
File opened (read-only)	\??\G:	ReiGuard.exe
File opened (read-only)	\??\K:	ReiGuard.exe
File opened (read-only)	\??\G:	Reimage.exe
File opened (read-only)	\??\M:	Reimage.exe
File opened (read-only)	\??\N:	Reimage.exe
File opened (read-only)	\??\O:	Reimage.exe
File opened (read-only)	\??\O:	ReiGuard.exe
File opened (read-only)	\??\X:	ReiGuard.exe
File opened (read-only)	\??\L:	ReiGuard.exe
File opened (read-only)	\??\M:	ReiGuard.exe
File opened (read-only)	\??\T:	ReiGuard.exe
File opened (read-only)	\??\N:	ReiGuard.exe
File opened (read-only)	\??\Z:	ReiGuard.exe
File opened (read-only)	\??\P:	ReiGuard.exe
File opened (read-only)	\??\Q:	Reimage.exe
File opened (read-only)	\??\Z:	Reimage.exe
File opened (read-only)	\??\J:	Reimage.exe
File opened (read-only)	\??\R:	Reimage.exe
File opened (read-only)	\??\I:	ReiGuard.exe
File opened (read-only)	\??\M:	ReiGuard.exe
File opened (read-only)	\??\T:	ReiGuard.exe
File opened (read-only)	\??\V:	ReiGuard.exe
File opened (read-only)	\??\J:	ReiGuard.exe
File opened (read-only)	\??\Y:	ReiGuard.exe
File opened (read-only)	\??\I:	Reimage.exe
File opened (read-only)	\??\E:	ReiGuard.exe
File opened (read-only)	\??\B:	ReiGuard.exe
File opened (read-only)	\??\H:	Reimage.exe
File opened (read-only)	\??\L:	Reimage.exe
File opened (read-only)	\??\P:	ReiGuard.exe
File opened (read-only)	\??\R:	ReiGuard.exe
File opened (read-only)	\??\S:	Reimage.exe
File opened (read-only)	\??\J:	ReiGuard.exe
File opened (read-only)	\??\W:	ReiGuard.exe
File opened (read-only)	\??\B:	ReiGuard.exe
File opened (read-only)	\??\G:	ReiGuard.exe
File opened (read-only)	\??\H:	ReiGuard.exe
File opened (read-only)	\??\K:	ReiGuard.exe
File opened (read-only)	\??\A:	Reimage.exe
File opened (read-only)	\??\B:	Reimage.exe
File opened (read-only)	\??\V:	Reimage.exe
File opened (read-only)	\??\N:	ReiGuard.exe
File opened (read-only)	\??\K:	Reimage.exe
File opened (read-only)	\??\R:	ReiGuard.exe
File opened (read-only)	\??\Y:	ReiGuard.exe
File opened (read-only)	\??\A:	ReiGuard.exe
File opened (read-only)	\??\E:	ReiGuard.exe
File opened (read-only)	\??\I:	ReiGuard.exe
File opened (read-only)	\??\F:	ReiGuard.exe
File opened (read-only)	\??\X:	ReiGuard.exe
File opened (read-only)	\??\T:	Reimage.exe
File opened (read-only)	\??\W:	Reimage.exe
File opened (read-only)	\??\Y:	Reimage.exe
File opened (read-only)	\??\F:	ReiGuard.exe
File opened (read-only)	\??\O:	ReiGuard.exe
File opened (read-only)	\??\V:	ReiGuard.exe
File opened (read-only)	\??\W:	ReiGuard.exe
File opened (read-only)	\??\Q:	ReiGuard.exe
File opened (read-only)	\??\S:	ReiGuard.exe
File opened (read-only)	\??\L:	ReiGuard.exe
File opened (read-only)	\??\Q:	ReiGuard.exe

Modifies WinLogon 2 TTPs 31 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Reimage.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{5794DAFD-BE60-433f-88A2-1A31939AC01F}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6232C319-91AC-4931-9385-E70C2B099F0E}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{AADCED64-746C-4633-A97C-D61349046527}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E4F48E54-F38D-4884-BFB9-D4D2E5729C18}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C418DD9D-0D14-4efb-8FBF-CFE535C8FAC7}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{74EE6C03-5363-4554-B161-627540339CAB}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A3F3E39B-5D83-4940-B954-28315B82F0A8}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{F9C77450-3A41-477E-9310-9ACD617BD9E3}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{17D89FEC-5C44-4972-B12D-241CAEF74509}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E47248BA-94CC-49c4-BBB5-9EB7F05183D0}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E62688F0-25FD-4c90-BFF5-F508B9D2E31F}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6A4C88C6-C502-4f74-8F60-2CB23EDC24E2}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7150F9BF-48AD-4da4-A49C-29EF4A8369BA}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{728EE579-943C-4519-9EF7-AB56765798ED}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{1A6364EB-776B-4120-ADE1-B63A406A76B5}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B087BE9D-ED37-454f-AF9C-04291E351182}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E5094040-C46C-4115-B030-04FB2E545B00}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0E28E245-9368-4853-AD84-6DA3BA35BB75}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3A0DBA37-F8B2-4356-83DE-3E90BD5C261F}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{91FBB303-0CD5-4055-BF42-E512A681B325}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D}	Reimage.exe

Drops file in System32 directory 10 IoCs

Processes:

ReiGuard.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_10CFD21835FBC4730F33B8DAC8D7DB43	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_10CFD21835FBC4730F33B8DAC8D7DB43	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	ReiGuard.exe

Drops file in Program Files directory 33 IoCs

Processes:

ReimagePackage.exeUniProtectorPackage.exelzma.exelzma.exe

description	ioc	process
File created	C:\Program Files\Reimage\Reimage Repair\uninst.exe	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe	UniProtectorPackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\ReimageReminder.exe	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\version.rei	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.lza	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\Reimage_website.ico	ReimagePackage.exe
File opened for modification	C:\Program Files\Reimage\Reimage Repair\Reimage Repair Privacy Policy.url	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\LZMA.EXE	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\REI_SupportInfoTool.exe	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll	lzma.exe
File created	C:\Program Files\Reimage\Reimage Repair\Reimage_SafeMode.ico	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Protector\ReimageApp.exe	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\engine.dat	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Protector\ReiProtectorM.exe	UniProtectorPackage.exe
File created	C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe	UniProtectorPackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\ReimageRepair.exe	ReimagePackage.exe
File opened for modification	C:\Program Files\Reimage\Reimage Repair\reimage.dat	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\msvcr120.dll	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\REI_AVIRA.exe	ReimagePackage.exe
File opened for modification	C:\Program Files\Reimage\Reimage Repair\Reimage Repair Terms of Use.url	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\reimage.dat	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\savapi.dll	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Protector\ProtectorUpdater.exe	UniProtectorPackage.exe
File opened for modification	C:\Program Files\Reimage\Reimage Repair\engine.dat	ReimagePackage.exe
File opened for modification	C:\Program Files\Reimage\Reimage Repair\Reimage Repair Help & Support.url	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Protector\ReiScanner.exe	UniProtectorPackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\Reimage.exe	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\REI_Engine.lza	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll	lzma.exe
File created	C:\Program Files\Reimage\Reimage Repair\Reimage_uninstall.ico	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\ReimageSafeMode.exe	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\Reimageicon.ico	ReimagePackage.exe
File opened for modification	C:\Program Files\Reimage\Reimage Repair\Reimage Repair Uninstall Instructions.url	ReimagePackage.exe

Drops file in Windows directory 9 IoCs

Processes:

9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exeReimageRepair.exeUniProtectorPackage.exeReiGuard.exeReimagePackage.exeReimage.exeProtectorUpdater.exe

description	ioc	process
File opened for modification	C:\Windows\Reimage.ini	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
File opened for modification	C:\Windows\Reimage.ini	ReimageRepair.exe
File opened for modification	C:\Windows\reimage.ini	ReimageRepair.exe
File opened for modification	C:\Windows\Reimage.ini	UniProtectorPackage.exe
File opened for modification	C:\Windows\TEMPregistrylog\.log	ReiGuard.exe
File opened for modification	C:\Windows\reimage.ini	ReimagePackage.exe
File opened for modification	C:\Windows\reimage.ini	Reimage.exe
File opened for modification	C:\Windows\reimage.ini	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
File opened for modification	C:\Windows\Reimage.ini	ProtectorUpdater.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Reimage.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Reimage.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ManufacturerIdentifier	Reimage.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Reimage.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Reimage.exe

Enumerates processes with tasklist 1 TTPs 17 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
340	tasklist.exe
2004	tasklist.exe
1168	tasklist.exe
1560	tasklist.exe
1388	tasklist.exe
1700	tasklist.exe
868	tasklist.exe
2004	tasklist.exe
856	tasklist.exe
848	tasklist.exe
748	tasklist.exe
1408	tasklist.exe
1740	tasklist.exe
908	tasklist.exe
1612	tasklist.exe
936	tasklist.exe
1472	tasklist.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

Reimage.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate Reimage.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

520 ipconfig.exe
2188 ipconfig.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate	Reimage.exe

pid	process
520	ipconfig.exe
2188	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

Reimage.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	Reimage.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Reimage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Reimage.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\User Preferences	Reimage.exe

Modifies data under HKEY_USERS 53 IoCs

Processes:

ReiGuard.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates	ReiGuard.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	ReiGuard.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	ReiGuard.exe

Modifies registry class 836 IoCs

Processes:

regsvr32.exeregsvr32.exeReimage.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\ = "JScript Language"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{0CF32AA1-7571-11D0-93C4-00AA00A3DDEA}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\ = "JScript Language Authoring"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\OLESCRIPT	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\ = "JScript Language"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{28AB0005-E845-4FFA-AA9B-F4665236141C}\Version	Reimage.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{24DC3975-09BF-4231-8655-3EE71F43837D}\TypeLib	Reimage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{26EC0B63-AA90-458A-8DF4-5659F2C8A18A}\Implemented Categories	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{334125C0-77E5-11d3-B653-00C04F79498E}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{37B03543-A4C8-11D2-B634-00C04F79498E}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{3BEE4890-4FE9-4A37-8C1E-5E7E12791C1F}\ProgID	Reimage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\VersionIndependentProgID\ = "REI_AxControl.ReiEngine"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{28AB0005-E845-4FFA-AA9B-F4665236141C}\Programmable	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{334125C0-77E5-11d3-B653-00C04F79498E}\Programmable	Reimage.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{1d27f844-3a1f-4410-85ac-14651078412d}\VersionIndependentProgID	Reimage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\ = "JScript Language"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID\ = "JScript.Encode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{0CF32AA1-7571-11D0-93C4-00AA00A3DDEA}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}\Implemented Categories\{0DE86A54-2BAA-11CF-A229-00AA003D7352}	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{3BEE4890-4FE9-4A37-8C1E-5E7E12791C1F}\VersionIndependentProgID	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{0002000D-0000-0000-C000-000000000046}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{233A9694-667E-11d1-9DFB-006097D50408}\MiscStatus	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{24DC3975-09BF-4231-8655-3EE71F43837D}\VersionIndependentProgID	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{055CB2D7-2969-45CD-914B-76890722F112}\ProgID	Reimage.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\INPROCSERVER32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\ = "JScript Compact Profile (ECMA 327)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{0369B4E5-45B6-11D3-B650-00C04F79498E}\Programmable	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{41B23C28-488E-4E5C-ACE2-BB0BBABE99E8}\ToolboxBitmap32	Reimage.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\OLESCRIPT	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\ = "JScript Language Authoring"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{0149EEDF-D08F-4142-8D73-D23903D21E90}\Programmable	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{3050f4d8-98b5-11cf-BB82-00AA00BDCE0B}\DefaultIcon	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{37B0353C-A4C8-11D2-B634-00C04F79498E}\ProgID	Reimage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\ = "JScript Language"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID\ = "JScript Author"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}\VersionIndependentProgID	Reimage.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

ReiGuard.exeReiGuard.exeReimage.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	ReiGuard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	ReiGuard.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ReiGuard.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ReiGuard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	ReiGuard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	ReiGuard.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	ReiGuard.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Reimage.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	ReiGuard.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

ReiGuard.exeReiGuard.exeReiSystem.exeReimage.exe

pid	process
1036	ReiGuard.exe
1036	ReiGuard.exe
548	ReiGuard.exe
548	ReiGuard.exe
1036	ReiGuard.exe
548	ReiGuard.exe
1660	ReiSystem.exe
1036	ReiGuard.exe
1036	ReiGuard.exe
548	ReiGuard.exe
548	ReiGuard.exe
944	Reimage.exe
944	Reimage.exe
944	Reimage.exe
944	Reimage.exe
944	Reimage.exe
944	Reimage.exe
944	Reimage.exe
944	Reimage.exe
944	Reimage.exe
548	ReiGuard.exe
548	ReiGuard.exe
548	ReiGuard.exe
548	ReiGuard.exe
548	ReiGuard.exe
548	ReiGuard.exe
548	ReiGuard.exe
548	ReiGuard.exe
548	ReiGuard.exe

Suspicious use of AdjustPrivilegeToken 65 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	856	tasklist.exe
Token: SeDebugPrivilege	340	tasklist.exe
Token: SeDebugPrivilege	2004	tasklist.exe
Token: SeDebugPrivilege	1408	tasklist.exe
Token: SeDebugPrivilege	848	tasklist.exe
Token: SeDebugPrivilege	1740	tasklist.exe
Token: SeDebugPrivilege	908	tasklist.exe
Token: SeDebugPrivilege	1700	tasklist.exe
Token: SeDebugPrivilege	868	tasklist.exe
Token: SeDebugPrivilege	1612	tasklist.exe
Token: SeDebugPrivilege	936	tasklist.exe
Token: SeDebugPrivilege	748	tasklist.exe
Token: SeDebugPrivilege	1472	tasklist.exe
Token: SeDebugPrivilege	1168	tasklist.exe
Token: SeDebugPrivilege	1560	tasklist.exe
Token: SeDebugPrivilege	2004	tasklist.exe
Token: SeDebugPrivilege	1388	tasklist.exe
Token: 33	1512	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1512	AUDIODG.EXE
Token: 33	1512	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1512	AUDIODG.EXE
Token: SeBackupPrivilege	944	Reimage.exe
Token: SeRestorePrivilege	944	Reimage.exe
Token: SeTakeOwnershipPrivilege	944	Reimage.exe
Token: SeDebugPrivilege	944	Reimage.exe
Token: SeBackupPrivilege	944	Reimage.exe
Token: SeBackupPrivilege	944	Reimage.exe
Token: SeSecurityPrivilege	944	Reimage.exe
Token: SeSecurityPrivilege	944	Reimage.exe
Token: SeSecurityPrivilege	944	Reimage.exe
Token: SeSecurityPrivilege	944	Reimage.exe
Token: SeSecurityPrivilege	944	Reimage.exe
Token: SeSecurityPrivilege	944	Reimage.exe
Token: SeSecurityPrivilege	944	Reimage.exe
Token: SeSecurityPrivilege	944	Reimage.exe
Token: SeSecurityPrivilege	944	Reimage.exe
Token: SeSecurityPrivilege	944	Reimage.exe
Token: SeSecurityPrivilege	944	Reimage.exe
Token: SeSecurityPrivilege	944	Reimage.exe
Token: SeSecurityPrivilege	944	Reimage.exe
Token: SeSecurityPrivilege	944	Reimage.exe
Token: SeSecurityPrivilege	944	Reimage.exe
Token: SeSecurityPrivilege	944	Reimage.exe
Token: SeSecurityPrivilege	944	Reimage.exe
Token: SeSecurityPrivilege	944	Reimage.exe
Token: SeBackupPrivilege	944	Reimage.exe
Token: SeBackupPrivilege	944	Reimage.exe
Token: SeSecurityPrivilege	944	Reimage.exe
Token: SeSecurityPrivilege	944	Reimage.exe
Token: SeSecurityPrivilege	944	Reimage.exe
Token: SeSecurityPrivilege	944	Reimage.exe
Token: SeSecurityPrivilege	944	Reimage.exe
Token: SeSecurityPrivilege	944	Reimage.exe
Token: SeSecurityPrivilege	944	Reimage.exe
Token: SeSecurityPrivilege	944	Reimage.exe
Token: SeSecurityPrivilege	944	Reimage.exe
Token: SeSecurityPrivilege	944	Reimage.exe
Token: SeSecurityPrivilege	944	Reimage.exe
Token: SeSecurityPrivilege	944	Reimage.exe
Token: SeSecurityPrivilege	944	Reimage.exe
Token: SeSecurityPrivilege	944	Reimage.exe
Token: SeSecurityPrivilege	944	Reimage.exe
Token: SeSecurityPrivilege	944	Reimage.exe
Token: SeSecurityPrivilege	944	Reimage.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

ReimageApp.exeReimage.exe

pid process

1348 ReimageApp.exe
944 Reimage.exe
1348 ReimageApp.exe
1348 ReimageApp.exe
1348 ReimageApp.exe
944 Reimage.exe
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

ReimageApp.exeReimage.exe

pid process

1348 ReimageApp.exe
944 Reimage.exe
1348 ReimageApp.exe
1348 ReimageApp.exe
1348 ReimageApp.exe
944 Reimage.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Reimage.exe

pid process

944 Reimage.exe
944 Reimage.exe
944 Reimage.exe
944 Reimage.exe

pid	process
1348	ReimageApp.exe
944	Reimage.exe
1348	ReimageApp.exe
1348	ReimageApp.exe
1348	ReimageApp.exe
944	Reimage.exe

pid	process
1348	ReimageApp.exe
944	Reimage.exe
1348	ReimageApp.exe
1348	ReimageApp.exe
1348	ReimageApp.exe
944	Reimage.exe

pid	process
944	Reimage.exe
944	Reimage.exe
944	Reimage.exe
944	Reimage.exe

Suspicious use of WriteProcessMemory 302 IoCs

Processes:

9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.execmd.execmd.execmd.execmd.execmd.exeReimageRepair.execmd.exe

description	pid	process	target process
PID 1864 wrote to memory of 2000	1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	cmd.exe
PID 1864 wrote to memory of 2000	1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	cmd.exe
PID 1864 wrote to memory of 2000	1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	cmd.exe
PID 1864 wrote to memory of 2000	1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	cmd.exe
PID 2000 wrote to memory of 1972	2000	cmd.exe	sqlite3.exe
PID 2000 wrote to memory of 1972	2000	cmd.exe	sqlite3.exe
PID 2000 wrote to memory of 1972	2000	cmd.exe	sqlite3.exe
PID 2000 wrote to memory of 1972	2000	cmd.exe	sqlite3.exe
PID 1864 wrote to memory of 1752	1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	cmd.exe
PID 1864 wrote to memory of 1752	1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	cmd.exe
PID 1864 wrote to memory of 1752	1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	cmd.exe
PID 1864 wrote to memory of 1752	1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	cmd.exe
PID 1752 wrote to memory of 1900	1752	cmd.exe	sqlite3.exe
PID 1752 wrote to memory of 1900	1752	cmd.exe	sqlite3.exe
PID 1752 wrote to memory of 1900	1752	cmd.exe	sqlite3.exe
PID 1752 wrote to memory of 1900	1752	cmd.exe	sqlite3.exe
PID 1864 wrote to memory of 1008	1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	cmd.exe
PID 1864 wrote to memory of 1008	1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	cmd.exe
PID 1864 wrote to memory of 1008	1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	cmd.exe
PID 1864 wrote to memory of 1008	1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	cmd.exe
PID 1008 wrote to memory of 1644	1008	cmd.exe	sqlite3.exe
PID 1008 wrote to memory of 1644	1008	cmd.exe	sqlite3.exe
PID 1008 wrote to memory of 1644	1008	cmd.exe	sqlite3.exe
PID 1008 wrote to memory of 1644	1008	cmd.exe	sqlite3.exe
PID 1864 wrote to memory of 748	1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	cmd.exe
PID 1864 wrote to memory of 748	1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	cmd.exe
PID 1864 wrote to memory of 748	1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	cmd.exe
PID 1864 wrote to memory of 748	1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	cmd.exe
PID 748 wrote to memory of 856	748	cmd.exe	tasklist.exe
PID 748 wrote to memory of 856	748	cmd.exe	tasklist.exe
PID 748 wrote to memory of 856	748	cmd.exe	tasklist.exe
PID 748 wrote to memory of 856	748	cmd.exe	tasklist.exe
PID 1864 wrote to memory of 2040	1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	cmd.exe
PID 1864 wrote to memory of 2040	1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	cmd.exe
PID 1864 wrote to memory of 2040	1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	cmd.exe
PID 1864 wrote to memory of 2040	1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	cmd.exe
PID 2040 wrote to memory of 340	2040	cmd.exe	tasklist.exe
PID 2040 wrote to memory of 340	2040	cmd.exe	tasklist.exe
PID 2040 wrote to memory of 340	2040	cmd.exe	tasklist.exe
PID 2040 wrote to memory of 340	2040	cmd.exe	tasklist.exe
PID 1864 wrote to memory of 1004	1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	regsvr32.exe
PID 1864 wrote to memory of 1004	1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	regsvr32.exe
PID 1864 wrote to memory of 1004	1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	regsvr32.exe
PID 1864 wrote to memory of 1004	1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	regsvr32.exe
PID 1864 wrote to memory of 1004	1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	regsvr32.exe
PID 1864 wrote to memory of 1004	1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	regsvr32.exe
PID 1864 wrote to memory of 1004	1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	regsvr32.exe
PID 1864 wrote to memory of 1796	1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	ReimageRepair.exe
PID 1864 wrote to memory of 1796	1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	ReimageRepair.exe
PID 1864 wrote to memory of 1796	1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	ReimageRepair.exe
PID 1864 wrote to memory of 1796	1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	ReimageRepair.exe
PID 1864 wrote to memory of 1796	1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	ReimageRepair.exe
PID 1864 wrote to memory of 1796	1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	ReimageRepair.exe
PID 1864 wrote to memory of 1796	1864	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	ReimageRepair.exe
PID 1796 wrote to memory of 1588	1796	ReimageRepair.exe	cmd.exe
PID 1796 wrote to memory of 1588	1796	ReimageRepair.exe	cmd.exe
PID 1796 wrote to memory of 1588	1796	ReimageRepair.exe	cmd.exe
PID 1796 wrote to memory of 1588	1796	ReimageRepair.exe	cmd.exe
PID 1588 wrote to memory of 748	1588	cmd.exe	sqlite3.exe
PID 1588 wrote to memory of 748	1588	cmd.exe	sqlite3.exe
PID 1588 wrote to memory of 748	1588	cmd.exe	sqlite3.exe
PID 1588 wrote to memory of 748	1588	cmd.exe	sqlite3.exe
PID 1796 wrote to memory of 612	1796	ReimageRepair.exe	cmd.exe
PID 1796 wrote to memory of 612	1796	ReimageRepair.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
"C:\Users\Admin\AppData\Local\Temp\9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxz60m9o.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_trackid';"
3⤵
- Executes dropped EXE
PID:1972

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxz60m9o.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_tracking';"
3⤵
- Executes dropped EXE
PID:1900

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1008

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxz60m9o.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_campaign';"
3⤵
- Executes dropped EXE
PID:1644

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
2⤵
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Reimage.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
2⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq avupdate.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:340

C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Windows\system32\jscript.dll"
2⤵
- Modifies registry class
PID:1004

C:\Users\Admin\AppData\Local\Temp\ReimageRepair.exe
"C:\Users\Admin\AppData\Local\Temp\ReimageRepair.exe" /update=1 /Language=1033 /tracking=0 /campaign=0 /adgroup=0 /Ads_Name=0 /Keyword=0 /ResumeInstall=2 /RunSilent=false /pxkp=Delete /ShowName=True /StartScan=0
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1588

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxz60m9o.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_trackid';"
4⤵
- Executes dropped EXE
PID:748

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
3⤵
- Loads dropped DLL
PID:612

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxz60m9o.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_tracking';"
4⤵
- Executes dropped EXE
PID:340

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
3⤵
- Loads dropped DLL
PID:1636

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxz60m9o.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_campaign';"
4⤵
- Executes dropped EXE
PID:1996

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
3⤵
PID:2020

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Reimage.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
3⤵
PID:1304

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq avupdate.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Windows\system32\jscript.dll"
3⤵
- Modifies registry class
PID:1004

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq ReimagePackage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
3⤵
PID:432

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq ReimagePackage.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
3⤵
PID:1472

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq GeoProxy.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
3⤵
PID:1408

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq GeoProxy.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
3⤵
- Loads dropped DLL
PID:940

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uxz60m9o.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_country';"
4⤵
- Executes dropped EXE
PID:1004

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq Wireshark.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
3⤵
PID:1620

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Wireshark.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq Fiddler.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
3⤵
PID:1616

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Fiddler.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq smsniff.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
3⤵
PID:1320

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq smsniff.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe
"C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe" /GUI=http://www.reimageplus.com/GUI/GUI1957/layout.php?consumer=1&gui_branch=0&trackutil=8044650947&MinorSessionID=2ad18dd5957f4af898c8fdcaa1&lang_code=en&bundle=0&loadresults=0&ShowSettings=false "/Location=C:\Users\Admin\AppData\Local\Temp\ReimageRepair.exe" /uninstallX86=TRUE /trackutil=8044650947 /CookieTracking=direct /CookieCampaign=no-referrer /EventUser=New /Update=1 /DownloaderVersion=1956 /RunSilent=false /SessionID=561c0663-6918-46c0-b437-4d684e5d1b3a /IDMinorSession=2ad18dd5957f4af898c8fdcaa1 /pxkp=Delete /ScanSilent=0 /Close=0 /cil=DISABLED /ShowName=True /Language=1033 /GuiLang=en /AgentStatus=ENABLED /StartScan=0 /VersionInfo=versionInfo /ShowSettings=true
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
PID:324

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
4⤵
PID:968

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Reimage.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
4⤵
PID:1512

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq avupdate.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Program Files\Reimage\Reimage Repair\lzma.exe
"C:\Program Files\Reimage\Reimage Repair\lzma.exe" "d" "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.lza" "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:520

C:\Program Files\Reimage\Reimage Repair\lzma.exe
"C:\Program Files\Reimage\Reimage Repair\lzma.exe" "d" "C:\Program Files\Reimage\Reimage Repair\REI_Engine.lza" "C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1580

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq REI_avira.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
4⤵
PID:1560

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq REI_avira.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll"
4⤵
PID:1788

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll"
5⤵
- Modifies registry class
PID:960

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll"
4⤵
PID:1100

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll"
5⤵
PID:516

C:\Users\Admin\AppData\Local\Temp\nsnC7E3.tmp\ProtectorUpdater.exe
"C:\Users\Admin\AppData\Local\Temp\nsnC7E3.tmp\ProtectorUpdater.exe" /S /MinorSessionID=2ad18dd5957f4af898c8fdcaa1 /SessionID=561c0663-6918-46c0-b437-4d684e5d1b3a /TrackID=8044650947 /AgentLogLocation=C:\rei\Results\Agent /CflLocation=C:\rei\cfl.rei /Install=True /DownloaderVersion=1956 /Iav=False
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:432

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq UniProtectorPackage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
5⤵
PID:1448

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq UniProtectorPackage.exe"
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe
"C:\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe" /S /MinorSessionID=2ad18dd5957f4af898c8fdcaa1 /SessionID=561c0663-6918-46c0-b437-4d684e5d1b3a /Install=true /UpdateOnly=default /InstallPath= /Iav=False
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1712

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq ReiScanner.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
6⤵
PID:1740

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq ReiScanner.exe"
7⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq ReiProtectorM.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
6⤵
PID:1396

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq ReiProtectorM.exe"
7⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe
"C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe" -install
6⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1036

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq ReimageApp.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
4⤵
PID:1764

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq ReimageApp.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /TN ReimageUpdater /F
4⤵
PID:1632

C:\Program Files\Reimage\Reimage Protector\ReimageApp.exe
"C:\Program Files\Reimage\Reimage Protector\ReimageApp.exe"
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1348

C:\Program Files\Reimage\Reimage Repair\Reimage.exe
"C:\Program Files\Reimage\Reimage Repair\Reimage.exe" http://www.reimageplus.com/GUI/GUI1957/layout.php?consumer=1&gui_branch=0&trackutil=8044650947&MinorSessionID=2ad18dd5957f4af898c8fdcaa1&lang_code=en&bundle=0&loadresults=0&ShowSettings=false /Locale=1033
4⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Enumerates connected drives
- Modifies WinLogon
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:944

C:\Windows\system32\ipconfig.exe
ipconfig /all
5⤵
- Gathers network information
PID:520

C:\Program Files\Reimage\Reimage Repair\REI_AVIRA.exe
"C:\Program Files\Reimage\Reimage Repair\REI_AVIRA.exe" "C:\rei\AV"
5⤵
- Executes dropped EXE
PID:2108

C:\Windows\system32\ipconfig.exe
C:\Windows\system32\ipconfig.exe /all
5⤵
- Gathers network information
PID:2188

C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe
"C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:548

C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe
"C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1660

C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe
commadnlinetogetexplorerhistory 3600 "C:\Users\Admin\AppData\Local\Temp\259397042_file.txt"
2⤵
- Executes dropped EXE
PID:2264

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:268

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FF.bat
MD5
ae3e8e551fa2cb82471e707070b480db

SHA1
ed377624cef8777197fdcb9bc89293455cdf140f

SHA256
559b4334332521d90aa2d70d82cfd4f10331212360db92095ea2401d03f2c9ee

SHA512
f9af6cbbdcbd96e4973bb6def4c654781f611bb5e0f769128134b4ab091a8b06791bfa00502ef0b840deea640118f9a06da0fd9095afa324715dfe1e6a60dbec

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF.bat
MD5
e11b7a7bcb47319994cca457fb6a25d4

SHA1
868bfcf1c536928b5dcc524302fb5945bf29f5d1

SHA256
ad07e11a0804942991783d02647518b1e5aeaaee803bbc1de77d8ccf0dacc777

SHA512
a2ea45adca9ba54e00f8d904c43ba8a4bb46123e89b21dd8c46e8b4525c8ccd29dd5b143186528ddbe4e3155d182fc5e370aeecbeabc1c1df3f25b4f5f4477c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF.bat
MD5
8540bdd320b7441581c3fed1edc6d73d

SHA1
5c2b4a48d1fac037254d45cb140786aa05cd78c3

SHA256
f73d40ed70bfa43dcc5ba2089fb4269332aeea3f955125bbe40a7efa4b04c45b

SHA512
861dd6aae810cc671153328dd46ac5ddc7e39d1bd4eec94253601a5e21793733d4215d0848e1a29a7305238fd0ec413f3bada3243494f7ab887b2fe65cc15bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF.bat
MD5
ae3e8e551fa2cb82471e707070b480db

SHA1
ed377624cef8777197fdcb9bc89293455cdf140f

SHA256
559b4334332521d90aa2d70d82cfd4f10331212360db92095ea2401d03f2c9ee

SHA512
f9af6cbbdcbd96e4973bb6def4c654781f611bb5e0f769128134b4ab091a8b06791bfa00502ef0b840deea640118f9a06da0fd9095afa324715dfe1e6a60dbec

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF.bat
MD5
e11b7a7bcb47319994cca457fb6a25d4

SHA1
868bfcf1c536928b5dcc524302fb5945bf29f5d1

SHA256
ad07e11a0804942991783d02647518b1e5aeaaee803bbc1de77d8ccf0dacc777

SHA512
a2ea45adca9ba54e00f8d904c43ba8a4bb46123e89b21dd8c46e8b4525c8ccd29dd5b143186528ddbe4e3155d182fc5e370aeecbeabc1c1df3f25b4f5f4477c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF.bat
MD5
8540bdd320b7441581c3fed1edc6d73d

SHA1
5c2b4a48d1fac037254d45cb140786aa05cd78c3

SHA256
f73d40ed70bfa43dcc5ba2089fb4269332aeea3f955125bbe40a7efa4b04c45b

SHA512
861dd6aae810cc671153328dd46ac5ddc7e39d1bd4eec94253601a5e21793733d4215d0848e1a29a7305238fd0ec413f3bada3243494f7ab887b2fe65cc15bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
MD5
dea052a2ad11945b1960577c0192f2eb

SHA1
1d02626a05a546a90c05902b2551f32c20eb3708

SHA256
943b315e065238b7073b033f534ef954b6b6461fb3f03a3f5b8555b11bc4c0a2

SHA512
5496b10e2a77aee11055d71bdaaed835df1770e85fa4d0f9433330470bbcf76c932c04778a0b47f4193eee14813db2e2b19ecc50b4a6a193faa19b4019705917

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
MD5
dea052a2ad11945b1960577c0192f2eb

SHA1
1d02626a05a546a90c05902b2551f32c20eb3708

SHA256
943b315e065238b7073b033f534ef954b6b6461fb3f03a3f5b8555b11bc4c0a2

SHA512
5496b10e2a77aee11055d71bdaaed835df1770e85fa4d0f9433330470bbcf76c932c04778a0b47f4193eee14813db2e2b19ecc50b4a6a193faa19b4019705917

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
MD5
dea052a2ad11945b1960577c0192f2eb

SHA1
1d02626a05a546a90c05902b2551f32c20eb3708

SHA256
943b315e065238b7073b033f534ef954b6b6461fb3f03a3f5b8555b11bc4c0a2

SHA512
5496b10e2a77aee11055d71bdaaed835df1770e85fa4d0f9433330470bbcf76c932c04778a0b47f4193eee14813db2e2b19ecc50b4a6a193faa19b4019705917

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
MD5
dea052a2ad11945b1960577c0192f2eb

SHA1
1d02626a05a546a90c05902b2551f32c20eb3708

SHA256
943b315e065238b7073b033f534ef954b6b6461fb3f03a3f5b8555b11bc4c0a2

SHA512
5496b10e2a77aee11055d71bdaaed835df1770e85fa4d0f9433330470bbcf76c932c04778a0b47f4193eee14813db2e2b19ecc50b4a6a193faa19b4019705917

Download Submit
C:\Users\Admin\AppData\Local\Temp\ReimageRepair.exe
MD5
f5af9d859c9a031ab6bea66048fab6e1

SHA1
d0ee45d3534cc23cbd0d7c3765203ed926a7eb0a

SHA256
4efd1bc1bdc12da1bbdc597cf3f37f0c65e582f42e353cf781ac1fe422dfa68c

SHA512
c771c3e7ef88116168b9e3e0d0e4dbb2f2ad03dec0a87b9d3427faf7edb0a2510bb80dcb57b50fb6bcb9f683f23d876f35dc91a85006973bdb3fec41d51145a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ReimageRepair.exe
MD5
f5af9d859c9a031ab6bea66048fab6e1

SHA1
d0ee45d3534cc23cbd0d7c3765203ed926a7eb0a

SHA256
4efd1bc1bdc12da1bbdc597cf3f37f0c65e582f42e353cf781ac1fe422dfa68c

SHA512
c771c3e7ef88116168b9e3e0d0e4dbb2f2ad03dec0a87b9d3427faf7edb0a2510bb80dcb57b50fb6bcb9f683f23d876f35dc91a85006973bdb3fec41d51145a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader log.txt
MD5
a46e61de383dc8a6f039f58f6bf8d3bf

SHA1
fbc746a5d44e2c08890a84bc7465d45be7ab6fb4

SHA256
e5234fdaea836a13d24fafa8613acf6723c8ee2ad61842eabac93f3c5cd5a9d3

SHA512
e72e2ffb4acf8ca028cf9000e8088a62550f9b8b92df45b0f01d0d83d3f3166b45693fb2f995cd7bae246f1cdd6983224c9e4a2ee5307d0e09ca797a2da2c6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
MD5
91cdcea4be94624e198d3012f5442584

SHA1
fab4043494e4bb02efbaf72bcca86c01992d765c

SHA256
ca4c0f1ec0ccbc9988ea3f43ff73fe84228ffb4d76baddc386051dffe7ddd8c2

SHA512
74edd1e31517acaf4d367521df84e17bda0a60743852076bc2edbd9e634c810fb98a06b29562237dfd61fb98fec0e379c3ce5a86b361ed0f2594d10c1a93c11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
MD5
91cdcea4be94624e198d3012f5442584

SHA1
fab4043494e4bb02efbaf72bcca86c01992d765c

SHA256
ca4c0f1ec0ccbc9988ea3f43ff73fe84228ffb4d76baddc386051dffe7ddd8c2

SHA512
74edd1e31517acaf4d367521df84e17bda0a60743852076bc2edbd9e634c810fb98a06b29562237dfd61fb98fec0e379c3ce5a86b361ed0f2594d10c1a93c11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
MD5
91cdcea4be94624e198d3012f5442584

SHA1
fab4043494e4bb02efbaf72bcca86c01992d765c

SHA256
ca4c0f1ec0ccbc9988ea3f43ff73fe84228ffb4d76baddc386051dffe7ddd8c2

SHA512
74edd1e31517acaf4d367521df84e17bda0a60743852076bc2edbd9e634c810fb98a06b29562237dfd61fb98fec0e379c3ce5a86b361ed0f2594d10c1a93c11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
MD5
91cdcea4be94624e198d3012f5442584

SHA1
fab4043494e4bb02efbaf72bcca86c01992d765c

SHA256
ca4c0f1ec0ccbc9988ea3f43ff73fe84228ffb4d76baddc386051dffe7ddd8c2

SHA512
74edd1e31517acaf4d367521df84e17bda0a60743852076bc2edbd9e634c810fb98a06b29562237dfd61fb98fec0e379c3ce5a86b361ed0f2594d10c1a93c11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
MD5
91cdcea4be94624e198d3012f5442584

SHA1
fab4043494e4bb02efbaf72bcca86c01992d765c

SHA256
ca4c0f1ec0ccbc9988ea3f43ff73fe84228ffb4d76baddc386051dffe7ddd8c2

SHA512
74edd1e31517acaf4d367521df84e17bda0a60743852076bc2edbd9e634c810fb98a06b29562237dfd61fb98fec0e379c3ce5a86b361ed0f2594d10c1a93c11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
MD5
91cdcea4be94624e198d3012f5442584

SHA1
fab4043494e4bb02efbaf72bcca86c01992d765c

SHA256
ca4c0f1ec0ccbc9988ea3f43ff73fe84228ffb4d76baddc386051dffe7ddd8c2

SHA512
74edd1e31517acaf4d367521df84e17bda0a60743852076bc2edbd9e634c810fb98a06b29562237dfd61fb98fec0e379c3ce5a86b361ed0f2594d10c1a93c11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
MD5
91cdcea4be94624e198d3012f5442584

SHA1
fab4043494e4bb02efbaf72bcca86c01992d765c

SHA256
ca4c0f1ec0ccbc9988ea3f43ff73fe84228ffb4d76baddc386051dffe7ddd8c2

SHA512
74edd1e31517acaf4d367521df84e17bda0a60743852076bc2edbd9e634c810fb98a06b29562237dfd61fb98fec0e379c3ce5a86b361ed0f2594d10c1a93c11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
MD5
91cdcea4be94624e198d3012f5442584

SHA1
fab4043494e4bb02efbaf72bcca86c01992d765c

SHA256
ca4c0f1ec0ccbc9988ea3f43ff73fe84228ffb4d76baddc386051dffe7ddd8c2

SHA512
74edd1e31517acaf4d367521df84e17bda0a60743852076bc2edbd9e634c810fb98a06b29562237dfd61fb98fec0e379c3ce5a86b361ed0f2594d10c1a93c11e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\K51LPOTM.txt
MD5
06052a57652f3acab8f896e3b0d25103

SHA1
d7e8e88a0f29ae97569a868a4d21700481722d73

SHA256
021d0be81066645d1f46ebffa728d11440abbcbddec3ff73afc143c5f6d57516

SHA512
d4e5c99a3ce5779a9bfac4c1884eeb0a1dee56f80c9a03d780a89bdfc64f48be4419151ae953118e75c88de25fde5a54d20a33e16c8ea307a780f3f4baf53286

Download Submit
C:\Users\Public\Desktop\Resume Reimage Repair Installation.lnk
MD5
730c65153e76fea999f1c1e4feaf480a

SHA1
bd17eeefc214ee02861282c50cd0a09028cdbfae

SHA256
61677f5dea4df2c7d7f405a1c29f5b62cca416af8e303d17f541a5ffa27e104b

SHA512
80f0d48b3fef54718e9b4b5450ebc0d0f334fcc47fe5ff5b666dc16a5644074808a536cc74b3e12db8b19a0e22a34812442982589709ea0ce66df1bf0415c7e2

Download Submit
C:\Windows\Reimage.ini
MD5
2c0c8a63eec5f9a589da44d13111fd05

SHA1
c55eaf22663560e81613888c3bbac0c222808348

SHA256
33082a702d068dab7c642812e9ec65db9dfca76720cba79fbe7def4df3ce0511

SHA512
674dde2382c7da1d8bd36c37edf6fdc7f340a07dc3b5823d4ad64bbcf3d53c0ebceed0831e78be8456233cd84edec95b0c1deb5af6b2a2151b564ac32ccc52b6

Download Submit
\Users\Admin\AppData\Local\Temp\ReimageRepair.exe
MD5
f5af9d859c9a031ab6bea66048fab6e1

SHA1
d0ee45d3534cc23cbd0d7c3765203ed926a7eb0a

SHA256
4efd1bc1bdc12da1bbdc597cf3f37f0c65e582f42e353cf781ac1fe422dfa68c

SHA512
c771c3e7ef88116168b9e3e0d0e4dbb2f2ad03dec0a87b9d3427faf7edb0a2510bb80dcb57b50fb6bcb9f683f23d876f35dc91a85006973bdb3fec41d51145a5

Download Submit
\Users\Admin\AppData\Local\Temp\ReimageRepair.exe
MD5
f5af9d859c9a031ab6bea66048fab6e1

SHA1
d0ee45d3534cc23cbd0d7c3765203ed926a7eb0a

SHA256
4efd1bc1bdc12da1bbdc597cf3f37f0c65e582f42e353cf781ac1fe422dfa68c

SHA512
c771c3e7ef88116168b9e3e0d0e4dbb2f2ad03dec0a87b9d3427faf7edb0a2510bb80dcb57b50fb6bcb9f683f23d876f35dc91a85006973bdb3fec41d51145a5

Download Submit
\Users\Admin\AppData\Local\Temp\nsc516C.tmp\Banner.dll
MD5
e264d0f91103758bc5b088e8547e0ec1

SHA1
24a94ff59668d18b908c78afd2a9563de2819680

SHA256
501b5935fe8e17516b324e3c1da89773e689359c12263e9782f95836dbab8b63

SHA512
a533278355defd265ef713d4169f06066be41dd60b0e7ed5340454c40aabc47afa47c5ce4c0dbcd6cb8380e2b25dbb1762c3c996d11ac9f70ab9763182850205

Download Submit
\Users\Admin\AppData\Local\Temp\nsc516C.tmp\LogEx.dll
MD5
0f96d9eb959ad4e8fd205e6d58cf01b8

SHA1
7c45512cbdb24216afd23a9e8cdce0cfeaa7660f

SHA256
57ede354532937e38c4ae9da3710ee295705ea9770c402dfb3a5c56a32fd4314

SHA512
9f3afb61d75ac7b7dc84abcbf1b04f759b7055992d46140dc5dcc269aed22268d044ee8030f5ea260bbb912774e5bbb751560c16e54efa99c700b9fc7d48832c

Download Submit
\Users\Admin\AppData\Local\Temp\nsc516C.tmp\System.dll
MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
\Users\Admin\AppData\Local\Temp\nsc516C.tmp\UserInfo.dll
MD5
c7ce0e47c83525983fd2c4c9566b4aad

SHA1
38b7ad7bb32ffae35540fce373b8a671878dc54e

SHA256
6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

SHA512
ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

Download Submit
\Users\Admin\AppData\Local\Temp\nsc516C.tmp\inetc.dll
MD5
5da9df435ff20853a2c45026e7681cef

SHA1
39b1d70a7a03e7c791cb21a53d82fd949706a4b4

SHA256
9c52c74b8e115db0bde90f56382ebcc12aff05eb2232f80a4701e957e09635e2

SHA512
4ab3b1572485a8a11863adada2c6ec01e809a4b09f99d80903c79a95b91f299b8f2cd6cceaa915567e155a46291a33fb8ccb95141d76d4e7b0e040890d51d09f

Download Submit
\Users\Admin\AppData\Local\Temp\nsc516C.tmp\inetc.dll
MD5
5da9df435ff20853a2c45026e7681cef

SHA1
39b1d70a7a03e7c791cb21a53d82fd949706a4b4

SHA256
9c52c74b8e115db0bde90f56382ebcc12aff05eb2232f80a4701e957e09635e2

SHA512
4ab3b1572485a8a11863adada2c6ec01e809a4b09f99d80903c79a95b91f299b8f2cd6cceaa915567e155a46291a33fb8ccb95141d76d4e7b0e040890d51d09f

Download Submit
\Users\Admin\AppData\Local\Temp\nsc516C.tmp\inetc.dll
MD5
5da9df435ff20853a2c45026e7681cef

SHA1
39b1d70a7a03e7c791cb21a53d82fd949706a4b4

SHA256
9c52c74b8e115db0bde90f56382ebcc12aff05eb2232f80a4701e957e09635e2

SHA512
4ab3b1572485a8a11863adada2c6ec01e809a4b09f99d80903c79a95b91f299b8f2cd6cceaa915567e155a46291a33fb8ccb95141d76d4e7b0e040890d51d09f

Download Submit
\Users\Admin\AppData\Local\Temp\nsc516C.tmp\nsDialogs.dll
MD5
4ccc4a742d4423f2f0ed744fd9c81f63

SHA1
704f00a1acc327fd879cf75fc90d0b8f927c36bc

SHA256
416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6

SHA512
790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

Download Submit
\Users\Admin\AppData\Local\Temp\nsc516C.tmp\nsExec.dll
MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
\Users\Admin\AppData\Local\Temp\nsc516C.tmp\nsExec.dll
MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
\Users\Admin\AppData\Local\Temp\nsc516C.tmp\nsExec.dll
MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
\Users\Admin\AppData\Local\Temp\nsc516C.tmp\nsExec.dll
MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
\Users\Admin\AppData\Local\Temp\nsc516C.tmp\nsExec.dll
MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
\Users\Admin\AppData\Local\Temp\nsc516C.tmp\stack.dll
MD5
867af9bea8b24c78736bf8d0fdb5a78e

SHA1
05839fad98aa2bcd9f6ecb22de4816e0c75bf97d

SHA256
732164fb36f46dd23dafb6d7621531e70f1f81e2967b3053727ec7b5492d0ae9

SHA512
b7f54d52ff08b29a04b4f5887e6e3ae0e74fa45a86e55e0a4d362bc3603426c42c1d6a0b2fc2ef574bec0f6c7152de756ff48415e37ae6a7a9c296303562df4b

Download Submit
\Users\Admin\AppData\Local\Temp\nsc516C.tmp\xml.dll
MD5
ebce8f5e440e0be57665e1e58dfb7425

SHA1
573dc1abd2b03512f390f569058fd2cf1d02ce91

SHA256
d1aaacc0aaf477b6b9f084697adcb444fc2333b32e8d99d224dca89516e762a7

SHA512
4786c9124973b6543d7291047d4c4a06c05282a3766212dbd3b8ce9b9560afddca20c491f791db2258c14ab767d5d3f480daa4706492949eae2ceb4a35aaef85

Download Submit
\Users\Admin\AppData\Local\Temp\nsc516C.tmp\xml.dll
MD5
ebce8f5e440e0be57665e1e58dfb7425

SHA1
573dc1abd2b03512f390f569058fd2cf1d02ce91

SHA256
d1aaacc0aaf477b6b9f084697adcb444fc2333b32e8d99d224dca89516e762a7

SHA512
4786c9124973b6543d7291047d4c4a06c05282a3766212dbd3b8ce9b9560afddca20c491f791db2258c14ab767d5d3f480daa4706492949eae2ceb4a35aaef85

Download Submit
\Users\Admin\AppData\Local\Temp\nsc516C.tmp\xml.dll
MD5
ebce8f5e440e0be57665e1e58dfb7425

SHA1
573dc1abd2b03512f390f569058fd2cf1d02ce91

SHA256
d1aaacc0aaf477b6b9f084697adcb444fc2333b32e8d99d224dca89516e762a7

SHA512
4786c9124973b6543d7291047d4c4a06c05282a3766212dbd3b8ce9b9560afddca20c491f791db2258c14ab767d5d3f480daa4706492949eae2ceb4a35aaef85

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8CF6.tmp\Banner.dll
MD5
e264d0f91103758bc5b088e8547e0ec1

SHA1
24a94ff59668d18b908c78afd2a9563de2819680

SHA256
501b5935fe8e17516b324e3c1da89773e689359c12263e9782f95836dbab8b63

SHA512
a533278355defd265ef713d4169f06066be41dd60b0e7ed5340454c40aabc47afa47c5ce4c0dbcd6cb8380e2b25dbb1762c3c996d11ac9f70ab9763182850205

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8CF6.tmp\LogEx.dll
MD5
0f96d9eb959ad4e8fd205e6d58cf01b8

SHA1
7c45512cbdb24216afd23a9e8cdce0cfeaa7660f

SHA256
57ede354532937e38c4ae9da3710ee295705ea9770c402dfb3a5c56a32fd4314

SHA512
9f3afb61d75ac7b7dc84abcbf1b04f759b7055992d46140dc5dcc269aed22268d044ee8030f5ea260bbb912774e5bbb751560c16e54efa99c700b9fc7d48832c

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8CF6.tmp\System.dll
MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8CF6.tmp\UserInfo.dll
MD5
c7ce0e47c83525983fd2c4c9566b4aad

SHA1
38b7ad7bb32ffae35540fce373b8a671878dc54e

SHA256
6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

SHA512
ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8CF6.tmp\nsExec.dll
MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8CF6.tmp\nsExec.dll
MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8CF6.tmp\nsExec.dll
MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8CF6.tmp\nsExec.dll
MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
\Users\Admin\AppData\Local\Temp\nsi8CF6.tmp\nsExec.dll
MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.exe
MD5
91cdcea4be94624e198d3012f5442584

SHA1
fab4043494e4bb02efbaf72bcca86c01992d765c

SHA256
ca4c0f1ec0ccbc9988ea3f43ff73fe84228ffb4d76baddc386051dffe7ddd8c2

SHA512
74edd1e31517acaf4d367521df84e17bda0a60743852076bc2edbd9e634c810fb98a06b29562237dfd61fb98fec0e379c3ce5a86b361ed0f2594d10c1a93c11e

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.exe
MD5
91cdcea4be94624e198d3012f5442584

SHA1
fab4043494e4bb02efbaf72bcca86c01992d765c

SHA256
ca4c0f1ec0ccbc9988ea3f43ff73fe84228ffb4d76baddc386051dffe7ddd8c2

SHA512
74edd1e31517acaf4d367521df84e17bda0a60743852076bc2edbd9e634c810fb98a06b29562237dfd61fb98fec0e379c3ce5a86b361ed0f2594d10c1a93c11e

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.exe
MD5
91cdcea4be94624e198d3012f5442584

SHA1
fab4043494e4bb02efbaf72bcca86c01992d765c

SHA256
ca4c0f1ec0ccbc9988ea3f43ff73fe84228ffb4d76baddc386051dffe7ddd8c2

SHA512
74edd1e31517acaf4d367521df84e17bda0a60743852076bc2edbd9e634c810fb98a06b29562237dfd61fb98fec0e379c3ce5a86b361ed0f2594d10c1a93c11e

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.exe
MD5
91cdcea4be94624e198d3012f5442584

SHA1
fab4043494e4bb02efbaf72bcca86c01992d765c

SHA256
ca4c0f1ec0ccbc9988ea3f43ff73fe84228ffb4d76baddc386051dffe7ddd8c2

SHA512
74edd1e31517acaf4d367521df84e17bda0a60743852076bc2edbd9e634c810fb98a06b29562237dfd61fb98fec0e379c3ce5a86b361ed0f2594d10c1a93c11e

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.exe
MD5
91cdcea4be94624e198d3012f5442584

SHA1
fab4043494e4bb02efbaf72bcca86c01992d765c

SHA256
ca4c0f1ec0ccbc9988ea3f43ff73fe84228ffb4d76baddc386051dffe7ddd8c2

SHA512
74edd1e31517acaf4d367521df84e17bda0a60743852076bc2edbd9e634c810fb98a06b29562237dfd61fb98fec0e379c3ce5a86b361ed0f2594d10c1a93c11e

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.exe
MD5
91cdcea4be94624e198d3012f5442584

SHA1
fab4043494e4bb02efbaf72bcca86c01992d765c

SHA256
ca4c0f1ec0ccbc9988ea3f43ff73fe84228ffb4d76baddc386051dffe7ddd8c2

SHA512
74edd1e31517acaf4d367521df84e17bda0a60743852076bc2edbd9e634c810fb98a06b29562237dfd61fb98fec0e379c3ce5a86b361ed0f2594d10c1a93c11e

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.exe
MD5
91cdcea4be94624e198d3012f5442584

SHA1
fab4043494e4bb02efbaf72bcca86c01992d765c

SHA256
ca4c0f1ec0ccbc9988ea3f43ff73fe84228ffb4d76baddc386051dffe7ddd8c2

SHA512
74edd1e31517acaf4d367521df84e17bda0a60743852076bc2edbd9e634c810fb98a06b29562237dfd61fb98fec0e379c3ce5a86b361ed0f2594d10c1a93c11e

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.exe
MD5
91cdcea4be94624e198d3012f5442584

SHA1
fab4043494e4bb02efbaf72bcca86c01992d765c

SHA256
ca4c0f1ec0ccbc9988ea3f43ff73fe84228ffb4d76baddc386051dffe7ddd8c2

SHA512
74edd1e31517acaf4d367521df84e17bda0a60743852076bc2edbd9e634c810fb98a06b29562237dfd61fb98fec0e379c3ce5a86b361ed0f2594d10c1a93c11e

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.exe
MD5
91cdcea4be94624e198d3012f5442584

SHA1
fab4043494e4bb02efbaf72bcca86c01992d765c

SHA256
ca4c0f1ec0ccbc9988ea3f43ff73fe84228ffb4d76baddc386051dffe7ddd8c2

SHA512
74edd1e31517acaf4d367521df84e17bda0a60743852076bc2edbd9e634c810fb98a06b29562237dfd61fb98fec0e379c3ce5a86b361ed0f2594d10c1a93c11e

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.exe
MD5
91cdcea4be94624e198d3012f5442584

SHA1
fab4043494e4bb02efbaf72bcca86c01992d765c

SHA256
ca4c0f1ec0ccbc9988ea3f43ff73fe84228ffb4d76baddc386051dffe7ddd8c2

SHA512
74edd1e31517acaf4d367521df84e17bda0a60743852076bc2edbd9e634c810fb98a06b29562237dfd61fb98fec0e379c3ce5a86b361ed0f2594d10c1a93c11e

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.exe
MD5
91cdcea4be94624e198d3012f5442584

SHA1
fab4043494e4bb02efbaf72bcca86c01992d765c

SHA256
ca4c0f1ec0ccbc9988ea3f43ff73fe84228ffb4d76baddc386051dffe7ddd8c2

SHA512
74edd1e31517acaf4d367521df84e17bda0a60743852076bc2edbd9e634c810fb98a06b29562237dfd61fb98fec0e379c3ce5a86b361ed0f2594d10c1a93c11e

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.exe
MD5
91cdcea4be94624e198d3012f5442584

SHA1
fab4043494e4bb02efbaf72bcca86c01992d765c

SHA256
ca4c0f1ec0ccbc9988ea3f43ff73fe84228ffb4d76baddc386051dffe7ddd8c2

SHA512
74edd1e31517acaf4d367521df84e17bda0a60743852076bc2edbd9e634c810fb98a06b29562237dfd61fb98fec0e379c3ce5a86b361ed0f2594d10c1a93c11e

Download Submit
memory/324-108-0x0000000000000000-mapping.dmp

Download
memory/340-35-0x0000000000000000-mapping.dmp

Download
memory/340-73-0x0000000000000000-mapping.dmp

Download
memory/432-94-0x0000000000000000-mapping.dmp

Download
memory/432-126-0x0000000000000000-mapping.dmp

Download
memory/516-124-0x0000000000000000-mapping.dmp

Download
memory/520-114-0x0000000000000000-mapping.dmp

Download
memory/612-69-0x0000000000000000-mapping.dmp

Download
memory/748-65-0x0000000000000000-mapping.dmp

Download
memory/748-113-0x0000000000000000-mapping.dmp

Download
memory/748-30-0x0000000000000000-mapping.dmp

Download
memory/848-95-0x0000000000000000-mapping.dmp

Download
memory/856-31-0x0000000000000000-mapping.dmp

Download
memory/868-105-0x0000000000000000-mapping.dmp

Download
memory/908-99-0x0000000000000000-mapping.dmp

Download
memory/936-111-0x0000000000000000-mapping.dmp

Download
memory/940-100-0x0000000000000000-mapping.dmp

Download
memory/944-142-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/960-120-0x0000000000000000-mapping.dmp

Download
memory/968-110-0x0000000000000000-mapping.dmp

Download
memory/1004-40-0x0000000000000000-mapping.dmp

Download
memory/1004-101-0x0000000000000000-mapping.dmp

Download
memory/1004-92-0x0000000000000000-mapping.dmp

Download
memory/1004-41-0x000007FEFBA01000-0x000007FEFBA03000-memory.dmp

Filesize
8KB

Download
memory/1008-23-0x0000000000000000-mapping.dmp

Download
memory/1036-136-0x0000000000000000-mapping.dmp

Download
memory/1100-122-0x0000000000000000-mapping.dmp

Download
memory/1168-129-0x0000000000000000-mapping.dmp

Download
memory/1304-89-0x0000000000000000-mapping.dmp

Download
memory/1320-106-0x0000000000000000-mapping.dmp

Download
memory/1348-141-0x0000000000000000-mapping.dmp

Download
memory/1388-139-0x0000000000000000-mapping.dmp

Download
memory/1396-134-0x0000000000000000-mapping.dmp

Download
memory/1408-90-0x0000000000000000-mapping.dmp

Download
memory/1408-98-0x0000000000000000-mapping.dmp

Download
memory/1448-128-0x0000000000000000-mapping.dmp

Download
memory/1472-117-0x0000000000000000-mapping.dmp

Download
memory/1472-96-0x0000000000000000-mapping.dmp

Download
memory/1512-112-0x0000000000000000-mapping.dmp

Download
memory/1560-133-0x0000000000000000-mapping.dmp

Download
memory/1560-116-0x0000000000000000-mapping.dmp

Download
memory/1580-115-0x0000000000000000-mapping.dmp

Download
memory/1588-60-0x0000000000000000-mapping.dmp

Download
memory/1612-107-0x0000000000000000-mapping.dmp

Download
memory/1616-104-0x0000000000000000-mapping.dmp

Download
memory/1620-102-0x0000000000000000-mapping.dmp

Download
memory/1632-140-0x0000000000000000-mapping.dmp

Download
memory/1636-76-0x0000000000000000-mapping.dmp

Download
memory/1644-27-0x0000000000000000-mapping.dmp

Download
memory/1660-137-0x0000000000000000-mapping.dmp

Download
memory/1700-103-0x0000000000000000-mapping.dmp

Download
memory/1712-130-0x0000000000000000-mapping.dmp

Download
memory/1740-97-0x0000000000000000-mapping.dmp

Download
memory/1740-132-0x0000000000000000-mapping.dmp

Download
memory/1752-16-0x0000000000000000-mapping.dmp

Download
memory/1764-138-0x0000000000000000-mapping.dmp

Download
memory/1788-118-0x0000000000000000-mapping.dmp

Download
memory/1796-49-0x0000000000000000-mapping.dmp

Download
memory/1864-2-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download
memory/1900-20-0x0000000000000000-mapping.dmp

Download
memory/1972-13-0x0000000000000000-mapping.dmp

Download
memory/1996-80-0x0000000000000000-mapping.dmp

Download
memory/2000-8-0x0000000000000000-mapping.dmp

Download
memory/2000-38-0x000007FEF7810000-0x000007FEF7A8A000-memory.dmp

Filesize
2.5MB

Download
memory/2004-135-0x0000000000000000-mapping.dmp

Download
memory/2004-86-0x0000000000000000-mapping.dmp

Download
memory/2020-85-0x0000000000000000-mapping.dmp

Download
memory/2040-34-0x0000000000000000-mapping.dmp

Download