acb4f32c3df8689dfde4bbbd61f7f1fccaf0a8a260753445899c609a1ac4ef64

Analysis

max time kernel
150s
max time network
148s
platform
windows10_x64
resource
win10v20201028
submitted
18-01-2021 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
Size

590KB
MD5

b086da5b4e3a6027283b2ba5158852a4
SHA1

2bfb39f18fba13a26fb50ec946677ef96a6604e7
SHA256

9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283
SHA512

1773007761a626e3f67719ec6582c08f630ada63a77b3941810648f6769ccb3cd6989a721927cfd6c1cce7670de1094a37db8d6342d578e22920f89c5a0740f5

Score

10^/10

discovery persistence spyware

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Executes dropped EXE 18 IoCs

Processes:

sqlite3.exesqlite3.exesqlite3.exeReimageRepair.exesqlite3.exesqlite3.exesqlite3.exesqlite3.exeReimagePackage.exelzma.exelzma.exeProtectorUpdater.exeUniProtectorPackage.exeReiGuard.exeReiGuard.exeReiSystem.exeReimageApp.exeReimage.exe

pid	process
4260	sqlite3.exe
3356	sqlite3.exe
2808	sqlite3.exe
2388	ReimageRepair.exe
2248	sqlite3.exe
4620	sqlite3.exe
4696	sqlite3.exe
2160	sqlite3.exe
2156	ReimagePackage.exe
4468	lzma.exe
4256	lzma.exe
3968	ProtectorUpdater.exe
4336	UniProtectorPackage.exe
1892	ReiGuard.exe
4496	ReiGuard.exe
2916	ReiSystem.exe
4720	ReimageApp.exe
4476	Reimage.exe

Loads dropped DLL 117 IoCs

Processes:

9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exeReimageRepair.exeReimagePackage.exe

pid	process
4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
2388	ReimageRepair.exe
2388	ReimageRepair.exe
2388	ReimageRepair.exe
2388	ReimageRepair.exe
2388	ReimageRepair.exe
2388	ReimageRepair.exe
2388	ReimageRepair.exe
2388	ReimageRepair.exe
2388	ReimageRepair.exe
2388	ReimageRepair.exe
2388	ReimageRepair.exe
2388	ReimageRepair.exe
2388	ReimageRepair.exe
2388	ReimageRepair.exe
2388	ReimageRepair.exe
2388	ReimageRepair.exe
2388	ReimageRepair.exe
2388	ReimageRepair.exe
2388	ReimageRepair.exe
2388	ReimageRepair.exe
2388	ReimageRepair.exe
2388	ReimageRepair.exe
2388	ReimageRepair.exe
2388	ReimageRepair.exe
2388	ReimageRepair.exe
2388	ReimageRepair.exe
2388	ReimageRepair.exe
2388	ReimageRepair.exe
2388	ReimageRepair.exe
2388	ReimageRepair.exe
2388	ReimageRepair.exe
2388	ReimageRepair.exe
2388	ReimageRepair.exe
2388	ReimageRepair.exe
2388	ReimageRepair.exe
2388	ReimageRepair.exe
2156	ReimagePackage.exe
2156	ReimagePackage.exe
2156	ReimagePackage.exe
2156	ReimagePackage.exe
2156	ReimagePackage.exe
2156	ReimagePackage.exe
2156	ReimagePackage.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ReimagePackage.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	ReimagePackage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Reimage = "\"C:\\Program Files\\Reimage\\Reimage Protector\\ReimageApp.exe\""	ReimagePackage.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ReiGuard.exe

description	ioc	process
File opened (read-only)	\??\F:	ReiGuard.exe
File opened (read-only)	\??\L:	ReiGuard.exe
File opened (read-only)	\??\M:	ReiGuard.exe
File opened (read-only)	\??\V:	ReiGuard.exe
File opened (read-only)	\??\Z:	ReiGuard.exe
File opened (read-only)	\??\A:	ReiGuard.exe
File opened (read-only)	\??\G:	ReiGuard.exe
File opened (read-only)	\??\H:	ReiGuard.exe
File opened (read-only)	\??\Y:	ReiGuard.exe
File opened (read-only)	\??\B:	ReiGuard.exe
File opened (read-only)	\??\K:	ReiGuard.exe
File opened (read-only)	\??\X:	ReiGuard.exe
File opened (read-only)	\??\E:	ReiGuard.exe
File opened (read-only)	\??\J:	ReiGuard.exe
File opened (read-only)	\??\N:	ReiGuard.exe
File opened (read-only)	\??\O:	ReiGuard.exe
File opened (read-only)	\??\P:	ReiGuard.exe
File opened (read-only)	\??\Q:	ReiGuard.exe
File opened (read-only)	\??\R:	ReiGuard.exe
File opened (read-only)	\??\S:	ReiGuard.exe
File opened (read-only)	\??\I:	ReiGuard.exe
File opened (read-only)	\??\U:	ReiGuard.exe
File opened (read-only)	\??\W:	ReiGuard.exe
File opened (read-only)	\??\T:	ReiGuard.exe

Drops file in System32 directory 7 IoCs

Processes:

ReiGuard.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_10CFD21835FBC4730F33B8DAC8D7DB43	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_10CFD21835FBC4730F33B8DAC8D7DB43	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE	ReiGuard.exe

Drops file in Program Files directory 34 IoCs

Processes:

ReimagePackage.exeUniProtectorPackage.exelzma.exelzma.exe

description	ioc	process
File created	C:\Program Files\Reimage\Reimage Protector\ReimageApp.exe	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\REI_AVIRA.exe	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\Reimage_uninstall.ico	ReimagePackage.exe
File opened for modification	C:\Program Files\Reimage\Reimage Repair\Reimage Repair Help & Support.url	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Protector\ReiScanner.exe	UniProtectorPackage.exe
File created	C:\Program Files\Reimage\Reimage Protector\ReiProtectorM.exe	UniProtectorPackage.exe
File created	C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe	UniProtectorPackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\engine.dat	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\Reimage.exe	ReimagePackage.exe
File opened for modification	C:\Program Files\Reimage\Reimage Repair\ReimageRepair.exe	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\Reimageicon.ico	ReimagePackage.exe
File opened for modification	C:\Program Files\Reimage\Reimage Repair\Reimage Repair Privacy Policy.url	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\uninst.exe	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\version.rei	ReimagePackage.exe
File opened for modification	C:\Program Files\Reimage\Reimage Repair\reimage.dat	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\Reimage_SafeMode.ico	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\LZMA.EXE	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.lza	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\REI_Engine.lza	ReimagePackage.exe
File opened for modification	C:\Program Files\Reimage\Reimage Repair\engine.dat	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll	lzma.exe
File created	C:\Program Files\Reimage\Reimage Repair\reimage.dat	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\REI_SupportInfoTool.exe	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\ReimageRepair.exe	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\Reimage_website.ico	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\ReimageSafeMode.exe	ReimagePackage.exe
File opened for modification	C:\Program Files\Reimage\Reimage Repair\Reimage Repair Terms of Use.url	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Protector\ProtectorUpdater.exe	UniProtectorPackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\ReimageReminder.exe	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll	lzma.exe
File created	C:\Program Files\Reimage\Reimage Repair\msvcr120.dll	ReimagePackage.exe
File opened for modification	C:\Program Files\Reimage\Reimage Repair\Reimage Repair Uninstall Instructions.url	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe	UniProtectorPackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\savapi.dll	ReimagePackage.exe

Drops file in Windows directory 8 IoCs

Processes:

UniProtectorPackage.exeReimagePackage.exeReiGuard.exe9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exeReimageRepair.exeProtectorUpdater.exe

description	ioc	process
File opened for modification	C:\Windows\Reimage.ini	UniProtectorPackage.exe
File opened for modification	C:\Windows\reimage.ini	ReimagePackage.exe
File opened for modification	C:\Windows\TEMPregistrylog\.log	ReiGuard.exe
File opened for modification	C:\Windows\Reimage.ini	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
File opened for modification	C:\Windows\reimage.ini	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
File opened for modification	C:\Windows\Reimage.ini	ReimageRepair.exe
File opened for modification	C:\Windows\reimage.ini	ReimageRepair.exe
File opened for modification	C:\Windows\Reimage.ini	ProtectorUpdater.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3104 4476 WerFault.exe Reimage.exe

pid	pid_target	process	target process
3104	4476	WerFault.exe	Reimage.exe

Enumerates processes with tasklist 1 TTPs 17 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
352	tasklist.exe
4872	tasklist.exe
4568	tasklist.exe
4744	tasklist.exe
2564	tasklist.exe
612	tasklist.exe
1776	tasklist.exe
4664	tasklist.exe
4644	tasklist.exe
4232	tasklist.exe
4900	tasklist.exe
4416	tasklist.exe
804	tasklist.exe
4412	tasklist.exe
784	tasklist.exe
4888	tasklist.exe
416	tasklist.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

Reimage.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Reimage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Reimage.exe

Modifies data under HKEY_USERS 52 IoCs

Processes:

ReiGuard.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ReiGuard.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	ReiGuard.exe

Modifies registry class 498 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\REI_AxControl.ReiEngine.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}\TypeLib\ = "{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\ = "JScript Language Authoring"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID\ = "JScript.Encode"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT.COMPACT\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\ = "JScript Language"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\ = "JScript Language Authoring"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\Version\ = "1.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\INPROCSERVER32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT.COMPACT AUTHOR\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\ = "JScript Language Authoring"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\VersionIndependentProgID\ = "REI_AxControl.ReiEngine"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\ = "JScript Language Authoring"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT1.1 AUTHOR\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT.COMPACT AUTHOR\OLESCRIPT	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{0AEE2A92-BCBB-11D0-8C72-00C04FC2B085}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\ECMASCRIPT\OLESCRIPT	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\ = "JScript Language"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\INPROCSERVER32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\PROGID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\ = "JScript Compact Profile (ECMA 327)"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID\ = "JScript Author"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\OLEScript	regsvr32.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

ReiGuard.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ReiGuard.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ReiGuard.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ReiGuard.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ReiGuard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	ReiGuard.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

ReiGuard.exeReiGuard.exeReiSystem.exeWerFault.exe

pid	process
1892	ReiGuard.exe
1892	ReiGuard.exe
1892	ReiGuard.exe
1892	ReiGuard.exe
4496	ReiGuard.exe
4496	ReiGuard.exe
4496	ReiGuard.exe
1892	ReiGuard.exe
4496	ReiGuard.exe
1892	ReiGuard.exe
4496	ReiGuard.exe
4496	ReiGuard.exe
2916	ReiSystem.exe
2916	ReiSystem.exe
1892	ReiGuard.exe
1892	ReiGuard.exe
1892	ReiGuard.exe
1892	ReiGuard.exe
4496	ReiGuard.exe
4496	ReiGuard.exe
4496	ReiGuard.exe
4496	ReiGuard.exe
3104	WerFault.exe
3104	WerFault.exe
3104	WerFault.exe
3104	WerFault.exe
3104	WerFault.exe
3104	WerFault.exe
3104	WerFault.exe
3104	WerFault.exe
3104	WerFault.exe
3104	WerFault.exe
3104	WerFault.exe
3104	WerFault.exe
3104	WerFault.exe
3104	WerFault.exe
3104	WerFault.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	804	tasklist.exe
Token: SeDebugPrivilege	1776	tasklist.exe
Token: SeDebugPrivilege	4664	tasklist.exe
Token: SeDebugPrivilege	4412	tasklist.exe
Token: SeDebugPrivilege	352	tasklist.exe
Token: SeDebugPrivilege	784	tasklist.exe
Token: SeDebugPrivilege	4888	tasklist.exe
Token: SeDebugPrivilege	416	tasklist.exe
Token: SeDebugPrivilege	4872	tasklist.exe
Token: SeDebugPrivilege	4568	tasklist.exe
Token: SeDebugPrivilege	4644	tasklist.exe
Token: SeDebugPrivilege	4744	tasklist.exe
Token: SeDebugPrivilege	2564	tasklist.exe
Token: SeDebugPrivilege	4232	tasklist.exe
Token: SeDebugPrivilege	612	tasklist.exe
Token: SeDebugPrivilege	4900	tasklist.exe
Token: SeDebugPrivilege	4416	tasklist.exe
Token: SeBackupPrivilege	4476	Reimage.exe
Token: SeRestorePrivilege	4476	Reimage.exe
Token: SeTakeOwnershipPrivilege	4476	Reimage.exe
Token: SeDebugPrivilege	4476	Reimage.exe
Token: SeDebugPrivilege	3104	WerFault.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

ReimageApp.exeReimage.exe

pid process

4720 ReimageApp.exe
4476 Reimage.exe
4720 ReimageApp.exe
4720 ReimageApp.exe
4720 ReimageApp.exe
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

ReimageApp.exeReimage.exe

pid process

4720 ReimageApp.exe
4476 Reimage.exe
4720 ReimageApp.exe
4720 ReimageApp.exe
4720 ReimageApp.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Reimage.exe

pid process

4476 Reimage.exe
4476 Reimage.exe
4476 Reimage.exe
4476 Reimage.exe

pid	process
4720	ReimageApp.exe
4476	Reimage.exe
4720	ReimageApp.exe
4720	ReimageApp.exe
4720	ReimageApp.exe

pid	process
4720	ReimageApp.exe
4476	Reimage.exe
4720	ReimageApp.exe
4720	ReimageApp.exe
4720	ReimageApp.exe

pid	process
4476	Reimage.exe
4476	Reimage.exe
4476	Reimage.exe
4476	Reimage.exe

Suspicious use of WriteProcessMemory 187 IoCs

Processes:

9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.execmd.execmd.execmd.execmd.execmd.exeReimageRepair.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4772 wrote to memory of 2496	4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	cmd.exe
PID 4772 wrote to memory of 2496	4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	cmd.exe
PID 4772 wrote to memory of 2496	4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	cmd.exe
PID 2496 wrote to memory of 4260	2496	cmd.exe	sqlite3.exe
PID 2496 wrote to memory of 4260	2496	cmd.exe	sqlite3.exe
PID 2496 wrote to memory of 4260	2496	cmd.exe	sqlite3.exe
PID 4772 wrote to memory of 3232	4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	cmd.exe
PID 4772 wrote to memory of 3232	4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	cmd.exe
PID 4772 wrote to memory of 3232	4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	cmd.exe
PID 3232 wrote to memory of 3356	3232	cmd.exe	sqlite3.exe
PID 3232 wrote to memory of 3356	3232	cmd.exe	sqlite3.exe
PID 3232 wrote to memory of 3356	3232	cmd.exe	sqlite3.exe
PID 4772 wrote to memory of 4152	4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	cmd.exe
PID 4772 wrote to memory of 4152	4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	cmd.exe
PID 4772 wrote to memory of 4152	4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	cmd.exe
PID 4152 wrote to memory of 2808	4152	cmd.exe	sqlite3.exe
PID 4152 wrote to memory of 2808	4152	cmd.exe	sqlite3.exe
PID 4152 wrote to memory of 2808	4152	cmd.exe	sqlite3.exe
PID 4772 wrote to memory of 560	4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	cmd.exe
PID 4772 wrote to memory of 560	4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	cmd.exe
PID 4772 wrote to memory of 560	4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	cmd.exe
PID 560 wrote to memory of 804	560	cmd.exe	tasklist.exe
PID 560 wrote to memory of 804	560	cmd.exe	tasklist.exe
PID 560 wrote to memory of 804	560	cmd.exe	tasklist.exe
PID 4772 wrote to memory of 1544	4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	cmd.exe
PID 4772 wrote to memory of 1544	4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	cmd.exe
PID 4772 wrote to memory of 1544	4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	cmd.exe
PID 1544 wrote to memory of 1776	1544	cmd.exe	tasklist.exe
PID 1544 wrote to memory of 1776	1544	cmd.exe	tasklist.exe
PID 1544 wrote to memory of 1776	1544	cmd.exe	tasklist.exe
PID 4772 wrote to memory of 4592	4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	regsvr32.exe
PID 4772 wrote to memory of 4592	4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	regsvr32.exe
PID 4772 wrote to memory of 2388	4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	ReimageRepair.exe
PID 4772 wrote to memory of 2388	4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	ReimageRepair.exe
PID 4772 wrote to memory of 2388	4772	9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe	ReimageRepair.exe
PID 2388 wrote to memory of 4724	2388	ReimageRepair.exe	cmd.exe
PID 2388 wrote to memory of 4724	2388	ReimageRepair.exe	cmd.exe
PID 2388 wrote to memory of 4724	2388	ReimageRepair.exe	cmd.exe
PID 4724 wrote to memory of 2248	4724	cmd.exe	sqlite3.exe
PID 4724 wrote to memory of 2248	4724	cmd.exe	sqlite3.exe
PID 4724 wrote to memory of 2248	4724	cmd.exe	sqlite3.exe
PID 2388 wrote to memory of 204	2388	ReimageRepair.exe	cmd.exe
PID 2388 wrote to memory of 204	2388	ReimageRepair.exe	cmd.exe
PID 2388 wrote to memory of 204	2388	ReimageRepair.exe	cmd.exe
PID 204 wrote to memory of 4620	204	cmd.exe	sqlite3.exe
PID 204 wrote to memory of 4620	204	cmd.exe	sqlite3.exe
PID 204 wrote to memory of 4620	204	cmd.exe	sqlite3.exe
PID 2388 wrote to memory of 2828	2388	ReimageRepair.exe	cmd.exe
PID 2388 wrote to memory of 2828	2388	ReimageRepair.exe	cmd.exe
PID 2388 wrote to memory of 2828	2388	ReimageRepair.exe	cmd.exe
PID 2828 wrote to memory of 4696	2828	cmd.exe	sqlite3.exe
PID 2828 wrote to memory of 4696	2828	cmd.exe	sqlite3.exe
PID 2828 wrote to memory of 4696	2828	cmd.exe	sqlite3.exe
PID 2388 wrote to memory of 1092	2388	ReimageRepair.exe	cmd.exe
PID 2388 wrote to memory of 1092	2388	ReimageRepair.exe	cmd.exe
PID 2388 wrote to memory of 1092	2388	ReimageRepair.exe	cmd.exe
PID 1092 wrote to memory of 4664	1092	cmd.exe	tasklist.exe
PID 1092 wrote to memory of 4664	1092	cmd.exe	tasklist.exe
PID 1092 wrote to memory of 4664	1092	cmd.exe	tasklist.exe
PID 2388 wrote to memory of 4228	2388	ReimageRepair.exe	cmd.exe
PID 2388 wrote to memory of 4228	2388	ReimageRepair.exe	cmd.exe
PID 2388 wrote to memory of 4228	2388	ReimageRepair.exe	cmd.exe
PID 4228 wrote to memory of 4412	4228	cmd.exe	tasklist.exe
PID 4228 wrote to memory of 4412	4228	cmd.exe	tasklist.exe

C:\Users\Admin\AppData\Local\Temp\9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe
"C:\Users\Admin\AppData\Local\Temp\9f8f2ba88fa5237c6ffd62cb54979c0cd9837303f1829f8107a3e18456ec9283.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
2⤵
- Suspicious use of WriteProcessMemory
PID:2496

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q57s84fv.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_trackid';"
3⤵
- Executes dropped EXE
PID:4260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
2⤵
- Suspicious use of WriteProcessMemory
PID:3232

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q57s84fv.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_tracking';"
3⤵
- Executes dropped EXE
PID:3356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
2⤵
- Suspicious use of WriteProcessMemory
PID:4152

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q57s84fv.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_campaign';"
3⤵
- Executes dropped EXE
PID:2808

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
2⤵
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Reimage.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:804

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
2⤵
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq avupdate.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32 /s "C:\Windows\system32\jscript.dll"
2⤵
- Modifies registry class
PID:4592

C:\Users\Admin\AppData\Local\Temp\ReimageRepair.exe
"C:\Users\Admin\AppData\Local\Temp\ReimageRepair.exe" /update=1 /Language=1033 /tracking=0 /campaign=0 /adgroup=0 /Ads_Name=0 /Keyword=0 /ResumeInstall=2 /RunSilent=false /pxkp=Delete /ShowName=True /StartScan=0
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
3⤵
- Suspicious use of WriteProcessMemory
PID:4724

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q57s84fv.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_trackid';"
4⤵
- Executes dropped EXE
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
3⤵
- Suspicious use of WriteProcessMemory
PID:204

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q57s84fv.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_tracking';"
4⤵
- Executes dropped EXE
PID:4620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
3⤵
- Suspicious use of WriteProcessMemory
PID:2828

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q57s84fv.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_campaign';"
4⤵
- Executes dropped EXE
PID:4696

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
3⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Reimage.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
3⤵
- Suspicious use of WriteProcessMemory
PID:4228

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq avupdate.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32 /s "C:\Windows\system32\jscript.dll"
3⤵
- Modifies registry class
PID:3204

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq ReimagePackage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
3⤵
PID:904

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq ReimagePackage.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:352

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
3⤵
PID:2008

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:784

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq GeoProxy.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
3⤵
PID:4544

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq GeoProxy.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
3⤵
PID:4948

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q57s84fv.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_country';"
4⤵
- Executes dropped EXE
PID:2160

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq Wireshark.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
3⤵
PID:2148

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Wireshark.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:416

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq Fiddler.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
3⤵
PID:1212

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Fiddler.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq smsniff.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
3⤵
PID:5008

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq smsniff.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe
"C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe" /GUI=http://www.reimageplus.com/GUI/GUI1957/layout.php?consumer=1&gui_branch=0&trackutil=&MinorSessionID=527ccbbdc1f04137821c3793b1&lang_code=en&bundle=0&loadresults=0&ShowSettings=false "/Location=C:\Users\Admin\AppData\Local\Temp\ReimageRepair.exe" /uninstallX86=TRUE /trackutil= /CookieTracking= /CookieCampaign= /EventUser=New /Update=1 /DownloaderVersion=1956 /RunSilent=false /SessionID=c7153628-15d3-49d7-8dd9-0fa92ff0c2c8 /IDMinorSession=527ccbbdc1f04137821c3793b1 /pxkp=Delete /ScanSilent=0 /Close=0 /cil=DISABLED /ShowName=True /Language=1033 /GuiLang=en /AgentStatus=ENABLED /StartScan=0 /VersionInfo=versionInfo /ShowSettings=true
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2156

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
4⤵
PID:4480

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Reimage.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
4⤵
PID:4736

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq avupdate.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4744

C:\Program Files\Reimage\Reimage Repair\lzma.exe
"C:\Program Files\Reimage\Reimage Repair\lzma.exe" "d" "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.lza" "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4468

C:\Program Files\Reimage\Reimage Repair\lzma.exe
"C:\Program Files\Reimage\Reimage Repair\lzma.exe" "d" "C:\Program Files\Reimage\Reimage Repair\REI_Engine.lza" "C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4256

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq REI_avira.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
4⤵
PID:1492

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq REI_avira.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll"
4⤵
PID:4660

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll"
5⤵
- Modifies registry class
PID:4104

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll"
4⤵
PID:4684

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll"
5⤵
PID:4704

C:\Users\Admin\AppData\Local\Temp\nspD043.tmp\ProtectorUpdater.exe
"C:\Users\Admin\AppData\Local\Temp\nspD043.tmp\ProtectorUpdater.exe" /S /MinorSessionID=527ccbbdc1f04137821c3793b1 /SessionID=c7153628-15d3-49d7-8dd9-0fa92ff0c2c8 /TrackID= /AgentLogLocation=C:\rei\Results\Agent /CflLocation=C:\rei\cfl.rei /Install=True /DownloaderVersion=1956 /Iav=False
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3968

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq UniProtectorPackage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
5⤵
PID:3480

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq UniProtectorPackage.exe"
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4232

C:\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe
"C:\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe" /S /MinorSessionID=527ccbbdc1f04137821c3793b1 /SessionID=c7153628-15d3-49d7-8dd9-0fa92ff0c2c8 /Install=true /UpdateOnly=default /InstallPath= /Iav=False
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4336

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq ReiScanner.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
6⤵
PID:1012

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq ReiScanner.exe"
7⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:612

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq ReiProtectorM.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
6⤵
PID:648

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq ReiProtectorM.exe"
7⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe
"C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe" -install
6⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:1892

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq ReimageApp.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
4⤵
PID:5096

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq ReimageApp.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /TN ReimageUpdater /F
4⤵
PID:2456

C:\Program Files\Reimage\Reimage Protector\ReimageApp.exe
"C:\Program Files\Reimage\Reimage Protector\ReimageApp.exe"
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4720

C:\Program Files\Reimage\Reimage Repair\Reimage.exe
"C:\Program Files\Reimage\Reimage Repair\Reimage.exe" http://www.reimageplus.com/GUI/GUI1957/layout.php?consumer=1&gui_branch=0&trackutil=&MinorSessionID=527ccbbdc1f04137821c3793b1&lang_code=en&bundle=0&loadresults=0&ShowSettings=false /Locale=1033
4⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4476

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4476 -s 2732
5⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe
"C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:4496

C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe
"C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2916

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\73215KPL.cookie

MD5
9d6151229945195bf810a117efbe876a

SHA1
e13be68b7d8bed76f6e06ffc889a021080eb714d

SHA256
d7566c5ce97a91946d6cf1f8869a7848a4d4507798ec54888b2b16193b8cac3a

SHA512
3f3a108e8f72acb498ca895bb0a1874e462f7c56b6f0586c79a9de8b74312b317d8a3519317b0c3c58f1514b199e2bc4338df040e80d5293dfbef9dcc647a517

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF.bat

MD5
88b2acb63151385b580a3a90fd9a2703

SHA1
4d3b06806a4992769311ae553b9b53520c93f7c0

SHA256
d072342a0622c3a0f5c7018dfd77d1bd543a3455cf57963c49a882981ab7a6f1

SHA512
ba0c49351d0a1e4d6ca78ffa085cc58d98a8535591e0134f922ffdb7281ec0ee33f77ccd5bece1d060bd8eb7043982e5a6ce16cc7dd57abc4e95b2759e2e8a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF.bat

MD5
88b2acb63151385b580a3a90fd9a2703

SHA1
4d3b06806a4992769311ae553b9b53520c93f7c0

SHA256
d072342a0622c3a0f5c7018dfd77d1bd543a3455cf57963c49a882981ab7a6f1

SHA512
ba0c49351d0a1e4d6ca78ffa085cc58d98a8535591e0134f922ffdb7281ec0ee33f77ccd5bece1d060bd8eb7043982e5a6ce16cc7dd57abc4e95b2759e2e8a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF.bat

MD5
7971a2bbc38434607787c55ae1bed26a

SHA1
270ba5a2ab540a8d3aca48af1eb389d1217d1808

SHA256
71164cb44d663a4efa159883a043394f5d4622a8c41fbbaede5e40e990847986

SHA512
f94dab7925c23597af84a77ddc71829a7708d53b3008ee8b1803c23c17197562c7fc74c89887f7cf58e69ca5dce93e1f7b5cad05243cfd096c7c4e04d68443af

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF.bat

MD5
7971a2bbc38434607787c55ae1bed26a

SHA1
270ba5a2ab540a8d3aca48af1eb389d1217d1808

SHA256
71164cb44d663a4efa159883a043394f5d4622a8c41fbbaede5e40e990847986

SHA512
f94dab7925c23597af84a77ddc71829a7708d53b3008ee8b1803c23c17197562c7fc74c89887f7cf58e69ca5dce93e1f7b5cad05243cfd096c7c4e04d68443af

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF.bat

MD5
36a034c4f8fbd57d70be3558f328c934

SHA1
14c5429a33517f1a67f35a840e498550a3ed2643

SHA256
cf80ba0e1cbda1590501365c35410de05d756e43557100d318720b3b4fa97cb7

SHA512
530997a1858f0d7609cd7e8ea2c41b299648268724d7c4cab4d893f16082930031ce8206f2d25f5c39f5b1b1024cd6965eb57c4e099453cf8d833eccb03aa83f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF.bat

MD5
36a034c4f8fbd57d70be3558f328c934

SHA1
14c5429a33517f1a67f35a840e498550a3ed2643

SHA256
cf80ba0e1cbda1590501365c35410de05d756e43557100d318720b3b4fa97cb7

SHA512
530997a1858f0d7609cd7e8ea2c41b299648268724d7c4cab4d893f16082930031ce8206f2d25f5c39f5b1b1024cd6965eb57c4e099453cf8d833eccb03aa83f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

MD5
dea052a2ad11945b1960577c0192f2eb

SHA1
1d02626a05a546a90c05902b2551f32c20eb3708

SHA256
943b315e065238b7073b033f534ef954b6b6461fb3f03a3f5b8555b11bc4c0a2

SHA512
5496b10e2a77aee11055d71bdaaed835df1770e85fa4d0f9433330470bbcf76c932c04778a0b47f4193eee14813db2e2b19ecc50b4a6a193faa19b4019705917

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

MD5
dea052a2ad11945b1960577c0192f2eb

SHA1
1d02626a05a546a90c05902b2551f32c20eb3708

SHA256
943b315e065238b7073b033f534ef954b6b6461fb3f03a3f5b8555b11bc4c0a2

SHA512
5496b10e2a77aee11055d71bdaaed835df1770e85fa4d0f9433330470bbcf76c932c04778a0b47f4193eee14813db2e2b19ecc50b4a6a193faa19b4019705917

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

MD5
dea052a2ad11945b1960577c0192f2eb

SHA1
1d02626a05a546a90c05902b2551f32c20eb3708

SHA256
943b315e065238b7073b033f534ef954b6b6461fb3f03a3f5b8555b11bc4c0a2

SHA512
5496b10e2a77aee11055d71bdaaed835df1770e85fa4d0f9433330470bbcf76c932c04778a0b47f4193eee14813db2e2b19ecc50b4a6a193faa19b4019705917

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

MD5
dea052a2ad11945b1960577c0192f2eb

SHA1
1d02626a05a546a90c05902b2551f32c20eb3708

SHA256
943b315e065238b7073b033f534ef954b6b6461fb3f03a3f5b8555b11bc4c0a2

SHA512
5496b10e2a77aee11055d71bdaaed835df1770e85fa4d0f9433330470bbcf76c932c04778a0b47f4193eee14813db2e2b19ecc50b4a6a193faa19b4019705917

Download Submit
C:\Users\Admin\AppData\Local\Temp\ReimageRepair.exe

MD5
f5af9d859c9a031ab6bea66048fab6e1

SHA1
d0ee45d3534cc23cbd0d7c3765203ed926a7eb0a

SHA256
4efd1bc1bdc12da1bbdc597cf3f37f0c65e582f42e353cf781ac1fe422dfa68c

SHA512
c771c3e7ef88116168b9e3e0d0e4dbb2f2ad03dec0a87b9d3427faf7edb0a2510bb80dcb57b50fb6bcb9f683f23d876f35dc91a85006973bdb3fec41d51145a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ReimageRepair.exe

MD5
f5af9d859c9a031ab6bea66048fab6e1

SHA1
d0ee45d3534cc23cbd0d7c3765203ed926a7eb0a

SHA256
4efd1bc1bdc12da1bbdc597cf3f37f0c65e582f42e353cf781ac1fe422dfa68c

SHA512
c771c3e7ef88116168b9e3e0d0e4dbb2f2ad03dec0a87b9d3427faf7edb0a2510bb80dcb57b50fb6bcb9f683f23d876f35dc91a85006973bdb3fec41d51145a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader log.txt

MD5
c599a3f4adc48d8a7ff955af2802904d

SHA1
aee65b9b3d4723fc37cb646f599d6817dd455cd7

SHA256
28366969ceded78ecfa805acee79e2d671fbf19246add33960becb52967b486d

SHA512
47987cf2e2233d343b818d5513bb48545d5ac9efa1c9f9b5c8f8fce11ce5a5517db703357bf5faf203d209e9addf72270c33c0538d2e75908b23bab17f58d4c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite3.exe

MD5
91cdcea4be94624e198d3012f5442584

SHA1
fab4043494e4bb02efbaf72bcca86c01992d765c

SHA256
ca4c0f1ec0ccbc9988ea3f43ff73fe84228ffb4d76baddc386051dffe7ddd8c2

SHA512
74edd1e31517acaf4d367521df84e17bda0a60743852076bc2edbd9e634c810fb98a06b29562237dfd61fb98fec0e379c3ce5a86b361ed0f2594d10c1a93c11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite3.exe

MD5
91cdcea4be94624e198d3012f5442584

SHA1
fab4043494e4bb02efbaf72bcca86c01992d765c

SHA256
ca4c0f1ec0ccbc9988ea3f43ff73fe84228ffb4d76baddc386051dffe7ddd8c2

SHA512
74edd1e31517acaf4d367521df84e17bda0a60743852076bc2edbd9e634c810fb98a06b29562237dfd61fb98fec0e379c3ce5a86b361ed0f2594d10c1a93c11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite3.exe

MD5
91cdcea4be94624e198d3012f5442584

SHA1
fab4043494e4bb02efbaf72bcca86c01992d765c

SHA256
ca4c0f1ec0ccbc9988ea3f43ff73fe84228ffb4d76baddc386051dffe7ddd8c2

SHA512
74edd1e31517acaf4d367521df84e17bda0a60743852076bc2edbd9e634c810fb98a06b29562237dfd61fb98fec0e379c3ce5a86b361ed0f2594d10c1a93c11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite3.exe

MD5
91cdcea4be94624e198d3012f5442584

SHA1
fab4043494e4bb02efbaf72bcca86c01992d765c

SHA256
ca4c0f1ec0ccbc9988ea3f43ff73fe84228ffb4d76baddc386051dffe7ddd8c2

SHA512
74edd1e31517acaf4d367521df84e17bda0a60743852076bc2edbd9e634c810fb98a06b29562237dfd61fb98fec0e379c3ce5a86b361ed0f2594d10c1a93c11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite3.exe

MD5
91cdcea4be94624e198d3012f5442584

SHA1
fab4043494e4bb02efbaf72bcca86c01992d765c

SHA256
ca4c0f1ec0ccbc9988ea3f43ff73fe84228ffb4d76baddc386051dffe7ddd8c2

SHA512
74edd1e31517acaf4d367521df84e17bda0a60743852076bc2edbd9e634c810fb98a06b29562237dfd61fb98fec0e379c3ce5a86b361ed0f2594d10c1a93c11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite3.exe

MD5
91cdcea4be94624e198d3012f5442584

SHA1
fab4043494e4bb02efbaf72bcca86c01992d765c

SHA256
ca4c0f1ec0ccbc9988ea3f43ff73fe84228ffb4d76baddc386051dffe7ddd8c2

SHA512
74edd1e31517acaf4d367521df84e17bda0a60743852076bc2edbd9e634c810fb98a06b29562237dfd61fb98fec0e379c3ce5a86b361ed0f2594d10c1a93c11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite3.exe

MD5
91cdcea4be94624e198d3012f5442584

SHA1
fab4043494e4bb02efbaf72bcca86c01992d765c

SHA256
ca4c0f1ec0ccbc9988ea3f43ff73fe84228ffb4d76baddc386051dffe7ddd8c2

SHA512
74edd1e31517acaf4d367521df84e17bda0a60743852076bc2edbd9e634c810fb98a06b29562237dfd61fb98fec0e379c3ce5a86b361ed0f2594d10c1a93c11e

Download Submit
C:\Users\Public\Desktop\Resume Reimage Repair Installation.lnk

MD5
f3eb2fb9db7acd30a9eed43f568ed81c

SHA1
0a060b6db7d1db8ef63e9d6fc999a2779a44492a

SHA256
c4de75370997f6fc49b12edaa6cdb3d3e8fc3341631ac85d0889165a181dbd8f

SHA512
d6db12d4162f50f049cd7f482cc46c3c5f91db2f384b96ceef56a13d57a276a94b02dc7a1892cf5037d450d6fb2809e55a4a5cb2ebe22b14d9e669d2977f5bfe

Download Submit
C:\Windows\Reimage.ini

MD5
28f22b074f303cf5d09f16e23ee20c61

SHA1
ce7a230ac537e200df13572014ef3f6cdbd65bb2

SHA256
7bf0aadef541e7be2c09caa70f2796c59d5c290033e7d2b417d7df229a50d02b

SHA512
e06918d6d53f5aa1149284a166419a8b3a38e791095a2904866aca7a8d27d6c2f57c1722a4e07180f3f660e67f1bdf7148763ad010646c9b54be10b0d80c66d3

Download Submit
\Users\Admin\AppData\Local\Temp\nst4F41.tmp\Banner.dll

MD5
e264d0f91103758bc5b088e8547e0ec1

SHA1
24a94ff59668d18b908c78afd2a9563de2819680

SHA256
501b5935fe8e17516b324e3c1da89773e689359c12263e9782f95836dbab8b63

SHA512
a533278355defd265ef713d4169f06066be41dd60b0e7ed5340454c40aabc47afa47c5ce4c0dbcd6cb8380e2b25dbb1762c3c996d11ac9f70ab9763182850205

Download Submit
\Users\Admin\AppData\Local\Temp\nst4F41.tmp\LogEx.dll

MD5
0f96d9eb959ad4e8fd205e6d58cf01b8

SHA1
7c45512cbdb24216afd23a9e8cdce0cfeaa7660f

SHA256
57ede354532937e38c4ae9da3710ee295705ea9770c402dfb3a5c56a32fd4314

SHA512
9f3afb61d75ac7b7dc84abcbf1b04f759b7055992d46140dc5dcc269aed22268d044ee8030f5ea260bbb912774e5bbb751560c16e54efa99c700b9fc7d48832c

Download Submit
\Users\Admin\AppData\Local\Temp\nst4F41.tmp\System.dll

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
\Users\Admin\AppData\Local\Temp\nst4F41.tmp\UserInfo.dll

MD5
c7ce0e47c83525983fd2c4c9566b4aad

SHA1
38b7ad7bb32ffae35540fce373b8a671878dc54e

SHA256
6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

SHA512
ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

Download Submit
\Users\Admin\AppData\Local\Temp\nst4F41.tmp\inetc.dll

MD5
5da9df435ff20853a2c45026e7681cef

SHA1
39b1d70a7a03e7c791cb21a53d82fd949706a4b4

SHA256
9c52c74b8e115db0bde90f56382ebcc12aff05eb2232f80a4701e957e09635e2

SHA512
4ab3b1572485a8a11863adada2c6ec01e809a4b09f99d80903c79a95b91f299b8f2cd6cceaa915567e155a46291a33fb8ccb95141d76d4e7b0e040890d51d09f

Download Submit
\Users\Admin\AppData\Local\Temp\nst4F41.tmp\inetc.dll

MD5
5da9df435ff20853a2c45026e7681cef

SHA1
39b1d70a7a03e7c791cb21a53d82fd949706a4b4

SHA256
9c52c74b8e115db0bde90f56382ebcc12aff05eb2232f80a4701e957e09635e2

SHA512
4ab3b1572485a8a11863adada2c6ec01e809a4b09f99d80903c79a95b91f299b8f2cd6cceaa915567e155a46291a33fb8ccb95141d76d4e7b0e040890d51d09f

Download Submit
\Users\Admin\AppData\Local\Temp\nst4F41.tmp\inetc.dll

MD5
5da9df435ff20853a2c45026e7681cef

SHA1
39b1d70a7a03e7c791cb21a53d82fd949706a4b4

SHA256
9c52c74b8e115db0bde90f56382ebcc12aff05eb2232f80a4701e957e09635e2

SHA512
4ab3b1572485a8a11863adada2c6ec01e809a4b09f99d80903c79a95b91f299b8f2cd6cceaa915567e155a46291a33fb8ccb95141d76d4e7b0e040890d51d09f

Download Submit
\Users\Admin\AppData\Local\Temp\nst4F41.tmp\inetc.dll

MD5
5da9df435ff20853a2c45026e7681cef

SHA1
39b1d70a7a03e7c791cb21a53d82fd949706a4b4

SHA256
9c52c74b8e115db0bde90f56382ebcc12aff05eb2232f80a4701e957e09635e2

SHA512
4ab3b1572485a8a11863adada2c6ec01e809a4b09f99d80903c79a95b91f299b8f2cd6cceaa915567e155a46291a33fb8ccb95141d76d4e7b0e040890d51d09f

Download Submit
\Users\Admin\AppData\Local\Temp\nst4F41.tmp\inetc.dll

MD5
5da9df435ff20853a2c45026e7681cef

SHA1
39b1d70a7a03e7c791cb21a53d82fd949706a4b4

SHA256
9c52c74b8e115db0bde90f56382ebcc12aff05eb2232f80a4701e957e09635e2

SHA512
4ab3b1572485a8a11863adada2c6ec01e809a4b09f99d80903c79a95b91f299b8f2cd6cceaa915567e155a46291a33fb8ccb95141d76d4e7b0e040890d51d09f

Download Submit
\Users\Admin\AppData\Local\Temp\nst4F41.tmp\inetc.dll

MD5
5da9df435ff20853a2c45026e7681cef

SHA1
39b1d70a7a03e7c791cb21a53d82fd949706a4b4

SHA256
9c52c74b8e115db0bde90f56382ebcc12aff05eb2232f80a4701e957e09635e2

SHA512
4ab3b1572485a8a11863adada2c6ec01e809a4b09f99d80903c79a95b91f299b8f2cd6cceaa915567e155a46291a33fb8ccb95141d76d4e7b0e040890d51d09f

Download Submit
\Users\Admin\AppData\Local\Temp\nst4F41.tmp\nsDialogs.dll

MD5
4ccc4a742d4423f2f0ed744fd9c81f63

SHA1
704f00a1acc327fd879cf75fc90d0b8f927c36bc

SHA256
416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6

SHA512
790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

Download Submit
\Users\Admin\AppData\Local\Temp\nst4F41.tmp\nsExec.dll

MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
\Users\Admin\AppData\Local\Temp\nst4F41.tmp\nsExec.dll

MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
\Users\Admin\AppData\Local\Temp\nst4F41.tmp\nsExec.dll

MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
\Users\Admin\AppData\Local\Temp\nst4F41.tmp\nsExec.dll

MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
\Users\Admin\AppData\Local\Temp\nst4F41.tmp\nsExec.dll

MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
\Users\Admin\AppData\Local\Temp\nst4F41.tmp\stack.dll

MD5
867af9bea8b24c78736bf8d0fdb5a78e

SHA1
05839fad98aa2bcd9f6ecb22de4816e0c75bf97d

SHA256
732164fb36f46dd23dafb6d7621531e70f1f81e2967b3053727ec7b5492d0ae9

SHA512
b7f54d52ff08b29a04b4f5887e6e3ae0e74fa45a86e55e0a4d362bc3603426c42c1d6a0b2fc2ef574bec0f6c7152de756ff48415e37ae6a7a9c296303562df4b

Download Submit
\Users\Admin\AppData\Local\Temp\nst4F41.tmp\stack.dll

MD5
867af9bea8b24c78736bf8d0fdb5a78e

SHA1
05839fad98aa2bcd9f6ecb22de4816e0c75bf97d

SHA256
732164fb36f46dd23dafb6d7621531e70f1f81e2967b3053727ec7b5492d0ae9

SHA512
b7f54d52ff08b29a04b4f5887e6e3ae0e74fa45a86e55e0a4d362bc3603426c42c1d6a0b2fc2ef574bec0f6c7152de756ff48415e37ae6a7a9c296303562df4b

Download Submit
\Users\Admin\AppData\Local\Temp\nst4F41.tmp\xml.dll

MD5
ebce8f5e440e0be57665e1e58dfb7425

SHA1
573dc1abd2b03512f390f569058fd2cf1d02ce91

SHA256
d1aaacc0aaf477b6b9f084697adcb444fc2333b32e8d99d224dca89516e762a7

SHA512
4786c9124973b6543d7291047d4c4a06c05282a3766212dbd3b8ce9b9560afddca20c491f791db2258c14ab767d5d3f480daa4706492949eae2ceb4a35aaef85

Download Submit
\Users\Admin\AppData\Local\Temp\nst4F41.tmp\xml.dll

MD5
ebce8f5e440e0be57665e1e58dfb7425

SHA1
573dc1abd2b03512f390f569058fd2cf1d02ce91

SHA256
d1aaacc0aaf477b6b9f084697adcb444fc2333b32e8d99d224dca89516e762a7

SHA512
4786c9124973b6543d7291047d4c4a06c05282a3766212dbd3b8ce9b9560afddca20c491f791db2258c14ab767d5d3f480daa4706492949eae2ceb4a35aaef85

Download Submit
\Users\Admin\AppData\Local\Temp\nst4F41.tmp\xml.dll

MD5
ebce8f5e440e0be57665e1e58dfb7425

SHA1
573dc1abd2b03512f390f569058fd2cf1d02ce91

SHA256
d1aaacc0aaf477b6b9f084697adcb444fc2333b32e8d99d224dca89516e762a7

SHA512
4786c9124973b6543d7291047d4c4a06c05282a3766212dbd3b8ce9b9560afddca20c491f791db2258c14ab767d5d3f480daa4706492949eae2ceb4a35aaef85

Download Submit
\Users\Admin\AppData\Local\Temp\nsx979F.tmp\Banner.dll

MD5
e264d0f91103758bc5b088e8547e0ec1

SHA1
24a94ff59668d18b908c78afd2a9563de2819680

SHA256
501b5935fe8e17516b324e3c1da89773e689359c12263e9782f95836dbab8b63

SHA512
a533278355defd265ef713d4169f06066be41dd60b0e7ed5340454c40aabc47afa47c5ce4c0dbcd6cb8380e2b25dbb1762c3c996d11ac9f70ab9763182850205

Download Submit
\Users\Admin\AppData\Local\Temp\nsx979F.tmp\LogEx.dll

MD5
0f96d9eb959ad4e8fd205e6d58cf01b8

SHA1
7c45512cbdb24216afd23a9e8cdce0cfeaa7660f

SHA256
57ede354532937e38c4ae9da3710ee295705ea9770c402dfb3a5c56a32fd4314

SHA512
9f3afb61d75ac7b7dc84abcbf1b04f759b7055992d46140dc5dcc269aed22268d044ee8030f5ea260bbb912774e5bbb751560c16e54efa99c700b9fc7d48832c

Download Submit
\Users\Admin\AppData\Local\Temp\nsx979F.tmp\System.dll

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
\Users\Admin\AppData\Local\Temp\nsx979F.tmp\UserInfo.dll

MD5
c7ce0e47c83525983fd2c4c9566b4aad

SHA1
38b7ad7bb32ffae35540fce373b8a671878dc54e

SHA256
6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

SHA512
ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

Download Submit
\Users\Admin\AppData\Local\Temp\nsx979F.tmp\inetc.dll

MD5
5da9df435ff20853a2c45026e7681cef

SHA1
39b1d70a7a03e7c791cb21a53d82fd949706a4b4

SHA256
9c52c74b8e115db0bde90f56382ebcc12aff05eb2232f80a4701e957e09635e2

SHA512
4ab3b1572485a8a11863adada2c6ec01e809a4b09f99d80903c79a95b91f299b8f2cd6cceaa915567e155a46291a33fb8ccb95141d76d4e7b0e040890d51d09f

Download Submit
\Users\Admin\AppData\Local\Temp\nsx979F.tmp\inetc.dll

MD5
5da9df435ff20853a2c45026e7681cef

SHA1
39b1d70a7a03e7c791cb21a53d82fd949706a4b4

SHA256
9c52c74b8e115db0bde90f56382ebcc12aff05eb2232f80a4701e957e09635e2

SHA512
4ab3b1572485a8a11863adada2c6ec01e809a4b09f99d80903c79a95b91f299b8f2cd6cceaa915567e155a46291a33fb8ccb95141d76d4e7b0e040890d51d09f

Download Submit
\Users\Admin\AppData\Local\Temp\nsx979F.tmp\inetc.dll

MD5
5da9df435ff20853a2c45026e7681cef

SHA1
39b1d70a7a03e7c791cb21a53d82fd949706a4b4

SHA256
9c52c74b8e115db0bde90f56382ebcc12aff05eb2232f80a4701e957e09635e2

SHA512
4ab3b1572485a8a11863adada2c6ec01e809a4b09f99d80903c79a95b91f299b8f2cd6cceaa915567e155a46291a33fb8ccb95141d76d4e7b0e040890d51d09f

Download Submit
\Users\Admin\AppData\Local\Temp\nsx979F.tmp\inetc.dll

MD5
5da9df435ff20853a2c45026e7681cef

SHA1
39b1d70a7a03e7c791cb21a53d82fd949706a4b4

SHA256
9c52c74b8e115db0bde90f56382ebcc12aff05eb2232f80a4701e957e09635e2

SHA512
4ab3b1572485a8a11863adada2c6ec01e809a4b09f99d80903c79a95b91f299b8f2cd6cceaa915567e155a46291a33fb8ccb95141d76d4e7b0e040890d51d09f

Download Submit
\Users\Admin\AppData\Local\Temp\nsx979F.tmp\inetc.dll

MD5
5da9df435ff20853a2c45026e7681cef

SHA1
39b1d70a7a03e7c791cb21a53d82fd949706a4b4

SHA256
9c52c74b8e115db0bde90f56382ebcc12aff05eb2232f80a4701e957e09635e2

SHA512
4ab3b1572485a8a11863adada2c6ec01e809a4b09f99d80903c79a95b91f299b8f2cd6cceaa915567e155a46291a33fb8ccb95141d76d4e7b0e040890d51d09f

Download Submit
\Users\Admin\AppData\Local\Temp\nsx979F.tmp\nsExec.dll

MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
\Users\Admin\AppData\Local\Temp\nsx979F.tmp\nsExec.dll

MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
\Users\Admin\AppData\Local\Temp\nsx979F.tmp\nsExec.dll

MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
\Users\Admin\AppData\Local\Temp\nsx979F.tmp\nsExec.dll

MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
\Users\Admin\AppData\Local\Temp\nsx979F.tmp\nsExec.dll

MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
\Users\Admin\AppData\Local\Temp\nsx979F.tmp\registry.dll

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
\Users\Admin\AppData\Local\Temp\nsx979F.tmp\registry.dll

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
\Users\Admin\AppData\Local\Temp\nsx979F.tmp\stack.dll

MD5
867af9bea8b24c78736bf8d0fdb5a78e

SHA1
05839fad98aa2bcd9f6ecb22de4816e0c75bf97d

SHA256
732164fb36f46dd23dafb6d7621531e70f1f81e2967b3053727ec7b5492d0ae9

SHA512
b7f54d52ff08b29a04b4f5887e6e3ae0e74fa45a86e55e0a4d362bc3603426c42c1d6a0b2fc2ef574bec0f6c7152de756ff48415e37ae6a7a9c296303562df4b

Download Submit
\Users\Admin\AppData\Local\Temp\nsx979F.tmp\stack.dll

MD5
867af9bea8b24c78736bf8d0fdb5a78e

SHA1
05839fad98aa2bcd9f6ecb22de4816e0c75bf97d

SHA256
732164fb36f46dd23dafb6d7621531e70f1f81e2967b3053727ec7b5492d0ae9

SHA512
b7f54d52ff08b29a04b4f5887e6e3ae0e74fa45a86e55e0a4d362bc3603426c42c1d6a0b2fc2ef574bec0f6c7152de756ff48415e37ae6a7a9c296303562df4b

Download Submit
\Users\Admin\AppData\Local\Temp\nsx979F.tmp\xml.dll

MD5
ebce8f5e440e0be57665e1e58dfb7425

SHA1
573dc1abd2b03512f390f569058fd2cf1d02ce91

SHA256
d1aaacc0aaf477b6b9f084697adcb444fc2333b32e8d99d224dca89516e762a7

SHA512
4786c9124973b6543d7291047d4c4a06c05282a3766212dbd3b8ce9b9560afddca20c491f791db2258c14ab767d5d3f480daa4706492949eae2ceb4a35aaef85

Download Submit
\Users\Admin\AppData\Local\Temp\nsx979F.tmp\xml.dll

MD5
ebce8f5e440e0be57665e1e58dfb7425

SHA1
573dc1abd2b03512f390f569058fd2cf1d02ce91

SHA256
d1aaacc0aaf477b6b9f084697adcb444fc2333b32e8d99d224dca89516e762a7

SHA512
4786c9124973b6543d7291047d4c4a06c05282a3766212dbd3b8ce9b9560afddca20c491f791db2258c14ab767d5d3f480daa4706492949eae2ceb4a35aaef85

Download Submit
memory/204-58-0x0000000000000000-mapping.dmp

Download
memory/352-90-0x0000000000000000-mapping.dmp

Download
memory/416-98-0x0000000000000000-mapping.dmp

Download
memory/560-23-0x0000000000000000-mapping.dmp

Download
memory/612-121-0x0000000000000000-mapping.dmp

Download
memory/648-122-0x0000000000000000-mapping.dmp

Download
memory/784-92-0x0000000000000000-mapping.dmp

Download
memory/804-24-0x0000000000000000-mapping.dmp

Download
memory/904-89-0x0000000000000000-mapping.dmp

Download
memory/1012-120-0x0000000000000000-mapping.dmp

Download
memory/1092-69-0x0000000000000000-mapping.dmp

Download
memory/1212-99-0x0000000000000000-mapping.dmp

Download
memory/1492-110-0x0000000000000000-mapping.dmp

Download
memory/1544-27-0x0000000000000000-mapping.dmp

Download
memory/1776-28-0x0000000000000000-mapping.dmp

Download
memory/1892-124-0x0000000000000000-mapping.dmp

Download
memory/2008-91-0x0000000000000000-mapping.dmp

Download
memory/2148-97-0x0000000000000000-mapping.dmp

Download
memory/2156-103-0x0000000000000000-mapping.dmp

Download
memory/2160-96-0x0000000000000000-mapping.dmp

Download
memory/2248-55-0x0000000000000000-mapping.dmp

Download
memory/2388-43-0x0000000000000000-mapping.dmp

Download
memory/2456-128-0x0000000000000000-mapping.dmp

Download
memory/2496-7-0x0000000000000000-mapping.dmp

Download
memory/2564-111-0x0000000000000000-mapping.dmp

Download
memory/2808-20-0x0000000000000000-mapping.dmp

Download
memory/2828-63-0x0000000000000000-mapping.dmp

Download
memory/2916-125-0x0000000000000000-mapping.dmp

Download
memory/3104-131-0x000001E31F450000-0x000001E31F451000-memory.dmp

Filesize
4KB

Download
memory/3104-130-0x000001E31F450000-0x000001E31F451000-memory.dmp

Filesize
4KB

Download
memory/3204-76-0x0000000000000000-mapping.dmp

Download
memory/3232-13-0x0000000000000000-mapping.dmp

Download
memory/3356-15-0x0000000000000000-mapping.dmp

Download
memory/3480-117-0x0000000000000000-mapping.dmp

Download
memory/3968-116-0x0000000000000000-mapping.dmp

Download
memory/4104-113-0x0000000000000000-mapping.dmp

Download
memory/4152-18-0x0000000000000000-mapping.dmp

Download
memory/4228-73-0x0000000000000000-mapping.dmp

Download
memory/4232-118-0x0000000000000000-mapping.dmp

Download
memory/4256-109-0x0000000000000000-mapping.dmp

Download
memory/4260-9-0x0000000000000000-mapping.dmp

Download
memory/4336-119-0x0000000000000000-mapping.dmp

Download
memory/4412-74-0x0000000000000000-mapping.dmp

Download
memory/4416-127-0x0000000000000000-mapping.dmp

Download
memory/4468-108-0x0000000000000000-mapping.dmp

Download
memory/4480-104-0x0000000000000000-mapping.dmp

Download
memory/4544-93-0x0000000000000000-mapping.dmp

Download
memory/4568-102-0x0000000000000000-mapping.dmp

Download
memory/4592-33-0x0000000000000000-mapping.dmp

Download
memory/4620-60-0x0000000000000000-mapping.dmp

Download
memory/4644-105-0x0000000000000000-mapping.dmp

Download
memory/4660-112-0x0000000000000000-mapping.dmp

Download
memory/4664-70-0x0000000000000000-mapping.dmp

Download
memory/4684-114-0x0000000000000000-mapping.dmp

Download
memory/4696-65-0x0000000000000000-mapping.dmp

Download
memory/4704-115-0x0000000000000000-mapping.dmp

Download
memory/4720-129-0x0000000000000000-mapping.dmp

Download
memory/4724-53-0x0000000000000000-mapping.dmp

Download
memory/4736-106-0x0000000000000000-mapping.dmp

Download
memory/4744-107-0x0000000000000000-mapping.dmp

Download
memory/4872-100-0x0000000000000000-mapping.dmp

Download
memory/4888-94-0x0000000000000000-mapping.dmp

Download
memory/4900-123-0x0000000000000000-mapping.dmp

Download
memory/4948-95-0x0000000000000000-mapping.dmp

Download
memory/5008-101-0x0000000000000000-mapping.dmp

Download
memory/5096-126-0x0000000000000000-mapping.dmp

Download