Overview (score 8)
Static (score 7)

Analysis
- max time kernel: 147s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 02/03/2024, 22:47

Behavioral tasks (score is the per-task score from the report's task list; the analysis below is behavioral1)
task          sample                                    resource                score
behavioral1   ReimageRepair.exe                         win7-20240220-en        8
behavioral2   ReimageRepair.exe                         win10v2004-20240226-en  7
behavioral3   $PLUGINSDIR/AccessControl.dll             win7-20240221-en        7
behavioral4   $PLUGINSDIR/AccessControl.dll             win10v2004-20240226-en  7
behavioral5   $PLUGINSDIR/Banner.dll                    win7-20240221-en        1
behavioral6   $PLUGINSDIR/Banner.dll                    win10v2004-20240226-en  1
behavioral7   $PLUGINSDIR/ButtonEvent.dll               win7-20240221-en        3
behavioral8   $PLUGINSDIR/ButtonEvent.dll               win10v2004-20240226-en  3
behavioral9   $PLUGINSDIR/ExecDos.dll                   win7-20240221-en        3
behavioral10  $PLUGINSDIR/ExecDos.dll                   win10v2004-20240226-en  3
behavioral11  $PLUGINSDIR/IpConfig.dll                  win7-20240221-en        3
behavioral12  $PLUGINSDIR/IpConfig.dll                  win10v2004-20240226-en  3
behavioral13  $PLUGINSDIR/LogEx.dll                     win7-20240221-en        3
behavioral14  $PLUGINSDIR/LogEx.dll                     win10v2004-20240226-en  3
behavioral15  $PLUGINSDIR/MSIBanner.dll                 win7-20240221-en        3
behavioral16  $PLUGINSDIR/MSIBanner.dll                 win10v2004-20240226-en  3
behavioral17  $PLUGINSDIR/System.dll                    win7-20240215-en        3
behavioral18  $PLUGINSDIR/System.dll                    win10v2004-20240226-en  3
behavioral19  $PLUGINSDIR/UserInfo.dll                  win7-20240220-en        3
behavioral20  $PLUGINSDIR/UserInfo.dll                  win10v2004-20240226-en  3
behavioral21  $PLUGINSDIR/WmiInspector.dll              win7-20240221-en        3
behavioral22  $PLUGINSDIR/WmiInspector.dll              win10v2004-20240226-en  3
behavioral23  Adware/Reimage Repair/ReimageRepair.exe   win7-20240221-en        7
behavioral24  Adware/Reimage Repair/ReimageRepair.exe   win10v2004-20240226-en  7
behavioral25  $PLUGINSDIR/AccessControl.dll             win7-20240221-en        7
behavioral26  $PLUGINSDIR/AccessControl.dll             win10v2004-20240226-en  7
behavioral27  $PLUGINSDIR/Banner.dll                    win7-20240221-en        1
behavioral28  $PLUGINSDIR/Banner.dll                    win10v2004-20240226-en  1
behavioral29  $PLUGINSDIR/ButtonEvent.dll               win7-20240215-en        3
behavioral30  $PLUGINSDIR/ButtonEvent.dll               win10v2004-20240226-en  3
behavioral31  $PLUGINSDIR/ExecDos.dll                   win7-20240220-en        3
behavioral32  $PLUGINSDIR/ExecDos.dll                   win10v2004-20240226-en  3
General
- Target: ReimageRepair.exe
- Size: 572KB
- MD5: f5af9d859c9a031ab6bea66048fab6e1
- SHA1: d0ee45d3534cc23cbd0d7c3765203ed926a7eb0a
- SHA256: 4efd1bc1bdc12da1bbdc597cf3f37f0c65e582f42e353cf781ac1fe422dfa68c
- SHA512: c771c3e7ef88116168b9e3e0d0e4dbb2f2ad03dec0a87b9d3427faf7edb0a2510bb80dcb57b50fb6bcb9f683f23d876f35dc91a85006973bdb3fec41d51145a5
- SSDEEP: 12288:YEsvcQmY4ZHUDRHjYMCVdjQooYddMoAnUM22FT4i8BdK:Y30Q0HCFcXFRdyUKF
Malware Config

Signatures
Uses Session Manager for persistence (2 TTPs, 1 IoC)
Creates Session Manager registry key to run executable early in system boot.
- Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a00000000 (Reimage.exe)
The data is a REG_MULTI_SZ in UTF-16LE and decodes to the single string "autocheck autochk *", which is the stock Windows BootExecute value. The signature fires on the write itself, so on this evidence Reimage.exe rewrote the default rather than adding a program of its own to the boot sequence. BootExecute entries run from Session Manager before Winlogon, as SYSTEM, so the value is worth a look whenever the decoded list contains anything other than the autochk entry.
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
- yara_rule acprotect, resource behavioral1/files/0x0005000000019232-672.dat

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
No individual IoCs are listed for this signature. The four sqlite3.exe runs under "Executes dropped EXE" below are the likely source, since browser profile stores (history, cookies, saved logins) are SQLite databases.

YARA rule match: upx (1 IoC)
- yara_rule upx, resource behavioral1/files/0x0005000000019232-672.dat
The same dropped file matched both the acprotect and the upx rules.
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Reimage = "\"C:\\Program Files\\Reimage\\Reimage Protector\\ReimageApp.exe\"" (ReimagePackage.exe)
The value is a quoted full path to ReimageApp.exe, which ReimagePackage.exe drops into the Reimage Protector directory (see "Drops file in Program Files directory"). Because the entry sits under HKLM rather than HKCU it runs at every interactive logon for every user, and writing it required administrative rights.
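As an added worked example (written for this page, not taken from the sandbox report or from the Reimage software), the following Python parses "Set value" IoC lines exactly as the report renders them, decodes the REG_MULTI_SZ hex behind the BootExecute entry and compares it with the stock value, and extracts the image path from the Run entry. The input is constructed: the first two lines are copied from this report, the third is a hypothetical tampered BootExecute written by an invented dropper.exe, included to show what a genuine boot-time persistence finding looks like.

```python
"""Triage the registry-persistence IoCs of a sandbox report: decode the
REG_MULTI_SZ BootExecute payload and extract the Run-key image path."""
import re
from typing import Dict, List, Tuple

# Stock Windows BootExecute value: one REG_MULTI_SZ string.
DEFAULT_BOOTEXECUTE = ["autocheck autochk *"]

# One "Set value" IoC as the report renders it:
#   Set value (<kind>) <key path> = <value> <process>
# The key path may contain spaces (SESSION MANAGER), so it is matched
# non-greedily up to the first " = "; the process name is the last token.
SET_VALUE_RE = re.compile(
    r"^Set value \((?P<kind>data|str)\) (?P<key>\\REGISTRY\\.+?) = (?P<value>.+) (?P<proc>\S+)$"
)


def parse_set_value(line: str) -> Dict[str, str]:
    m = SET_VALUE_RE.match(line)
    if not m:
        raise ValueError(f"not a Set value IoC: {line!r}")
    return m.groupdict()


def decode_multi_sz(hexdata: str) -> List[str]:
    """REG_MULTI_SZ is UTF-16LE strings, each NUL-terminated, plus a final NUL.
    errors="ignore" tolerates a dangling odd byte if the report cut the hex short."""
    text = bytes.fromhex(hexdata).decode("utf-16-le", errors="ignore")
    return [s for s in text.split("\x00") if s]


def encode_multi_sz(strings: List[str]) -> str:
    """Inverse of decode_multi_sz; used here only to build a constructed test case."""
    return ("".join(s + "\x00" for s in strings) + "\x00").encode("utf-16-le").hex()


def unescape_report_str(quoted: str) -> str:
    """The report shows REG_SZ data as a quoted literal with backslash escapes."""
    if len(quoted) >= 2 and quoted[0] == '"' and quoted[-1] == '"':
        quoted = quoted[1:-1]
    out, i = [], 0
    while i < len(quoted):
        if quoted[i] == "\\" and i + 1 < len(quoted):
            out.append(quoted[i + 1])
            i += 2
        else:
            out.append(quoted[i])
            i += 1
    return "".join(out)


def image_path(command: str) -> str:
    """First token of a Run-key command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (process, mechanism, detail) for each persistence-relevant Set value IoC."""
    findings = []
    for line in lines:
        ioc = parse_set_value(line)
        key_l = ioc["key"].lower()
        if key_l.endswith("\\session manager\\bootexecute"):
            # Anything beyond the stock autochk entry runs before Winlogon, as SYSTEM.
            extra = [e for e in decode_multi_sz(ioc["value"]) if e not in DEFAULT_BOOTEXECUTE]
            detail = "default value rewritten" if not extra else "non-default entries: " + "; ".join(extra)
            findings.append((ioc["proc"], "BootExecute", detail))
        elif "\\currentversion\\run\\" in key_l:
            name = ioc["key"].rsplit("\\", 1)[1]
            findings.append((ioc["proc"], f"Run\\{name}", image_path(unescape_report_str(ioc["value"]))))
    return findings


# Constructed input: two lines copied from this report, plus a hypothetical
# tampered BootExecute (dropper.exe and evil.exe are invented names).
SAMPLE_IOCS = [
    r"Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\BootExecute = "
    "6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a00000000 Reimage.exe",
    r"Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Reimage = "
    r'"\"C:\\Program Files\\Reimage\\Reimage Protector\\ReimageApp.exe\"" ReimagePackage.exe',
    r"Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\BootExecute = "
    + encode_multi_sz(["autocheck autochk *", "evil.exe"]) + " dropper.exe",
]

if __name__ == "__main__":
    for proc, mechanism, detail in triage(SAMPLE_IOCS):
        print(f"{proc:22} {mechanism:14} {detail}")
```

Running it flags only the constructed third line; the report's own BootExecute write decodes to the default and is reported as "default value rewritten", which is the right verdict for this sample.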
Downloads MZ/PE file
(no individual IoCs listed)
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) \??\A:, \??\B:, \??\E: and \??\G: through \??\Z: by Reimage.exe (23 IoCs)
- File opened (read-only) the same 23 drive roots (A:, B:, E:, G: to Z:) by ReiGuard.exe (23 IoCs)
Each process sweeps every letter except C:, D: and F:. A sweep of the whole alphabet, rather than a lookup of the drives that exist, is what a disk scanner does; the \??\ prefix shows the roots were opened directly by NT object path.
Maps connected drives based on registry (3 TTPs, 3 IoCs)
Disk information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (Reimage.exe)
- Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum (Reimage.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\ (Reimage.exe)
Disk\Enum holds the PnP device instance strings of the attached disks, which include the vendor and model names; that is what both sandbox checks and legitimate hardware inventories read here.
Modifies WinLogon (2 TTPs, 62 IoCs)
Reimage.exe issued "Key created" on the Winlogon\GPExtensions subkey of each of the following 31 GUIDs, once under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\ and once under the \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\... mirror (31 x 2 = 62 IoCs):
{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}, {42B5FAAE-6536-11d2-AE5A-0000F87571E3}, {7B849a69-220F-451E-B3FE-2CB811AF94AE}, {c6dc5466-785a-11d2-84d0-00c04fb169f7}, {B087BE9D-ED37-454f-AF9C-04291E351182}, {7150F9BF-48AD-4da4-A49C-29EF4A8369BA}, {C418DD9D-0D14-4efb-8FBF-CFE535C8FAC7}, {E47248BA-94CC-49c4-BBB5-9EB7F05183D0},
{E5094040-C46C-4115-B030-04FB2E545B00}, {F9C77450-3A41-477E-9310-9ACD617BD9E3}, {4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}, {17D89FEC-5C44-4972-B12D-241CAEF74509}, {AADCED64-746C-4633-A97C-D61349046527}, {1A6364EB-776B-4120-ADE1-B63A406A76B5}, {728EE579-943C-4519-9EF7-AB56765798ED}, {C631DF4C-088F-4156-B058-4375F0853CD8},
{A3F3E39B-5D83-4940-B954-28315B82F0A8}, {E62688F0-25FD-4c90-BFF5-F508B9D2E31F}, {35378EAC-683F-11D2-A89A-00C04FBBCFA2}, {0E28E245-9368-4853-AD84-6DA3BA35BB75}, {74EE6C03-5363-4554-B161-627540339CAB}, {B587E2B1-4D59-4e7e-AED9-22B9DF11D053}, {E4F48E54-F38D-4884-BFB9-D4D2E5729C18}, {5794DAFD-BE60-433f-88A2-1A31939AC01F},
{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}, {BC75B1ED-5833-4858-9BB8-CBF0B166DF9D}, {3A0DBA37-F8B2-4356-83DE-3E90BD5C261F}, {6A4C88C6-C502-4f74-8F60-2CB23EDC24E2}, {91FBB303-0CD5-4055-BF42-E512A681B325}, {6232C319-91AC-4931-9385-E70C2B099F0E}, {A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}
GPExtensions lists the Group Policy client-side extensions that Winlogon loads, so a new entry there is a genuine persistence vector. In this run, however, no value was written under any of the keys, every GUID appears in both registry views, and the GUIDs are those of the extensions that ship with Windows (Registry, Scripts, Software Installation, the Group Policy Preferences extensions and so on). RegCreateKeyEx opens a key that already exists, and the report logs that call as "Key created", so this pattern is consistent with a walk over the existing extension list rather than registration of a new extension. To confirm, check that each of these GUIDs still carries a DllName value pointing at a Microsoft-signed module.
Drops file in System32 directory (12 IoCs)
ReiGuard.exe opened for modification the following entries under C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\, each as a Content\ and a MetaData\ file (6 x 2 = 12 IoCs):
- 40C68D5626484A90937F0752C8B950AB
- EA618097E393409AFA316F0F87E2C202_10CFD21835FBC4730F33B8DAC8D7DB43
- 94308059B57B3142E455B38A6EB92015
- C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
- C86BD7751D53F10F65AAAD66BBDF33C7
- F0ACCF77CDCBFF39F6191887F6D2D357
CryptnetUrlCache is CryptoAPI's cache for certificate, CRL and OCSP downloads, written by the system on the program's behalf rather than a location the program chose. The systemprofile path shows the writes were made under the LocalSystem profile, so ReiGuard.exe was running as a service and performed certificate chain validation with network retrieval.
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (33 IoCs)
ReimagePackage.exe, under C:\Program Files\Reimage\Reimage Repair\ unless noted (26 IoCs):
- File created: REI_AVIRA.exe, uninst.exe, Reimage.exe, REI_Engine.lza, msvcr120.dll, version.rei, REI_SupportInfoTool.exe, engine.dat, Reimage_uninstall.ico, LZMA.EXE, Reimage_SafeMode.ico, reimage.dat, Reimageicon.ico, ReimageRepair.exe, Reimage_website.ico, ReimageSafeMode.exe, savapi.dll, ReimageReminder.exe, REI_Axcontrol.lza, and C:\Program Files\Reimage\Reimage Protector\ReimageApp.exe
- File opened for modification: Reimage Repair Terms of Use.url, Reimage Repair Privacy Policy.url, engine.dat, reimage.dat, Reimage Repair Help & Support.url, Reimage Repair Uninstall Instructions.url
UniProtectorPackage.exe, under C:\Program Files\Reimage\Reimage Protector\ (5 IoCs):
- File created: ReiScanner.exe, ReiProtectorM.exe, ProtectorUpdater.exe, ReiSystem.exe, ReiGuard.exe
lzma.exe, under C:\Program Files\Reimage\Reimage Repair\ (2 IoCs):
- File created: REI_Axcontrol.dll, REI_Engine.dll
The installer ships its engine and ActiveX control as LZMA-compressed .lza payloads together with its own LZMA.EXE, and the dropped lzma.exe (pids 1856 and 2156 under "Executes dropped EXE") produces the two REI_*.dll files from them. REI_Axcontrol.dll is then registered as a COM server by regsvr32.exe (see "Registers COM server for autorun"). REI_AVIRA.exe and savapi.dll point to a bundled Avira scan engine.
Drops file in Windows directory (7 IoCs)
- File opened for modification C:\Windows\reimage.ini by ReimagePackage.exe, Reimage.exe and ReimageRepair.exe
- File opened for modification C:\Windows\Reimage.ini by ReimageRepair.exe, ProtectorUpdater.exe and UniProtectorPackage.exe
- File opened for modification C:\Windows\TEMPregistrylog\.log by ReiGuard.exe
reimage.ini and Reimage.ini are the same file on a case-insensitive volume: a shared configuration file in C:\Windows that five of the dropped components read and write, and that only an elevated process can create.
Executes dropped EXE (16 IoCs)
pid   process
2788  sqlite3.exe
2500  sqlite3.exe
2664  sqlite3.exe
2608  sqlite3.exe
2836  ReimagePackage.exe
1856  lzma.exe
2156  lzma.exe
3024  ProtectorUpdater.exe
2000  UniProtectorPackage.exe
2980  ReiGuard.exe
856   ReiGuard.exe
2108  ReiSystem.exe
2516  ReimageApp.exe
2016  Reimage.exe
776   REI_AVIRA.exe
2856  ReiSystem.exe
Loads dropped DLL (64 IoCs)
pid   process              loads
1204  ReimageRepair.exe    33
2580  cmd.exe              2
2440  cmd.exe              2
2684  cmd.exe              2
2780  cmd.exe              2
2836  ReimagePackage.exe   18
2056  regsvr32.exe         1
1700  regsvr32.exe         2
1512  regsvr32.exe         1
768   regsvr32.exe         1
The NSIS installer (pid 1204) loads its $PLUGINSDIR plug-in DLLs, and the regsvr32.exe instances are the ones that load and register REI_Axcontrol.dll. 64 is the largest number of IoCs the report shows for a single signature, so this list may be truncated.
Modifies system executable filetype association (2 TTPs, 3 IoCs)
Reimage.exe issued "Key created" on the ShimLayer Property Page handler key of each of:
- \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page
- \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\PropertySheetHandlers\ShimLayer Property Page
- \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\PropertySheetHandlers\ShimLayer Property Page
These are the stock registrations of the Compatibility property sheet for .exe, .bat and .pif files; no default value and no shell\open\command was changed in this run, so the file type association itself is untouched. As with the GPExtensions keys, a create-or-open call on an existing key is logged as "Key created".
Registers COM server for autorun (1 TTP, 64 IoCs)
Values actually written, all by regsvr32.exe (7 IoCs):
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}\InprocServer32\ = "C:\\Program Files\\Reimage\\Reimage Repair\\REI_Axcontrol.dll"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}\InprocServer32\ThreadingModel = "Apartment"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32
Keys opened or created by Reimage.exe with no value written (57 IoCs). InprocServer32 (or InProcServer32) under CLSID:
{1d27f844-3a1f-4410-85ac-14651078412d}, {2C63E4EB-4CEA-41B8-919C-E947EA19A77C}, {C4BF2784-AE00-41BA-9828-9C953BD3C54A}, {00020425-0000-0000-C000-000000000046}, {37B03543-A4C8-11D2-B634-00C04F79498E}, {49638B91-48AB-48B7-A47A-7D0E75A08EDE}, {823535A0-0318-11D3-9D8E-00C04F72D980}, {1DF7D126-4050-47F0-A7CF-4C4CA9241333}, {9E797ED0-5253-4243-A9B7-BD06C58F8EF3}, {ADB880A6-D8FF-11CF-9377-00AA003B7A11}, {6BF52A52-394A-11d3-B153-00C04F79FAAA6}, {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}, {32DA2B15-CFED-11D1-B747-00C04FC2B085}, {3C4708DC-B181-46A8-8DA8-4AB0371758CD}, {7057e952-bd1b-11d1-8919-00c04fc2c836},
{8A674B4D-1F63-11D3-B64C-00C04F79498E}, {92ED88BF-879E-448F-B6B6-A385BCEB846D}, {47206204-5ECA-11D2-960F-00C04F8EE628}, {0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}, {991DA7E5-953F-435B-BE5E-B92A05EDFC42}, {AE24FDAE-03C6-11D1-8B76-0080C744F389}, {ECABB0AB-7F19-11D2-978E-0000F8757E2A}, {8872FF1B-98FA-4D7A-8D93-C9F1055F85BB}, {992cffa0-f557-101a-88ec-00dd010ccc48}, {A2E3074E-6C3D-11D3-B653-00C04F79498E}, {9193A8F9-0CBA-400E-AA97-EB4709164576}, {A0B9B497-AFBC-45AD-A8A6-9B077C40D4F2}, {CC829A2F-3365-463F-AF13-81DBB6F3A555}, {CAAFDD83-CEFC-4E3D-BA03-175F17A24F91}, {28953661-0231-41DB-8986-21FF4388EE9B},
{3050F5C8-98B5-11CF-BB82-00AA00BDCE0B}, {09799AFB-AD67-11d1-ABCD-00C04FC30936}, {0002000D-0000-0000-C000-000000000046}, {05589fa1-c356-11ce-bf01-00aa0055595a}, {A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE}, {E94137E0-92ED-4579-9251-18AF2A08CCD1}, {85BBD920-42A0-1069-A2E4-08002B30309D}, {00020423-0000-0000-C000-000000000046}, {5d08b586-343a-11d0-ad46-00c04fd8fdff}, {B0EDF163-910A-11D2-B632-00C04F79498E}, {00020420-0000-0000-c000-000000000046}, {2D2E24CB-0CD5-458F-86EA-3E6FA22C8E64}, {3050F67D-98B5-11CF-BB82-00AA00BDCE0B}, {6AD28EE1-5002-4E71-AAF7-BD077907B1A4},
{01E04581-4EEE-11d0-BFE9-00AA005B4383}, {2764BCE5-CC39-11D2-B639-00C04F79498E}, {c7b6c04a-cbb5-11d0-bb4c-00c04fc2f410}, {15D6504A-5494-499C-886C-973C9E53B9F1}, {1BE49F30-0E1B-11D3-9D8E-00C04F72D980}, {267DB0B3-55E3-4902-949B-DF8F5CEC0191}, {730f6cdc-2c86-11d2-8773-92e220524153}, {2291478C-5EE3-4BEF-AB5D-B5FF2CF58352}, {41B23C28-488E-4E5C-ACE2-BB0BBABE99E8}, {4A5869CF-929D-4040-AE03-FCAFC5B9CD42}, {73D14237-B9DB-4EFA-A6DD-84350421FB2F}
LocalServer32 under CLSID: {A5B020FD-E04B-4e67-B65A-E7DEED25B2CF}, {B43A0C1E-B63F-4691-B68F-CD807A45DA01}
The only server path written in this run is REI_Axcontrol.dll, the control that lzma.exe unpacked into Reimage Repair; the three f414c26x CLSIDs belong to the Microsoft JScript engine and only had their ThreadingModel rewritten, which is what re-registering jscript.dll does. The 57 Reimage.exe entries are opens of existing CLSIDs of built-in Windows components with nothing written, the same create-or-open pattern seen under GPExtensions, and consistent with a registry scan. 64 is the largest number of IoCs the report shows for one signature, so this list may be truncated.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Reimage.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ManufacturerIdentifier Reimage.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Reimage.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Reimage.exe
Enumerates processes with tasklist 1 TTPs 16 IoCs
pid Process
1048 tasklist.exe
2964 tasklist.exe
2456 tasklist.exe
2828 tasklist.exe
2584 tasklist.exe
2660 tasklist.exe
1868 tasklist.exe
2824 tasklist.exe
552 tasklist.exe
2084 tasklist.exe
400 tasklist.exe
1412 tasklist.exe
2144 tasklist.exe
2568 tasklist.exe
2116 tasklist.exe
2128 tasklist.exe
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate Reimage.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
pid Process
2420 ipconfig.exe
1772 ipconfig.exe
Modifies data under HKEY_USERS 51 IoCs
Modifies registry class 64 IoCs
Suspicious behavior: EnumeratesProcesses 23 IoCs
pid Process
2980 ReiGuard.exe
856 ReiGuard.exe
856 ReiGuard.exe
2980 ReiGuard.exe
856 ReiGuard.exe
2108 ReiSystem.exe
856 ReiGuard.exe
856 ReiGuard.exe
2016 Reimage.exe
2016 Reimage.exe
2016 Reimage.exe
2016 Reimage.exe
2016 Reimage.exe
2016 Reimage.exe
2016 Reimage.exe
2016 Reimage.exe
2016 Reimage.exe
856 ReiGuard.exe
856 ReiGuard.exe
856 ReiGuard.exe
856 ReiGuard.exe
856 ReiGuard.exe
856 ReiGuard.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 6 IoCs
pid Process
2516 ReimageApp.exe
2016 Reimage.exe
2516 ReimageApp.exe
2516 ReimageApp.exe
2516 ReimageApp.exe
2016 Reimage.exe
Suspicious use of SendNotifyMessage 6 IoCs
pid Process
2516 ReimageApp.exe
2016 Reimage.exe
2516 ReimageApp.exe
2516 ReimageApp.exe
2516 ReimageApp.exe
2016 Reimage.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process
2016 Reimage.exe
2016 Reimage.exe
2016 Reimage.exe
2016 Reimage.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\ReimageRepair.exe  (PID 1204)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ReimageRepair.exe"
  - Drops file in Windows directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (PID 2580)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\sqlite3.exe  (PID 2788)
      Command line: "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_trackid';"
      - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe  (PID 2440)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\sqlite3.exe  (PID 2500)
      Command line: "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_tracking';"
      - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe  (PID 2684)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\sqlite3.exe  (PID 2664)
      Command line: "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_campaign';"
      - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe  (PID 2832)
    Command line: cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\tasklist.exe  (PID 2828)
      Command line: tasklist /FI "IMAGENAME eq Reimage.exe"
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe  (PID 1712)
    Command line: cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\tasklist.exe  (PID 400)
      Command line: tasklist /FI "IMAGENAME eq avupdate.exe"
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\regsvr32.exe  (PID 536)
    Command line: regsvr32 /s "C:\Windows\system32\jscript.dll"
    - Registers COM server for autorun
    - Modifies registry class

  C:\Windows\SysWOW64\cmd.exe  (PID 928)
    Command line: cmd /C tasklist /FI "IMAGENAME eq ReimagePackage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\tasklist.exe  (PID 2116)
      Command line: tasklist /FI "IMAGENAME eq ReimagePackage.exe"
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe  (PID 3016)
    Command line: cmd /C tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\tasklist.exe  (PID 1412)
      Command line: tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe"
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe  (PID 2396)
    Command line: cmd /C tasklist /FI "IMAGENAME eq GeoProxy.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

    C:\Windows\SysWOW64\tasklist.exe  (PID 2144)
      Command line: tasklist /FI "IMAGENAME eq GeoProxy.exe"
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe  (PID 2780)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
    - Loads dropped DLL

    C:\Users\Admin\AppData\Local\Temp\sqlite3.exe  (PID 2608)
      Command line: "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_country';"
      - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe  (PID 2496)
    Command line: cmd /C tasklist /FI "IMAGENAME eq Wireshark.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

    C:\Windows\SysWOW64\tasklist.exe  (PID 2584)
      Command line: tasklist /FI "IMAGENAME eq Wireshark.exe"
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe  (PID 2512)
    Command line: cmd /C tasklist /FI "IMAGENAME eq Fiddler.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

    C:\Windows\SysWOW64\tasklist.exe  (PID 2568)
      Command line: tasklist /FI "IMAGENAME eq Fiddler.exe"
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe  (PID 2948)
    Command line: cmd /C tasklist /FI "IMAGENAME eq smsniff.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

    C:\Windows\SysWOW64\tasklist.exe  (PID 2660)
      Command line: tasklist /FI "IMAGENAME eq smsniff.exe"
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe" /GUI=http://www.reimageplus.com/GUI/GUI1974/layout.php?consumer=1&gui_branch=0&trackutil=&MinorSessionID=8aa98a68c2434fd187ed82e6aa&lang_code=en&bundle=0&loadresults=0&ShowSettings=false "/Location=C:\Users\Admin\AppData\Local\Temp\ReimageRepair.exe" /uninstallX86=TRUE /trackutil= /CookieTracking= /CookieCampaign= /EventUser=New /Update=1 /DownloaderVersion=1956 /RunSilent=false /SessionID=92527fbb-0a76-44ba-aebe-d85cdc9164f5 /IDMinorSession=8aa98a68c2434fd187ed82e6aa /pxkp=Delete /ScanSilent=0 /Close=0 /cil=DISABLED /ShowName=False /Language=1033 /GuiLang=en /AgentStatus=ENABLED /StartScan=0 /VersionInfo=versionInfo /ShowSettings=true
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Windows\SysWOW64\cmd.execmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt3⤵PID:1740
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq Reimage.exe"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1868
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt3⤵PID:664
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq avupdate.exe"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1048
-
-
-
C:\Program Files\Reimage\Reimage Repair\lzma.exe"C:\Program Files\Reimage\Reimage Repair\lzma.exe" "d" "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.lza" "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll"3⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:1856
-
-
C:\Program Files\Reimage\Reimage Repair\lzma.exe"C:\Program Files\Reimage\Reimage Repair\lzma.exe" "d" "C:\Program Files\Reimage\Reimage Repair\REI_Engine.lza" "C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll"3⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:2156
-
-
C:\Windows\SysWOW64\cmd.execmd /C tasklist /FI "IMAGENAME eq REI_avira.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt3⤵PID:1568
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq REI_avira.exe"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2084
-
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll"3⤵
- Loads dropped DLL
PID:2056 -
C:\Windows\system32\regsvr32.exe/s "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll"4⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:1700
-
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll"3⤵
- Loads dropped DLL
PID:1512 -
C:\Windows\system32\regsvr32.exe/s "C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll"4⤵
- Loads dropped DLL
PID:768
-
-
-
C:\Users\Admin\AppData\Local\Temp\nsy7300.tmp\ProtectorUpdater.exe"C:\Users\Admin\AppData\Local\Temp\nsy7300.tmp\ProtectorUpdater.exe" /S /MinorSessionID=8aa98a68c2434fd187ed82e6aa /SessionID=92527fbb-0a76-44ba-aebe-d85cdc9164f5 /TrackID= /AgentLogLocation=C:\rei\Results\Agent /CflLocation=C:\rei\cfl.rei /Install=True /DownloaderVersion=1956 /Iav=False3⤵
- Drops file in Windows directory
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\cmd.execmd /C tasklist /FI "IMAGENAME eq UniProtectorPackage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt4⤵PID:2736
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq UniProtectorPackage.exe"5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2964
-
-
-
C:\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe"C:\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe" /S /MinorSessionID=8aa98a68c2434fd187ed82e6aa /SessionID=92527fbb-0a76-44ba-aebe-d85cdc9164f5 /Install=true /UpdateOnly=default /InstallPath= /Iav=False /SessionOk=true4⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\cmd.execmd /C tasklist /FI "IMAGENAME eq ReiScanner.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt5⤵PID:2640
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq ReiScanner.exe"6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2824
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C tasklist /FI "IMAGENAME eq ReiProtectorM.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt5⤵PID:2364
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq ReiProtectorM.exe"6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:552
-
-
-
C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe"C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe" -install5⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2980
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C tasklist /FI "IMAGENAME eq ReiGuard.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt3⤵PID:2692
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq ReiGuard.exe"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2456
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C tasklist /FI "IMAGENAME eq ReimageApp.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt3⤵PID:2748
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq ReimageApp.exe"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2128
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /TN ReimageUpdater /F3⤵PID:2168
-
-
C:\Program Files\Reimage\Reimage Protector\ReimageApp.exe"C:\Program Files\Reimage\Reimage Protector\ReimageApp.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2516
-
-
C:\Program Files\Reimage\Reimage Repair\Reimage.exe"C:\Program Files\Reimage\Reimage Repair\Reimage.exe" http://www.reimageplus.com/GUI/GUI1974/layout.php?consumer=1&gui_branch=0&trackutil=&MinorSessionID=8aa98a68c2434fd187ed82e6aa&lang_code=en&bundle=0&loadresults=0&ShowSettings=false /Locale=10333⤵
- Uses Session Manager for persistence
- Enumerates connected drives
- Maps connected drives based on registry
- Modifies WinLogon
- Drops file in Windows directory
- Executes dropped EXE
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2016 -
C:\Windows\system32\ipconfig.exeipconfig /all4⤵
- Gathers network information
PID:2420
-
-
C:\Program Files\Reimage\Reimage Repair\REI_AVIRA.exe"C:\Program Files\Reimage\Reimage Repair\REI_AVIRA.exe" "C:\rei\AV"4⤵
- Executes dropped EXE
PID:776
-
-
C:\Windows\system32\ipconfig.exeC:\Windows\system32\ipconfig.exe /all4⤵
- Gathers network information
PID:1772
-
-
-
-
C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe"C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe"1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:856 -
C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe"C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2108
-
-
C:\Program Files\Reimage\Reimage Protector\ReiSystem.execommadnlinetogetexplorerhistory 3600 "C:\Users\Admin\AppData\Local\Temp\259504496_file.txt"2⤵
- Executes dropped EXE
PID:2856
-
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:320
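The FF.bat step in the tree above runs a dropped sqlite3.exe against the user's Firefox cookies.sqlite with a fixed query. The block below is an added example (not part of the sandbox report or of the installer) that replays that exact query against a constructed in-memory stand-in for the cookie table, so you can see which rows the installer actually gets back: the `like 'reimageplus.com'` clause has no wildcard, so it behaves as an equality test that is case-insensitive for ASCII, and it does not match subdomains. The column set used here (`baseDomain`, `name`, `value`, `expiry`) is an assumption; the real moz_cookies schema has more columns and has changed across Firefox releases, so check the target profile's schema before relying on the query.

```python
"""Replay of the installer's Firefox cookie query over constructed rows.
Added example; the table layout is a subset of the real moz_cookies schema."""
import sqlite3
from typing import List, Tuple

# The query exactly as it appears in the sqlite3.exe command line above.
INSTALLER_QUERY = (
    "select value, expiry from moz_cookies "
    "where baseDomain like 'reimageplus.com' and name='_country';"
)

# Constructed rows (baseDomain, name, value, expiry); not data from the run.
SAMPLE_COOKIES = [
    ("reimageplus.com",     "_country", "US",   1741000000),  # matched
    ("www.reimageplus.com", "_country", "DE",   1741000000),  # no wildcard: not matched
    ("REIMAGEPLUS.COM",     "_country", "FR",   1741000000),  # LIKE ignores ASCII case
    ("reimageplus.com",     "session",  "abcd", 1741000000),  # wrong cookie name
    ("example.com",         "_country", "GB",   1741000000),  # other site
]


def build_profile(rows) -> sqlite3.Connection:
    """In-memory stand-in for cookies.sqlite with the columns the query uses."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table moz_cookies (id integer primary key, baseDomain text, "
        "name text, value text, expiry integer)"
    )
    conn.executemany(
        "insert into moz_cookies (baseDomain, name, value, expiry) values (?, ?, ?, ?)",
        rows,
    )
    conn.commit()
    return conn


def run_installer_query(rows=SAMPLE_COOKIES) -> List[Tuple[str, int]]:
    """Rows the installer reads: (cookie value, expiry in Unix seconds)."""
    conn = build_profile(rows)
    try:
        return [tuple(r) for r in conn.execute(INSTALLER_QUERY).fetchall()]
    finally:
        conn.close()


if __name__ == "__main__":
    for value, expiry in run_installer_query():
        print(f"_country={value} expires={expiry}")
```

The `expiry` column is a Unix timestamp, so the installer learns both the stored country value and how long it was meant to be trusted; nothing else in the profile is touched by this query.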
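Several things in the process tree are worth turning into detection logic: the long run of `tasklist /FI "IMAGENAME eq ..."` probes (three of which look for the analysis tools Wireshark, Fiddler and smsniff), the silent `regsvr32 /s` registration of freshly dropped DLLs under Program Files, the sqlite read of the Firefox cookie database, and the `schtasks /Delete` of the installer's own task. The block below is an added example of rules over process-creation records, written by the editor and not derived from the sandbox's own signatures. The sample events are constructed from the command lines and PIDs shown in the tree; the `ANALYSIS_TOOLS` set contains the three names the sample probed plus a few common tools added as an assumption.

```python
"""Detection rules for the behaviours visible in the process tree above.
Added example: editor's rules over constructed process-creation records."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record: PID, image path, full command line."""
    pid: int
    image: str
    cmdline: str


# Names the sample probed for in the tree (Wireshark, Fiddler, smsniff) plus
# common analysis tools added here as an assumption; extend as needed.
ANALYSIS_TOOLS = {
    "wireshark.exe", "fiddler.exe", "smsniff.exe",
    "procmon.exe", "procexp.exe", "x64dbg.exe",
}

# tasklist /FI "IMAGENAME eq <name>": the name is quoted and may contain spaces.
_IMAGENAME_RE = re.compile(r'IMAGENAME\s+eq\s+([^"]+?)\s*"', re.IGNORECASE)
# First quoted *.dll argument on a regsvr32 command line.
_DLL_ARG_RE = re.compile(r'"([^"]+\.dll)"', re.IGNORECASE)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def tasklist_target(cmdline: str) -> Optional[str]:
    """Image name looked up by a tasklist IMAGENAME filter, lower-cased."""
    m = _IMAGENAME_RE.search(cmdline)
    return m.group(1).strip().lower() if m else None


def rule_analysis_tool_probe(ev: ProcEvent) -> Optional[str]:
    # Match tasklist.exe itself, not the cmd.exe parent carrying the same
    # string, so each probe is counted once.
    if image_name(ev.image) != "tasklist.exe":
        return None
    target = tasklist_target(ev.cmdline)
    return f"probes for analysis tool {target}" if target in ANALYSIS_TOOLS else None


def rule_regsvr32_outside_windows(ev: ProcEvent) -> Optional[str]:
    # Flags the REI_*.dll registrations; leaves jscript.dll in system32 alone.
    if image_name(ev.image) != "regsvr32.exe":
        return None
    m = _DLL_ARG_RE.search(ev.cmdline)
    if m and not m.group(1).lower().startswith("c:\\windows\\"):
        return f"regsvr32 registers DLL outside Windows: {m.group(1)}"
    return None


def rule_browser_cookie_read(ev: ProcEvent) -> Optional[str]:
    c = ev.cmdline.lower()
    return "reads Firefox cookie database with sqlite" if "cookies.sqlite" in c and "moz_cookies" in c else None


def rule_schtasks_delete(ev: ProcEvent) -> Optional[str]:
    if image_name(ev.image) == "schtasks.exe" and "/delete" in ev.cmdline.lower():
        return "deletes a scheduled task"
    return None


RULES = [rule_analysis_tool_probe, rule_regsvr32_outside_windows,
         rule_browser_cookie_read, rule_schtasks_delete]


def analyze(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """(pid, finding) for every rule that fires, in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg is not None:
                findings.append((ev.pid, msg))
    return findings


def probed_images(events: List[ProcEvent]) -> List[str]:
    """Every image name the sample checked for with tasklist, first-seen order."""
    seen: List[str] = []
    for ev in events:
        if image_name(ev.image) == "tasklist.exe":
            t = tasklist_target(ev.cmdline)
            if t and t not in seen:
                seen.append(t)
    return seen


# Constructed from the command lines and PIDs in the tree above.
SAMPLE_EVENTS = [
    ProcEvent(2832, r"C:\Windows\SysWOW64\cmd.exe", r'cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt'),
    ProcEvent(2828, r"C:\Windows\SysWOW64\tasklist.exe", 'tasklist /FI "IMAGENAME eq Reimage.exe"'),
    ProcEvent(536, r"C:\Windows\system32\regsvr32.exe", r'regsvr32 /s "C:\Windows\system32\jscript.dll"'),
    ProcEvent(1412, r"C:\Windows\SysWOW64\tasklist.exe", 'tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe"'),
    ProcEvent(2608, r"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe", r'''"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_country';"'''),
    ProcEvent(2584, r"C:\Windows\SysWOW64\tasklist.exe", 'tasklist /FI "IMAGENAME eq Wireshark.exe"'),
    ProcEvent(2568, r"C:\Windows\SysWOW64\tasklist.exe", 'tasklist /FI "IMAGENAME eq Fiddler.exe"'),
    ProcEvent(2660, r"C:\Windows\SysWOW64\tasklist.exe", 'tasklist /FI "IMAGENAME eq smsniff.exe"'),
    ProcEvent(1700, r"C:\Windows\system32\regsvr32.exe", r'/s "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll"'),
    ProcEvent(2168, r"C:\Windows\SysWOW64\schtasks.exe", "schtasks /Delete /TN ReimageUpdater /F"),
]

if __name__ == "__main__":
    for pid, msg in analyze(SAMPLE_EVENTS):
        print(pid, msg)
    print("probed:", probed_images(SAMPLE_EVENTS))
```

The probes for its own components (Reimage.exe, avupdate.exe, ReimagePackage.exe) and for HMA! Pro VPN and GeoProxy are ordinary installer housekeeping and are deliberately not flagged; `probed_images` keeps the full list so an analyst can still see the whole discovery sequence, which is what ties the three analysis-tool checks to sandbox evasion rather than to a single noisy rule.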
Network
MITRE ATT&CK Enterprise v15 (number of matching signatures in parentheses)
Persistence
- Boot or Logon Autostart Execution, T1547 (4)
  - Registry Run Keys / Startup Folder, T1547.001 (3)
  - Winlogon Helper DLL, T1547.004 (1)
- Event Triggered Execution, T1546 (1)
  - Change Default File Association, T1546.001 (1)
Privilege Escalation
- Boot or Logon Autostart Execution, T1547 (4)
  - Registry Run Keys / Startup Folder, T1547.001 (3)
  - Winlogon Helper DLL, T1547.004 (1)
- Event Triggered Execution, T1546 (1)
  - Change Default File Association, T1546.001 (1)
Defense Evasion
- Modify Registry, T1112 (6)
- Subvert Trust Controls, T1553 (1)
  - Install Root Certificate, T1553.004 (1)
Downloads
- Filesize: 99KB
  MD5: a59ab79ec748d1da70e326b49b8aa820
  SHA1: 145d254525c6b41251733953e3d4e00e3370f0fd
  SHA256: 871361690289c50c81a6e38c28914121adceab3ff0ba93d043f1cc4e59635955
  SHA512: 5cd4fdfe9e20151313814551a36ab0aab8881fc1b12b5c41e0ccd64d6f4980e908b3493efd569964ce63290853785c10b151285ab19b37c7d3a411b5461275b9
- Filesize: 572KB
  MD5: f5af9d859c9a031ab6bea66048fab6e1
  SHA1: d0ee45d3534cc23cbd0d7c3765203ed926a7eb0a
  SHA256: 4efd1bc1bdc12da1bbdc597cf3f37f0c65e582f42e353cf781ac1fe422dfa68c
  SHA512: c771c3e7ef88116168b9e3e0d0e4dbb2f2ad03dec0a87b9d3427faf7edb0a2510bb80dcb57b50fb6bcb9f683f23d876f35dc91a85006973bdb3fec41d51145a5
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C3948BE6E525B8A8CEE9FAC91C9E392_F70553637B9F26717122C4DAFA3ADB11
  Filesize: 5B
  MD5: 5bfa51f3a417b98e7443eca90fc94703
  SHA1: 8c015d80b8a23f780bdd215dc842b0f5551f63bd
  SHA256: bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
  SHA512: 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399
- Filesize: 67KB
  MD5: 753df6889fd7410a2e9fe333da83a429
  SHA1: 3c425f16e8267186061dd48ac1c77c122962456e
  SHA256: b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
  SHA512: 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSAB58HZ\scan_agent_events[1].htm
  Filesize: 2B
  MD5: 444bcb3a3fcf8389296c49467f27e1d6
  SHA1: 7a85f4764bbd6daf1c3545efbbf0f279a6dc0beb
  SHA256: 2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df
  SHA512: 9fbbbb5a0f329f9782e2356fa41d89cf9b3694327c1a934d6af2a9df2d7f936ce83717fb513196a4ce5548471708cd7134c2ae99b3c357bcabb2eafc7b9b7570
- Filesize: 2B
  MD5: 6bb61e3b7bce0931da574d19d1d82c88
  SHA1: 7984b0a0e139cabadb5afc7756d473fb34d23819
  SHA256: 1bad6b8cf97131fceab8543e81f7757195fbb1d36b376ee994ad1cf17699c464
  SHA512: 4fcdd8c15addb15f1e994008677c740848168cd8d32e92d44301ea12b37a93fbd9f0a0468d04789e1f387b395509bd3b998e8aad5e02dd2625f0aac661fb1100
- Filesize: 64B
  MD5: dea052a2ad11945b1960577c0192f2eb
  SHA1: 1d02626a05a546a90c05902b2551f32c20eb3708
  SHA256: 943b315e065238b7073b033f534ef954b6b6461fb3f03a3f5b8555b11bc4c0a2
  SHA512: 5496b10e2a77aee11055d71bdaaed835df1770e85fa4d0f9433330470bbcf76c932c04778a0b47f4193eee14813db2e2b19ecc50b4a6a193faa19b4019705917
- Filesize: 175KB
  MD5: dd73cead4b93366cf3465c8cd32e2796
  SHA1: 74546226dfe9ceb8184651e920d1dbfb432b314e
  SHA256: a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
  SHA512: ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63
- Filesize: 971KB
  MD5: 41b797743d2d08233b680501b086d669
  SHA1: e19aaa402c3e6fedbf4f8cfd0256b537cb001ca5
  SHA256: 5805c8a496c13e9085f624a9c4f20188587d7b13d9c3e5f79f0f78367df74cf5
  SHA512: 13fbcc4d53c65ce1b09fb6fa088824384659a9d4bcf1713ce8c75caa08a0f3df9e14061d42f4696608547b326a6fd1ef18fa92cbd3e3016559630d2e57358b80
- Filesize: 249B
  MD5: b819d012eb62123d43dd13eca9c231cf
  SHA1: d4957748b8ba27f531630e8eccd024710d7d9858
  SHA256: 0cbd3627879e5e28b0f8606407fd4a5645d3ec3bc6fd16bd63517e84103d4d42
  SHA512: 72b581371a22e9f6cd3b4b0ce0d655f24bbf194fc9a0ad6beb0c534fe3e7938ed812271fc54db9efbf49873749e88b0ad1fcc059c195249258137dd27d33327a
- Filesize: 8KB
  MD5: 65d017ba65785b43720de6c9979a2e8c
  SHA1: 0aed2846e1b338077bae5a7f756c345a5c90d8a9
  SHA256: ccc6aaf1071d9077475b574d9bf1fc23de40a06547fc90cf4255a44d3bf631ac
  SHA512: 31a19105892d5a9b49eb81a90a2330c342a5504fa4940b99a12279a63e1a19ee5d4b257d0900794ff7021a09408995a5d12e95cc38f09cf12fb2fd860d205c95
- Filesize: 248B
  MD5: fc8ed9f50a0f7d7490db0bb8d14dbc7a
  SHA1: 2c0f7e869e4f4555190cdddd13dfd83852814fc8
  SHA256: 5d93a26beb5167a3e761430199e911c55722a56b03024e6c80da90e08bf2451c
  SHA512: 0a89be1ab5ca355600fd451c3f25d315f3eda6d76087c1c7b6812ebdecb1b117d59ed57d0a3250e5f39ad0503649ecb0b46a69035d68e43aadedaea3d6d80214
- Filesize: 249B
  MD5: 2e9499e7c50e9ed2b2738f032cbf512a
  SHA1: 9744c8849b3354a3705f223b3c898bebf4855fd8
  SHA256: 9973d60ff93fc4146805fc0615790f2fca716bcee910229c5eff3b8b141625cb
  SHA512: 523e81185c07d3520a3f92bf94f443aa9f5dc9b93ebb06ddff8fe5968a2d19813e2eee132076b739d1c835b373f26be9dd4b4700a2f580380fa2771bf2a9d6fa
- Filesize: 248B
  MD5: faaa2d72fb1a5ac069cc6a78a780996d
  SHA1: 5408b7f25cb4ab2de48668c67f3f9ef73df714d9
  SHA256: 9fd783ac9b27682d25c91fbf824840cca7ced32aaa1aeebc32a86d321d5ee7e8
  SHA512: e7d55738df81d99833d5084cebd681ebf8b35bf921b4127995cf5c963873934b7ce769f97f5ade2e063d9959117db84d9e425f3feae82097b28cf3f7c1f6b491
- Filesize: 156KB
  MD5: 4c373143ee342a75b469e0748049cd24
  SHA1: d4e0e5155e78b99ec9459136acece2364bc2e935
  SHA256: b4b5772a893e56aa5382aa3f0fef7837fa471e3b3e46db70b8bc702f2037e589
  SHA512: 569f92c3ff9a6e105cf9b3806d8b696442a5679dfa5d7c9362b0649a67cbea2478ca28a5da6c3bd0edacdb634509d8584c6959a4cc13c38d596458f372832f61
- Filesize: 150KB
  MD5: 68436d57a2d46cbc9302b1925359e054
  SHA1: c89d42a4cd24e77745e1dfbd7deb9a1d4ec42636
  SHA256: d8ea979f58825c0e2f4c7b1a0ea0effc1570e580ca30cb15c92d38041f14d563
  SHA512: 42e70d0215771659142cbe1213704f41e39e9eff72d39a692c213baeeeb6cbaef31c4803da607f8114a22b1c99b2d44038ff3fa6b7507f88c74354d678a296b6
- Filesize: 83KB
  MD5: ae1a4753df5fc34780602bcac675a8a5
  SHA1: 3e30c7bbbb25d6b4141fe405fc7862e04868b220
  SHA256: e7e5bbfd8c8ad303753ecfda840180b586c336e4ab5aacc6b0adea1c3ef0188a
  SHA512: b70920c7fe7938fc56badc133a175c80684d0041b1980c0941cfe3781e568a9aaa611670395b0bd7786e5309eb9bfbef5a5f90d9b0b4cdc00aac31c9037fda83
- Filesize: 39KB
  MD5: 3f1be1321461c7b7a3b4322391c818f0
  SHA1: f59b7a1e65f60a446f4355e22f0a10bddec3d21b
  SHA256: 3d7a8cf88fbed3417ff7bf998188f830c2f52da4e9a36da3edb438310ad1b1cd
  SHA512: 2f11c28694746ad8dcbd1e04988d682152986f81959a425aab542483872aa5e30eadb36af0838f5301867279687b2c4b6417bd4b93053dcab6a13b6802164bb7
- Filesize: 2KB
  MD5: 8f3df5875ccd9d1982a6d65c0d3e06c9
  SHA1: 8fefd15ed67d03a95e329f4e18477ae5ae9b023d
  SHA256: 64f2dd5e4f25b2a45056257af5a9061e7f34907f9345e6ba85b7a47ae58c009a
  SHA512: e58f7b0870540b9207a304cd66fe44ecfbd42292446aa213fa3be6795eeba463a664366a9ccd642b615d74984e5ab91b06a3929a435f9aebed898a95ecd48089
- Filesize: 456KB
  MD5: faef76863191994d3847c36e82df2651
  SHA1: c56c0dc42a6ff1ae608b252f041516109cc596a6
  SHA256: 2c68d772545e6d0ff79a2111014af0c6cc2594094c83171cb8dd5ab1b3cd9534
  SHA512: 2de28071b3b76df0fa9b4a82ebe4915c19fcbc61a447b3322f6c3d00927a9977aff6e2426fb2d17a611926c3a3d49845dead336b241079cf501715a68506100a
- Filesize: 111B
  MD5: e2f6bb39b26af24c8fc2fd5e8a9a2a8c
  SHA1: cf9d831cc0cb17e5e958db8082cbfb8d8d0a3389
  SHA256: f12b9e4d97fdb2f0159f90b857378a710ec8a7886703a889e57bd9396874e886
  SHA512: 431c7543e88a2f98a123faa2647f5f30b736fb74026e395d83fd680d80233b5eac2aad73018e73a4aefaa692e55b3e01686faa5f8901f15e6814eca5c03000fc
- Filesize: 140B
  MD5: 2a27124b22320b5fc07e3a9a554b19e9
  SHA1: 9e87e4c1d67114061de140ae88a7a8cbd2480bc1
  SHA256: 8eda3993e65e7bf94d386666d74f42313154287ecbade2cbed82e37c2771a52f
  SHA512: 0911014c5e7bd4e68d482e50a2fdb47656b5b25d805ae0479237a4fffc22bfe3cde455e8cbb2a15aa80d2edfadd8ed0bc58f307b3d8feb203749a98c45b791fb
- Filesize: 29KB
  MD5: d59a6b36c5a94916241a3ead50222b6f
  SHA1: e274e9486d318c383bc4b9812844ba56f0cff3c6
  SHA256: a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53
  SHA512: 17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489
- Filesize: 130KB
  MD5: a831d2cb4f4e6bbcc112b6c80820a703
  SHA1: 2c9ee8569cd984625031df80da228ba160fe7a26
  SHA256: 04561c6bbeaa4efbbf967c9eeb76bbc3363b3a8a6668c30e859c1518ebb2eeab
  SHA512: ec91238aeb22979778ad6aa05f235450c2a9bf82005c6a77e61fac8113785c92374e87737cf2429801d720a3a045ac17cc3a04e6de1b24cc6f696920eceebdf9
- Filesize: 10KB
  MD5: f9d4e6196647798736c0a710997a9d21
  SHA1: c1cbb1aa78644082d92fa902c8c25ae2e8477f5a
  SHA256: b713bc5221e03c4d7eb25b5f15ef0ca3378fbc814924057d872ab5da95a49046
  SHA512: 8a92ad6fbea9876b0ccfde9e5851e9025d022c8ce2de3e1b7fa3652c0f7438123f666771377765db3f1f975284d0881501f80e6f79c42eb65ab2ca17d5a5cedc
- Filesize: 260KB
  MD5: 295d51f9f9c237f2a1d0e377232e730a
  SHA1: 8bb64aebff50c66197051eac40526bff13ad3fd1
  SHA256: 7b19042dbfc6a162be0dcf5bbc5f32be73183e145f7670284c11ca040aafe71c
  SHA512: b46074708b21a236eafe668ab768523d724d18b70e899207f23f3574203cb9d97f599743a6e3d2c9005204e600cb8ec16464d08a7d66f55b43147cb22a745bde
- Filesize: 4KB
  MD5: 4b8fb7fefdfc8bb126d84c55d5b0ef53
  SHA1: 2b3f39e293d14a16cd3d743bfde36e26ec0f0566
  SHA256: d4b1c71a7c1739a49970f17ab5c89859c8c4cef4bf5154cf8d56200f2dc18933
  SHA512: 4bfc09b38975aae71fc16e4509d637ec9dc3f4696fb63ab0171d7d3e38fecb0ffe9ac086be6108940551597e19a765ea0ac94d38dd763e90ded0929f52fb551b
- Filesize: 194B
  MD5: 00148a62d1606c4af2a94af2d2e94f8f
  SHA1: 51fa900f1d7ed884efef0a2dc69873c856f4de88
  SHA256: dd6ed530fc37a31d60f39ef0d99b6ee40437f406bcce828609c872321df521cf
  SHA512: 6ebf958fabd8448bb694e115a7f6bb4dabb173f13c9dcd22b818afff8beba1f3ba443c773f72d381afb7e0971c2f91ba0f1fb2b876576e4ef96c8e5b97213b24
- Filesize: 196B
  MD5: 5385c31eeb5388b455dfa38ad6fb2909
  SHA1: dbddff0dd3eae172aa22cdb0653dd3d054264cc8
  SHA256: 7add2eb41b01b026c15a5abf5f6a9eb898f3c88d13eeedd0538ea0adf87cd9c2
  SHA512: e87f4236e92229497e443912f35e95065f8da78fe63c0678785ca5d45d0b14dc1738b36e523538d4fcb64410583acc3ac4dcf942821088593ef1dd4ed2c4d11e
- Filesize: 12.3MB
  MD5: 0cf8715cbdee01676d24f4f78c7b431f
  SHA1: 74989063fd05ffb28d0d705c583c2c6b1e9aef99
  SHA256: 4de22f65551da53a761b1e9049abfcfdeddb4f36dfd50503f4ac45a0e4f972a4
  SHA512: 248e107e97b2c1c1172abcadffee1497fbf8f75a0b343d983cf13410c2c74c6a7bd23f5d5ece32e76b2521b0a1543f4f6b62a4e8e407ba27ce722e2290976327
- Filesize: 3KB
  MD5: e264d0f91103758bc5b088e8547e0ec1
  SHA1: 24a94ff59668d18b908c78afd2a9563de2819680
  SHA256: 501b5935fe8e17516b324e3c1da89773e689359c12263e9782f95836dbab8b63
  SHA512: a533278355defd265ef713d4169f06066be41dd60b0e7ed5340454c40aabc47afa47c5ce4c0dbcd6cb8380e2b25dbb1762c3c996d11ac9f70ab9763182850205
- Filesize: 44KB
  MD5: 0f96d9eb959ad4e8fd205e6d58cf01b8
  SHA1: 7c45512cbdb24216afd23a9e8cdce0cfeaa7660f
  SHA256: 57ede354532937e38c4ae9da3710ee295705ea9770c402dfb3a5c56a32fd4314
  SHA512: 9f3afb61d75ac7b7dc84abcbf1b04f759b7055992d46140dc5dcc269aed22268d044ee8030f5ea260bbb912774e5bbb751560c16e54efa99c700b9fc7d48832c
- Filesize: 11KB
  MD5: bf712f32249029466fa86756f5546950
  SHA1: 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
  SHA256: 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
  SHA512: 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4
- Filesize: 4KB
  MD5: c7ce0e47c83525983fd2c4c9566b4aad
  SHA1: 38b7ad7bb32ffae35540fce373b8a671878dc54e
  SHA256: 6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae
  SHA512: ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e
- Filesize: 31KB
  MD5: 5da9df435ff20853a2c45026e7681cef
  SHA1: 39b1d70a7a03e7c791cb21a53d82fd949706a4b4
  SHA256: 9c52c74b8e115db0bde90f56382ebcc12aff05eb2232f80a4701e957e09635e2
  SHA512: 4ab3b1572485a8a11863adada2c6ec01e809a4b09f99d80903c79a95b91f299b8f2cd6cceaa915567e155a46291a33fb8ccb95141d76d4e7b0e040890d51d09f
- Filesize: 9KB
  MD5: 4ccc4a742d4423f2f0ed744fd9c81f63
  SHA1: 704f00a1acc327fd879cf75fc90d0b8f927c36bc
  SHA256: 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6
  SHA512: 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb
- Filesize: 6KB
  MD5: 132e6153717a7f9710dcea4536f364cd
  SHA1: e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
  SHA256: d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
  SHA512: 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1
- Filesize: 24KB
  MD5: 2b7007ed0262ca02ef69d8990815cbeb
  SHA1: 2eabe4f755213666dbbbde024a5235ddde02b47f
  SHA256: 0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d
  SHA512: aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca
- Filesize: 10KB
  MD5: 867af9bea8b24c78736bf8d0fdb5a78e
  SHA1: 05839fad98aa2bcd9f6ecb22de4816e0c75bf97d
  SHA256: 732164fb36f46dd23dafb6d7621531e70f1f81e2967b3053727ec7b5492d0ae9
  SHA512: b7f54d52ff08b29a04b4f5887e6e3ae0e74fa45a86e55e0a4d362bc3603426c42c1d6a0b2fc2ef574bec0f6c7152de756ff48415e37ae6a7a9c296303562df4b
- Filesize: 182KB
  MD5: ebce8f5e440e0be57665e1e58dfb7425
  SHA1: 573dc1abd2b03512f390f569058fd2cf1d02ce91
  SHA256: d1aaacc0aaf477b6b9f084697adcb444fc2333b32e8d99d224dca89516e762a7
  SHA512: 4786c9124973b6543d7291047d4c4a06c05282a3766212dbd3b8ce9b9560afddca20c491f791db2258c14ab767d5d3f480daa4706492949eae2ceb4a35aaef85
- Filesize: 477KB
  MD5: 91cdcea4be94624e198d3012f5442584
  SHA1: fab4043494e4bb02efbaf72bcca86c01992d765c
  SHA256: ca4c0f1ec0ccbc9988ea3f43ff73fe84228ffb4d76baddc386051dffe7ddd8c2
  SHA512: 74edd1e31517acaf4d367521df84e17bda0a60743852076bc2edbd9e634c810fb98a06b29562237dfd61fb98fec0e379c3ce5a86b361ed0f2594d10c1a93c11e