Resubmissions

02/03/2024, 23:20

240302-3bewdaac5s 8

02/03/2024, 22:47

240302-2qjx7sab3w 8

Analysis

  • max time kernel
    151s
  • max time network
    167s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/03/2024, 23:20

General

  • Target

    Adware/Reimage Repair/ReimageRepair.exe

  • Size

    572KB

  • MD5

    f5af9d859c9a031ab6bea66048fab6e1

  • SHA1

    d0ee45d3534cc23cbd0d7c3765203ed926a7eb0a

  • SHA256

    4efd1bc1bdc12da1bbdc597cf3f37f0c65e582f42e353cf781ac1fe422dfa68c

  • SHA512

    c771c3e7ef88116168b9e3e0d0e4dbb2f2ad03dec0a87b9d3427faf7edb0a2510bb80dcb57b50fb6bcb9f683f23d876f35dc91a85006973bdb3fec41d51145a5

  • SSDEEP

    12288:YEsvcQmY4ZHUDRHjYMCVdjQooYddMoAnUM22FT4i8BdK:Y30Q0HCFcXFRdyUKF

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Downloads MZ/PE file
  • Drops file in Program Files directory 32 IoCs
  • Drops file in Windows directory 4 IoCs
  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 64 IoCs
  • Registers COM server for autorun 1 TTPs 22 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 14 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
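Two of the behaviours in the list above are the ones worth turning into telemetry checks: `tasklist /FI "IMAGENAME eq <tool>"` aimed at analysis tools (Wireshark, Fiddler, smsniff appear in the process tree) and a SQLite client dropped into Temp and pointed at a browser cookie store. The checks below are an added example, not code from the sandbox report or from Reimage. Event field names follow Sysmon Event ID 1 (Image, CommandLine, ProcessId), the sample events are constructed from the command lines in this report, and the analysis-tool list is an assumption to extend locally.

```python
"""Checks for the two behaviours in the signature list that matter most for detection:
a tasklist IMAGENAME filter aimed at analysis tools, and a dropped SQLite client reading
a browser cookie store. Added example, not code from the sandbox report or from Reimage.
Event field names follow Sysmon Event ID 1 (Image, CommandLine, ProcessId); the sample
events are constructed from the command lines shown in this report."""
import re
from typing import Optional

# Tools an installer has no reason to look for. This set is an assumption for the example;
# extend it from your own environment (the report shows the first three being probed).
ANALYSIS_TOOLS = {"wireshark.exe", "fiddler.exe", "smsniff.exe", "procmon.exe", "x64dbg.exe"}

# tasklist /FI "IMAGENAME eq <name>", the form used throughout the report's process tree.
TASKLIST_FILTER = re.compile(r'tasklist(?:\.exe)?\s+/FI\s+"IMAGENAME\s+eq\s+([^"]+)"', re.IGNORECASE)

# Firefox cookies.sqlite as in the report; the bare "Cookies" file name (Chromium-family
# browsers) is an added assumption for breadth.
COOKIE_STORE = re.compile(r'\\(?:cookies\.sqlite|Cookies)(?=["\s]|$)', re.IGNORECASE)

# A SQLite client started from a user-writable profile directory is the suspicious part;
# the same query from an installed tool under Program Files is not flagged here.
USER_WRITABLE = re.compile(r'^[A-Za-z]:\\Users\\[^\\]+\\AppData\\')


def analysis_tool_probe(cmdline: str) -> Optional[str]:
    """Return the probed image name (lower-cased) when a tasklist filter targets a known
    analysis tool; None for no filter or for the vendor's own process names."""
    m = TASKLIST_FILTER.search(cmdline)
    if m is None:
        return None
    target = m.group(1).strip().lower()
    return target if target in ANALYSIS_TOOLS else None


def cookie_store_access(image: str, cmdline: str) -> bool:
    """True when a binary running from AppData names a browser cookie database on its command line."""
    return USER_WRITABLE.match(image) is not None and COOKIE_STORE.search(cmdline) is not None


def triage(events):
    """Apply both checks to process-creation events; return (rule, pid, detail) tuples in event order."""
    hits = []
    for ev in events:
        tool = analysis_tool_probe(ev["CommandLine"])
        if tool is not None:
            hits.append(("analysis_tool_probe", ev["ProcessId"], tool))
        if cookie_store_access(ev["Image"], ev["CommandLine"]):
            hits.append(("cookie_store_access", ev["ProcessId"], ev["Image"]))
    return hits


# Constructed events modelled on the report's process tree (PIDs taken from the report).
SAMPLE_EVENTS = [
    {"ProcessId": 1520, "Image": r"C:\Windows\SysWOW64\tasklist.exe",
     "CommandLine": 'tasklist /FI "IMAGENAME eq Wireshark.exe"'},
    {"ProcessId": 2868, "Image": r"C:\Windows\SysWOW64\tasklist.exe",
     "CommandLine": 'tasklist /FI "IMAGENAME eq Fiddler.exe"'},
    # The installer also checks for its own components; that is noise, not an anti-analysis signal.
    {"ProcessId": 2664, "Image": r"C:\Windows\SysWOW64\tasklist.exe",
     "CommandLine": 'tasklist /FI "IMAGENAME eq Reimage.exe"'},
    {"ProcessId": 2784, "Image": r"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" '
                    r'"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bm46du9w.Admin\cookies.sqlite" '
                    "\"select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_trackid';\""},
    # Benign control (constructed): an installed SQLite CLI querying an unrelated database.
    {"ProcessId": 4100, "Image": r"C:\Program Files\SQLite\sqlite3.exe",
     "CommandLine": r'"C:\Program Files\SQLite\sqlite3.exe" "C:\data\app.db" "select 1;"'},
]

if __name__ == "__main__":
    for rule, pid, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}\tPID {pid}\t{detail}")
```

The probe check deliberately ignores the vendor's own image names (Reimage.exe, avupdate.exe, ReimagePackage.exe and so on): an installer checking whether its own components are running is normal, while a filter naming a packet capture or debugging tool is not. The cookie-store check keys on where the SQLite client runs from, since the report's sqlite3.exe is a dropped binary in Temp, not an installed tool.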

Processes

  • C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe
    "C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe"
    1⤵
    • Drops file in Windows directory
    • Loads dropped DLL
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
        "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bm46du9w.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_trackid';"
        3⤵
        • Executes dropped EXE
        PID:2784
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2460
      • C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
        "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bm46du9w.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_tracking';"
        3⤵
        • Executes dropped EXE
        PID:2912
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:468
      • C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
        "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bm46du9w.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_campaign';"
        3⤵
        • Executes dropped EXE
        PID:332
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2652
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /FI "IMAGENAME eq Reimage.exe"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2664
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1260
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /FI "IMAGENAME eq avupdate.exe"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:1816
    • C:\Windows\system32\regsvr32.exe
      regsvr32 /s "C:\Windows\system32\jscript.dll"
      2⤵
      • Registers COM server for autorun
      • Modifies registry class
      PID:3044
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C tasklist /FI "IMAGENAME eq ReimagePackage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2520
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /FI "IMAGENAME eq ReimagePackage.exe"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2204
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2628
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2000
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C tasklist /FI "IMAGENAME eq GeoProxy.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
      2⤵
      PID:2316
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /FI "IMAGENAME eq GeoProxy.exe"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:1492
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
      2⤵
      • Loads dropped DLL
      PID:760
      • C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
        "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bm46du9w.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_country';"
        3⤵
        • Executes dropped EXE
        PID:2100
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C tasklist /FI "IMAGENAME eq Wireshark.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
      2⤵
      PID:2800
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /FI "IMAGENAME eq Wireshark.exe"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:1520
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C tasklist /FI "IMAGENAME eq Fiddler.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
      2⤵
      PID:2848
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /FI "IMAGENAME eq Fiddler.exe"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2868
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C tasklist /FI "IMAGENAME eq smsniff.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
      2⤵
      PID:1060
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /FI "IMAGENAME eq smsniff.exe"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2112
    • C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe
      "C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe" /GUI=http://www.reimageplus.com/GUI/GUI1974/layout.php?consumer=1&gui_branch=0&trackutil=&MinorSessionID=2bc95b172cfb49cb8445165272&lang_code=en&bundle=0&loadresults=0&ShowSettings=false "/Location=C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe" /uninstallX86=TRUE /trackutil= /CookieTracking= /CookieCampaign= /EventUser=New /Update=1 /DownloaderVersion=1956 /RunSilent=false /SessionID=7797b2bf-2a5f-4d94-909f-f8f44d57ade9 /IDMinorSession=2bc95b172cfb49cb8445165272 /pxkp=Delete /ScanSilent=0 /Close=0 /cil=DISABLED /ShowName=False /Language=1033 /GuiLang=en /AgentStatus=ENABLED /StartScan=0 /VersionInfo=versionInfo /ShowSettings=true
      2⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Loads dropped DLL
      PID:780
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
        3⤵
        PID:1116
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist /FI "IMAGENAME eq Reimage.exe"
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:3036
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
        3⤵
        PID:2820
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist /FI "IMAGENAME eq avupdate.exe"
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2212
      • C:\Program Files\Reimage\Reimage Repair\lzma.exe
        "C:\Program Files\Reimage\Reimage Repair\lzma.exe" "d" "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.lza" "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll"
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        PID:2556
      • C:\Program Files\Reimage\Reimage Repair\lzma.exe
        "C:\Program Files\Reimage\Reimage Repair\lzma.exe" "d" "C:\Program Files\Reimage\Reimage Repair\REI_Engine.lza" "C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll"
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        PID:2560
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C tasklist /FI "IMAGENAME eq REI_avira.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
        3⤵
        PID:2436
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist /FI "IMAGENAME eq REI_avira.exe"
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2696
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32 /s "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll"
        3⤵
        • Loads dropped DLL
        PID:468
        • C:\Windows\system32\regsvr32.exe
          /s "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll"
          4⤵
          • Loads dropped DLL
          • Registers COM server for autorun
          • Modifies registry class
          PID:1336
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32 /s "C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll"
        3⤵
        • Loads dropped DLL
        PID:948
        • C:\Windows\system32\regsvr32.exe
          /s "C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll"
          4⤵
          • Loads dropped DLL
          PID:2720
      • C:\Users\Admin\AppData\Local\Temp\nsu8336.tmp\ProtectorUpdater.exe
        "C:\Users\Admin\AppData\Local\Temp\nsu8336.tmp\ProtectorUpdater.exe" /S /MinorSessionID=2bc95b172cfb49cb8445165272 /SessionID=7797b2bf-2a5f-4d94-909f-f8f44d57ade9 /TrackID= /AgentLogLocation=C:\rei\Results\Agent /CflLocation=C:\rei\cfl.rei /Install=True /DownloaderVersion=1956 /Iav=False
        3⤵
        • Drops file in Windows directory
        • Executes dropped EXE
        PID:2488
        • C:\Windows\SysWOW64\cmd.exe
          cmd /C tasklist /FI "IMAGENAME eq UniProtectorPackage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
          4⤵
          PID:1552
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /FI "IMAGENAME eq UniProtectorPackage.exe"
            5⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:2088
        • C:\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe
          "C:\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe" /S /MinorSessionID=2bc95b172cfb49cb8445165272 /SessionID=7797b2bf-2a5f-4d94-909f-f8f44d57ade9 /Install=true /UpdateOnly=default /InstallPath= /Iav=False /SessionOk=true
          4⤵
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Executes dropped EXE
          PID:1148
          • C:\Windows\SysWOW64\cmd.exe
            cmd /C tasklist /FI "IMAGENAME eq ReiScanner.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
            5⤵
            PID:1032
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist /FI "IMAGENAME eq ReiScanner.exe"
              6⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:952
          • C:\Windows\SysWOW64\cmd.exe
            cmd /C tasklist /FI "IMAGENAME eq ReiProtectorM.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
            5⤵
            PID:2156
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist /FI "IMAGENAME eq ReiProtectorM.exe"
              6⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:1744
          • C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe
            "C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe" -install
            5⤵
            • Executes dropped EXE
            PID:2992
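What the FF.bat step in the tree above actually reads, as an added example that is not the installer's code: the query shown in the sqlite3 command lines, run against a constructed stand-in for a Firefox profile's cookies.sqlite. The table models only the columns the query names (baseDomain, name, value, expiry) plus host; a real profile carries more columns and, depending on the Firefox schema version, may not have a baseDomain column at all, so nothing here is a claim about current Firefox builds. The cookie values and expiry are made up.

```python
"""Reproduces the sqlite3 step the report's FF.bat performs, against a constructed
stand-in for a Firefox cookies.sqlite. Added example; not the installer's code.
The table models only the columns the query names plus host; a real profile has
more columns and, depending on Firefox schema version, may not carry baseDomain."""
import sqlite3
from datetime import datetime, timezone

# The four cookie names FF.bat looks up in four separate sqlite3 invocations.
TRACKING_COOKIES = ("_trackid", "_tracking", "_campaign", "_country")

# Same shape as the query in the process tree, with the cookie name bound as a parameter.
QUERY = ("select value, expiry from moz_cookies "
         "where baseDomain like 'reimageplus.com' and name=?;")

# Constructed expiry: 2026-01-01T00:00:00Z as Unix seconds (Firefox stores expiry that way).
EXPIRY = 1767225600


def build_sample_cookie_db() -> sqlite3.Connection:
    """In-memory moz_cookies table with constructed rows; values are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, baseDomain TEXT, "
                 "host TEXT, name TEXT, value TEXT, expiry INTEGER)")
    rows = [
        # Affiliate-tracking cookies the query is after.
        ("reimageplus.com", ".reimageplus.com", "_trackid", "TRK-0001", EXPIRY),
        ("reimageplus.com", ".reimageplus.com", "_campaign", "spring24", EXPIRY),
        # Differently cased base domain: LIKE without wildcards is ASCII case-insensitive, so it matches.
        ("ReimagePlus.com", ".reimageplus.com", "_country", "US", EXPIRY),
        # Lookalike domain: no % or _ in the pattern, so no prefix match; not returned.
        ("reimageplus.company", ".reimageplus.company", "_tracking", "lookalike", EXPIRY),
        # Unrelated site reusing a cookie name; not returned.
        ("example.org", ".example.org", "_trackid", "OTHER", EXPIRY),
    ]
    conn.executemany("INSERT INTO moz_cookies (baseDomain, host, name, value, expiry) "
                     "VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def harvest(conn: sqlite3.Connection) -> dict:
    """Run the query once per cookie name; return {name: (value, expiry as UTC ISO-8601)} for hits."""
    found = {}
    for name in TRACKING_COOKIES:
        row = conn.execute(QUERY, (name,)).fetchone()
        if row is not None:
            value, expiry = row
            found[name] = (value, datetime.fromtimestamp(expiry, tz=timezone.utc).isoformat())
    return found


if __name__ == "__main__":
    for name, (value, expires) in harvest(build_sample_cookie_db()).items():
        print(f"{name}={value} (expires {expires})")
```

Two details the sample rows bring out: with no `%` or `_` in the pattern, SQLite's LIKE is a case-insensitive (ASCII) equality test, so a differently cased base domain is returned but a lookalike domain is not; and expiry comes back as Unix seconds, which the helper converts to UTC. In the report, FF.bat runs sqlite3 once per cookie name and redirects each result into FF.txt; the loop here performs the same four lookups in one process. The cookies being read are the vendor's own affiliate-tracking cookies, which explains the `_trackid`, `_campaign` and `_country` names and the `/CookieTracking=` and `/CookieCampaign=` arguments later passed to ReimagePackage.exe.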

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Reimage\Reimage Repair\LZMA.EXE
    Filesize: 99KB
    MD5: a59ab79ec748d1da70e326b49b8aa820
    SHA1: 145d254525c6b41251733953e3d4e00e3370f0fd
    SHA256: 871361690289c50c81a6e38c28914121adceab3ff0ba93d043f1cc4e59635955
    SHA512: 5cd4fdfe9e20151313814551a36ab0aab8881fc1b12b5c41e0ccd64d6f4980e908b3493efd569964ce63290853785c10b151285ab19b37c7d3a411b5461275b9

  • C:\Program Files\Reimage\Reimage Repair\ReimageRepair.exe
    Filesize: 572KB
    MD5: f5af9d859c9a031ab6bea66048fab6e1
    SHA1: d0ee45d3534cc23cbd0d7c3765203ed926a7eb0a
    SHA256: 4efd1bc1bdc12da1bbdc597cf3f37f0c65e582f42e353cf781ac1fe422dfa68c
    SHA512: c771c3e7ef88116168b9e3e0d0e4dbb2f2ad03dec0a87b9d3427faf7edb0a2510bb80dcb57b50fb6bcb9f683f23d876f35dc91a85006973bdb3fec41d51145a5

  • C:\Users\Admin\AppData\Local\Temp\FF.bat
    Filesize: 249B
    MD5: 063463ef1054b8bbb71329bc8dc6fe97
    SHA1: a738fbf3e01b93f506a24f6ed9015b660049d704
    SHA256: 20dfa4f6b680fc72eab8f3743e971f559aa1f40b19f8c882e1a08e99ee136b01
    SHA512: 29948b563a4f83419703afd4e8f86c8fc119f1376d4e1e6c0d6b50dfbf8a65e9517f0a1bd4b52e6a08c794351838929ea83f5cac767aafaf323793a4f6e1552c

  • C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
    Filesize: 64B
    MD5: dea052a2ad11945b1960577c0192f2eb
    SHA1: 1d02626a05a546a90c05902b2551f32c20eb3708
    SHA256: 943b315e065238b7073b033f534ef954b6b6461fb3f03a3f5b8555b11bc4c0a2
    SHA512: 5496b10e2a77aee11055d71bdaaed835df1770e85fa4d0f9433330470bbcf76c932c04778a0b47f4193eee14813db2e2b19ecc50b4a6a193faa19b4019705917

  • C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe
    Filesize: 10.2MB
    MD5: 4a6256fe64fef3ae79265f9b501017bc
    SHA1: 44c677c04eba800577b524e1f36e5c1f771d7934
    SHA256: 6b132ee4e2d5b3023ab3dd9f822e6b389ec16b8235400851e295b641adcf3688
    SHA512: e4758e7ac3b3a0702b4a5ff250d9fa0b935db19877f745101a813aa18fe6ba00da655c3ce215934757aae96567fe9d7fae9e352573917ffddfe620fa011c011c

  • C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe
    Filesize: 11.3MB
    MD5: 49f56ddb7c82a44bf0e68020d5698c2f
    SHA1: 6ac4a2f5521a782cbc89af1999b96bae4b9d7f56
    SHA256: f4b604693117de3ba99c21c3b78bb82670d2696a560b259d57c1104ce971e19e
    SHA512: 4180e984fba5d91c7eec1e2d322f45d1b94a03ccae5c096268d65ccc96f5756391b106df713a87541fe3823ecd3e66146a661d7d3583c2928cbc0f6962ead5eb

  • C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe
    Filesize: 12.3MB
    MD5: 0cf8715cbdee01676d24f4f78c7b431f
    SHA1: 74989063fd05ffb28d0d705c583c2c6b1e9aef99
    SHA256: 4de22f65551da53a761b1e9049abfcfdeddb4f36dfd50503f4ac45a0e4f972a4
    SHA512: 248e107e97b2c1c1172abcadffee1497fbf8f75a0b343d983cf13410c2c74c6a7bd23f5d5ece32e76b2521b0a1543f4f6b62a4e8e407ba27ce722e2290976327

  • C:\Users\Admin\AppData\Local\Temp\cfl.rei
    Filesize: 971KB
    MD5: 41b797743d2d08233b680501b086d669
    SHA1: e19aaa402c3e6fedbf4f8cfd0256b537cb001ca5
    SHA256: 5805c8a496c13e9085f624a9c4f20188587d7b13d9c3e5f79f0f78367df74cf5
    SHA512: 13fbcc4d53c65ce1b09fb6fa088824384659a9d4bcf1713ce8c75caa08a0f3df9e14061d42f4696608547b326a6fd1ef18fa92cbd3e3016559630d2e57358b80

  • C:\Users\Admin\AppData\Local\Temp\nseC718.tmp\SimpleSC.dll
    Filesize: 39KB
    MD5: 3f1be1321461c7b7a3b4322391c818f0
    SHA1: f59b7a1e65f60a446f4355e22f0a10bddec3d21b
    SHA256: 3d7a8cf88fbed3417ff7bf998188f830c2f52da4e9a36da3edb438310ad1b1cd
    SHA512: 2f11c28694746ad8dcbd1e04988d682152986f81959a425aab542483872aa5e30eadb36af0838f5301867279687b2c4b6417bd4b93053dcab6a13b6802164bb7

  • C:\Users\Admin\AppData\Local\Temp\nsj6435.tmp
    Filesize: 248B
    MD5: 940c9b368f1bd2e03fcdfdc49588ebe4
    SHA1: ac62253b5dbfca2e51774315c6a7861756fd91dd
    SHA256: 9008c05913bdb8f583f4a7fe93eb6a800ff08d7a89cdd471ad3d4665eb70a02d
    SHA512: d0c57de7de943b96d71ad5e86dfdbf513daa3a17d2c7e44a636ac637821f25fe434c338989f9ba99f95ee3a890651f0fd69a97b186c8cb0480e1fd890a194462

  • C:\Users\Admin\AppData\Local\Temp\nsj9080.tmp
    Filesize: 248B
    MD5: 14681a17ddb9513b3e9dcc2f008c7c74
    SHA1: 126cee0694504224cf257ff6172164a3f5533ca9
    SHA256: 1861f9ee433b25be33dca4c725919aaa3e7c2e444130d12919d1bd97b596b611
    SHA512: eb3cb653abdc50949bc72702a19e947e8915480bc6f1facd346cd2969580ee3cda78951af05f9efa03ea0247d3c3d5622052594f19b514139a50b74556f7a179

  • C:\Users\Admin\AppData\Local\Temp\nst93CC.tmp
    Filesize: 249B
    MD5: 70bbe88535683439e36d91300160485c
    SHA1: 62a5fcd535c4f25b532120faf2880c5caf88cb1b
    SHA256: 52bfffd8fb36510fa123b489f82c944d45b08bda4747abd989cc0235dfa111e1
    SHA512: 1bcb05e6bf19561bba891c4aceb07b4907264d0429c4bca921792d004dca3a720822e405144cf3a2470415b168b66e8e759360ebe726a3fa638da09e05853219

  • C:\Users\Admin\AppData\Local\Temp\nsu8336.tmp\DcryptDll.dll
    Filesize: 156KB
    MD5: 4c373143ee342a75b469e0748049cd24
    SHA1: d4e0e5155e78b99ec9459136acece2364bc2e935
    SHA256: b4b5772a893e56aa5382aa3f0fef7837fa471e3b3e46db70b8bc702f2037e589
    SHA512: 569f92c3ff9a6e105cf9b3806d8b696442a5679dfa5d7c9362b0649a67cbea2478ca28a5da6c3bd0edacdb634509d8584c6959a4cc13c38d596458f372832f61

  • C:\Users\Admin\AppData\Local\Temp\nsu8336.tmp\modern-header.bmp
    Filesize: 83KB
    MD5: ae1a4753df5fc34780602bcac675a8a5
    SHA1: 3e30c7bbbb25d6b4141fe405fc7862e04868b220
    SHA256: e7e5bbfd8c8ad303753ecfda840180b586c336e4ab5aacc6b0adea1c3ef0188a
    SHA512: b70920c7fe7938fc56badc133a175c80684d0041b1980c0941cfe3781e568a9aaa611670395b0bd7786e5309eb9bfbef5a5f90d9b0b4cdc00aac31c9037fda83

  • C:\Users\Admin\AppData\Local\Temp\repair_version.xml
    Filesize: 2KB
    MD5: 8f3df5875ccd9d1982a6d65c0d3e06c9
    SHA1: 8fefd15ed67d03a95e329f4e18477ae5ae9b023d
    SHA256: 64f2dd5e4f25b2a45056257af5a9061e7f34907f9345e6ba85b7a47ae58c009a
    SHA512: e58f7b0870540b9207a304cd66fe44ecfbd42292446aa213fa3be6795eeba463a664366a9ccd642b615d74984e5ab91b06a3929a435f9aebed898a95ecd48089

  • \Users\Admin\AppData\Local\Temp\ReimagePackage.exe
    Filesize: 1.2MB
    MD5: 0c7136e12eb9468aa625105080f5c446
    SHA1: 49ce785a05046b6ea371d05ef8e6e59adfddbac9
    SHA256: 6fe1a373fe1a363cdde44e5847156598536c2563389ebacfe4f82647121f6cad
    SHA512: 274c215edb6466de1c72f65fcf3402bc4bbf7f9b7638f40e6935d645ec548b14bbbb4e30841c032f9e60ee47aac2360e01adb86346e2f564b9706d8329758b07

  • \Users\Admin\AppData\Local\Temp\nsd8F27.tmp\Banner.dll
    Filesize: 3KB
    MD5: e264d0f91103758bc5b088e8547e0ec1
    SHA1: 24a94ff59668d18b908c78afd2a9563de2819680
    SHA256: 501b5935fe8e17516b324e3c1da89773e689359c12263e9782f95836dbab8b63
    SHA512: a533278355defd265ef713d4169f06066be41dd60b0e7ed5340454c40aabc47afa47c5ce4c0dbcd6cb8380e2b25dbb1762c3c996d11ac9f70ab9763182850205

  • \Users\Admin\AppData\Local\Temp\nsd8F27.tmp\LogEx.dll
    Filesize: 44KB
    MD5: 0f96d9eb959ad4e8fd205e6d58cf01b8
    SHA1: 7c45512cbdb24216afd23a9e8cdce0cfeaa7660f
    SHA256: 57ede354532937e38c4ae9da3710ee295705ea9770c402dfb3a5c56a32fd4314
    SHA512: 9f3afb61d75ac7b7dc84abcbf1b04f759b7055992d46140dc5dcc269aed22268d044ee8030f5ea260bbb912774e5bbb751560c16e54efa99c700b9fc7d48832c

  • \Users\Admin\AppData\Local\Temp\nsd8F27.tmp\System.dll
    Filesize: 11KB
    MD5: bf712f32249029466fa86756f5546950
    SHA1: 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
    SHA256: 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
    SHA512: 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

  • \Users\Admin\AppData\Local\Temp\nsd8F27.tmp\UserInfo.dll
    Filesize: 4KB
    MD5: c7ce0e47c83525983fd2c4c9566b4aad
    SHA1: 38b7ad7bb32ffae35540fce373b8a671878dc54e
    SHA256: 6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae
    SHA512: ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

  • \Users\Admin\AppData\Local\Temp\nsd8F27.tmp\inetc.dll
    Filesize: 31KB
    MD5: 5da9df435ff20853a2c45026e7681cef
    SHA1: 39b1d70a7a03e7c791cb21a53d82fd949706a4b4
    SHA256: 9c52c74b8e115db0bde90f56382ebcc12aff05eb2232f80a4701e957e09635e2
    SHA512: 4ab3b1572485a8a11863adada2c6ec01e809a4b09f99d80903c79a95b91f299b8f2cd6cceaa915567e155a46291a33fb8ccb95141d76d4e7b0e040890d51d09f

  • \Users\Admin\AppData\Local\Temp\nsd8F27.tmp\nsDialogs.dll
    Filesize: 9KB
    MD5: 4ccc4a742d4423f2f0ed744fd9c81f63
    SHA1: 704f00a1acc327fd879cf75fc90d0b8f927c36bc
    SHA256: 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6
    SHA512: 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

  • \Users\Admin\AppData\Local\Temp\nsd8F27.tmp\nsExec.dll
    Filesize: 6KB
    MD5: 132e6153717a7f9710dcea4536f364cd
    SHA1: e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
    SHA256: d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
    SHA512: 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

  • \Users\Admin\AppData\Local\Temp\nsd8F27.tmp\registry.dll
    Filesize: 24KB
    MD5: 2b7007ed0262ca02ef69d8990815cbeb
    SHA1: 2eabe4f755213666dbbbde024a5235ddde02b47f
    SHA256: 0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d
    SHA512: aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

  • \Users\Admin\AppData\Local\Temp\nsd8F27.tmp\stack.dll
    Filesize: 10KB
    MD5: 867af9bea8b24c78736bf8d0fdb5a78e
    SHA1: 05839fad98aa2bcd9f6ecb22de4816e0c75bf97d
    SHA256: 732164fb36f46dd23dafb6d7621531e70f1f81e2967b3053727ec7b5492d0ae9
    SHA512: b7f54d52ff08b29a04b4f5887e6e3ae0e74fa45a86e55e0a4d362bc3603426c42c1d6a0b2fc2ef574bec0f6c7152de756ff48415e37ae6a7a9c296303562df4b

  • \Users\Admin\AppData\Local\Temp\nsd8F27.tmp\xml.dll
    Filesize: 182KB
    MD5: ebce8f5e440e0be57665e1e58dfb7425
    SHA1: 573dc1abd2b03512f390f569058fd2cf1d02ce91
    SHA256: d1aaacc0aaf477b6b9f084697adcb444fc2333b32e8d99d224dca89516e762a7
    SHA512: 4786c9124973b6543d7291047d4c4a06c05282a3766212dbd3b8ce9b9560afddca20c491f791db2258c14ab767d5d3f480daa4706492949eae2ceb4a35aaef85

                            • \Users\Admin\AppData\Local\Temp\sqlite3.exe

                              Filesize

                              477KB

                              MD5

                              91cdcea4be94624e198d3012f5442584

                              SHA1

                              fab4043494e4bb02efbaf72bcca86c01992d765c

                              SHA256

                              ca4c0f1ec0ccbc9988ea3f43ff73fe84228ffb4d76baddc386051dffe7ddd8c2

                              SHA512

                              74edd1e31517acaf4d367521df84e17bda0a60743852076bc2edbd9e634c810fb98a06b29562237dfd61fb98fec0e379c3ce5a86b361ed0f2594d10c1a93c11e
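The dropped-file table above is the hash IOC set this run produced. The Python below is an added example, not part of the sandbox report: it carries the MD5 and SHA256 values of the named entries (the path-less first entry and the SHA1/SHA512 columns are left out for brevity), checks that each digest is well-formed, hashes candidate files once with both algorithms and reports matches. One caveat before deploying these hashes: nsDialogs.dll, nsExec.dll, registry.dll, stack.dll and xml.dll are stock NSIS installer plugins that countless legitimate installers unpack into an ns*.tmp directory, so a match on them says little by itself; sqlite3.exe dropped into a user's Temp directory is the more distinctive artifact in this table. The `self_check` function and the benign file it writes are constructed for the demonstration.

```python
"""Hash-based IOC check for the dropped-file table above.
Added example, not part of the sandbox report; digests are copied from it,
and everything written to disk here is constructed for the demonstration."""
import hashlib
import os
import re
import tempfile

# MD5/SHA256 copied from the named dropped-file entries above (path -> digests).
DROPPED_FILES = {
    r"\Users\Admin\AppData\Local\Temp\nsd8F27.tmp\nsDialogs.dll": {
        "md5": "4ccc4a742d4423f2f0ed744fd9c81f63",
        "sha256": "416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6"},
    r"\Users\Admin\AppData\Local\Temp\nsd8F27.tmp\nsExec.dll": {
        "md5": "132e6153717a7f9710dcea4536f364cd",
        "sha256": "d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2"},
    r"\Users\Admin\AppData\Local\Temp\nsd8F27.tmp\registry.dll": {
        "md5": "2b7007ed0262ca02ef69d8990815cbeb",
        "sha256": "0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d"},
    r"\Users\Admin\AppData\Local\Temp\nsd8F27.tmp\stack.dll": {
        "md5": "867af9bea8b24c78736bf8d0fdb5a78e",
        "sha256": "732164fb36f46dd23dafb6d7621531e70f1f81e2967b3053727ec7b5492d0ae9"},
    r"\Users\Admin\AppData\Local\Temp\nsd8F27.tmp\xml.dll": {
        "md5": "ebce8f5e440e0be57665e1e58dfb7425",
        "sha256": "d1aaacc0aaf477b6b9f084697adcb444fc2333b32e8d99d224dca89516e762a7"},
    r"\Users\Admin\AppData\Local\Temp\sqlite3.exe": {
        "md5": "91cdcea4be94624e198d3012f5442584",
        "sha256": "ca4c0f1ec0ccbc9988ea3f43ff73fe84228ffb4d76baddc386051dffe7ddd8c2"},
}

HEX_LEN = {"md5": 32, "sha256": 64}  # expected hex-digit count per algorithm


def validate_iocs(table=DROPPED_FILES):
    """Return (path, algo) for every digest that is not lowercase hex of the right length.
    A dropped nibble or an O typed for a 0 is the usual reason an IOC list silently
    stops matching, so check before deploying."""
    bad = []
    for path, digests in table.items():
        for algo, want in HEX_LEN.items():
            value = digests.get(algo, "")
            if len(value) != want or not re.fullmatch(r"[0-9a-f]+", value):
                bad.append((path, algo))
    return bad


def _hash_chunks(chunks):
    # Feed every chunk to all hashers so the data is read only once.
    hs = {algo: hashlib.new(algo) for algo in HEX_LEN}
    for block in chunks:
        for h in hs.values():
            h.update(block)
    return {algo: h.hexdigest() for algo, h in hs.items()}


def digest_bytes(data):
    """Both digests of an in-memory buffer."""
    return _hash_chunks([data])


def digest_file(path, chunk=1 << 20):
    """Both digests of a file, streamed in 1 MiB chunks."""
    with open(path, "rb") as fh:
        return _hash_chunks(iter(lambda: fh.read(chunk), b""))


def build_index(table=DROPPED_FILES):
    """Invert the table to (algo, digest) -> reported path so any one algorithm can match."""
    return {(algo, value.lower()): path
            for path, digests in table.items() for algo, value in digests.items()}


def scan_directory(root, table=DROPPED_FILES):
    """Walk root; return [(local path, matching algo, reported path)] for files in the table."""
    index = build_index(table)
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            local = os.path.join(dirpath, name)
            for algo, value in digest_file(local).items():
                if (algo, value) in index:
                    hits.append((local, algo, index[(algo, value)]))
                    break  # one hit per file is enough
    return hits


def self_check():
    """Constructed check: a benign file must not match the report's table, and must
    match once its own digests are added to a copy of it.  Returns (before, after)."""
    with tempfile.TemporaryDirectory() as root:
        benign = os.path.join(root, "benign.txt")
        with open(benign, "wb") as fh:
            fh.write(b"constructed benign content, not a sample\n")
        before = scan_directory(root)
        table = dict(DROPPED_FILES)
        table["constructed-entry"] = digest_file(benign)  # hypothetical IOC row
        after = scan_directory(root, table)
    return before, after
```

Run `validate_iocs()` first; an empty list means every digest is usable. `scan_directory(path_to_triage_share)` then returns the files whose MD5 or SHA256 appears in the table, and `self_check()` exercises both the negative and the positive path on a constructed file.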

  • memory/332-93-0x0000000000400000-0x000000000047D000-memory.dmp
    Filesize 500KB

  • memory/2092-285-0x0000000004BF0000-0x0000000004BFB000-memory.dmp
    Filesize 44KB

  • memory/2092-157-0x0000000004BC0000-0x0000000004BCB000-memory.dmp
    Filesize 44KB

  • memory/2092-147-0x00000000059F0000-0x0000000005A49000-memory.dmp
    Filesize 356KB

  • memory/2092-111-0x0000000002000000-0x000000000200B000-memory.dmp
    Filesize 44KB

  • memory/2100-263-0x0000000000400000-0x000000000047D000-memory.dmp
    Filesize 500KB

  • memory/2488-459-0x00000000747F0000-0x00000000747FB000-memory.dmp
    Filesize 44KB

  • memory/2488-477-0x00000000003D0000-0x00000000003DB000-memory.dmp
    Filesize 44KB

  • memory/2784-47-0x0000000000400000-0x000000000047D000-memory.dmp
    Filesize 500KB

  • memory/2912-70-0x0000000000400000-0x000000000047D000-memory.dmp
    Filesize 500KB
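Each dump name above encodes the process ID, a sequence number and the start and end virtual addresses of the region that was dumped, so the region size can be recomputed from the name and cross-checked against the reported Filesize, and identical ranges can be grouped across processes. The Python below does exactly that; it is an added example, not part of the sandbox report, and the entry list inside it is copied from the table above. Reading the result: 0x400000-0x47D000 is the default image base range of a 32-bit PE and recurs in four processes, which suggests the same 500KB executable image mapped in each of them; that is an inference from the addresses, not something the report states.

```python
"""Cross-check the memory-dump entries above.
Added example, not part of the sandbox report; the entry list is copied from it."""
import re
from collections import defaultdict

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
PAGE = 0x1000  # regions in these reports are page-granular

# (dump name, reported Filesize) pairs copied from the table above.
REPORT_ENTRIES = [
    ("memory/332-93-0x0000000000400000-0x000000000047D000-memory.dmp", "500KB"),
    ("memory/2092-285-0x0000000004BF0000-0x0000000004BFB000-memory.dmp", "44KB"),
    ("memory/2092-157-0x0000000004BC0000-0x0000000004BCB000-memory.dmp", "44KB"),
    ("memory/2092-147-0x00000000059F0000-0x0000000005A49000-memory.dmp", "356KB"),
    ("memory/2092-111-0x0000000002000000-0x000000000200B000-memory.dmp", "44KB"),
    ("memory/2100-263-0x0000000000400000-0x000000000047D000-memory.dmp", "500KB"),
    ("memory/2488-459-0x00000000747F0000-0x00000000747FB000-memory.dmp", "44KB"),
    ("memory/2488-477-0x00000000003D0000-0x00000000003DB000-memory.dmp", "44KB"),
    ("memory/2784-47-0x0000000000400000-0x000000000047D000-memory.dmp", "500KB"),
    ("memory/2912-70-0x0000000000400000-0x000000000047D000-memory.dmp", "500KB"),
]


def parse_dump_name(name):
    """Split a dump name into pid, seq, start, end and size; reject malformed or
    non-page-aligned ranges rather than silently computing nonsense."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start or start % PAGE or end % PAGE:
        raise ValueError(f"region is not a page-aligned, non-empty range: {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def size_label(size):
    """Render a byte count the way the report does: whole KiB, no decimals."""
    return f"{size // 1024}KB"


def find_mismatches(entries):
    """Return (name, reported, recomputed) for entries whose Filesize disagrees
    with the address range in the name."""
    out = []
    for name, reported in entries:
        recomputed = size_label(parse_dump_name(name)["size"])
        if recomputed != reported:
            out.append((name, reported, recomputed))
    return out


def shared_regions(entries):
    """Map (start, end) -> sorted PIDs for ranges dumped from more than one process.
    Identical ranges across processes usually mean the same image mapped in each."""
    seen = defaultdict(set)
    for name, _ in entries:
        d = parse_dump_name(name)
        seen[(d["start"], d["end"])].add(d["pid"])
    return {rng: sorted(pids) for rng, pids in seen.items() if len(pids) > 1}


if __name__ == "__main__":
    print("size mismatches:", find_mismatches(REPORT_ENTRIES))
    for (start, end), pids in shared_regions(REPORT_ENTRIES).items():
        print(f"0x{start:X}-0x{end:X} ({size_label(end - start)}) in PIDs {pids}")
```

For this report `find_mismatches` returns an empty list, so every Filesize agrees with its address range, and `shared_regions` reports the 0x400000-0x47D000 range in PIDs 332, 2100, 2784 and 2912.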