Malware Analysis Report

2025-08-05 20:45

Sample ID 240302-3bewdaac5s
Target Adware.zip
SHA256 4a836b5dfbb49e09690dccdcce3296f66a3c7190ab03555140a8117695c6165f
Tags discovery evasion upx persistence spyware stealer
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
8/10

SHA256

4a836b5dfbb49e09690dccdcce3296f66a3c7190ab03555140a8117695c6165f

Threat Level: Likely malicious

The file Adware.zip was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion upx persistence spyware stealer

Modifies Windows Firewall

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

UPX packed file

Reads user/profile data of web browsers

ACProtect 1.3x - 1.4x DLL software

Downloads MZ/PE file

Checks installed software on the system

Drops file in Windows directory

Registers COM server for autorun

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Modifies registry class

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Kills process with taskkill

Enumerates processes with tasklist

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-02 23:20

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
4 matches, no details recorded (all fields N/A)

UPX packed file

upx
Description Indicator Process Target
4 matches, no details recorded (all fields N/A)

Unsigned PE

Description Indicator Process Target
40 matches, no details recorded (all fields N/A)

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-02 23:20

Reported

2024-03-02 23:23

Platform

win7-20240221-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Adware\WinZip Driver Updater\WinZip Driver Updater.exe"

Signatures

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\WinZip Driver Updater\is-EK7VH.tmp C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-FFMUL.tmp C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-8R1MF.tmp C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-C2PGU.tmp C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\updater\extract\is-DA494.tmp C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\updater\extract\is-3VASK.tmp C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File opened for modification C:\Program Files (x86)\WinZip Driver Updater\updater\amd64Helper\difxapi.dll C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File opened for modification C:\Program Files (x86)\WinZip Driver Updater\updater\extract\7z.dll C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-CHV0L.tmp C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\updater\amd64Helper\is-RPVD9.tmp C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\updater\extract\is-AFUNO.tmp C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-DDVH8.tmp C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-NI1OQ.tmp C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-J284O.tmp C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File opened for modification C:\Program Files (x86)\WinZip Driver Updater\isxdl.dll C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File opened for modification C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-76I0D.tmp C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\unins000.msg C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\updater\extract\is-SVTKC.tmp C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-PCHR2.tmp C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File opened for modification C:\Program Files (x86)\WinZip Driver Updater\difxapi.dll C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-TNHAP.tmp C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-9PAAI.tmp C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-GELD7.tmp C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-8OOQP.tmp C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File opened for modification C:\Program Files (x86)\WinZip Driver Updater\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File opened for modification C:\Program Files (x86)\WinZip Driver Updater\unrar.dll C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\updater\extract\is-NB1CH.tmp C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\updater\amd64Helper\is-NOO59.tmp C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-HP8PQ.tmp C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-FS436.tmp C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-D0KGI.tmp C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File opened for modification C:\Program Files (x86)\WinZip Driver Updater\updater\amd64Helper\DriverUpdateHelper64.exe C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-K46MB.tmp C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-OTBV9.tmp C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-54E0A.tmp C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\updater\amd64Helper\is-5H4HJ.tmp C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\updater\extract\is-KKKI5.tmp C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File opened for modification C:\Program Files (x86)\WinZip Driver Updater\difxapi64.dll C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File opened for modification C:\Program Files (x86)\WinZip Driver Updater\updater\extract\7z.exe C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-G2MDN.tmp C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\ = "JScript Language" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\SysWow64\\jscript.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{0AEE2A92-BCBB-11D0-8C72-00C04FC2B085} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\INPROCSERVER32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064} C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ = "JScript Compact Profile (ECMA 327)" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\OLEScript C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ = "JScript Language Authoring" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\ = "JScript Language Authoring" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\OLEScript C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\ = "JScript Language" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32\ = "C:\\Windows\\SysWow64\\jscript.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ProgID\ = "JScript.Compact" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\ = "JScript Language" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064} C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\OLESCRIPT C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\ = "JScript Language" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\SysWow64\\jscript.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\INPROCSERVER32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\OLEScript C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JScript\OLEScript C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064} C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\ = "JScript Language" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JScript\ = "JScript Language" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\OLESCRIPT C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\ = "JScript Language Encoding" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\OLESCRIPT C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\OLESCRIPT C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064} C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2000 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\Adware\WinZip Driver Updater\WinZip Driver Updater.exe C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp
PID 2000 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\Adware\WinZip Driver Updater\WinZip Driver Updater.exe C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp
PID 2000 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\Adware\WinZip Driver Updater\WinZip Driver Updater.exe C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp
PID 2000 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\Adware\WinZip Driver Updater\WinZip Driver Updater.exe C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp
PID 2000 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\Adware\WinZip Driver Updater\WinZip Driver Updater.exe C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp
PID 2000 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\Adware\WinZip Driver Updater\WinZip Driver Updater.exe C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp
PID 2000 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\Adware\WinZip Driver Updater\WinZip Driver Updater.exe C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp
PID 2704 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2704 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2704 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2704 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2704 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2704 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2704 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2704 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2704 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 2704 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 2704 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 2704 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 2704 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 2704 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 2704 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 2704 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\schtasks.exe
PID 2704 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\schtasks.exe
PID 2704 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\schtasks.exe
PID 2704 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\schtasks.exe
PID 2704 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\schtasks.exe
PID 2704 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\schtasks.exe
PID 2704 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\schtasks.exe
PID 2704 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\schtasks.exe
PID 2704 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\schtasks.exe
PID 2704 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\schtasks.exe
PID 2704 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\schtasks.exe
PID 2704 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\schtasks.exe
PID 2704 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\netsh.exe
PID 2704 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\netsh.exe
PID 2704 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\netsh.exe
PID 2704 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\netsh.exe
PID 2704 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\netsh.exe
PID 2704 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\netsh.exe
PID 2704 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\netsh.exe
PID 2704 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\netsh.exe
PID 2704 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2704 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2704 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2704 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2704 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2704 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2704 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\taskkill.exe
PID 2704 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Adware\WinZip Driver Updater\WinZip Driver Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Adware\WinZip Driver Updater\WinZip Driver Updater.exe"

C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp

"C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp" /SL5="$B014E,3017901,168448,C:\Users\Admin\AppData\Local\Temp\Adware\WinZip Driver Updater\WinZip Driver Updater.exe"

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\system32\taskkill.exe" /f /im winzipdu.exe

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\system32\taskkill.exe" /f /im DriverUpdateHelper64.exe

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\jscript.dll"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /tn "WINZIPDU-WINZIPDUDriverUpdater" /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /tn "WinZipDriverUpdater" /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /tn "WinZipDriverUpdaterRunAtStartup" /f

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule "WinZipDriverUpdater"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="WinZipDriverUpdater" dir=in action=allow program="C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe"

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\system32\taskkill.exe" /f /im winzipdu.exe

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\system32\taskkill.exe" /f /im DriverUpdateHelper64.exe

C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe

"C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe"

C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe

"C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe" -firstinstall

Network

N/A

Files

memory/2000-0-0x0000000000400000-0x0000000000433000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp

MD5 03a5ddae8f18c3390aee71cbc8571756

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-02 23:20

Reported

2024-03-02 23:24

Platform

win10v2004-20240226-en

Max time kernel

225s

Max time network

241s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Adware\WinZip Driver Updater\WinZip Driver Updater.exe"

Signatures

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\WinZip Driver Updater\is-R3L3C.tmp C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-CDCFQ.tmp C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File opened for modification C:\Program Files (x86)\WinZip Driver Updater\updater\extract\7z.dll C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-G5KU3.tmp C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\updater\amd64Helper\is-O13PR.tmp C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-9H3CG.tmp C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File opened for modification C:\Program Files (x86)\WinZip Driver Updater\updater\extract\7z.exe C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-FGF1A.tmp C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File opened for modification C:\Program Files (x86)\WinZip Driver Updater\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File opened for modification C:\Program Files (x86)\WinZip Driver Updater\unrar.dll C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File opened for modification C:\Program Files (x86)\WinZip Driver Updater\updater\amd64Helper\difxapi.dll C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\updater\extract\is-U27DJ.tmp C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-SEQVM.tmp C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-QU2I3.tmp C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-MQM8V.tmp C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-3PITI.tmp C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File opened for modification C:\Program Files (x86)\WinZip Driver Updater\difxapi.dll C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-G82HF.tmp C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-J6UML.tmp C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-N41KI.tmp C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-T5JF6.tmp C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-J6MPU.tmp C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\updater\extract\is-IQ8QP.tmp C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\updater\extract\is-4H2LJ.tmp C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\unins000.msg C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-HESCH.tmp C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\updater\amd64Helper\is-IPD13.tmp C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\updater\extract\is-ABGLB.tmp C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-82837.tmp C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\updater\amd64Helper\is-I88H1.tmp C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-NTCF9.tmp C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-0M1AK.tmp C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-T44TJ.tmp C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File opened for modification C:\Program Files (x86)\WinZip Driver Updater\isxdl.dll C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File opened for modification C:\Program Files (x86)\WinZip Driver Updater\difxapi64.dll C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-O2392.tmp C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\is-M9CRA.tmp C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File opened for modification C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File opened for modification C:\Program Files (x86)\WinZip Driver Updater\updater\amd64Helper\DriverUpdateHelper64.exe C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\updater\extract\is-DT1AC.tmp C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
File created C:\Program Files (x86)\WinZip Driver Updater\updater\extract\is-QNRH1.tmp C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\ = "JScript Language" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\ = "JScript Language Authoring" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\ = "JScript Language Authoring" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\ = "JScript Language" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\OLEScript C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58} C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\LIVESCRIPT AUTHOR\OLESCRIPT C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064} C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\INPROCSERVER32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\SysWow64\\jscript.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\OLEScript C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\LIVESCRIPT\OLESCRIPT C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\OLEScript C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\SysWow64\\jscript.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064} C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\ECMASCRIPT\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\OLEScript C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT AUTHOR\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ProgID\ = "JScript.Compact" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\SysWow64\\jscript.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\PROGID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064} C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT1.3\OLESCRIPT C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\OLEScript C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT1.1\OLESCRIPT C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT1.1 AUTHOR\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\ECMASCRIPT AUTHOR\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT.COMPACT\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\OLESCRIPT C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064} C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\INPROCSERVER32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT\OLESCRIPT C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\PROGID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JScript\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2568 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\Adware\WinZip Driver Updater\WinZip Driver Updater.exe C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp
PID 2568 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\Adware\WinZip Driver Updater\WinZip Driver Updater.exe C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp
PID 2568 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\Adware\WinZip Driver Updater\WinZip Driver Updater.exe C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp
PID 1048 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\taskkill.exe
PID 1048 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\taskkill.exe
PID 1048 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\taskkill.exe
PID 1048 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\taskkill.exe
PID 1048 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\taskkill.exe
PID 1048 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\taskkill.exe
PID 1048 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 1048 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 1048 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 1048 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\schtasks.exe
PID 1048 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\schtasks.exe
PID 1048 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\schtasks.exe
PID 1048 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\schtasks.exe
PID 1048 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\schtasks.exe
PID 1048 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\schtasks.exe
PID 1048 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\schtasks.exe
PID 1048 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\schtasks.exe
PID 1048 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\schtasks.exe
PID 1048 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\netsh.exe
PID 1048 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\netsh.exe
PID 1048 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\netsh.exe
PID 1048 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\netsh.exe
PID 1048 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\netsh.exe
PID 1048 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\netsh.exe
PID 1048 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\taskkill.exe
PID 1048 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\taskkill.exe
PID 1048 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\taskkill.exe
PID 1048 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\taskkill.exe
PID 1048 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\taskkill.exe
PID 1048 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp C:\Windows\SysWOW64\taskkill.exe
PID 1048 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe
PID 1048 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe
PID 1048 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe
PID 1048 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1048 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3352 wrote to memory of 1828 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3352 wrote to memory of 1828 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3352 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3352 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3352 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3352 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3352 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3352 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3352 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3352 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3352 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3352 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3352 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3352 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3352 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3352 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3352 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3352 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3352 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3352 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3352 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3352 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3352 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3352 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3352 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3352 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Adware\WinZip Driver Updater\WinZip Driver Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Adware\WinZip Driver Updater\WinZip Driver Updater.exe"

C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp

"C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp" /SL5="$D0042,3017901,168448,C:\Users\Admin\AppData\Local\Temp\Adware\WinZip Driver Updater\WinZip Driver Updater.exe"

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\system32\taskkill.exe" /f /im winzipdu.exe

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\system32\taskkill.exe" /f /im DriverUpdateHelper64.exe

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\jscript.dll"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /tn "WINZIPDU-WINZIPDUDriverUpdater" /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /tn "WinZipDriverUpdater" /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /tn "WinZipDriverUpdaterRunAtStartup" /f

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule "WinZipDriverUpdater"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="WinZipDriverUpdater" dir=in action=allow program="C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe"

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\system32\taskkill.exe" /f /im winzipdu.exe

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\system32\taskkill.exe" /f /im DriverUpdateHelper64.exe

C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe

"C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe" -firstinstall

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.winzip.com/instcmplt.cgi?pid=wzdu&vid=du23&lang=en&utm_source=winzip&utm_campaign=default&utm_medium=newbuild&LangID=en

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9c2c146f8,0x7ff9c2c14708,0x7ff9c2c14718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4798349742615593218,11319658674838758364,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,4798349742615593218,11319658674838758364,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,4798349742615593218,11319658674838758364,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4798349742615593218,11319658674838758364,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4798349742615593218,11319658674838758364,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4798349742615593218,11319658674838758364,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4798349742615593218,11319658674838758364,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4798349742615593218,11319658674838758364,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4798349742615593218,11319658674838758364,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,4798349742615593218,11319658674838758364,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4168 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,4798349742615593218,11319658674838758364,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4168 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 www.winzip.com udp
GB 23.213.16.57:80 www.winzip.com tcp
GB 23.213.16.57:80 www.winzip.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 systemtools.winzip.com udp
US 54.196.68.199:80 systemtools.winzip.com tcp
US 8.8.8.8:53 57.16.213.23.in-addr.arpa udp
US 8.8.8.8:53 199.68.196.54.in-addr.arpa udp
US 8.8.8.8:53 www.yiiframework.com udp

Files

memory/2568-0-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp

MD5 03a5ddae8f18c3390aee71cbc8571756
SHA1 902397a802c3149fca07ed6a6366cfe704998a42
SHA256 709101ba21638ab3ac941b1edf60e6a35a6422ea8cdb29acb84fe9006e997ce1
SHA512 01176428e86d85980cff42b96daa3d6d3fe9647b8f31c83cea14ebcf59b877e9c7af6d69c8a1278ecbec3ebe35d1f3ee5da8651955fb8b81c32d75f536c33da4

memory/1048-6-0x00000000022E0000-0x00000000022E1000-memory.dmp

memory/2568-11-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1048-12-0x0000000000400000-0x000000000052E000-memory.dmp

memory/1048-16-0x00000000022E0000-0x00000000022E1000-memory.dmp

memory/1048-23-0x0000000000400000-0x000000000052E000-memory.dmp

memory/1048-26-0x0000000000400000-0x000000000052E000-memory.dmp

C:\Program Files (x86)\WinZip Driver Updater\updater\amd64Helper\difxapi.dll

MD5 1a2e5109c2bb5c68d499e17b83acb73a
SHA1 efa15cfa23606dfc355d11580b509e768a50ddbb
SHA256 e70bbcee0d01658ccd201ebe0f0e547b9daff01b7c593a0fdd0c64e5f45d6f11
SHA512 47317d24d02c4122fe175bcd7f5b3dd8823063e7ea63f83961e40f10872642d2d6f6e6abaf5fb7630cf0e9d8cec0d112889600b14ecb8698b81597f52d54815b

C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe

MD5 20aaea9ccea474d982b3a6e29f4b2bd2
SHA1 81537a55581b070b8e9e139dddbb0b1472f24018
SHA256 fec34e336445842b7576c8cc5b23dbb73ce81bff0c8ad3bceb34b93c3655031d
SHA512 962c299b73fd721fd1dc766e71f7a7c9782d5005ee8c4cda4d5e436442b4e45680e510893249ddc88dc991d858d505234d6422cc49c80447a519efd718d28168

memory/1048-101-0x0000000000400000-0x000000000052E000-memory.dmp

memory/1048-108-0x0000000000400000-0x000000000052E000-memory.dmp

C:\Program Files (x86)\WinZip Driver Updater\unrar.dll

MD5 92040a0f7f7d7a3f1e12d8bb064cb3b2
SHA1 df29e79c9d91ac0ee4788156ad9ea525b8fe11d7
SHA256 7344bd44e4433a8f3034519f2b5745c0ced5b614c5c28bdc88cdc9acbbaef2c3
SHA512 ec423ba8a6c5f11f105ba3a12c62fa500ebb2b44c6ce1064381996a818856285a817d76c0c5a57c28821a492cfb59ba31d97ab585a62f08bbec68d7c91fb9408

memory/768-114-0x0000000003340000-0x0000000003378000-memory.dmp

C:\Program Files (x86)\WinZip Driver Updater\isxdl.dll

MD5 7a1a16f150ccb9cb1731327b2e03488f
SHA1 54ccaaf593f828c09ff5e718a69e1b0d5d904d66
SHA256 ed05f590e22bc39330b9925b766b70b8213e3dd20686660021be3616e6685295
SHA512 7d1e3c857f4a7b74eb403085d0a5ded5fb89c96b3e56c1ec7dd218157d588ad64f97205066d74556409d43369c92d1193fdaf6cc3f073f0bc5a4c994f584daca

C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe

MD5 dd08d3b321d56d965f2e531846ad9170
SHA1 88295462b6019474661c9ce7b2728689d393a9b9
SHA256 673b1188f44c370902441eefc1cd1606a65c162b2a24a244db15d98ff20f3e3f
SHA512 339fffdf188be7db9f3f449427eafc5fb18b1c1e6b32d27a85cc1a01b7e56ed250da25fda60c11067415a60b855874f8d156a6aaf512446f0943466878a14e4c

memory/1048-121-0x0000000000400000-0x000000000052E000-memory.dmp

C:\Program Files (x86)\WinZip Driver Updater\eng_rcp.ini

MD5 3472b1344ee22e7768567d73bd50c58b
SHA1 1ca4692e9e812d3e68874ccf4f958f452e733360
SHA256 86a64a91c6c3aede88969b83fd4d400a010f397f8154106e3810e5bc2c16e9a0
SHA512 5a71f2de5580f99644a860742d11074bc37597ae4f504667f9c597042d360d1fceb17047d51eb658ee7daf83a0d80d7bcf3b80299d4d0a92f27761978f3479de

memory/2568-123-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 1e3dc6a82a2cb341f7c9feeaf53f466f
SHA1 915decb72e1f86e14114f14ac9bfd9ba198fdfce
SHA256 a56135007f4dadf6606bc237cb75ff5ff77326ba093dff30d6881ce9a04a114c
SHA512 0a5223e8cecce77613b1c02535c79b3795e5ad89fc0a934e9795e488712e02b527413109ad1f94bbd4eb35dd07b86dd6e9f4b57d4d7c8a0a57ec3f7f76c7890a

\??\pipe\LOCAL\crashpad_3352_PSIAKXFPQJFHIUCC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 36bb45cb1262fcfcab1e3e7960784eaa
SHA1 ab0e15841b027632c9e1b0a47d3dec42162fc637
SHA256 7c6b0de6f9b4c3ca1f5d6af23c3380f849825af00b58420b76c72b62cfae44ae
SHA512 02c54c919f8cf3fc28f5f965fe1755955636d7d89b5f0504a02fcd9d94de8c50e046c7c2d6cf349fabde03b0fbbcc61df6e9968f2af237106bf7edd697e07456

memory/768-142-0x0000000003340000-0x0000000003378000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 22964c18fb8f8c651a6c18cfd25e19aa
SHA1 3fbe9d0f67828c4d9bfc0cbeb0b811a3b6c23dfd
SHA256 c1b7b81989adf8c16345223efbb9769a99ff4176883772930fd70f5a060bdd12
SHA512 e006678ed4106a52be2263ffa256850cb79ff3174f43a650b8863f4ffa7d346f8c59b61db0c534607cbd0ae56f5cae7d6bdaaaa5ebf6be1f46e19386c6b92813

memory/768-160-0x0000000003340000-0x0000000003378000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 2fdeb94ef27930195db83d07d423aedf
SHA1 5777126f057cdde0f2148ab064b91447abeab982
SHA256 dae87051623f00df9cff5c33926f05ae01548dd59e65432f0b612e3600e4b664
SHA512 8c9b3d80380bdfcc88c76bf72e55acd917b5e63ad82adb623869d10393cfac15c41e311afb2b738d1e44d80f7f8b6f7366c183d88a0f43b3c718f3e5db7840d3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 074f507263b419718d5b182bf8d3c61b
SHA1 6fdb2db1389ec4502c7c84fb8534e5b65cffb6c0
SHA256 02b96f22cb08b86ef49e367146c4ea21b74dcb0b3bf660cf2dffe1f6c47a8468
SHA512 e5fefffdb5fcae9207af1034f4d52fa3c209b26b6456c86ffa90bed784891cc92978cf0dc0b087a8b69f4aa4235b83ad9512b14ff9a211cd8ff2dab1e839e10b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e391f2f89919a400d3f6e113c65c3dfc
SHA1 3bb7fde205bfdf20ef626ccdf923668d7f716a55
SHA256 6b01caf1818c36058956120d27f24795cb9e08f7a7fe6369558f4cd602d70821
SHA512 45f550c3d52b011b1c861b913d2c1bfd7d9cb76bdc3d7dd9bf76e7a9f90f748df4a1ca9724de85dcee5c7c0d6ec919cef119a1ee74fdec6e9759c7e8375f74f7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-02 23:20

Reported

2024-03-02 23:23

Platform

win7-20240221-en

Max time kernel

151s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Downloads MZ/PE file

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Reimage\Reimage Repair\version.rei C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.lza C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll C:\Program Files\Reimage\Reimage Repair\lzma.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\Reimage_uninstall.ico C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\savapi.dll C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File opened for modification C:\Program Files\Reimage\Reimage Repair\Reimage Repair Help & Support.url C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Protector\ReiScanner.exe C:\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe N/A
File created C:\Program Files\Reimage\Reimage Protector\ReiProtectorM.exe C:\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\REI_SupportInfoTool.exe C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\Reimage.exe C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\Reimageicon.ico C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\msvcr120.dll C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\REI_AVIRA.exe C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\LZMA.EXE C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\reimage.dat C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\engine.dat C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\REI_Engine.lza C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\Reimage_website.ico C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\Reimage_SafeMode.ico C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File opened for modification C:\Program Files\Reimage\Reimage Repair\Reimage Repair Privacy Policy.url C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe C:\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe N/A
File opened for modification C:\Program Files\Reimage\Reimage Repair\engine.dat C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\uninst.exe C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe C:\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\ReimageRepair.exe C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll C:\Program Files\Reimage\Reimage Repair\lzma.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\ReimageReminder.exe C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File opened for modification C:\Program Files\Reimage\Reimage Repair\reimage.dat C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\ReimageSafeMode.exe C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File opened for modification C:\Program Files\Reimage\Reimage Repair\Reimage Repair Terms of Use.url C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File opened for modification C:\Program Files\Reimage\Reimage Repair\Reimage Repair Uninstall Instructions.url C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Protector\ProtectorUpdater.exe C:\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Reimage.ini C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
File opened for modification C:\Windows\reimage.ini C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
File opened for modification C:\Windows\Reimage.ini C:\Users\Admin\AppData\Local\Temp\nsu8336.tmp\ProtectorUpdater.exe N/A
File opened for modification C:\Windows\Reimage.ini C:\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\INPROCSERVER32 C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\INPROCSERVER32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\InprocServer32\ = "C:\\Program Files\\Reimage\\Reimage Repair\\REI_Axcontrol.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}\InprocServer32\ = "C:\\Program Files\\Reimage\\Reimage Repair\\REI_Axcontrol.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\INPROCSERVER32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\INPROCSERVER32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll" C:\Windows\system32\regsvr32.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID\ = "JScript" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\OLESCRIPT C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\Programmable C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\OLESCRIPT C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\OLEScript C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\OLESCRIPT C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JScript\CLSID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\TypeLib\Version = "1.0" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\ToolboxBitmap32\ = "C:\\Program Files\\Reimage\\Reimage Repair\\REI_Axcontrol.dll, 102" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JScript\ = "JScript Language" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\CLSID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\CLSID\ = "{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\InprocServer32\ = "C:\\Program Files\\Reimage\\Reimage Repair\\REI_Axcontrol.dll" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\CLSID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\Version C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID\ = "JScript Author" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\OLESCRIPT C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\ = "JScript Language" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\TypeLib\ = "{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}\TypeLib\ = "{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\ToolboxBitmap32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\CLSID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\REI_AxControl.ReiEngine.1 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID\ = "{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A} C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\OLESCRIPT C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\ = "JScript Language" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\OLEScript C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\REI_AxControl.ReiEngine.1\CLSID\ = "{10ECCE17-29B5-4880-A8F5-EAD298611484}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\ = "JScript Language" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\OLESCRIPT C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\CLSID C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\OLESCRIPT C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}\TypeLib\Version = "1.0" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JScript C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\CLSID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ProgID\ = "JScript.Compact" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}" C:\Windows\system32\regsvr32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2092 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 3016 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 3016 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 3016 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 2092 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 2460 wrote to memory of 2912 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 2460 wrote to memory of 2912 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 2460 wrote to memory of 2912 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 2460 wrote to memory of 2912 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 2092 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 468 wrote to memory of 332 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 468 wrote to memory of 332 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 468 wrote to memory of 332 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 468 wrote to memory of 332 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 2092 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2652 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2652 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2652 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2092 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1260 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1260 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1260 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2092 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\system32\regsvr32.exe
PID 2092 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\system32\regsvr32.exe
PID 2092 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\system32\regsvr32.exe
PID 2092 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\system32\regsvr32.exe
PID 2092 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\system32\regsvr32.exe
PID 2092 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\system32\regsvr32.exe
PID 2092 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\system32\regsvr32.exe
PID 2092 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2520 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2520 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2520 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2092 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 2628 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2628 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2628 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2628 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2092 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe

"C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe

"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bm46du9w.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_trackid';"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe

"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bm46du9w.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_tracking';"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe

"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bm46du9w.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_campaign';"

C:\Windows\SysWOW64\cmd.exe

cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "IMAGENAME eq Reimage.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "IMAGENAME eq avupdate.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s "C:\Windows\system32\jscript.dll"

C:\Windows\SysWOW64\cmd.exe

cmd /C tasklist /FI "IMAGENAME eq ReimagePackage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "IMAGENAME eq ReimagePackage.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /C tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /C tasklist /FI "IMAGENAME eq GeoProxy.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "IMAGENAME eq GeoProxy.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe

"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bm46du9w.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_country';"

C:\Windows\SysWOW64\cmd.exe

cmd /C tasklist /FI "IMAGENAME eq Wireshark.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "IMAGENAME eq Wireshark.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /C tasklist /FI "IMAGENAME eq Fiddler.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "IMAGENAME eq Fiddler.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /C tasklist /FI "IMAGENAME eq smsniff.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "IMAGENAME eq smsniff.exe"

C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe

"C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe" /GUI=http://www.reimageplus.com/GUI/GUI1974/layout.php?consumer=1&gui_branch=0&trackutil=&MinorSessionID=2bc95b172cfb49cb8445165272&lang_code=en&bundle=0&loadresults=0&ShowSettings=false "/Location=C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe" /uninstallX86=TRUE /trackutil= /CookieTracking= /CookieCampaign= /EventUser=New /Update=1 /DownloaderVersion=1956 /RunSilent=false /SessionID=7797b2bf-2a5f-4d94-909f-f8f44d57ade9 /IDMinorSession=2bc95b172cfb49cb8445165272 /pxkp=Delete /ScanSilent=0 /Close=0 /cil=DISABLED /ShowName=False /Language=1033 /GuiLang=en /AgentStatus=ENABLED /StartScan=0 /VersionInfo=versionInfo /ShowSettings=true

C:\Windows\SysWOW64\cmd.exe

cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "IMAGENAME eq Reimage.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "IMAGENAME eq avupdate.exe"

C:\Program Files\Reimage\Reimage Repair\lzma.exe

"C:\Program Files\Reimage\Reimage Repair\lzma.exe" "d" "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.lza" "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll"

C:\Program Files\Reimage\Reimage Repair\lzma.exe

"C:\Program Files\Reimage\Reimage Repair\lzma.exe" "d" "C:\Program Files\Reimage\Reimage Repair\REI_Engine.lza" "C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll"

C:\Windows\SysWOW64\cmd.exe

cmd /C tasklist /FI "IMAGENAME eq REI_avira.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "IMAGENAME eq REI_avira.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll"

C:\Users\Admin\AppData\Local\Temp\nsu8336.tmp\ProtectorUpdater.exe

"C:\Users\Admin\AppData\Local\Temp\nsu8336.tmp\ProtectorUpdater.exe" /S /MinorSessionID=2bc95b172cfb49cb8445165272 /SessionID=7797b2bf-2a5f-4d94-909f-f8f44d57ade9 /TrackID= /AgentLogLocation=C:\rei\Results\Agent /CflLocation=C:\rei\cfl.rei /Install=True /DownloaderVersion=1956 /Iav=False

C:\Windows\SysWOW64\cmd.exe

cmd /C tasklist /FI "IMAGENAME eq UniProtectorPackage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "IMAGENAME eq UniProtectorPackage.exe"

C:\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe

"C:\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe" /S /MinorSessionID=2bc95b172cfb49cb8445165272 /SessionID=7797b2bf-2a5f-4d94-909f-f8f44d57ade9 /Install=true /UpdateOnly=default /InstallPath= /Iav=False /SessionOk=true

C:\Windows\SysWOW64\cmd.exe

cmd /C tasklist /FI "IMAGENAME eq ReiScanner.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "IMAGENAME eq ReiScanner.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /C tasklist /FI "IMAGENAME eq ReiProtectorM.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "IMAGENAME eq ReiProtectorM.exe"

C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe

"C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe" -install

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.reimageplus.com udp
US 161.47.7.14:80 www.reimageplus.com tcp
US 8.8.8.8:53 cdnrep.reimage.com udp
GB 18.245.162.121:80 cdnrep.reimage.com tcp
US 161.47.7.14:80 www.reimageplus.com tcp
US 8.8.8.8:53 cdnrep.reimageplus.com udp
GB 18.244.179.29:80 cdnrep.reimageplus.com tcp
US 161.47.7.14:80 www.reimageplus.com tcp
GB 18.245.162.121:80 cdnrep.reimage.com tcp
US 161.47.7.14:80 www.reimageplus.com tcp

Files

\Users\Admin\AppData\Local\Temp\nsd8F27.tmp\LogEx.dll

MD5 0f96d9eb959ad4e8fd205e6d58cf01b8
SHA1 7c45512cbdb24216afd23a9e8cdce0cfeaa7660f
SHA256 57ede354532937e38c4ae9da3710ee295705ea9770c402dfb3a5c56a32fd4314
SHA512 9f3afb61d75ac7b7dc84abcbf1b04f759b7055992d46140dc5dcc269aed22268d044ee8030f5ea260bbb912774e5bbb751560c16e54efa99c700b9fc7d48832c

\Users\Admin\AppData\Local\Temp\nsd8F27.tmp\System.dll

MD5 bf712f32249029466fa86756f5546950
SHA1 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
SHA256 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
SHA512 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

\Users\Admin\AppData\Local\Temp\nsd8F27.tmp\Banner.dll

MD5 e264d0f91103758bc5b088e8547e0ec1
SHA1 24a94ff59668d18b908c78afd2a9563de2819680
SHA256 501b5935fe8e17516b324e3c1da89773e689359c12263e9782f95836dbab8b63
SHA512 a533278355defd265ef713d4169f06066be41dd60b0e7ed5340454c40aabc47afa47c5ce4c0dbcd6cb8380e2b25dbb1762c3c996d11ac9f70ab9763182850205

\Users\Admin\AppData\Local\Temp\nsd8F27.tmp\UserInfo.dll

MD5 c7ce0e47c83525983fd2c4c9566b4aad
SHA1 38b7ad7bb32ffae35540fce373b8a671878dc54e
SHA256 6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae
SHA512 ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

C:\Users\Admin\AppData\Local\Temp\nsj9080.tmp

MD5 14681a17ddb9513b3e9dcc2f008c7c74
SHA1 126cee0694504224cf257ff6172164a3f5533ca9
SHA256 1861f9ee433b25be33dca4c725919aaa3e7c2e444130d12919d1bd97b596b611
SHA512 eb3cb653abdc50949bc72702a19e947e8915480bc6f1facd346cd2969580ee3cda78951af05f9efa03ea0247d3c3d5622052594f19b514139a50b74556f7a179

\Users\Admin\AppData\Local\Temp\nsd8F27.tmp\nsExec.dll

MD5 132e6153717a7f9710dcea4536f364cd
SHA1 e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
SHA256 d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
SHA512 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

\Users\Admin\AppData\Local\Temp\sqlite3.exe

MD5 91cdcea4be94624e198d3012f5442584
SHA1 fab4043494e4bb02efbaf72bcca86c01992d765c
SHA256 ca4c0f1ec0ccbc9988ea3f43ff73fe84228ffb4d76baddc386051dffe7ddd8c2
SHA512 74edd1e31517acaf4d367521df84e17bda0a60743852076bc2edbd9e634c810fb98a06b29562237dfd61fb98fec0e379c3ce5a86b361ed0f2594d10c1a93c11e

memory/2784-47-0x0000000000400000-0x000000000047D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FF.bat

MD5 063463ef1054b8bbb71329bc8dc6fe97
SHA1 a738fbf3e01b93f506a24f6ed9015b660049d704
SHA256 20dfa4f6b680fc72eab8f3743e971f559aa1f40b19f8c882e1a08e99ee136b01
SHA512 29948b563a4f83419703afd4e8f86c8fc119f1376d4e1e6c0d6b50dfbf8a65e9517f0a1bd4b52e6a08c794351838929ea83f5cac767aafaf323793a4f6e1552c

memory/2912-70-0x0000000000400000-0x000000000047D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nst93CC.tmp

MD5 70bbe88535683439e36d91300160485c
SHA1 62a5fcd535c4f25b532120faf2880c5caf88cb1b
SHA256 52bfffd8fb36510fa123b489f82c944d45b08bda4747abd989cc0235dfa111e1
SHA512 1bcb05e6bf19561bba891c4aceb07b4907264d0429c4bca921792d004dca3a720822e405144cf3a2470415b168b66e8e759360ebe726a3fa638da09e05853219

memory/332-93-0x0000000000400000-0x000000000047D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

MD5 dea052a2ad11945b1960577c0192f2eb
SHA1 1d02626a05a546a90c05902b2551f32c20eb3708
SHA256 943b315e065238b7073b033f534ef954b6b6461fb3f03a3f5b8555b11bc4c0a2
SHA512 5496b10e2a77aee11055d71bdaaed835df1770e85fa4d0f9433330470bbcf76c932c04778a0b47f4193eee14813db2e2b19ecc50b4a6a193faa19b4019705917

\Users\Admin\AppData\Local\Temp\nsd8F27.tmp\inetc.dll

MD5 5da9df435ff20853a2c45026e7681cef
SHA1 39b1d70a7a03e7c791cb21a53d82fd949706a4b4
SHA256 9c52c74b8e115db0bde90f56382ebcc12aff05eb2232f80a4701e957e09635e2
SHA512 4ab3b1572485a8a11863adada2c6ec01e809a4b09f99d80903c79a95b91f299b8f2cd6cceaa915567e155a46291a33fb8ccb95141d76d4e7b0e040890d51d09f

memory/2092-111-0x0000000002000000-0x000000000200B000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsd8F27.tmp\nsDialogs.dll

MD5 4ccc4a742d4423f2f0ed744fd9c81f63
SHA1 704f00a1acc327fd879cf75fc90d0b8f927c36bc
SHA256 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6
SHA512 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

\Users\Admin\AppData\Local\Temp\nsd8F27.tmp\registry.dll

MD5 2b7007ed0262ca02ef69d8990815cbeb
SHA1 2eabe4f755213666dbbbde024a5235ddde02b47f
SHA256 0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d
SHA512 aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

memory/2092-147-0x00000000059F0000-0x0000000005A49000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsd8F27.tmp\stack.dll

MD5 867af9bea8b24c78736bf8d0fdb5a78e
SHA1 05839fad98aa2bcd9f6ecb22de4816e0c75bf97d
SHA256 732164fb36f46dd23dafb6d7621531e70f1f81e2967b3053727ec7b5492d0ae9
SHA512 b7f54d52ff08b29a04b4f5887e6e3ae0e74fa45a86e55e0a4d362bc3603426c42c1d6a0b2fc2ef574bec0f6c7152de756ff48415e37ae6a7a9c296303562df4b

memory/2092-157-0x0000000004BC0000-0x0000000004BCB000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsd8F27.tmp\xml.dll

MD5 ebce8f5e440e0be57665e1e58dfb7425
SHA1 573dc1abd2b03512f390f569058fd2cf1d02ce91
SHA256 d1aaacc0aaf477b6b9f084697adcb444fc2333b32e8d99d224dca89516e762a7
SHA512 4786c9124973b6543d7291047d4c4a06c05282a3766212dbd3b8ce9b9560afddca20c491f791db2258c14ab767d5d3f480daa4706492949eae2ceb4a35aaef85

C:\Users\Admin\AppData\Local\Temp\repair_version.xml

MD5 8f3df5875ccd9d1982a6d65c0d3e06c9
SHA1 8fefd15ed67d03a95e329f4e18477ae5ae9b023d
SHA256 64f2dd5e4f25b2a45056257af5a9061e7f34907f9345e6ba85b7a47ae58c009a
SHA512 e58f7b0870540b9207a304cd66fe44ecfbd42292446aa213fa3be6795eeba463a664366a9ccd642b615d74984e5ab91b06a3929a435f9aebed898a95ecd48089

C:\Users\Admin\AppData\Local\Temp\cfl.rei

MD5 41b797743d2d08233b680501b086d669
SHA1 e19aaa402c3e6fedbf4f8cfd0256b537cb001ca5
SHA256 5805c8a496c13e9085f624a9c4f20188587d7b13d9c3e5f79f0f78367df74cf5

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-02 23:20

Reported

2024-03-02 23:23

Platform

win10v2004-20240226-en

Max time kernel

159s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll C:\Program Files\Reimage\Reimage Repair\lzma.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\Reimage_uninstall.ico C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\ReimageSafeMode.exe C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File opened for modification C:\Program Files\Reimage\Reimage Repair\ReimageRepair.exe C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\engine.dat C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll C:\Program Files\Reimage\Reimage Repair\lzma.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\REI_Engine.lza C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\Reimageicon.ico C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\Reimage_website.ico C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\msvcr120.dll C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\ReimageRepair.exe C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.lza C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File opened for modification C:\Program Files\Reimage\Reimage Repair\reimage.dat C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File opened for modification C:\Program Files\Reimage\Reimage Repair\engine.dat C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\Reimage_SafeMode.ico C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\REI_AVIRA.exe C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\ReimageReminder.exe C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\version.rei C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\REI_SupportInfoTool.exe C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\Reimage.exe C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\reimage.dat C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\savapi.dll C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
File created C:\Program Files\Reimage\Reimage Repair\LZMA.EXE C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Reimage.ini C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
File opened for modification C:\Windows\reimage.ini C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Registers COM server for autorun

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\INPROCSERVER32 C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32\ThreadingModel = "Both" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\INPROCSERVER32 C:\Windows\SYSTEM32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\INPROCSERVER32 C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll" C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32 C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll" C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll" C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\INPROCSERVER32 C:\Windows\SYSTEM32\regsvr32.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{0AEE2A92-BCBB-11D0-8C72-00C04FC2B085} C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32 C:\Windows\SYSTEM32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT\CLSID C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\CLSID C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll" C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed} C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ProgID\ = "JScript.Compact" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT1.3\CLSID C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\ = "JScript Language" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064} C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\ECMASCRIPT\OLESCRIPT C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JScript\CLSID C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID C:\Windows\SYSTEM32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064} C:\Windows\SYSTEM32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\ = "JScript Language" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author C:\Windows\SYSTEM32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064} C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript C:\Windows\SYSTEM32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064} C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064} C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58} C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{0AEE2A92-BCBB-11D0-8C72-00C04FC2B085} C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ProgID C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}" C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\ = "JScript Language" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\INPROCSERVER32 C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064} C:\Windows\SYSTEM32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT AUTHOR\CLSID C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll" C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ = "JScript Compact Profile (ECMA 327)" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT\CLSID C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID\ = "{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\CLSID C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JScript\ = "JScript Language" C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 C:\Windows\SYSTEM32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT AUTHOR\CLSID C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\CLSID C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}" C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\ = "JScript Language" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3 C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58} C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\ = "JScript Language" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\OLEScript C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064} C:\Windows\SYSTEM32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT1.1\OLESCRIPT C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\OLEScript C:\Windows\SYSTEM32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT\OLESCRIPT C:\Windows\SYSTEM32\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2228 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 1080 wrote to memory of 1676 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 2228 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 312 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 2228 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 948 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 2228 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 952 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2228 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 4860 wrote to memory of 4580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2228 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SYSTEM32\regsvr32.exe
PID 2228 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 3280 wrote to memory of 1148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2228 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 3084 wrote to memory of 1048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2228 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 4496 wrote to memory of 4008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2228 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 4632 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 2228 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe
PID 5100 wrote to memory of 5052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2228 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe

"C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe

"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\328d11uu.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_trackid';"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe

"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\328d11uu.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_tracking';"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe

"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\328d11uu.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_campaign';"

C:\Windows\SysWOW64\cmd.exe

cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "IMAGENAME eq Reimage.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "IMAGENAME eq avupdate.exe"

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32 /s "C:\Windows\system32\jscript.dll"

C:\Windows\SysWOW64\cmd.exe

cmd /C tasklist /FI "IMAGENAME eq ReimagePackage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "IMAGENAME eq ReimagePackage.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /C tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /C tasklist /FI "IMAGENAME eq GeoProxy.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "IMAGENAME eq GeoProxy.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe

"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\328d11uu.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_country';"

C:\Windows\SysWOW64\cmd.exe

cmd /C tasklist /FI "IMAGENAME eq Wireshark.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "IMAGENAME eq Wireshark.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /C tasklist /FI "IMAGENAME eq Fiddler.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "IMAGENAME eq Fiddler.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /C tasklist /FI "IMAGENAME eq smsniff.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "IMAGENAME eq smsniff.exe"

C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe

"C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe" /GUI=http://www.reimageplus.com/GUI/GUI1974/layout.php?consumer=1&gui_branch=0&trackutil=&MinorSessionID=e5bcd97a1c194000a1faffc6b0&lang_code=en&bundle=0&loadresults=0&ShowSettings=false "/Location=C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe" /uninstallX86=TRUE /trackutil= /CookieTracking= /CookieCampaign= /EventUser=New /Update=1 /DownloaderVersion=1956 /RunSilent=false /SessionID=f965607b-c266-4657-a0f3-203b4b58f87a /IDMinorSession=e5bcd97a1c194000a1faffc6b0 /pxkp=Delete /ScanSilent=0 /Close=0 /cil=DISABLED /ShowName=False /Language=1033 /GuiLang=en /AgentStatus=ENABLED /StartScan=0 /VersionInfo=versionInfo /ShowSettings=true

C:\Windows\SysWOW64\cmd.exe

cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "IMAGENAME eq Reimage.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "IMAGENAME eq avupdate.exe"

C:\Program Files\Reimage\Reimage Repair\lzma.exe

"C:\Program Files\Reimage\Reimage Repair\lzma.exe" "d" "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.lza" "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll"

C:\Program Files\Reimage\Reimage Repair\lzma.exe

"C:\Program Files\Reimage\Reimage Repair\lzma.exe" "d" "C:\Program Files\Reimage\Reimage Repair\REI_Engine.lza" "C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll"

C:\Windows\SysWOW64\cmd.exe

cmd /C tasklist /FI "IMAGENAME eq REI_avira.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "IMAGENAME eq REI_avira.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 www.reimageplus.com udp
US 161.47.7.14:80 www.reimageplus.com tcp
US 8.8.8.8:53 14.7.47.161.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 cdnrep.reimage.com udp
GB 18.245.162.121:80 cdnrep.reimage.com tcp
US 8.8.8.8:53 121.162.245.18.in-addr.arpa udp
US 161.47.7.14:80 www.reimageplus.com tcp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 cdnrep.reimageplus.com udp
GB 18.244.179.123:80 cdnrep.reimageplus.com tcp
US 8.8.8.8:53 123.179.244.18.in-addr.arpa udp
US 161.47.7.14:80 www.reimageplus.com tcp
US 8.8.8.8:53 204.201.50.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsgD44A.tmp\LogEx.dll

MD5 0f96d9eb959ad4e8fd205e6d58cf01b8
SHA1 7c45512cbdb24216afd23a9e8cdce0cfeaa7660f
SHA256 57ede354532937e38c4ae9da3710ee295705ea9770c402dfb3a5c56a32fd4314
SHA512 9f3afb61d75ac7b7dc84abcbf1b04f759b7055992d46140dc5dcc269aed22268d044ee8030f5ea260bbb912774e5bbb751560c16e54efa99c700b9fc7d48832c

C:\Users\Admin\AppData\Local\Temp\nsgD44A.tmp\System.dll

MD5 bf712f32249029466fa86756f5546950
SHA1 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
SHA256 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
SHA512 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

C:\Users\Admin\AppData\Local\Temp\nsgD44A.tmp\Banner.dll

MD5 e264d0f91103758bc5b088e8547e0ec1
SHA1 24a94ff59668d18b908c78afd2a9563de2819680
SHA256 501b5935fe8e17516b324e3c1da89773e689359c12263e9782f95836dbab8b63
SHA512 a533278355defd265ef713d4169f06066be41dd60b0e7ed5340454c40aabc47afa47c5ce4c0dbcd6cb8380e2b25dbb1762c3c996d11ac9f70ab9763182850205

C:\Users\Admin\AppData\Local\Temp\nsgD44A.tmp\UserInfo.dll

MD5 c7ce0e47c83525983fd2c4c9566b4aad
SHA1 38b7ad7bb32ffae35540fce373b8a671878dc54e
SHA256 6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae
SHA512 ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

C:\Users\Admin\AppData\Local\Temp\nsrD65E.tmp

MD5 1a8a35a97d446a7209e6206f9a9ddcd3
SHA1 bdebb461d5522f62a81a8ad1c68ca96fd7841a7e
SHA256 c89362f393ca2ce39d9775a3ce198e9737b08bf276b341187404f7276c4fb699
SHA512 01aa8a6600dc23fea37c1ddd91642fa4562b542c648dbf366d7540ccebb3526744f5980787c9470199db0b642c104e5813dd2c9d2ae10d82bc063c46b4ed4136

C:\Users\Admin\AppData\Local\Temp\nsgD44A.tmp\nsExec.dll

MD5 132e6153717a7f9710dcea4536f364cd
SHA1 e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
SHA256 d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
SHA512 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe

MD5 91cdcea4be94624e198d3012f5442584
SHA1 fab4043494e4bb02efbaf72bcca86c01992d765c
SHA256 ca4c0f1ec0ccbc9988ea3f43ff73fe84228ffb4d76baddc386051dffe7ddd8c2
SHA512 74edd1e31517acaf4d367521df84e17bda0a60743852076bc2edbd9e634c810fb98a06b29562237dfd61fb98fec0e379c3ce5a86b361ed0f2594d10c1a93c11e

memory/1676-37-0x0000000000400000-0x000000000047D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nscD95C.tmp

MD5 d00fc07e7703a9cf90dbd39b7b550b03
SHA1 94d9b34998d412e74eb059dcfe3479faf2b4c684
SHA256 cb2901c2fa6dc3dcf1f3e7914807694b59fb2e1ce80d11f0f8db54927be5fb1b
SHA512 f3bcd8fd17e25a0ca1f98a899cfbfa0959470520b97c175067b5e3fc0b3bf23b574a270aedf590946eda26e00452ed075522c478dd6f860b2770b73feb6acc26

memory/312-52-0x0000000000400000-0x000000000047D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsiDB51.tmp

MD5 b7ed99e551791168d2843199a642bffe
SHA1 f5dffd0a8b4268a17b3d93b352391f193e1c7c85
SHA256 555fa7317a2de61be0883bd64f9ae7b9d889fe59c110674f4fcae7f9d3c6e910
SHA512 bbd146b3683c7dc4251124d95c65dd3496312e1ed47d1ba018bf6116fc35ca7661b00e7e0236e9e2699237df683f8e37114114bd6c2ece0aea90417e7815b6f2

memory/1668-67-0x0000000000400000-0x000000000047D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

MD5 dea052a2ad11945b1960577c0192f2eb
SHA1 1d02626a05a546a90c05902b2551f32c20eb3708
SHA256 943b315e065238b7073b033f534ef954b6b6461fb3f03a3f5b8555b11bc4c0a2
SHA512 5496b10e2a77aee11055d71bdaaed835df1770e85fa4d0f9433330470bbcf76c932c04778a0b47f4193eee14813db2e2b19ecc50b4a6a193faa19b4019705917

C:\Users\Admin\AppData\Local\Temp\nsgD44A.tmp\inetc.dll

MD5 5da9df435ff20853a2c45026e7681cef
SHA1 39b1d70a7a03e7c791cb21a53d82fd949706a4b4
SHA256 9c52c74b8e115db0bde90f56382ebcc12aff05eb2232f80a4701e957e09635e2
SHA512 4ab3b1572485a8a11863adada2c6ec01e809a4b09f99d80903c79a95b91f299b8f2cd6cceaa915567e155a46291a33fb8ccb95141d76d4e7b0e040890d51d09f

memory/2228-84-0x00000000058D0000-0x00000000058DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsgD44A.tmp\nsDialogs.dll

MD5 4ccc4a742d4423f2f0ed744fd9c81f63
SHA1 704f00a1acc327fd879cf75fc90d0b8f927c36bc
SHA256 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6
SHA512 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

memory/2228-104-0x0000000000C70000-0x0000000000CC9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsgD44A.tmp\registry.dll

MD5 2b7007ed0262ca02ef69d8990815cbeb
SHA1 2eabe4f755213666dbbbde024a5235ddde02b47f
SHA256 0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d
SHA512 aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

C:\Users\Admin\AppData\Local\Temp\nsgD44A.tmp\stack.dll

MD5 867af9bea8b24c78736bf8d0fdb5a78e
SHA1 05839fad98aa2bcd9f6ecb22de4816e0c75bf97d
SHA256 732164fb36f46dd23dafb6d7621531e70f1f81e2967b3053727ec7b5492d0ae9
SHA512 b7f54d52ff08b29a04b4f5887e6e3ae0e74fa45a86e55e0a4d362bc3603426c42c1d6a0b2fc2ef574bec0f6c7152de756ff48415e37ae6a7a9c296303562df4b

memory/2228-116-0x00000000008D0000-0x00000000008DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsgD44A.tmp\xml.dll

MD5 ebce8f5e440e0be57665e1e58dfb7425
SHA1 573dc1abd2b03512f390f569058fd2cf1d02ce91
SHA256 d1aaacc0aaf477b6b9f084697adcb444fc2333b32e8d99d224dca89516e762a7
SHA512 4786c9124973b6543d7291047d4c4a06c05282a3766212dbd3b8ce9b9560afddca20c491f791db2258c14ab767d5d3f480daa4706492949eae2ceb4a35aaef85

memory/2228-177-0x00000000008F0000-0x00000000008FB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\repair_version.xml

MD5 8f3df5875ccd9d1982a6d65c0d3e06c9
SHA1 8fefd15ed67d03a95e329f4e18477ae5ae9b023d
SHA256 64f2dd5e4f25b2a45056257af5a9061e7f34907f9345e6ba85b7a47ae58c009a
SHA512 e58f7b0870540b9207a304cd66fe44ecfbd42292446aa213fa3be6795eeba463a664366a9ccd642b615d74984e5ab91b06a3929a435f9aebed898a95ecd48089

C:\Users\Admin\AppData\Local\Temp\cfl.rei

MD5 41b797743d2d08233b680501b086d669
SHA1 e19aaa402c3e6fedbf4f8cfd0256b537cb001ca5
SHA256 5805c8a496c13e9085f624a9c4f20188587d7b13d9c3e5f79f0f78367df74cf5
SHA512 13fbcc4d53c65ce1b09fb6fa088824384659a9d4bcf1713ce8c75caa08a0f3df9e14061d42f4696608547b326a6fd1ef18fa92cbd3e3016559630d2e57358b80

C:\Users\Admin\AppData\Local\Temp\nsk8FD8.tmp

MD5 b22c0a7ddb2e6661203f2a8286c9bb7f
SHA1 93af3d196fbad1004a4fd5df04253399abef2a6e
SHA256 d508ad5951e07341bc574838b216e46f1f00f4e2c3495f3208c4e398523c8f9b
SHA512 2479d8deba2f15f1a99ace40f3f1ec8ff885666dbf815374131634a4adde07bc9d09e36d424a0537bc89a4f87b5d253b889c944417fe36a6bd1fa7247ef73146

memory/4632-212-0x0000000000400000-0x000000000047D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe

MD5 0cf8715cbdee01676d24f4f78c7b431f
SHA1 74989063fd05ffb28d0d705c583c2c6b1e9aef99
SHA256 4de22f65551da53a761b1e9049abfcfdeddb4f36dfd50503f4ac45a0e4f972a4
SHA512 248e107e97b2c1c1172abcadffee1497fbf8f75a0b343d983cf13410c2c74c6a7bd23f5d5ece32e76b2521b0a1543f4f6b62a4e8e407ba27ce722e2290976327

C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe

MD5 54d20e0e5fc291cf706828d6715899b9
SHA1 a0cd1d0488b563c3efac72d4917476c48b79e9e2
SHA256 fda1355af47182f9c86a348e2e1f681d849ed70acabc6cb7ea1d8654009eefde
SHA512 587079e0259f35b9a3149d1c5908b488e15beffd227b6773b95b2ce9137b1527aae254f66c98ab96656509d2ff7a2edd66f550abbb949f482059ae33a299a364

C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe

MD5 638c5fc583d36ed7211e051099d56c6b
SHA1 09b3ec63e46ba3b1cebc50acf9e4195e5392ab65
SHA256 8a5ebe65aee9941cc46484636ced1767f33c2d8410d7aa931de46aea49497023
SHA512 4e679199daa36492e7beebbb7a4625eef1e2fcfd4f427722bd9797139feb226b936b605afd7d2d0bfca3ef25fa25333e16623da1f385f96ee3356b67386c2aad

C:\Users\Admin\AppData\Local\Temp\nsiAEE6.tmp\modern-header.bmp

MD5 ae1a4753df5fc34780602bcac675a8a5
SHA1 3e30c7bbbb25d6b4141fe405fc7862e04868b220
SHA256 e7e5bbfd8c8ad303753ecfda840180b586c336e4ab5aacc6b0adea1c3ef0188a
SHA512 b70920c7fe7938fc56badc133a175c80684d0041b1980c0941cfe3781e568a9aaa611670395b0bd7786e5309eb9bfbef5a5f90d9b0b4cdc00aac31c9037fda83

C:\Users\Admin\AppData\Local\Temp\nsiAEE6.tmp\DcryptDll.dll

MD5 4c373143ee342a75b469e0748049cd24
SHA1 d4e0e5155e78b99ec9459136acece2364bc2e935
SHA256 b4b5772a893e56aa5382aa3f0fef7837fa471e3b3e46db70b8bc702f2037e589
SHA512 569f92c3ff9a6e105cf9b3806d8b696442a5679dfa5d7c9362b0649a67cbea2478ca28a5da6c3bd0edacdb634509d8584c6959a4cc13c38d596458f372832f61

C:\Program Files\Reimage\Reimage Repair\ReimageRepair.exe

MD5 f5af9d859c9a031ab6bea66048fab6e1
SHA1 d0ee45d3534cc23cbd0d7c3765203ed926a7eb0a
SHA256 4efd1bc1bdc12da1bbdc597cf3f37f0c65e582f42e353cf781ac1fe422dfa68c
SHA512 c771c3e7ef88116168b9e3e0d0e4dbb2f2ad03dec0a87b9d3427faf7edb0a2510bb80dcb57b50fb6bcb9f683f23d876f35dc91a85006973bdb3fec41d51145a5