Analysis Overview
SHA256: 4a836b5dfbb49e09690dccdcce3296f66a3c7190ab03555140a8117695c6165f
Threat Level: Likely malicious
The file Adware.zip was found to be: Likely malicious.
Malicious Activity Summary
Modifies Windows Firewall
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
UPX packed file
Reads user/profile data of web browsers
ACProtect 1.3x - 1.4x DLL software
Downloads MZ/PE file
Checks installed software on the system
Drops file in Windows directory
Registers COM server for autorun
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Modifies registry class
Enumerates system info in registry
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Kills process with taskkill
Enumerates processes with tasklist
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-03-02 23:20
Signatures
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Unsigned PE
Analysis: behavioral3
Detonation Overview
Submitted: 2024-03-02 23:20
Reported: 2024-03-02 23:23
Platform: win7-20240221-en
Max time kernel: 150s
Max time network: 155s
Command Line
Signatures
Modifies Windows Firewall
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| N/A | N/A | C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe | N/A |
Loads dropped DLL
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-EK7VH.tmp | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-FFMUL.tmp | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-8R1MF.tmp | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-C2PGU.tmp | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\updater\extract\is-DA494.tmp | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\updater\extract\is-3VASK.tmp | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\WinZip Driver Updater\updater\amd64Helper\difxapi.dll | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\WinZip Driver Updater\updater\extract\7z.dll | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-CHV0L.tmp | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\updater\amd64Helper\is-RPVD9.tmp | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\updater\extract\is-AFUNO.tmp | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-DDVH8.tmp | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-NI1OQ.tmp | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-J284O.tmp | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\WinZip Driver Updater\isxdl.dll | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-76I0D.tmp | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\unins000.msg | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\updater\extract\is-SVTKC.tmp | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-PCHR2.tmp | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\WinZip Driver Updater\difxapi.dll | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-TNHAP.tmp | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-9PAAI.tmp | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-GELD7.tmp | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-8OOQP.tmp | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\WinZip Driver Updater\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\WinZip Driver Updater\unrar.dll | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\updater\extract\is-NB1CH.tmp | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\updater\amd64Helper\is-NOO59.tmp | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-HP8PQ.tmp | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-FS436.tmp | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-D0KGI.tmp | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\WinZip Driver Updater\updater\amd64Helper\DriverUpdateHelper64.exe | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-K46MB.tmp | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-OTBV9.tmp | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-54E0A.tmp | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\updater\amd64Helper\is-5H4HJ.tmp | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\updater\extract\is-KKKI5.tmp | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\WinZip Driver Updater\difxapi64.dll | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\WinZip Driver Updater\updater\extract\7z.exe | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-G2MDN.tmp | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\ = "JScript Language" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\SysWow64\\jscript.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{0AEE2A92-BCBB-11D0-8C72-00C04FC2B085} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\INPROCSERVER32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ = "JScript Compact Profile (ECMA 327)" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\OLEScript | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ = "JScript Language Authoring" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\ = "JScript Language Authoring" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\OLEScript | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\ = "JScript Language" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32\ = "C:\\Windows\\SysWow64\\jscript.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ProgID\ = "JScript.Compact" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\ = "JScript Language" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\OLESCRIPT | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\ = "JScript Language" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\SysWow64\\jscript.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\INPROCSERVER32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\OLEScript | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript\OLEScript | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\ = "JScript Language" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript\ = "JScript Language" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\OLESCRIPT | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\ = "JScript Language Encoding" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\OLESCRIPT | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\OLESCRIPT | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Adware\WinZip Driver Updater\WinZip Driver Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Adware\WinZip Driver Updater\WinZip Driver Updater.exe"
C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp" /SL5="$B014E,3017901,168448,C:\Users\Admin\AppData\Local\Temp\Adware\WinZip Driver Updater\WinZip Driver Updater.exe"
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im winzipdu.exe
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im DriverUpdateHelper64.exe
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\jscript.dll"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "WINZIPDU-WINZIPDUDriverUpdater" /f
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "WinZipDriverUpdater" /f
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "WinZipDriverUpdaterRunAtStartup" /f
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule "WinZipDriverUpdater"
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="WinZipDriverUpdater" dir=in action=allow program="C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe"
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im winzipdu.exe
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im DriverUpdateHelper64.exe
C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe
"C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe"
C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe
"C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe" -firstinstall
Network
Files
memory/2000-0-0x0000000000400000-0x0000000000433000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-7C9JU.tmp\WinZip Driver Updater.tmp
| Hash | Value |
|---|---|
| MD5 | 03a5ddae8f18c3390aee71cbc8571756 |
| SHA1 | 902397a802c3149fca07ed6a6366cfe704998a42 |
| SHA256 | 709101ba21638ab3ac941b1edf60e6a35a6422ea8cdb29acb84fe9006e997ce1 |
| SHA512 | 01176428e86d85980cff42b96daa3d6d3fe9647b8f31c83cea14ebcf59b877e9c7af6d69c8a1278ecbec3ebe35d1f3ee5da8651955fb8b81c32d75f536c33da4 |
memory/2704-7-0x0000000000240000-0x0000000000241000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-Q0FT3.tmp\_isetup\_shfoldr.dll
| Hash | Value |
|---|---|
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/2000-14-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2704-15-0x0000000000400000-0x000000000052E000-memory.dmp
memory/2704-18-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2704-39-0x0000000000400000-0x000000000052E000-memory.dmp
C:\Program Files (x86)\WinZip Driver Updater\updater\amd64Helper\difxapi.dll
| Hash | Value |
|---|---|
| MD5 | 1a2e5109c2bb5c68d499e17b83acb73a |
| SHA1 | efa15cfa23606dfc355d11580b509e768a50ddbb |
| SHA256 | e70bbcee0d01658ccd201ebe0f0e547b9daff01b7c593a0fdd0c64e5f45d6f11 |
| SHA512 | 47317d24d02c4122fe175bcd7f5b3dd8823063e7ea63f83961e40f10872642d2d6f6e6abaf5fb7630cf0e9d8cec0d112889600b14ecb8698b81597f52d54815b |
\Program Files (x86)\WinZip Driver Updater\winzipdu.exe
| Hash | Value |
|---|---|
| MD5 | 1c56989ec0655dbca8939d03eb11b45e |
| SHA1 | e945f3b91fcc54c82a4fc21e9270fee307b953b3 |
| SHA256 | c4edcff80133994e019c0035a2334965ab727748ec94455d487d5a1055946730 |
| SHA512 | 8d2693298dd0c24981840a03745a6a1d014c877c6a5cea8d67de45cd4288492a44063ba2e52cafeec12f8edadc1194e7080fd99def22235bd6bbfe4fbee9e9d8 |
\Program Files (x86)\WinZip Driver Updater\winzipdu.exe
| Hash | Value |
|---|---|
| MD5 | 20aaea9ccea474d982b3a6e29f4b2bd2 |
| SHA1 | 81537a55581b070b8e9e139dddbb0b1472f24018 |
| SHA256 | fec34e336445842b7576c8cc5b23dbb73ce81bff0c8ad3bceb34b93c3655031d |
| SHA512 | 962c299b73fd721fd1dc766e71f7a7c9782d5005ee8c4cda4d5e436442b4e45680e510893249ddc88dc991d858d505234d6422cc49c80447a519efd718d28168 |
memory/2704-120-0x0000000000400000-0x000000000052E000-memory.dmp
C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe
| Hash | Value |
|---|---|
| MD5 | 1f12fe5fac30efe7e0fd2a96c185d15a |
| SHA1 | 551a408485375013efb641625de990c1a7b22ebf |
| SHA256 | b1c8ec4c061e7aef8a225c3cb5236be09501503a1262a18c5bef336259e666c7 |
| SHA512 | 5a42fa984b1c5729418ee8522247ce362a3363d17eff9c90272921b4e69b58cdb3b1aed83d97d7919d380b3ddf7aeb3722ffe6b65ec2d77e23a5dafec9d00fec |
memory/2528-146-0x0000000001150000-0x0000000001188000-memory.dmp
\Program Files (x86)\WinZip Driver Updater\unrar.dll
| Hash | Value |
|---|---|
| MD5 | 92040a0f7f7d7a3f1e12d8bb064cb3b2 |
| SHA1 | df29e79c9d91ac0ee4788156ad9ea525b8fe11d7 |
| SHA256 | 7344bd44e4433a8f3034519f2b5745c0ced5b614c5c28bdc88cdc9acbbaef2c3 |
| SHA512 | ec423ba8a6c5f11f105ba3a12c62fa500ebb2b44c6ce1064381996a818856285a817d76c0c5a57c28821a492cfb59ba31d97ab585a62f08bbec68d7c91fb9408 |
C:\Program Files (x86)\WinZip Driver Updater\isxdl.dll
| Hash | Value |
|---|---|
| MD5 | 7a1a16f150ccb9cb1731327b2e03488f |
| SHA1 | 54ccaaf593f828c09ff5e718a69e1b0d5d904d66 |
| SHA256 | ed05f590e22bc39330b9925b766b70b8213e3dd20686660021be3616e6685295 |
| SHA512 | 7d1e3c857f4a7b74eb403085d0a5ded5fb89c96b3e56c1ec7dd218157d588ad64f97205066d74556409d43369c92d1193fdaf6cc3f073f0bc5a4c994f584daca |
C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe
| Hash | Value |
|---|---|
| MD5 | 3d39c88bc10366c5cb0db6147c4127db |
| SHA1 | 855a5a8c73f4bc1fde921bfc76a2609b615d9683 |
| SHA256 | 11f98bb0e6719f7cd0f74ee7a664947977080216d35c20c9168e794673bf6086 |
| SHA512 | 01e6b397a00a19510886d9957a7c2f9b0358dc6adf9467db2461da9c7e52bac1a984ce3ec02ee218997e958851dd7e23eb93e188dc34b1a25be3bb55da66e4ac |
C:\Program Files (x86)\WinZip Driver Updater\eng_rcp.ini
| Hash | Value |
|---|---|
| MD5 | 3472b1344ee22e7768567d73bd50c58b |
| SHA1 | 1ca4692e9e812d3e68874ccf4f958f452e733360 |
| SHA256 | 86a64a91c6c3aede88969b83fd4d400a010f397f8154106e3810e5bc2c16e9a0 |
| SHA512 | 5a71f2de5580f99644a860742d11074bc37597ae4f504667f9c597042d360d1fceb17047d51eb658ee7daf83a0d80d7bcf3b80299d4d0a92f27761978f3479de |
\Program Files (x86)\WinZip Driver Updater\winzipdu.exe
| Hash | Value |
|---|---|
| MD5 | 22906a6e571771ff39cf79dab44417a4 |
| SHA1 | 16d4ae3df09afeff502f35c606a2cb3cc2e31a6f |
| SHA256 | 60eff8d6c736fba3a992925470854eae18747d14124f69116383d28bbbbf36bd |
| SHA512 | 4a5c43eea5429eee97fca0a84b814dcbbb9609e757bb250a28757baef05f64d0ea16161d74ddc5a8f168193141c152d59c09308b693472feb8887163211c2288 |
C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe
| Hash | Value |
|---|---|
| MD5 | 575160bfca448ca7691b65b6db22114f |
| SHA1 | 00246a4c899d239af6a77d92017439453b2036dd |
| SHA256 | d2d5eab00af33be00ab92b8e3eef499b482f85514173f8a94938bb8e177199b7 |
| SHA512 | 794a7dedd0eeb84d7de87f1f47b6442fbde1bcae77f22bd42b1fe82dfeedf997ac14b0102e4cc4b52a2e461b6bd7242408c6cd91b5237de85d621ceaa09e889b |
Analysis: behavioral4
Detonation Overview
Submitted: 2024-03-02 23:20
Reported: 2024-03-02 23:24
Platform: win10v2004-20240226-en
Max time kernel: 225s
Max time network: 241s
Command Line
Signatures
Modifies Windows Firewall
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| N/A | N/A | C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe | N/A |
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-R3L3C.tmp | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-CDCFQ.tmp | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\WinZip Driver Updater\updater\extract\7z.dll | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-G5KU3.tmp | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\updater\amd64Helper\is-O13PR.tmp | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-9H3CG.tmp | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\WinZip Driver Updater\updater\extract\7z.exe | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-FGF1A.tmp | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\WinZip Driver Updater\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\WinZip Driver Updater\unrar.dll | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\WinZip Driver Updater\updater\amd64Helper\difxapi.dll | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\updater\extract\is-U27DJ.tmp | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-SEQVM.tmp | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-QU2I3.tmp | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-MQM8V.tmp | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-3PITI.tmp | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\WinZip Driver Updater\difxapi.dll | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-G82HF.tmp | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-J6UML.tmp | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-N41KI.tmp | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-T5JF6.tmp | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-J6MPU.tmp | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\updater\extract\is-IQ8QP.tmp | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\updater\extract\is-4H2LJ.tmp | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\unins000.msg | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-HESCH.tmp | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\updater\amd64Helper\is-IPD13.tmp | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\updater\extract\is-ABGLB.tmp | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-82837.tmp | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\updater\amd64Helper\is-I88H1.tmp | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-NTCF9.tmp | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-0M1AK.tmp | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-T44TJ.tmp | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\WinZip Driver Updater\isxdl.dll | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\WinZip Driver Updater\difxapi64.dll | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-O2392.tmp | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\is-M9CRA.tmp | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\WinZip Driver Updater\updater\amd64Helper\DriverUpdateHelper64.exe | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\updater\extract\is-DT1AC.tmp | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| File created | C:\Program Files (x86)\WinZip Driver Updater\updater\extract\is-QNRH1.tmp | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\ = "JScript Language" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\ = "JScript Language Authoring" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\ = "JScript Language Authoring" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\ = "JScript Language" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\OLEScript | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\LIVESCRIPT AUTHOR\OLESCRIPT | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\INPROCSERVER32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\SysWow64\\jscript.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\OLEScript | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\LIVESCRIPT\OLESCRIPT | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\OLEScript | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\SysWow64\\jscript.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\ECMASCRIPT\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\OLEScript | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT AUTHOR\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ProgID\ = "JScript.Compact" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\SysWow64\\jscript.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\PROGID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT1.3\OLESCRIPT | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\OLEScript | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT1.1\OLESCRIPT | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT1.1 AUTHOR\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\ECMASCRIPT AUTHOR\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT.COMPACT\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\OLESCRIPT | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\INPROCSERVER32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT\OLESCRIPT | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\PROGID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
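The rows above are what `regsvr32.exe /s jscript.dll` writes when it re-registers the JScript engine: the script-engine ProgIDs (JScript, JavaScript, ECMAScript, LiveScript, JScript.Compact and their Author variants) are pointed at the `{f414c26x-...}` CLSIDs, and each CLSID's `InprocServer32` default value is set to `C:\Windows\SysWow64\jscript.dll`. The check a reviewer wants on this kind of event stream is whether every `InprocServer32` default value still resolves to a DLL under the Windows system directories, since the same key is the one a COM hijack would repoint. The following is an added example, not code from the report, the sandbox vendor or WinZip. It assumes the four-column table layout shown above; the baseline mapping of the three `{f414c260/261/262-...}` CLSIDs to `jscript.dll` is taken from the rows above, and the fourth sample row is a hypothetical, constructed hijack entry that is not in this report.

```python
"""Audit InprocServer32 default-value writes taken from sandbox registry rows (added example)."""
import ntpath
import re
from typing import Optional

# Constructed sample input: three rows copied from the table above, plus one
# hypothetical row (NOT from the report) that models a COM hijack of the same
# CLSID, so the failure path of the audit is exercised as well.
SAMPLE_ROWS = [
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\SysWow64\\jscript.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\SysWow64\\jscript.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both" | C:\Windows\SysWOW64\regsvr32.exe | N/A |',
    # Hypothetical hijack row, constructed for this example only.
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\jscript.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |',
]

# Baseline taken from the report rows: these JScript CLSIDs are served by jscript.dll.
EXPECTED_SERVER = {
    "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}": "jscript.dll",
    "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}": "jscript.dll",
    "{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}": "jscript.dll",
}
# Lower-cased directory prefixes an in-process system COM server is expected under.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Indicator column layout: <key path>\<value name> = "<value>"; the value name is
# empty for the key's default value (e.g. "...\InprocServer32\ = ...").
INDICATOR_RE = re.compile(r'^(?P<path>.*)\\(?P<name>[^\\ ]*) = "(?P<value>.*)"$')
CLSID_RE = re.compile(r"\{[0-9a-f-]{36}\}")


def parse_row(row: str) -> Optional[dict]:
    """Parse one 'Set value (str)' table row into path / name / value / process."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    if len(cells) != 4 or cells[0] != "Set value (str)":
        return None
    m = INDICATOR_RE.match(cells[1])
    if not m:
        return None
    return {
        "path": m["path"],
        "name": m["name"],
        "value": m["value"].replace("\\\\", "\\"),  # undo the report's doubled backslashes
        "process": cells[2],
    }


def audit_inproc_servers(rows) -> list:
    """Return one verdict per InprocServer32 default-value write in the rows."""
    verdicts = []
    for ev in filter(None, map(parse_row, rows)):
        if ev["name"] != "" or not ev["path"].lower().endswith("\\inprocserver32"):
            continue  # only the default value names the server DLL
        clsid_m = CLSID_RE.search(ev["path"].lower())
        clsid = clsid_m.group(0) if clsid_m else None
        server = ev["value"]
        low = server.lower()
        problems = []
        # Location check: a server DLL outside the system directories is the
        # classic COM-hijack signal, even when its basename looks legitimate.
        if not low.startswith(SYSTEM_DIRS):
            problems.append("server outside Windows system directories")
        expected = EXPECTED_SERVER.get(clsid)
        if expected is None:
            problems.append("CLSID not in baseline")
        elif ntpath.basename(low) != expected:
            problems.append(f"expected {expected}")
        verdicts.append({"clsid": clsid, "server": server, "process": ev["process"],
                         "ok": not problems, "problems": problems})
    return verdicts


if __name__ == "__main__":
    for v in audit_inproc_servers(SAMPLE_ROWS):
        print("OK  " if v["ok"] else "BAD ", v["clsid"], v["server"], v["problems"])
```

The basename comparison alone would have passed the constructed hijack row (it is also called `jscript.dll`); the directory prefix check is what catches it, which is why both are applied.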
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Adware\WinZip Driver Updater\WinZip Driver Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Adware\WinZip Driver Updater\WinZip Driver Updater.exe"
C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp" /SL5="$D0042,3017901,168448,C:\Users\Admin\AppData\Local\Temp\Adware\WinZip Driver Updater\WinZip Driver Updater.exe"
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im winzipdu.exe
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im DriverUpdateHelper64.exe
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\jscript.dll"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "WINZIPDU-WINZIPDUDriverUpdater" /f
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "WinZipDriverUpdater" /f
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "WinZipDriverUpdaterRunAtStartup" /f
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule "WinZipDriverUpdater"
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="WinZipDriverUpdater" dir=in action=allow program="C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe"
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im winzipdu.exe
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im DriverUpdateHelper64.exe
C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe
"C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe" -firstinstall
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.winzip.com/instcmplt.cgi?pid=wzdu&vid=du23&lang=en&utm_source=winzip&utm_campaign=default&utm_medium=newbuild&LangID=en
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9c2c146f8,0x7ff9c2c14708,0x7ff9c2c14718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4798349742615593218,11319658674838758364,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,4798349742615593218,11319658674838758364,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,4798349742615593218,11319658674838758364,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4798349742615593218,11319658674838758364,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4798349742615593218,11319658674838758364,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4798349742615593218,11319658674838758364,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4798349742615593218,11319658674838758364,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4798349742615593218,11319658674838758364,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4798349742615593218,11319658674838758364,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2300 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,4798349742615593218,11319658674838758364,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4168 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,4798349742615593218,11319658674838758364,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4168 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
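Every command the Inno Setup stage (`WinZip Driver Updater.tmp`) spawns above is a Windows LOLBin: `taskkill /f /im` against the product's own processes, `regsvr32 /s` to re-register `jscript.dll`, `schtasks /delete` for three task names, and `netsh advfirewall` to delete and then re-add an inbound allow rule for `winzipdu.exe`. Triage of such a process list is easier when the command lines are reduced to structured findings rather than read by eye. The following is an added example, not code from the report or from WinZip: a classifier over those command lines that copes with Windows quoting (paths with spaces, `key="value"` arguments) and returns one finding per recognised action. The input is the command lines from the Processes section copied inline; the technique labels are my own and not a sandbox vocabulary.

```python
"""Classify the LOLBin command lines an installer spawns (added example)."""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: command lines from the Processes section above,
# embedded inline so the example runs offline.
SAMPLE_CMDLINES = [
    r'"C:\Windows\system32\taskkill.exe" /f /im winzipdu.exe',
    r'"C:\Windows\system32\taskkill.exe" /f /im DriverUpdateHelper64.exe',
    r'"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\jscript.dll"',
    r'"C:\Windows\System32\schtasks.exe" /delete /tn "WINZIPDU-WINZIPDUDriverUpdater" /f',
    r'"C:\Windows\System32\schtasks.exe" /delete /tn "WinZipDriverUpdater" /f',
    r'"C:\Windows\System32\schtasks.exe" /delete /tn "WinZipDriverUpdaterRunAtStartup" /f',
    r'"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule "WinZipDriverUpdater"',
    r'"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="WinZipDriverUpdater" '
    r'dir=in action=allow program="C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe"',
    r'"C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe" -firstinstall',
]

# A token is a run of unquoted chunks and "quoted chunks", so that
# program="C:\Program Files (x86)\..." stays one token despite the spaces.
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def unquote(tok: str) -> str:
    """Strip one pair of surrounding double quotes, if present."""
    if len(tok) >= 2 and tok[0] == '"' and tok[-1] == '"':
        return tok[1:-1]
    return tok


def split_cmdline(cmdline: str) -> list:
    return [unquote(t) for t in TOKEN_RE.findall(cmdline)]


@dataclass
class Finding:
    technique: str                # label for the observed behaviour (my own naming)
    image: str                    # basename of the executed binary, lower-cased
    detail: dict = field(default_factory=dict)


def classify(cmdline: str) -> Optional[Finding]:
    """Map one command line to a Finding, or None if it is not a LOLBin we track."""
    toks = split_cmdline(cmdline)
    if not toks:
        return None
    image = ntpath.basename(toks[0]).lower()
    args = toks[1:]
    low = [a.lower() for a in args]

    if image == "taskkill.exe" and "/im" in low:
        return Finding("process kill", image,
                       {"target": args[low.index("/im") + 1], "forced": "/f" in low})

    if image == "regsvr32.exe":
        dlls = [a for a in args if not a.startswith("/")]
        return Finding("COM server (re)registration", image,
                       {"dll": dlls[-1] if dlls else None, "silent": "/s" in low})

    if image == "schtasks.exe" and "/delete" in low and "/tn" in low:
        return Finding("scheduled task delete", image,
                       {"task": args[low.index("/tn") + 1]})

    if image == "netsh.exe" and low[:2] == ["advfirewall", "firewall"]:
        verb = low[2] if len(low) > 2 else ""
        kv = {}
        for a in args[4:]:                     # parameters after "<verb> rule"
            if "=" in a:
                k, v = a.split("=", 1)
                kv[k.lower()] = unquote(v)     # value may carry its own quotes
        if verb == "add" and kv.get("dir") == "in" and kv.get("action") == "allow":
            return Finding("inbound firewall allow", image,
                           {"name": kv.get("name"), "program": kv.get("program")})
        return Finding(f"firewall rule {verb}", image, kv or {"rule": args[-1]})

    return None


def analyze(cmdlines) -> list:
    return [f for f in map(classify, cmdlines) if f is not None]


def summarize(findings) -> dict:
    """Count findings per technique label."""
    counts = {}
    for f in findings:
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_CMDLINES):
        print(f"{f.technique:30} {f.image:14} {f.detail}")
```

The inbound allow rule is the finding worth keeping on a host-wide list: it opens the firewall to a user-mode updater binary under `Program Files (x86)`, and the only evidence of its creation outside the firewall log is this one `netsh` command line.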
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.winzip.com | udp |
| GB | 23.213.16.57:80 | www.winzip.com | tcp |
| GB | 23.213.16.57:80 | www.winzip.com | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | systemtools.winzip.com | udp |
| US | 54.196.68.199:80 | systemtools.winzip.com | tcp |
| US | 8.8.8.8:53 | 57.16.213.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.68.196.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.yiiframework.com | udp |
Files
memory/2568-0-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-0RC08.tmp\WinZip Driver Updater.tmp
| MD5 | 03a5ddae8f18c3390aee71cbc8571756 |
| SHA1 | 902397a802c3149fca07ed6a6366cfe704998a42 |
| SHA256 | 709101ba21638ab3ac941b1edf60e6a35a6422ea8cdb29acb84fe9006e997ce1 |
| SHA512 | 01176428e86d85980cff42b96daa3d6d3fe9647b8f31c83cea14ebcf59b877e9c7af6d69c8a1278ecbec3ebe35d1f3ee5da8651955fb8b81c32d75f536c33da4 |
memory/1048-6-0x00000000022E0000-0x00000000022E1000-memory.dmp
memory/2568-11-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1048-12-0x0000000000400000-0x000000000052E000-memory.dmp
memory/1048-16-0x00000000022E0000-0x00000000022E1000-memory.dmp
memory/1048-23-0x0000000000400000-0x000000000052E000-memory.dmp
memory/1048-26-0x0000000000400000-0x000000000052E000-memory.dmp
C:\Program Files (x86)\WinZip Driver Updater\updater\amd64Helper\difxapi.dll
| MD5 | 1a2e5109c2bb5c68d499e17b83acb73a |
| SHA1 | efa15cfa23606dfc355d11580b509e768a50ddbb |
| SHA256 | e70bbcee0d01658ccd201ebe0f0e547b9daff01b7c593a0fdd0c64e5f45d6f11 |
| SHA512 | 47317d24d02c4122fe175bcd7f5b3dd8823063e7ea63f83961e40f10872642d2d6f6e6abaf5fb7630cf0e9d8cec0d112889600b14ecb8698b81597f52d54815b |
C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe
| MD5 | 20aaea9ccea474d982b3a6e29f4b2bd2 |
| SHA1 | 81537a55581b070b8e9e139dddbb0b1472f24018 |
| SHA256 | fec34e336445842b7576c8cc5b23dbb73ce81bff0c8ad3bceb34b93c3655031d |
| SHA512 | 962c299b73fd721fd1dc766e71f7a7c9782d5005ee8c4cda4d5e436442b4e45680e510893249ddc88dc991d858d505234d6422cc49c80447a519efd718d28168 |
memory/1048-101-0x0000000000400000-0x000000000052E000-memory.dmp
memory/1048-108-0x0000000000400000-0x000000000052E000-memory.dmp
C:\Program Files (x86)\WinZip Driver Updater\unrar.dll
| MD5 | 92040a0f7f7d7a3f1e12d8bb064cb3b2 |
| SHA1 | df29e79c9d91ac0ee4788156ad9ea525b8fe11d7 |
| SHA256 | 7344bd44e4433a8f3034519f2b5745c0ced5b614c5c28bdc88cdc9acbbaef2c3 |
| SHA512 | ec423ba8a6c5f11f105ba3a12c62fa500ebb2b44c6ce1064381996a818856285a817d76c0c5a57c28821a492cfb59ba31d97ab585a62f08bbec68d7c91fb9408 |
memory/768-114-0x0000000003340000-0x0000000003378000-memory.dmp
C:\Program Files (x86)\WinZip Driver Updater\isxdl.dll
| MD5 | 7a1a16f150ccb9cb1731327b2e03488f |
| SHA1 | 54ccaaf593f828c09ff5e718a69e1b0d5d904d66 |
| SHA256 | ed05f590e22bc39330b9925b766b70b8213e3dd20686660021be3616e6685295 |
| SHA512 | 7d1e3c857f4a7b74eb403085d0a5ded5fb89c96b3e56c1ec7dd218157d588ad64f97205066d74556409d43369c92d1193fdaf6cc3f073f0bc5a4c994f584daca |
C:\Program Files (x86)\WinZip Driver Updater\winzipdu.exe
| MD5 | dd08d3b321d56d965f2e531846ad9170 |
| SHA1 | 88295462b6019474661c9ce7b2728689d393a9b9 |
| SHA256 | 673b1188f44c370902441eefc1cd1606a65c162b2a24a244db15d98ff20f3e3f |
| SHA512 | 339fffdf188be7db9f3f449427eafc5fb18b1c1e6b32d27a85cc1a01b7e56ed250da25fda60c11067415a60b855874f8d156a6aaf512446f0943466878a14e4c |
memory/1048-121-0x0000000000400000-0x000000000052E000-memory.dmp
C:\Program Files (x86)\WinZip Driver Updater\eng_rcp.ini
| MD5 | 3472b1344ee22e7768567d73bd50c58b |
| SHA1 | 1ca4692e9e812d3e68874ccf4f958f452e733360 |
| SHA256 | 86a64a91c6c3aede88969b83fd4d400a010f397f8154106e3810e5bc2c16e9a0 |
| SHA512 | 5a71f2de5580f99644a860742d11074bc37597ae4f504667f9c597042d360d1fceb17047d51eb658ee7daf83a0d80d7bcf3b80299d4d0a92f27761978f3479de |
memory/2568-123-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 1e3dc6a82a2cb341f7c9feeaf53f466f |
| SHA1 | 915decb72e1f86e14114f14ac9bfd9ba198fdfce |
| SHA256 | a56135007f4dadf6606bc237cb75ff5ff77326ba093dff30d6881ce9a04a114c |
| SHA512 | 0a5223e8cecce77613b1c02535c79b3795e5ad89fc0a934e9795e488712e02b527413109ad1f94bbd4eb35dd07b86dd6e9f4b57d4d7c8a0a57ec3f7f76c7890a |
\??\pipe\LOCAL\crashpad_3352_PSIAKXFPQJFHIUCC
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-02 23:20
Reported
2024-03-02 23:23
Platform
win7-20240221-en
Max time kernel
151s
Max time network
167s
Command Line
Signatures
Reads user/profile data of web browsers
Downloads MZ/PE file
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Reimage\Reimage Repair\version.rei | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.lza | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll | C:\Program Files\Reimage\Reimage Repair\lzma.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\Reimage_uninstall.ico | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\savapi.dll | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File opened for modification | C:\Program Files\Reimage\Reimage Repair\Reimage Repair Help & Support.url | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Protector\ReiScanner.exe | C:\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Protector\ReiProtectorM.exe | C:\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\REI_SupportInfoTool.exe | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\Reimage.exe | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\Reimageicon.ico | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\msvcr120.dll | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\REI_AVIRA.exe | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\LZMA.EXE | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\reimage.dat | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\engine.dat | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\REI_Engine.lza | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\Reimage_website.ico | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\Reimage_SafeMode.ico | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File opened for modification | C:\Program Files\Reimage\Reimage Repair\Reimage Repair Privacy Policy.url | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe | C:\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe | N/A |
| File opened for modification | C:\Program Files\Reimage\Reimage Repair\engine.dat | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\uninst.exe | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe | C:\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\ReimageRepair.exe | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll | C:\Program Files\Reimage\Reimage Repair\lzma.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\ReimageReminder.exe | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File opened for modification | C:\Program Files\Reimage\Reimage Repair\reimage.dat | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\ReimageSafeMode.exe | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File opened for modification | C:\Program Files\Reimage\Reimage Repair\Reimage Repair Terms of Use.url | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File opened for modification | C:\Program Files\Reimage\Reimage Repair\Reimage Repair Uninstall Instructions.url | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Protector\ProtectorUpdater.exe | C:\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Reimage.ini | C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe | N/A |
| File opened for modification | C:\Windows\reimage.ini | C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe | N/A |
| File opened for modification | C:\Windows\Reimage.ini | C:\Users\Admin\AppData\Local\Temp\nsu8336.tmp\ProtectorUpdater.exe | N/A |
| File opened for modification | C:\Windows\Reimage.ini | C:\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sqlite3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sqlite3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sqlite3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sqlite3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| N/A | N/A | C:\Program Files\Reimage\Reimage Repair\lzma.exe | N/A |
| N/A | N/A | C:\Program Files\Reimage\Reimage Repair\lzma.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsu8336.tmp\ProtectorUpdater.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe | N/A |
| N/A | N/A | C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe | N/A |
Loads dropped DLL
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\INPROCSERVER32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\INPROCSERVER32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\InprocServer32\ = "C:\\Program Files\\Reimage\\Reimage Repair\\REI_Axcontrol.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}\InprocServer32\ = "C:\\Program Files\\Reimage\\Reimage Repair\\REI_Axcontrol.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both" | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\INPROCSERVER32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32\ThreadingModel = "Both" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both" | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\INPROCSERVER32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll" | C:\Windows\system32\regsvr32.exe | N/A |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID\ = "JScript" | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\OLESCRIPT | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\Programmable | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\OLESCRIPT | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\OLEScript | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\OLESCRIPT | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\TypeLib\Version = "1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\ToolboxBitmap32\ = "C:\\Program Files\\Reimage\\Reimage Repair\\REI_Axcontrol.dll, 102" | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript\ = "JScript Language" | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\CLSID\ = "{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\InprocServer32\ = "C:\\Program Files\\Reimage\\Reimage Repair\\REI_Axcontrol.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\Version | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID\ = "JScript Author" | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\OLESCRIPT | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\ = "JScript Language" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\TypeLib\ = "{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}\TypeLib\ = "{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\ToolboxBitmap32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REI_AxControl.ReiEngine.1 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID\ = "{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A} | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\OLESCRIPT | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\ = "JScript Language" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\OLEScript | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\REI_AxControl.ReiEngine.1\CLSID\ = "{10ECCE17-29B5-4880-A8F5-EAD298611484}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\ = "JScript Language" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\OLESCRIPT | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\OLESCRIPT | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}\TypeLib\Version = "1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ProgID\ = "JScript.Compact" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}" | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe
"C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bm46du9w.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_trackid';"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bm46du9w.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_tracking';"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bm46du9w.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_campaign';"
C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Reimage.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq avupdate.exe"
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Windows\system32\jscript.dll"
C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq ReimagePackage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq ReimagePackage.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq GeoProxy.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq GeoProxy.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bm46du9w.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_country';"
C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq Wireshark.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Wireshark.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq Fiddler.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Fiddler.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq smsniff.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq smsniff.exe"
C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe
"C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe" /GUI=http://www.reimageplus.com/GUI/GUI1974/layout.php?consumer=1&gui_branch=0&trackutil=&MinorSessionID=2bc95b172cfb49cb8445165272&lang_code=en&bundle=0&loadresults=0&ShowSettings=false "/Location=C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe" /uninstallX86=TRUE /trackutil= /CookieTracking= /CookieCampaign= /EventUser=New /Update=1 /DownloaderVersion=1956 /RunSilent=false /SessionID=7797b2bf-2a5f-4d94-909f-f8f44d57ade9 /IDMinorSession=2bc95b172cfb49cb8445165272 /pxkp=Delete /ScanSilent=0 /Close=0 /cil=DISABLED /ShowName=False /Language=1033 /GuiLang=en /AgentStatus=ENABLED /StartScan=0 /VersionInfo=versionInfo /ShowSettings=true
C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Reimage.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq avupdate.exe"
C:\Program Files\Reimage\Reimage Repair\lzma.exe
"C:\Program Files\Reimage\Reimage Repair\lzma.exe" "d" "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.lza" "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll"
C:\Program Files\Reimage\Reimage Repair\lzma.exe
"C:\Program Files\Reimage\Reimage Repair\lzma.exe" "d" "C:\Program Files\Reimage\Reimage Repair\REI_Engine.lza" "C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll"
C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq REI_avira.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq REI_avira.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll"
C:\Windows\system32\regsvr32.exe
/s "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll"
C:\Windows\system32\regsvr32.exe
/s "C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll"
C:\Users\Admin\AppData\Local\Temp\nsu8336.tmp\ProtectorUpdater.exe
"C:\Users\Admin\AppData\Local\Temp\nsu8336.tmp\ProtectorUpdater.exe" /S /MinorSessionID=2bc95b172cfb49cb8445165272 /SessionID=7797b2bf-2a5f-4d94-909f-f8f44d57ade9 /TrackID= /AgentLogLocation=C:\rei\Results\Agent /CflLocation=C:\rei\cfl.rei /Install=True /DownloaderVersion=1956 /Iav=False
C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq UniProtectorPackage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq UniProtectorPackage.exe"
C:\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe
"C:\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe" /S /MinorSessionID=2bc95b172cfb49cb8445165272 /SessionID=7797b2bf-2a5f-4d94-909f-f8f44d57ade9 /Install=true /UpdateOnly=default /InstallPath= /Iav=False /SessionOk=true
C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq ReiScanner.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq ReiScanner.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq ReiProtectorM.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq ReiProtectorM.exe"
C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe
"C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe" -install
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.reimageplus.com | udp |
| US | 161.47.7.14:80 | www.reimageplus.com | tcp |
| US | 8.8.8.8:53 | cdnrep.reimage.com | udp |
| GB | 18.245.162.121:80 | cdnrep.reimage.com | tcp |
| US | 161.47.7.14:80 | www.reimageplus.com | tcp |
| US | 8.8.8.8:53 | cdnrep.reimageplus.com | udp |
| GB | 18.244.179.29:80 | cdnrep.reimageplus.com | tcp |
| US | 161.47.7.14:80 | www.reimageplus.com | tcp |
| GB | 18.245.162.121:80 | cdnrep.reimage.com | tcp |
| US | 161.47.7.14:80 | www.reimageplus.com | tcp |
Files
| SHA1 | 1d02626a05a546a90c05902b2551f32c20eb3708 |
| SHA256 | 943b315e065238b7073b033f534ef954b6b6461fb3f03a3f5b8555b11bc4c0a2 |
| SHA512 | 5496b10e2a77aee11055d71bdaaed835df1770e85fa4d0f9433330470bbcf76c932c04778a0b47f4193eee14813db2e2b19ecc50b4a6a193faa19b4019705917 |
\Users\Admin\AppData\Local\Temp\nsd8F27.tmp\inetc.dll
| MD5 | 5da9df435ff20853a2c45026e7681cef |
| SHA1 | 39b1d70a7a03e7c791cb21a53d82fd949706a4b4 |
| SHA256 | 9c52c74b8e115db0bde90f56382ebcc12aff05eb2232f80a4701e957e09635e2 |
| SHA512 | 4ab3b1572485a8a11863adada2c6ec01e809a4b09f99d80903c79a95b91f299b8f2cd6cceaa915567e155a46291a33fb8ccb95141d76d4e7b0e040890d51d09f |
memory/2092-111-0x0000000002000000-0x000000000200B000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsd8F27.tmp\nsDialogs.dll
| MD5 | 4ccc4a742d4423f2f0ed744fd9c81f63 |
| SHA1 | 704f00a1acc327fd879cf75fc90d0b8f927c36bc |
| SHA256 | 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6 |
| SHA512 | 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb |
\Users\Admin\AppData\Local\Temp\nsd8F27.tmp\registry.dll
| MD5 | 2b7007ed0262ca02ef69d8990815cbeb |
| SHA1 | 2eabe4f755213666dbbbde024a5235ddde02b47f |
| SHA256 | 0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d |
| SHA512 | aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca |
memory/2092-147-0x00000000059F0000-0x0000000005A49000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsd8F27.tmp\stack.dll
| MD5 | 867af9bea8b24c78736bf8d0fdb5a78e |
| SHA1 | 05839fad98aa2bcd9f6ecb22de4816e0c75bf97d |
| SHA256 | 732164fb36f46dd23dafb6d7621531e70f1f81e2967b3053727ec7b5492d0ae9 |
| SHA512 | b7f54d52ff08b29a04b4f5887e6e3ae0e74fa45a86e55e0a4d362bc3603426c42c1d6a0b2fc2ef574bec0f6c7152de756ff48415e37ae6a7a9c296303562df4b |
memory/2092-157-0x0000000004BC0000-0x0000000004BCB000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsd8F27.tmp\xml.dll
| MD5 | ebce8f5e440e0be57665e1e58dfb7425 |
| SHA1 | 573dc1abd2b03512f390f569058fd2cf1d02ce91 |
| SHA256 | d1aaacc0aaf477b6b9f084697adcb444fc2333b32e8d99d224dca89516e762a7 |
| SHA512 | 4786c9124973b6543d7291047d4c4a06c05282a3766212dbd3b8ce9b9560afddca20c491f791db2258c14ab767d5d3f480daa4706492949eae2ceb4a35aaef85 |
C:\Users\Admin\AppData\Local\Temp\repair_version.xml
| MD5 | 8f3df5875ccd9d1982a6d65c0d3e06c9 |
| SHA1 | 8fefd15ed67d03a95e329f4e18477ae5ae9b023d |
| SHA256 | 64f2dd5e4f25b2a45056257af5a9061e7f34907f9345e6ba85b7a47ae58c009a |
| SHA512 | e58f7b0870540b9207a304cd66fe44ecfbd42292446aa213fa3be6795eeba463a664366a9ccd642b615d74984e5ab91b06a3929a435f9aebed898a95ecd48089 |
C:\Users\Admin\AppData\Local\Temp\cfl.rei
| MD5 | 41b797743d2d08233b680501b086d669 |
| SHA1 | e19aaa402c3e6fedbf4f8cfd0256b537cb001ca5 |
| SHA256 | 5805c8a496c13e9085f624a9c4f20188587d7b13d9c3e5f79f0f78367df74cf5 |
| SHA512 | 13fbcc4d53c65ce1b09fb6fa088824384659a9d4bcf1713ce8c75caa08a0f3df9e14061d42f4696608547b326a6fd1ef18fa92cbd3e3016559630d2e57358b80 |
C:\Users\Admin\AppData\Local\Temp\nsj6435.tmp
| MD5 | 940c9b368f1bd2e03fcdfdc49588ebe4 |
| SHA1 | ac62253b5dbfca2e51774315c6a7861756fd91dd |
| SHA256 | 9008c05913bdb8f583f4a7fe93eb6a800ff08d7a89cdd471ad3d4665eb70a02d |
| SHA512 | d0c57de7de943b96d71ad5e86dfdbf513daa3a17d2c7e44a636ac637821f25fe434c338989f9ba99f95ee3a890651f0fd69a97b186c8cb0480e1fd890a194462 |
memory/2100-263-0x0000000000400000-0x000000000047D000-memory.dmp
memory/2092-285-0x0000000004BF0000-0x0000000004BFB000-memory.dmp
\Users\Admin\AppData\Local\Temp\ReimagePackage.exe
| MD5 | 0c7136e12eb9468aa625105080f5c446 |
| SHA1 | 49ce785a05046b6ea371d05ef8e6e59adfddbac9 |
| SHA256 | 6fe1a373fe1a363cdde44e5847156598536c2563389ebacfe4f82647121f6cad |
| SHA512 | 274c215edb6466de1c72f65fcf3402bc4bbf7f9b7638f40e6935d645ec548b14bbbb4e30841c032f9e60ee47aac2360e01adb86346e2f564b9706d8329758b07 |
C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe
| MD5 | 4a6256fe64fef3ae79265f9b501017bc |
| SHA1 | 44c677c04eba800577b524e1f36e5c1f771d7934 |
| SHA256 | 6b132ee4e2d5b3023ab3dd9f822e6b389ec16b8235400851e295b641adcf3688 |
| SHA512 | e4758e7ac3b3a0702b4a5ff250d9fa0b935db19877f745101a813aa18fe6ba00da655c3ce215934757aae96567fe9d7fae9e352573917ffddfe620fa011c011c |
C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe
| MD5 | 49f56ddb7c82a44bf0e68020d5698c2f |
| SHA1 | 6ac4a2f5521a782cbc89af1999b96bae4b9d7f56 |
| SHA256 | f4b604693117de3ba99c21c3b78bb82670d2696a560b259d57c1104ce971e19e |
| SHA512 | 4180e984fba5d91c7eec1e2d322f45d1b94a03ccae5c096268d65ccc96f5756391b106df713a87541fe3823ecd3e66146a661d7d3583c2928cbc0f6962ead5eb |
C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe
| MD5 | 0cf8715cbdee01676d24f4f78c7b431f |
| SHA1 | 74989063fd05ffb28d0d705c583c2c6b1e9aef99 |
| SHA256 | 4de22f65551da53a761b1e9049abfcfdeddb4f36dfd50503f4ac45a0e4f972a4 |
| SHA512 | 248e107e97b2c1c1172abcadffee1497fbf8f75a0b343d983cf13410c2c74c6a7bd23f5d5ece32e76b2521b0a1543f4f6b62a4e8e407ba27ce722e2290976327 |
C:\Users\Admin\AppData\Local\Temp\nsu8336.tmp\modern-header.bmp
| MD5 | ae1a4753df5fc34780602bcac675a8a5 |
| SHA1 | 3e30c7bbbb25d6b4141fe405fc7862e04868b220 |
| SHA256 | e7e5bbfd8c8ad303753ecfda840180b586c336e4ab5aacc6b0adea1c3ef0188a |
| SHA512 | b70920c7fe7938fc56badc133a175c80684d0041b1980c0941cfe3781e568a9aaa611670395b0bd7786e5309eb9bfbef5a5f90d9b0b4cdc00aac31c9037fda83 |
C:\Program Files\Reimage\Reimage Repair\LZMA.EXE
| MD5 | a59ab79ec748d1da70e326b49b8aa820 |
| SHA1 | 145d254525c6b41251733953e3d4e00e3370f0fd |
| SHA256 | 871361690289c50c81a6e38c28914121adceab3ff0ba93d043f1cc4e59635955 |
| SHA512 | 5cd4fdfe9e20151313814551a36ab0aab8881fc1b12b5c41e0ccd64d6f4980e908b3493efd569964ce63290853785c10b151285ab19b37c7d3a411b5461275b9 |
C:\Users\Admin\AppData\Local\Temp\nsu8336.tmp\DcryptDll.dll
| MD5 | 4c373143ee342a75b469e0748049cd24 |
| SHA1 | d4e0e5155e78b99ec9459136acece2364bc2e935 |
| SHA256 | b4b5772a893e56aa5382aa3f0fef7837fa471e3b3e46db70b8bc702f2037e589 |
| SHA512 | 569f92c3ff9a6e105cf9b3806d8b696442a5679dfa5d7c9362b0649a67cbea2478ca28a5da6c3bd0edacdb634509d8584c6959a4cc13c38d596458f372832f61 |
C:\Program Files\Reimage\Reimage Repair\ReimageRepair.exe
| MD5 | f5af9d859c9a031ab6bea66048fab6e1 |
| SHA1 | d0ee45d3534cc23cbd0d7c3765203ed926a7eb0a |
| SHA256 | 4efd1bc1bdc12da1bbdc597cf3f37f0c65e582f42e353cf781ac1fe422dfa68c |
| SHA512 | c771c3e7ef88116168b9e3e0d0e4dbb2f2ad03dec0a87b9d3427faf7edb0a2510bb80dcb57b50fb6bcb9f683f23d876f35dc91a85006973bdb3fec41d51145a5 |
memory/2488-459-0x00000000747F0000-0x00000000747FB000-memory.dmp
memory/2488-477-0x00000000003D0000-0x00000000003DB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nseC718.tmp\SimpleSC.dll
| MD5 | 3f1be1321461c7b7a3b4322391c818f0 |
| SHA1 | f59b7a1e65f60a446f4355e22f0a10bddec3d21b |
| SHA256 | 3d7a8cf88fbed3417ff7bf998188f830c2f52da4e9a36da3edb438310ad1b1cd |
| SHA512 | 2f11c28694746ad8dcbd1e04988d682152986f81959a425aab542483872aa5e30eadb36af0838f5301867279687b2c4b6417bd4b93053dcab6a13b6802164bb7 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-02 23:20
Reported
2024-03-02 23:23
Platform
win10v2004-20240226-en
Max time kernel
159s
Max time network
167s
Command Line
Signatures
Reads user/profile data of web browsers
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll | C:\Program Files\Reimage\Reimage Repair\lzma.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\Reimage_uninstall.ico | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\ReimageSafeMode.exe | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File opened for modification | C:\Program Files\Reimage\Reimage Repair\ReimageRepair.exe | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\engine.dat | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll | C:\Program Files\Reimage\Reimage Repair\lzma.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\REI_Engine.lza | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\Reimageicon.ico | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\Reimage_website.ico | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\msvcr120.dll | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\ReimageRepair.exe | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.lza | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File opened for modification | C:\Program Files\Reimage\Reimage Repair\reimage.dat | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File opened for modification | C:\Program Files\Reimage\Reimage Repair\engine.dat | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\Reimage_SafeMode.ico | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\REI_AVIRA.exe | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\ReimageReminder.exe | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\version.rei | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\REI_SupportInfoTool.exe | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\Reimage.exe | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\reimage.dat | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\savapi.dll | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| File created | C:\Program Files\Reimage\Reimage Repair\LZMA.EXE | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Reimage.ini | C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe | N/A |
| File opened for modification | C:\Windows\reimage.ini | C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sqlite3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sqlite3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sqlite3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sqlite3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe | N/A |
| N/A | N/A | C:\Program Files\Reimage\Reimage Repair\lzma.exe | N/A |
| N/A | N/A | C:\Program Files\Reimage\Reimage Repair\lzma.exe | N/A |
Loads dropped DLL
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\INPROCSERVER32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32\ThreadingModel = "Both" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\INPROCSERVER32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\INPROCSERVER32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\INPROCSERVER32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{0AEE2A92-BCBB-11D0-8C72-00C04FC2B085} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT\CLSID | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\CLSID | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ProgID\ = "JScript.Compact" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT1.3\CLSID | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\ = "JScript Language" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\ECMASCRIPT\OLESCRIPT | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript\CLSID | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\ = "JScript Language" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{0AEE2A92-BCBB-11D0-8C72-00C04FC2B085} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ProgID | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\ = "JScript Language" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\INPROCSERVER32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT AUTHOR\CLSID | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ = "JScript Compact Profile (ECMA 327)" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT\CLSID | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID\ = "{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\CLSID | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript\ = "JScript Language" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT AUTHOR\CLSID | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\CLSID | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\ = "JScript Language" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\ = "JScript Language" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\OLEScript | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT1.1\OLESCRIPT | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\OLEScript | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT\OLESCRIPT | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe
"C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\328d11uu.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_trackid';"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\328d11uu.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_tracking';"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\328d11uu.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_campaign';"
C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Reimage.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq avupdate.exe"
C:\Windows\SYSTEM32\regsvr32.exe
regsvr32 /s "C:\Windows\system32\jscript.dll"
C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq ReimagePackage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq ReimagePackage.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq GeoProxy.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq GeoProxy.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\328d11uu.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_country';"
C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq Wireshark.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Wireshark.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq Fiddler.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Fiddler.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq smsniff.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq smsniff.exe"
C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe
"C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe" /GUI=http://www.reimageplus.com/GUI/GUI1974/layout.php?consumer=1&gui_branch=0&trackutil=&MinorSessionID=e5bcd97a1c194000a1faffc6b0&lang_code=en&bundle=0&loadresults=0&ShowSettings=false "/Location=C:\Users\Admin\AppData\Local\Temp\Adware\Reimage Repair\ReimageRepair.exe" /uninstallX86=TRUE /trackutil= /CookieTracking= /CookieCampaign= /EventUser=New /Update=1 /DownloaderVersion=1956 /RunSilent=false /SessionID=f965607b-c266-4657-a0f3-203b4b58f87a /IDMinorSession=e5bcd97a1c194000a1faffc6b0 /pxkp=Delete /ScanSilent=0 /Close=0 /cil=DISABLED /ShowName=False /Language=1033 /GuiLang=en /AgentStatus=ENABLED /StartScan=0 /VersionInfo=versionInfo /ShowSettings=true
C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Reimage.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq avupdate.exe"
C:\Program Files\Reimage\Reimage Repair\lzma.exe
"C:\Program Files\Reimage\Reimage Repair\lzma.exe" "d" "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.lza" "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll"
C:\Program Files\Reimage\Reimage Repair\lzma.exe
"C:\Program Files\Reimage\Reimage Repair\lzma.exe" "d" "C:\Program Files\Reimage\Reimage Repair\REI_Engine.lza" "C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll"
C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq REI_avira.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq REI_avira.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll"
C:\Windows\system32\regsvr32.exe
/s "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll"
Network
Files