4de22f65551da53a761b1e9049abfcfdeddb4f36dfd50503f4ac45a0e4f972a4

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-04-2024 13:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ReimagePackage.exe
Size

12.3MB
MD5

0cf8715cbdee01676d24f4f78c7b431f
SHA1

74989063fd05ffb28d0d705c583c2c6b1e9aef99
SHA256

4de22f65551da53a761b1e9049abfcfdeddb4f36dfd50503f4ac45a0e4f972a4
SHA512

248e107e97b2c1c1172abcadffee1497fbf8f75a0b343d983cf13410c2c74c6a7bd23f5d5ece32e76b2521b0a1543f4f6b62a4e8e407ba27ce722e2290976327
SSDEEP

196608:pSjaAQ7Z8aVC/xE4hVS930UqN2FItiZESkM8ZCLfsFrrdTM4nGgAU1Q+osH:oOAQaBvWq0QiZH18ZaIr2qG/sH

Score

8^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Uses Session Manager for persistence 2 TTPs 1 IoCs

Creates Session Manager registry key to run executable early in system boot.

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a00000000	Reimage.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0005000000019316-206.dat	acprotect

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000019316-206.dat	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Reimage = "\"C:\\Program Files\\Reimage\\Reimage Protector\\ReimageApp.exe\""	ReimagePackage.exe

Downloads MZ/PE file

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	ReiGuard.exe
File opened (read-only)	\??\U:	ReiGuard.exe
File opened (read-only)	\??\W:	ReiGuard.exe
File opened (read-only)	\??\A:	Reimage.exe
File opened (read-only)	\??\M:	Reimage.exe
File opened (read-only)	\??\Y:	Reimage.exe
File opened (read-only)	\??\L:	ReiGuard.exe
File opened (read-only)	\??\V:	Reimage.exe
File opened (read-only)	\??\T:	ReiGuard.exe
File opened (read-only)	\??\Z:	ReiGuard.exe
File opened (read-only)	\??\B:	Reimage.exe
File opened (read-only)	\??\I:	Reimage.exe
File opened (read-only)	\??\J:	Reimage.exe
File opened (read-only)	\??\K:	Reimage.exe
File opened (read-only)	\??\Z:	Reimage.exe
File opened (read-only)	\??\A:	ReiGuard.exe
File opened (read-only)	\??\B:	ReiGuard.exe
File opened (read-only)	\??\N:	ReiGuard.exe
File opened (read-only)	\??\O:	ReiGuard.exe
File opened (read-only)	\??\P:	ReiGuard.exe
File opened (read-only)	\??\W:	Reimage.exe
File opened (read-only)	\??\X:	Reimage.exe
File opened (read-only)	\??\I:	ReiGuard.exe
File opened (read-only)	\??\K:	ReiGuard.exe
File opened (read-only)	\??\O:	Reimage.exe
File opened (read-only)	\??\U:	Reimage.exe
File opened (read-only)	\??\Q:	ReiGuard.exe
File opened (read-only)	\??\V:	ReiGuard.exe
File opened (read-only)	\??\E:	Reimage.exe
File opened (read-only)	\??\R:	Reimage.exe
File opened (read-only)	\??\S:	Reimage.exe
File opened (read-only)	\??\G:	ReiGuard.exe
File opened (read-only)	\??\T:	Reimage.exe
File opened (read-only)	\??\J:	ReiGuard.exe
File opened (read-only)	\??\M:	ReiGuard.exe
File opened (read-only)	\??\S:	ReiGuard.exe
File opened (read-only)	\??\L:	Reimage.exe
File opened (read-only)	\??\N:	Reimage.exe
File opened (read-only)	\??\P:	Reimage.exe
File opened (read-only)	\??\Q:	Reimage.exe
File opened (read-only)	\??\X:	ReiGuard.exe
File opened (read-only)	\??\Y:	ReiGuard.exe
File opened (read-only)	\??\G:	Reimage.exe
File opened (read-only)	\??\H:	Reimage.exe
File opened (read-only)	\??\E:	ReiGuard.exe
File opened (read-only)	\??\H:	ReiGuard.exe

Maps connected drives based on registry 3 TTPs 3 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\	Reimage.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Reimage.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	Reimage.exe

Modifies WinLogon 2 TTPs 62 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E4F48E54-F38D-4884-BFB9-D4D2E5729C18}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{728EE579-943C-4519-9EF7-AB56765798ED}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{1A6364EB-776B-4120-ADE1-B63A406A76B5}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7150F9BF-48AD-4da4-A49C-29EF4A8369BA}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{AADCED64-746C-4633-A97C-D61349046527}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6A4C88C6-C502-4f74-8F60-2CB23EDC24E2}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E47248BA-94CC-49c4-BBB5-9EB7F05183D0}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0E28E245-9368-4853-AD84-6DA3BA35BB75}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B087BE9D-ED37-454f-AF9C-04291E351182}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6232C319-91AC-4931-9385-E70C2B099F0E}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{5794DAFD-BE60-433f-88A2-1A31939AC01F}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{91FBB303-0CD5-4055-BF42-E512A681B325}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A3F3E39B-5D83-4940-B954-28315B82F0A8}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E62688F0-25FD-4c90-BFF5-F508B9D2E31F}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E5094040-C46C-4115-B030-04FB2E545B00}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A3F3E39B-5D83-4940-B954-28315B82F0A8}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E47248BA-94CC-49c4-BBB5-9EB7F05183D0}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{17D89FEC-5C44-4972-B12D-241CAEF74509}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3A0DBA37-F8B2-4356-83DE-3E90BD5C261F}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E4F48E54-F38D-4884-BFB9-D4D2E5729C18}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3A0DBA37-F8B2-4356-83DE-3E90BD5C261F}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E62688F0-25FD-4c90-BFF5-F508B9D2E31F}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{F9C77450-3A41-477E-9310-9ACD617BD9E3}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{91FBB303-0CD5-4055-BF42-E512A681B325}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C418DD9D-0D14-4efb-8FBF-CFE535C8FAC7}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E5094040-C46C-4115-B030-04FB2E545B00}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{AADCED64-746C-4633-A97C-D61349046527}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{1A6364EB-776B-4120-ADE1-B63A406A76B5}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{5794DAFD-BE60-433f-88A2-1A31939AC01F}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6A4C88C6-C502-4f74-8F60-2CB23EDC24E2}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{F9C77450-3A41-477E-9310-9ACD617BD9E3}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B087BE9D-ED37-454f-AF9C-04291E351182}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7150F9BF-48AD-4da4-A49C-29EF4A8369BA}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C418DD9D-0D14-4efb-8FBF-CFE535C8FAC7}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0E28E245-9368-4853-AD84-6DA3BA35BB75}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{17D89FEC-5C44-4972-B12D-241CAEF74509}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{728EE579-943C-4519-9EF7-AB56765798ED}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{74EE6C03-5363-4554-B161-627540339CAB}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6232C319-91AC-4931-9385-E70C2B099F0E}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{74EE6C03-5363-4554-B161-627540339CAB}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}	Reimage.exe

Deletes itself 1 IoCs

pid	Process
2112	Reimage.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_10CFD21835FBC4730F33B8DAC8D7DB43	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_10CFD21835FBC4730F33B8DAC8D7DB43	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	ReiGuard.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 33 IoCs

description	ioc	Process
File created	C:\Program Files\Reimage\Reimage Repair\Reimage_SafeMode.ico	ReimagePackage.exe
File opened for modification	C:\Program Files\Reimage\Reimage Repair\Reimage Repair Privacy Policy.url	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Protector\ReiScanner.exe	UniProtectorPackage.exe
File created	C:\Program Files\Reimage\Reimage Protector\ReimageApp.exe	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\REI_Engine.lza	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\Reimage_uninstall.ico	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\ReimageSafeMode.exe	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\uninst.exe	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\version.rei	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\REI_SupportInfoTool.exe	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.lza	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll	lzma.exe
File created	C:\Program Files\Reimage\Reimage Repair\Reimageicon.ico	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Protector\ReiProtectorM.exe	UniProtectorPackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\LZMA.EXE	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\Reimage.exe	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\ReimageRepair.exe	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\engine.dat	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\Reimage_website.ico	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\msvcr120.dll	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe	UniProtectorPackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll	lzma.exe
File opened for modification	C:\Program Files\Reimage\Reimage Repair\engine.dat	ReimagePackage.exe
File opened for modification	C:\Program Files\Reimage\Reimage Repair\Reimage Repair Help & Support.url	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Protector\ProtectorUpdater.exe	UniProtectorPackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\ReimageReminder.exe	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\reimage.dat	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\REI_AVIRA.exe	ReimagePackage.exe
File opened for modification	C:\Program Files\Reimage\Reimage Repair\Reimage Repair Uninstall Instructions.url	ReimagePackage.exe
File opened for modification	C:\Program Files\Reimage\Reimage Repair\reimage.dat	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\savapi.dll	ReimagePackage.exe
File opened for modification	C:\Program Files\Reimage\Reimage Repair\Reimage Repair Terms of Use.url	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe	UniProtectorPackage.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Reimage.ini	UniProtectorPackage.exe
File opened for modification	C:\Windows\TEMPregistrylog\.log	ReiGuard.exe
File opened for modification	C:\Windows\reimage.ini	Reimage.exe
File opened for modification	C:\Windows\reimage.ini	ReimagePackage.exe
File opened for modification	C:\Windows\Reimage.ini	ProtectorUpdater.exe

Executes dropped EXE 11 IoCs

pid	Process
2000	lzma.exe
1436	lzma.exe
1544	ProtectorUpdater.exe
3004	UniProtectorPackage.exe
2332	ReiGuard.exe
684	ReiGuard.exe
2720	ReiSystem.exe
2804	ReimageApp.exe
2112	Reimage.exe
1144	REI_AVIRA.exe
348	ReiSystem.exe

Loads dropped DLL 64 IoCs

pid	Process
2364	ReimagePackage.exe
2364	ReimagePackage.exe
2364	ReimagePackage.exe
2364	ReimagePackage.exe
2364	ReimagePackage.exe
2364	ReimagePackage.exe
2364	ReimagePackage.exe
2364	ReimagePackage.exe
2364	ReimagePackage.exe
2364	ReimagePackage.exe
2364	ReimagePackage.exe
2364	ReimagePackage.exe
2364	ReimagePackage.exe
2364	ReimagePackage.exe
2364	ReimagePackage.exe
2364	ReimagePackage.exe
2364	ReimagePackage.exe
2364	ReimagePackage.exe
2364	ReimagePackage.exe
2364	ReimagePackage.exe
2364	ReimagePackage.exe
2364	ReimagePackage.exe
2364	ReimagePackage.exe
3016	regsvr32.exe
992	regsvr32.exe
992	regsvr32.exe
1096	regsvr32.exe
1516	regsvr32.exe
2364	ReimagePackage.exe
2364	ReimagePackage.exe
1544	ProtectorUpdater.exe
1544	ProtectorUpdater.exe
1544	ProtectorUpdater.exe
1544	ProtectorUpdater.exe
1544	ProtectorUpdater.exe
1544	ProtectorUpdater.exe
1544	ProtectorUpdater.exe
1544	ProtectorUpdater.exe
1544	ProtectorUpdater.exe
1544	ProtectorUpdater.exe
1544	ProtectorUpdater.exe
1544	ProtectorUpdater.exe
3004	UniProtectorPackage.exe
3004	UniProtectorPackage.exe
3004	UniProtectorPackage.exe
3004	UniProtectorPackage.exe
3004	UniProtectorPackage.exe
3004	UniProtectorPackage.exe
3004	UniProtectorPackage.exe
3004	UniProtectorPackage.exe
3004	UniProtectorPackage.exe
3004	UniProtectorPackage.exe
3004	UniProtectorPackage.exe
3004	UniProtectorPackage.exe
684	ReiGuard.exe
3004	UniProtectorPackage.exe
3004	UniProtectorPackage.exe
3004	UniProtectorPackage.exe
3004	UniProtectorPackage.exe
3004	UniProtectorPackage.exe
2364	ReimagePackage.exe
2364	ReimagePackage.exe
2364	ReimagePackage.exe
2364	ReimagePackage.exe

Modifies system executable filetype association 2 TTPs 3 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\PropertySheetHandlers\ShimLayer Property Page	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\PropertySheetHandlers\ShimLayer Property Page	Reimage.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{3050f4d8-98b5-11cf-BB82-00AA00BDCE0B}\LocalServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{92ED88BF-879E-448F-B6B6-A385BCEB846D}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{CC829A2F-3365-463F-AF13-81DBB6F3A555}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{01E04581-4EEE-11d0-BFE9-00AA005B4383}\InProcServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{3050F391-98B5-11CF-BB82-00AA00BDCE0B}\InProcServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C45268A2-FA81-4E19-B1E3-72EDBD60AEDA}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C5702CCC-9B79-11D3-B654-00C04F79498E}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{7444C719-39BF-11D1-8CD9-00C04FC29D45}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{1d27f844-3a1f-4410-85ac-14651078412d}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C5702CD0-9B79-11D3-B654-00C04F79498E}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{1DF7D126-4050-47F0-A7CF-4C4CA9241333}\InprocServer32	Reimage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{AD8E510D-217F-409B-8076-29C5E73B98E8}\InprocServer32	Reimage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{8FE85D00-4647-40B9-87E4-5EB8A52F4759}\InProcServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C4BF2784-AE00-41BA-9828-9C953BD3C54A}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C5702CCD-9B79-11D3-B654-00C04F79498E}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{D76334CA-D89E-4BAF-86AB-DDB59372AFC2}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{823535A0-0318-11D3-9D8E-00C04F72D980}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{CAAFDD83-CEFC-4E3D-BA03-175F17A24F91}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{D978F0CB-DEBA-4388-83BE-D3E106E02A4F}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C5702CD6-9B79-11D3-B654-00C04F79498E}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{A9AE6C91-1D1B-11D2-B21A-00C04FA357FA}\InProcServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{ECABAFC0-7F19-11D2-978E-0000F8757E2A}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{37B03543-A4C8-11D2-B634-00C04F79498E}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{3BEE4890-4FE9-4A37-8C1E-5E7E12791C1F}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{809B6661-94C4-49E6-B6EC-3F0F862215AA}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{3050f667-98b5-11cf-bb82-00aa00bdce0b}\InProcServer32\7.0.3300.0	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{cc7bfb43-f175-11d1-a392-00e0291f3959}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{2C63E4EB-4CEA-41B8-919C-E947EA19A77C}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{B64016F3-C9A2-4066-96F0-BD9563314726}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{1138506a-b949-46a7-b6c0-ee26499fdeaf}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\InProcServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{2291478C-5EE3-4BEF-AB5D-B5FF2CF58352}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{05589fa1-c356-11ce-bf01-00aa0055595a}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{37B03544-A4C8-11D2-B634-00C04F79498E}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C5702CCF-9B79-11D3-B654-00C04F79498E}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{E4979309-7A32-495E-8A92-7B014AAD4961}\InprocServer32	Reimage.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\INPROCSERVER32	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{41B23C28-488E-4E5C-ACE2-BB0BBABE99E8}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{47206204-5ECA-11D2-960F-00C04F8EE628}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{991DA7E5-953F-435B-BE5E-B92A05EDFC42}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{FD351EA1-4173-4AF4-821D-80D4AE979048}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{267DB0B3-55E3-4902-949B-DF8F5CEC0191}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{AE24FDAE-03C6-11D1-8B76-0080C744F389}\InProcServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{807C1E6C-1D00-453f-B920-B61BB7CDD997}\InprocServer32	Reimage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{7007ACCF-3202-11D1-AAD2-00805FC1270E}\InProcServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6AD28EE1-5002-4E71-AAF7-BD077907B1A4}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{8A674B4C-1F63-11D3-B64C-00C04F79498E}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{ecabb0bf-7f19-11d2-978e-0000f8757e2a}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{AED6483E-3304-11D2-86F1-006008B0E5D2}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{730f6cdc-2c86-11d2-8773-92e220524153}\InProcServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{3A9428A7-31A4-45E9-9EFB-E055BF7BB3DB}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{86151827-E47B-45EE-8421-D10E6E690979}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{3540D440-5B1D-49CB-821A-E84B8CF065A7}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{8872FF1B-98FA-4D7A-8D93-C9F1055F85BB}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{ecabafc2-7f19-11d2-978e-0000f8757e2a}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{3050F67D-98B5-11CF-BB82-00AA00BDCE0B}\InProcServer32	Reimage.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Reimage.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Reimage.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Reimage.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ManufacturerIdentifier	Reimage.exe

Enumerates processes with tasklist 1 TTPs 8 IoCs

Process Discovery

T1057

pid	Process
2500	tasklist.exe
2940	tasklist.exe
1724	tasklist.exe
2576	tasklist.exe
2472	tasklist.exe
2112	tasklist.exe
2940	tasklist.exe
2452	tasklist.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate	Reimage.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1776	ipconfig.exe
2284	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	Reimage.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AutoComplete\Client	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AutoComplete\Client	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{78c7b664-c9bf-4ce9-8b3a-b05d442e451e}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B43A0C1E-B63F-4691-B68F-CD807A45DA01}	Reimage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Reimage.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\User Preferences	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2391d819-9d17-44ec-9ac1-f6aa07549469}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{78c7b664-c9bf-4ce9-8b3a-b05d442e451e}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B43A0C1E-B63F-4691-B68F-CD807A45DA01}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2391d819-9d17-44ec-9ac1-f6aa07549469}	Reimage.exe

Modifies data under HKEY_USERS 51 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	ReiGuard.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	ReiGuard.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{7584c670-2274-4efb-b00b-d6aaba6d3850}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{D9BB4CEE-B87A-47F1-AC92-B08D9C7813FC}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{2e2294a9-50d7-4fe7-a09f-e6492e185884}	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{055CB2D7-2969-45CD-914B-76890722F112}\ProgID	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{2291478C-5EE3-4BEF-AB5D-B5FF2CF58352}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{49638B91-48AB-48B7-A47A-7D0E75A08EDE}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{577FAA18-4518-445E-8F70-1473F8CF4BA4}\TypeLib	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\MiscStatus\1	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{8FE85D00-4647-40B9-87E4-5EB8A52F4759}	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{233A9694-667E-11d1-9DFB-006097D50408}\VersionIndependentProgID	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{823535A0-0318-11D3-9D8E-00C04F72D980}	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C5702CCC-9B79-11D3-B654-00C04F79498E}\VersionIndependentProgID	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C5702CCE-9B79-11D3-B654-00C04F79498E}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{d2d588b5-d081-11d0-99e0-00c04fc2f8ec}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{0002df01-0000-0000-c000-000000000046}\TypeLib	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\Programmable	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{0149EEDF-D08F-4142-8D73-D23903D21E90}\VersionIndependentProgID	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{0369B4E6-45B6-11D3-B650-00C04F79498E}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\Version	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{AE24FDAE-03C6-11D1-8B76-0080C744F389}	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{AE24FDAE-03C6-11D1-8B76-0080C744F389}\MiscStatus\1	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{B0EDF163-910A-11D2-B632-00C04F79498E}\VersionIndependentProgID	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{FA7C375B-66A7-4280-879D-FD459C84BB02}\VersionIndependentProgID	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{1BE49F30-0E1B-11D3-9D8E-00C04F72D980}\Version	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{3050F4F5-98B5-11CF-BB82-00AA00BDCE0B}\ProgID	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{5740A302-EF0B-45CE-BF3B-4470A14A8980}\Implemented Categories	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{A2E3074E-6C3D-11D3-B653-00C04F79498E}\Programmable	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{7F9CB14D-48E4-43B6-9346-1AEBC39C64D3}\Implemented Categories	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{AED6483F-3304-11D2-86F1-006008B0E5D2}	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C531D9FD-9685-4028-8B68-6E1232079F1E}\Implemented Categories\{0DE86A54-2BAA-11CF-A229-00AA003D7352}	Reimage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\REI_AxControl.ReiEngine\CLSID\ = "{10ECCE17-29B5-4880-A8F5-EAD298611484}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{03C06416-D127-407A-AB4C-FDD279ABBE5D}\Implemented Categories\{0DE86A54-2BAA-11CF-A229-00AA003D7352}	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}\Version	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{334125C0-77E5-11d3-B653-00C04F79498E}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{4A5869CF-929D-4040-AE03-FCAFC5B9CD42}\Programmable	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C5702CCD-9B79-11D3-B654-00C04F79498E}\VersionIndependentProgID	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\MiscStatus\1	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{FD351EA1-4173-4AF4-821D-80D4AE979048}\Programmable	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\Version	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{991DA7E5-953F-435B-BE5E-B92A05EDFC42}	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{807C1E6C-1D00-453f-B920-B61BB7CDD997}	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{1138506a-b949-46a7-b6c0-ee26499fdeaf}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{85BBD920-42A0-1069-A2E4-08002B30309D}	Reimage.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{0CF32AA1-7571-11D0-93C4-00AA00A3DDEA}	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{3540D440-5B1D-49CB-821A-E84B8CF065A7}	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{D9BB4CEE-B87A-47F1-AC92-B08D9C7813FC}	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{807C1E6C-1D00-453f-B920-B61BB7CDD997}\ProgID	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{37B0353C-A4C8-11D2-B634-00C04F79498E}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{9E797ED0-5253-4243-A9B7-BD06C58F8EF3}\Programmable	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{BB530C63-D9DF-4B49-9439-63453962E598}\Implemented Categories	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C5702CCC-9B79-11D3-B654-00C04F79498E}	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{1d27f844-3a1f-4410-85ac-14651078412d}\shellex	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{8A674B4C-1F63-11D3-B64C-00C04F79498E}\InprocServer32	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	Reimage.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{CC829A2F-3365-463F-AF13-81DBB6F3A555}\TypeLib	Reimage.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	ReiGuard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	ReiGuard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	ReiGuard.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ReiGuard.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ReiGuard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	ReiGuard.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	ReiGuard.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Reimage.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Reimage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Reimage.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	ReiGuard.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2332	ReiGuard.exe
684	ReiGuard.exe
684	ReiGuard.exe
2332	ReiGuard.exe
684	ReiGuard.exe
2720	ReiSystem.exe
684	ReiGuard.exe
684	ReiGuard.exe
2112	Reimage.exe
2112	Reimage.exe
2112	Reimage.exe
2112	Reimage.exe
2112	Reimage.exe
2112	Reimage.exe
2112	Reimage.exe
2112	Reimage.exe
2112	Reimage.exe
684	ReiGuard.exe
684	ReiGuard.exe
684	ReiGuard.exe
684	ReiGuard.exe
684	ReiGuard.exe
684	ReiGuard.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

description	pid	Process
Token: SeDebugPrivilege	2576	tasklist.exe
Token: SeDebugPrivilege	2472	tasklist.exe
Token: SeDebugPrivilege	2112	tasklist.exe
Token: SeDebugPrivilege	2940	tasklist.exe
Token: SeDebugPrivilege	2452	tasklist.exe
Token: SeDebugPrivilege	2500	tasklist.exe
Token: SeDebugPrivilege	2940	tasklist.exe
Token: SeDebugPrivilege	1724	tasklist.exe
Token: SeBackupPrivilege	2112	Reimage.exe
Token: SeRestorePrivilege	2112	Reimage.exe
Token: SeTakeOwnershipPrivilege	2112	Reimage.exe
Token: SeDebugPrivilege	2112	Reimage.exe
Token: SeBackupPrivilege	2112	Reimage.exe
Token: SeBackupPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeBackupPrivilege	2112	Reimage.exe
Token: SeBackupPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe
Token: SeSecurityPrivilege	2112	Reimage.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2804	ReimageApp.exe
2112	Reimage.exe
2804	ReimageApp.exe
2804	ReimageApp.exe
2804	ReimageApp.exe
2112	Reimage.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2804	ReimageApp.exe
2112	Reimage.exe
2804	ReimageApp.exe
2804	ReimageApp.exe
2804	ReimageApp.exe
2112	Reimage.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2112	Reimage.exe
2112	Reimage.exe
2112	Reimage.exe
2112	Reimage.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 1708	2364	ReimagePackage.exe	28
PID 2364 wrote to memory of 1708	2364	ReimagePackage.exe	28
PID 2364 wrote to memory of 1708	2364	ReimagePackage.exe	28
PID 2364 wrote to memory of 1708	2364	ReimagePackage.exe	28
PID 1708 wrote to memory of 2576	1708	cmd.exe	30
PID 1708 wrote to memory of 2576	1708	cmd.exe	30
PID 1708 wrote to memory of 2576	1708	cmd.exe	30
PID 1708 wrote to memory of 2576	1708	cmd.exe	30
PID 2364 wrote to memory of 2264	2364	ReimagePackage.exe	32
PID 2364 wrote to memory of 2264	2364	ReimagePackage.exe	32
PID 2364 wrote to memory of 2264	2364	ReimagePackage.exe	32
PID 2364 wrote to memory of 2264	2364	ReimagePackage.exe	32
PID 2264 wrote to memory of 2472	2264	cmd.exe	34
PID 2264 wrote to memory of 2472	2264	cmd.exe	34
PID 2264 wrote to memory of 2472	2264	cmd.exe	34
PID 2264 wrote to memory of 2472	2264	cmd.exe	34
PID 2364 wrote to memory of 2000	2364	ReimagePackage.exe	35
PID 2364 wrote to memory of 2000	2364	ReimagePackage.exe	35
PID 2364 wrote to memory of 2000	2364	ReimagePackage.exe	35
PID 2364 wrote to memory of 2000	2364	ReimagePackage.exe	35
PID 2364 wrote to memory of 1436	2364	ReimagePackage.exe	37
PID 2364 wrote to memory of 1436	2364	ReimagePackage.exe	37
PID 2364 wrote to memory of 1436	2364	ReimagePackage.exe	37
PID 2364 wrote to memory of 1436	2364	ReimagePackage.exe	37
PID 2364 wrote to memory of 1028	2364	ReimagePackage.exe	39
PID 2364 wrote to memory of 1028	2364	ReimagePackage.exe	39
PID 2364 wrote to memory of 1028	2364	ReimagePackage.exe	39
PID 2364 wrote to memory of 1028	2364	ReimagePackage.exe	39
PID 1028 wrote to memory of 2112	1028	cmd.exe	41
PID 1028 wrote to memory of 2112	1028	cmd.exe	41
PID 1028 wrote to memory of 2112	1028	cmd.exe	41
PID 1028 wrote to memory of 2112	1028	cmd.exe	41
PID 2364 wrote to memory of 3016	2364	ReimagePackage.exe	43
PID 2364 wrote to memory of 3016	2364	ReimagePackage.exe	43
PID 2364 wrote to memory of 3016	2364	ReimagePackage.exe	43
PID 2364 wrote to memory of 3016	2364	ReimagePackage.exe	43
PID 2364 wrote to memory of 3016	2364	ReimagePackage.exe	43
PID 2364 wrote to memory of 3016	2364	ReimagePackage.exe	43
PID 2364 wrote to memory of 3016	2364	ReimagePackage.exe	43
PID 3016 wrote to memory of 992	3016	regsvr32.exe	44
PID 3016 wrote to memory of 992	3016	regsvr32.exe	44
PID 3016 wrote to memory of 992	3016	regsvr32.exe	44
PID 3016 wrote to memory of 992	3016	regsvr32.exe	44
PID 3016 wrote to memory of 992	3016	regsvr32.exe	44
PID 3016 wrote to memory of 992	3016	regsvr32.exe	44
PID 3016 wrote to memory of 992	3016	regsvr32.exe	44
PID 2364 wrote to memory of 1096	2364	ReimagePackage.exe	45
PID 2364 wrote to memory of 1096	2364	ReimagePackage.exe	45
PID 2364 wrote to memory of 1096	2364	ReimagePackage.exe	45
PID 2364 wrote to memory of 1096	2364	ReimagePackage.exe	45
PID 2364 wrote to memory of 1096	2364	ReimagePackage.exe	45
PID 2364 wrote to memory of 1096	2364	ReimagePackage.exe	45
PID 2364 wrote to memory of 1096	2364	ReimagePackage.exe	45
PID 1096 wrote to memory of 1516	1096	regsvr32.exe	46
PID 1096 wrote to memory of 1516	1096	regsvr32.exe	46
PID 1096 wrote to memory of 1516	1096	regsvr32.exe	46
PID 1096 wrote to memory of 1516	1096	regsvr32.exe	46
PID 1096 wrote to memory of 1516	1096	regsvr32.exe	46
PID 1096 wrote to memory of 1516	1096	regsvr32.exe	46
PID 1096 wrote to memory of 1516	1096	regsvr32.exe	46
PID 2364 wrote to memory of 1544	2364	ReimagePackage.exe	47
PID 2364 wrote to memory of 1544	2364	ReimagePackage.exe	47
PID 2364 wrote to memory of 1544	2364	ReimagePackage.exe	47
PID 2364 wrote to memory of 1544	2364	ReimagePackage.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe
"C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\SysWOW64\cmd.exe
  cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "IMAGENAME eq Reimage.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2576
- C:\Windows\SysWOW64\cmd.exe
  cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "IMAGENAME eq avupdate.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2472
- C:\Program Files\Reimage\Reimage Repair\lzma.exe
  "C:\Program Files\Reimage\Reimage Repair\lzma.exe" "d" "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.lza" "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll"
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  PID:2000
- C:\Program Files\Reimage\Reimage Repair\lzma.exe
  "C:\Program Files\Reimage\Reimage Repair\lzma.exe" "d" "C:\Program Files\Reimage\Reimage Repair\REI_Engine.lza" "C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll"
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  PID:1436
- C:\Windows\SysWOW64\cmd.exe
  cmd /C tasklist /FI "IMAGENAME eq REI_avira.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "IMAGENAME eq REI_avira.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2112
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:992
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s "C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll"
    3⤵
    - Loads dropped DLL
    PID:1516
- C:\Users\Admin\AppData\Local\Temp\nsy15C4.tmp\ProtectorUpdater.exe
  "C:\Users\Admin\AppData\Local\Temp\nsy15C4.tmp\ProtectorUpdater.exe" /S /MinorSessionID=1b791f08fa234cdfbaf4851a27 /SessionID=0 /TrackID= /AgentLogLocation=C:\rei\Results\Agent /CflLocation=C:\rei\cfl.rei /Install=True /DownloaderVersion=1956 /Iav=False
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1544
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C tasklist /FI "IMAGENAME eq UniProtectorPackage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
    3⤵
    PID:1732
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq UniProtectorPackage.exe"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2940
- - C:\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe
    "C:\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe" /S /MinorSessionID=1b791f08fa234cdfbaf4851a27 /SessionID=12b29711-2580-4a56-82e1-71f8abe64d11 /Install=true /UpdateOnly=default /InstallPath= /Iav=False /SessionOk=true
    3⤵
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3004
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C tasklist /FI "IMAGENAME eq ReiScanner.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
      4⤵
      PID:2560
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq ReiScanner.exe"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C tasklist /FI "IMAGENAME eq ReiProtectorM.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
      4⤵
      PID:2920
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq ReiProtectorM.exe"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
  - - C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe
      "C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe" -install
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      PID:2332
- C:\Windows\SysWOW64\cmd.exe
  cmd /C tasklist /FI "IMAGENAME eq ReiGuard.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
  2⤵
  PID:2768
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "IMAGENAME eq ReiGuard.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2940
- C:\Windows\SysWOW64\cmd.exe
  cmd /C tasklist /FI "IMAGENAME eq ReimageApp.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
  2⤵
  PID:2300
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "IMAGENAME eq ReimageApp.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1724
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Delete /TN ReimageUpdater /F
  2⤵
  PID:2472
- C:\Program Files\Reimage\Reimage Protector\ReimageApp.exe
  "C:\Program Files\Reimage\Reimage Protector\ReimageApp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2804
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s "C:\Windows\system32\jscript.dll"
  2⤵
  - Registers COM server for autorun
  - Modifies registry class
  PID:2424
- C:\Program Files\Reimage\Reimage Repair\Reimage.exe
  "C:\Program Files\Reimage\Reimage Repair\Reimage.exe" /DEFAULT /Locale=1033
  2⤵
  - Uses Session Manager for persistence
  - Enumerates connected drives
  - Maps connected drives based on registry
  - Modifies WinLogon
  - Deletes itself
  - Drops file in Windows directory
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Registers COM server for autorun
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2112
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:1776
- - C:\Program Files\Reimage\Reimage Repair\REI_AVIRA.exe
    "C:\Program Files\Reimage\Reimage Repair\REI_AVIRA.exe" "C:\rei\AV"
    3⤵
    - Executes dropped EXE
    PID:1144
- - C:\Windows\system32\ipconfig.exe
    C:\Windows\system32\ipconfig.exe /all
    3⤵
    - Gathers network information
    PID:2284

C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe
"C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:684
- C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe
  "C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2720
- C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe
  commadnlinetogetexplorerhistory 3600 "C:\Users\Admin\AppData\Local\Temp\259480534_file.txt"
  2⤵
  - Executes dropped EXE
  PID:348

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll

Filesize
517KB

MD5
9fc5eab5cb90d5d3c1495dae779df986

SHA1
15347cb02ff6c04ee957a6f861a390c56a3fd8ca

SHA256
aa5d2d054b67847257926d95b8a8645799fb19d06a28473c8c18fdf4ad0b94d6

SHA512
37d24bd3fe80cffd8c650bcd724263be42460d18e2547da42dcfd7fba88adec98c01ac2122677af9b0338d7ebb74c535226b77fb17852413d565bb01bfa910da

Download Submit
C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.lza

Filesize
142KB

MD5
cd517a6523aeae7755380415214ecdd1

SHA1
dc94e7bfc2157c022eaef55b9132403a938e77c2

SHA256
92e59cf5a5f93b94011e2f1119ea9ab421177749fb7439e1017f6e37d4ec6ff0

SHA512
0076816a01acfc24d37a4a4729f6b9c18353ee3c1ceef2d7b8138d079f9237ea83e8b6a09df95ff9c0321ad42d249c25b6278e974ecddabfcf6b98600c46cfaf

Download Submit
C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll

Filesize
11.4MB

MD5
85912149fdd8098d6ae2a183f8b18ea3

SHA1
23afc9e77e9731fc416abe91b1e5cae3eeeeb8c9

SHA256
41218635867d1c1ec4ff045e29a908aa9e0006c760cbb057302b2fb92b295181

SHA512
63fdc4186358110d1d80fe10a01bd476eefb0a08ae931f54c234c635cb9524143afb0f91dcb1044b7402f9b8135f788afdda9896ae344bf9bb010e3228354236

Download Submit
C:\Program Files\Reimage\Reimage Repair\REI_Engine.lza

Filesize
3.7MB

MD5
f8f13a4be08dd40baeced5083d12e0aa

SHA1
bb513d5a2833555b26c4493b80d7de4c9cd1e773

SHA256
f3f76537f7a71cc15458c527b56724a9c508c817fae6cb5b70005ef2d17b99ec

SHA512
c99a1992f1dc2f97d0460d0a28d400aba424131fe2e5b742faa2701fa6e278e6d3d954c0e21d0051915877b52b3bc208ff9f899600d395e8ab4e64576a3dbbc1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C3948BE6E525B8A8CEE9FAC91C9E392_F70553637B9F26717122C4DAFA3ADB11

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\events4mem[1].htm

Filesize
2B

MD5
444bcb3a3fcf8389296c49467f27e1d6

SHA1
7a85f4764bbd6daf1c3545efbbf0f279a6dc0beb

SHA256
2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df

SHA512
9fbbbb5a0f329f9782e2356fa41d89cf9b3694327c1a934d6af2a9df2d7f936ce83717fb513196a4ce5548471708cd7134c2ae99b3c357bcabb2eafc7b9b7570

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

Filesize
64B

MD5
dea052a2ad11945b1960577c0192f2eb

SHA1
1d02626a05a546a90c05902b2551f32c20eb3708

SHA256
943b315e065238b7073b033f534ef954b6b6461fb3f03a3f5b8555b11bc4c0a2

SHA512
5496b10e2a77aee11055d71bdaaed835df1770e85fa4d0f9433330470bbcf76c932c04778a0b47f4193eee14813db2e2b19ecc50b4a6a193faa19b4019705917

Download Submit
C:\Users\Admin\AppData\Local\Temp\ReimageRepair.exe

Filesize
572KB

MD5
f5af9d859c9a031ab6bea66048fab6e1

SHA1
d0ee45d3534cc23cbd0d7c3765203ed926a7eb0a

SHA256
4efd1bc1bdc12da1bbdc597cf3f37f0c65e582f42e353cf781ac1fe422dfa68c

SHA512
c771c3e7ef88116168b9e3e0d0e4dbb2f2ad03dec0a87b9d3427faf7edb0a2510bb80dcb57b50fb6bcb9f683f23d876f35dc91a85006973bdb3fec41d51145a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5873.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfl.rei

Filesize
971KB

MD5
41b797743d2d08233b680501b086d669

SHA1
e19aaa402c3e6fedbf4f8cfd0256b537cb001ca5

SHA256
5805c8a496c13e9085f624a9c4f20188587d7b13d9c3e5f79f0f78367df74cf5

SHA512
13fbcc4d53c65ce1b09fb6fa088824384659a9d4bcf1713ce8c75caa08a0f3df9e14061d42f4696608547b326a6fd1ef18fa92cbd3e3016559630d2e57358b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_version.xml

Filesize
2KB

MD5
919d48cafc7b57dfb2c01f986da92f61

SHA1
df594b0569821ab449a05ae9824d0f7965308536

SHA256
0e303a2be594711cd28768e44d98edbeabe110acce0f4c76da4c842d1db55686

SHA512
039eb656f0335a4f4e230768c51749a589c5d98c89506c619b6bac40f59bf22a8ac56419f6c04c42e6c8e0072546028489e4b8bff218d151779c5e9fed962a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4B64.tmp\SimpleSC.dll

Filesize
39KB

MD5
3f1be1321461c7b7a3b4322391c818f0

SHA1
f59b7a1e65f60a446f4355e22f0a10bddec3d21b

SHA256
3d7a8cf88fbed3417ff7bf998188f830c2f52da4e9a36da3edb438310ad1b1cd

SHA512
2f11c28694746ad8dcbd1e04988d682152986f81959a425aab542483872aa5e30eadb36af0838f5301867279687b2c4b6417bd4b93053dcab6a13b6802164bb7

Download Submit
C:\Windows\Reimage.ini

Filesize
64B

MD5
64942eaf77bd55be3bf729ba920d6a4b

SHA1
8f85e14923c3cb14d27f711866830b3e2968f776

SHA256
8e820b374c745053b02368cd569b93529af5de28bd4d0992ea649cda6377c8d2

SHA512
72190532f3c5f6bf036130ecbdb7faef42c265eddbba27884432d25c7e3d6a5239d9a36d7323289f348d5092d73e951ef707a06105a48e9d84f782cf09eacfb3

Download Submit
C:\Windows\Reimage.ini

Filesize
99B

MD5
efb7b0404702920854b63263944a9551

SHA1
47beb6e4b68f87b38f273224529ad381851735a4

SHA256
716c7dd11ac541ef29d8b9d9c7dd8cb9a5c1508692c4a14ebd54b7d9c18bff14

SHA512
706f926ed092f58cc3ce73056a18b7c721ffaab722be808be829dd5661815c939e91647947e7419d0dc1d1e90f0984f17e1654e1cd7e2ce72dbe20ac4f37cac0

Download Submit
C:\Windows\Temp\Cab7CEF.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Local State

Filesize
130KB

MD5
afa18aa12a6fbbb30d95ea7f8abdf4bc

SHA1
2c2c7901ce32d7b50ac09f8ca5ee6e278e0f4959

SHA256
ab639ace250b79abba419d77f36cbabadb3054908dd2d46dcdced8c49d1ffb75

SHA512
2c70599d66623ee9ef92925fc06be1c9a4365f0a808240634a12e260158f5b94a70f483633190f14200a954cf66ba89a05e9ad4fbb2c82b315358ff82fd5d828

Download Submit
C:\Windows\Temp\Secure Preferences

Filesize
10KB

MD5
b04cac6bcbee5fe50aa26eba5d488812

SHA1
c5d04887b88e0a7af8d89650db66880ce9c7231e

SHA256
ff2198e29a7d7c13ff074d5a1d40fe452e90373f2b9e74cb2e167f283a547f9d

SHA512
d1edbb8978b79aec5275a234e2156a34956a9066099e6604ea3b8d311fac954a063c51982c586ad95e15dda34e0d948d05aeafde8fc6d2fc352e361001a5d861

Download Submit
C:\Windows\reimage.ini

Filesize
111B

MD5
c9447abb28e3b8f5324d158045b9ea2c

SHA1
af88eb3a4281a9e4ec79f761634dad6239b62813

SHA256
04089fa2d7ab67d4dae67fad9b31565f413bf5883fd6d6e6610c8c1ac2bc414b

SHA512
0588699360bdf857656d67e3ff7e41cafc82ffa81c574f14420a4203e381583823ffc3840c52631fdf8ea8bdf58c2ae11ad87ab5dc399603a2ed60c04798bbfd

Download Submit
C:\Windows\reimage.ini

Filesize
140B

MD5
7f0406476990e30bbe46e0bebad40c76

SHA1
c0efcfb61e9d9219d9cc8d4cface803d2ea9bf10

SHA256
afe420d573dfd21447c97e4fe672b1866a9d0645efc98b8b3c57195b44c5d277

SHA512
bcd050dad50b50e73dee5d62ac6544a008a400ef37a59f5651ac42be8b22e9c673494b301c2fc4cf2419afaf8b51ee0cc9569e2a30857e7cdd0c8c0f82ad88ff

Download Submit
C:\rei\Temp\20240418_1306\ApplicationList.ini

Filesize
260KB

MD5
2507e773eddc41e844e0126a7f97be68

SHA1
e073ebf173622d463895b2105e15127e47dec4c9

SHA256
a844dac72231881abac18df2fa03272ad9c64c766c35a4d4d9bbabfc7775e904

SHA512
3fa4158b4a912a5735a8fe5e3169a7c6d738fc32f304f2641575cecdeeec402987f714692232d3b3ef8419e2d380c71120b2e339f978da946431719166c22da2

Download Submit
C:\rei\rei1971nvt.ini

Filesize
4KB

MD5
47c82cbd4a5cb71e9923a72ac9ba6f6d

SHA1
c2fbf954a49abe785ea166fb2edb8d760071a15a

SHA256
1ec8e5bf412f224e7e3e675f9b50e6c6e624de8aa0ee3b20731766acbcf8c7f6

SHA512
648acf839d107611f9e90d5a814032353bcd5909427263ab2c0c507c81321400f4ac2b09d39b8653ac8cae5ee5f88d544627151f7dec9e1c69337859866b5648

Download Submit
C:\rei\reimage.qsr

Filesize
194B

MD5
00148a62d1606c4af2a94af2d2e94f8f

SHA1
51fa900f1d7ed884efef0a2dc69873c856f4de88

SHA256
dd6ed530fc37a31d60f39ef0d99b6ee40437f406bcce828609c872321df521cf

SHA512
6ebf958fabd8448bb694e115a7f6bb4dabb173f13c9dcd22b818afff8beba1f3ba443c773f72d381afb7e0971c2f91ba0f1fb2b876576e4ef96c8e5b97213b24

Download Submit
C:\rei\reimage.qsr

Filesize
196B

MD5
5385c31eeb5388b455dfa38ad6fb2909

SHA1
dbddff0dd3eae172aa22cdb0653dd3d054264cc8

SHA256
7add2eb41b01b026c15a5abf5f6a9eb898f3c88d13eeedd0538ea0adf87cd9c2

SHA512
e87f4236e92229497e443912f35e95065f8da78fe63c0678785ca5d45d0b14dc1738b36e523538d4fcb64410583acc3ac4dcf942821088593ef1dd4ed2c4d11e

Download Submit
\Program Files\Reimage\Reimage Repair\LZMA.EXE

Filesize
99KB

MD5
a59ab79ec748d1da70e326b49b8aa820

SHA1
145d254525c6b41251733953e3d4e00e3370f0fd

SHA256
871361690289c50c81a6e38c28914121adceab3ff0ba93d043f1cc4e59635955

SHA512
5cd4fdfe9e20151313814551a36ab0aab8881fc1b12b5c41e0ccd64d6f4980e908b3493efd569964ce63290853785c10b151285ab19b37c7d3a411b5461275b9

Download Submit
\Program Files\Reimage\Reimage Repair\ReimageSafeMode.exe

Filesize
330KB

MD5
e1533eaffad6f6d5d25022e43126fa38

SHA1
6048cbf2b8a366b98f24c8b45a6003c805791d3f

SHA256
299d60f623698d7c00d998a5dd4636a0e40dadd03500f2ae8148b190feafe9ba

SHA512
7d12e8a63d07cdda57d28cadfc947561aee6413a302b6840ac8f077ab6350a6e1fa4e6ce61bbebdcafd7c01c73f4dbffdc96c3e0d0526ad8da424f6bdd070d7b

Download Submit
\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe

Filesize
6.0MB

MD5
0a21dab75a58f818abae4b824087a1e8

SHA1
6f0798ff9b9128233c1fb7b641332730b1702535

SHA256
99ebcdeab3f755f402bce0d8b59a736056b64e0db96d486466735d23ec856b86

SHA512
1ebfe810e2bd693bea4899f00d438bc0032abe15d47c4241fec14183bb45882185999f232a126ad885c51e9b6e9468e8333ed453880777a94b4545e88d7648a2

Download Submit
\Users\Admin\AppData\Local\Temp\nst3332.tmp\AccessControl.dll

Filesize
8KB

MD5
65d017ba65785b43720de6c9979a2e8c

SHA1
0aed2846e1b338077bae5a7f756c345a5c90d8a9

SHA256
ccc6aaf1071d9077475b574d9bf1fc23de40a06547fc90cf4255a44d3bf631ac

SHA512
31a19105892d5a9b49eb81a90a2330c342a5504fa4940b99a12279a63e1a19ee5d4b257d0900794ff7021a09408995a5d12e95cc38f09cf12fb2fd860d205c95

Download Submit
\Users\Admin\AppData\Local\Temp\nst3332.tmp\UserInfo.dll

Filesize
4KB

MD5
c7ce0e47c83525983fd2c4c9566b4aad

SHA1
38b7ad7bb32ffae35540fce373b8a671878dc54e

SHA256
6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

SHA512
ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

Download Submit
\Users\Admin\AppData\Local\Temp\nsy15C4.tmp\DcryptDll.dll

Filesize
156KB

MD5
4c373143ee342a75b469e0748049cd24

SHA1
d4e0e5155e78b99ec9459136acece2364bc2e935

SHA256
b4b5772a893e56aa5382aa3f0fef7837fa471e3b3e46db70b8bc702f2037e589

SHA512
569f92c3ff9a6e105cf9b3806d8b696442a5679dfa5d7c9362b0649a67cbea2478ca28a5da6c3bd0edacdb634509d8584c6959a4cc13c38d596458f372832f61

Download Submit
\Users\Admin\AppData\Local\Temp\nsy15C4.tmp\LogEx.dll

Filesize
44KB

MD5
0f96d9eb959ad4e8fd205e6d58cf01b8

SHA1
7c45512cbdb24216afd23a9e8cdce0cfeaa7660f

SHA256
57ede354532937e38c4ae9da3710ee295705ea9770c402dfb3a5c56a32fd4314

SHA512
9f3afb61d75ac7b7dc84abcbf1b04f759b7055992d46140dc5dcc269aed22268d044ee8030f5ea260bbb912774e5bbb751560c16e54efa99c700b9fc7d48832c

Download Submit
\Users\Admin\AppData\Local\Temp\nsy15C4.tmp\ProtectorUpdater.exe

Filesize
371KB

MD5
7aa7e8423194f3edf6d1d82ade82acb3

SHA1
a4ca6d67fc43dd742e87b4c82237cdc8b1bb22d9

SHA256
1ba53128ef67d7e355b2e44c90c4bfe3dddff4546ad4e9c75e249d4850250361

SHA512
e5fc8a1b515f41f60810ec12f5e36263c889c60b06c6b94450eec910a32ba91fba74bd757d54966d657d37a5ca3c5e9bb23f58f3de4255c276e046b6f1be28bb

Download Submit
\Users\Admin\AppData\Local\Temp\nsy15C4.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
\Users\Admin\AppData\Local\Temp\nsy15C4.tmp\inetc.dll

Filesize
31KB

MD5
5da9df435ff20853a2c45026e7681cef

SHA1
39b1d70a7a03e7c791cb21a53d82fd949706a4b4

SHA256
9c52c74b8e115db0bde90f56382ebcc12aff05eb2232f80a4701e957e09635e2

SHA512
4ab3b1572485a8a11863adada2c6ec01e809a4b09f99d80903c79a95b91f299b8f2cd6cceaa915567e155a46291a33fb8ccb95141d76d4e7b0e040890d51d09f

Download Submit
\Users\Admin\AppData\Local\Temp\nsy15C4.tmp\nsExec.dll

Filesize
6KB

MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
\Users\Admin\AppData\Local\Temp\nsy15C4.tmp\stack.dll

Filesize
10KB

MD5
867af9bea8b24c78736bf8d0fdb5a78e

SHA1
05839fad98aa2bcd9f6ecb22de4816e0c75bf97d

SHA256
732164fb36f46dd23dafb6d7621531e70f1f81e2967b3053727ec7b5492d0ae9

SHA512
b7f54d52ff08b29a04b4f5887e6e3ae0e74fa45a86e55e0a4d362bc3603426c42c1d6a0b2fc2ef574bec0f6c7152de756ff48415e37ae6a7a9c296303562df4b

Download Submit
\Users\Admin\AppData\Local\Temp\nsy15C4.tmp\xml.dll

Filesize
182KB

MD5
ebce8f5e440e0be57665e1e58dfb7425

SHA1
573dc1abd2b03512f390f569058fd2cf1d02ce91

SHA256
d1aaacc0aaf477b6b9f084697adcb444fc2333b32e8d99d224dca89516e762a7

SHA512
4786c9124973b6543d7291047d4c4a06c05282a3766212dbd3b8ce9b9560afddca20c491f791db2258c14ab767d5d3f480daa4706492949eae2ceb4a35aaef85

Download Submit
memory/1544-235-0x0000000000820000-0x000000000082B000-memory.dmp

Filesize
44KB

Download
memory/1544-217-0x0000000074290000-0x000000007429B000-memory.dmp

Filesize
44KB

Download
memory/2112-2589-0x0000000002C90000-0x0000000002CE7000-memory.dmp

Filesize
348KB

Download
memory/2112-2611-0x0000000002C90000-0x0000000002CAE000-memory.dmp

Filesize
120KB

Download
memory/2112-769-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2112-600-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2112-2645-0x0000000002C90000-0x0000000002C9B000-memory.dmp

Filesize
44KB

Download
memory/2112-2646-0x0000000002C90000-0x0000000002CAE000-memory.dmp

Filesize
120KB

Download
memory/2112-2644-0x0000000002C90000-0x0000000002CA1000-memory.dmp

Filesize
68KB

Download
memory/2112-2564-0x000007FEF4F60000-0x000007FEF4FB8000-memory.dmp

Filesize
352KB

Download
memory/2112-2563-0x000007FEF4FC0000-0x000007FEF5018000-memory.dmp

Filesize
352KB

Download
memory/2112-2643-0x0000000002C90000-0x0000000002CD7000-memory.dmp

Filesize
284KB

Download
memory/2112-2586-0x0000000002C90000-0x0000000002CCE000-memory.dmp

Filesize
248KB

Download
memory/2112-2587-0x0000000002C90000-0x0000000002CCE000-memory.dmp

Filesize
248KB

Download
memory/2112-2588-0x0000000002C90000-0x0000000002CE7000-memory.dmp

Filesize
348KB

Download
memory/2112-2642-0x0000000002C90000-0x0000000002CD7000-memory.dmp

Filesize
284KB

Download
memory/2112-2594-0x0000000002C90000-0x0000000002C9A000-memory.dmp

Filesize
40KB

Download
memory/2112-2593-0x0000000002C90000-0x0000000002C9A000-memory.dmp

Filesize
40KB

Download
memory/2112-2595-0x0000000002C90000-0x0000000002D0B000-memory.dmp

Filesize
492KB

Download
memory/2112-2596-0x0000000002C90000-0x0000000002CE6000-memory.dmp

Filesize
344KB

Download
memory/2112-2598-0x0000000002C90000-0x0000000002CBF000-memory.dmp

Filesize
188KB

Download
memory/2112-2597-0x0000000002C90000-0x0000000002CBF000-memory.dmp

Filesize
188KB

Download
memory/2112-2599-0x0000000002C90000-0x0000000002D19000-memory.dmp

Filesize
548KB

Download
memory/2112-2600-0x0000000002C90000-0x0000000002CA2000-memory.dmp

Filesize
72KB

Download
memory/2112-2601-0x0000000002C90000-0x0000000002CA2000-memory.dmp

Filesize
72KB

Download
memory/2112-2603-0x0000000002C90000-0x0000000002C97000-memory.dmp

Filesize
28KB

Download
memory/2112-2602-0x0000000002C90000-0x0000000002C97000-memory.dmp

Filesize
28KB

Download
memory/2112-2605-0x0000000002C90000-0x0000000002CCE000-memory.dmp

Filesize
248KB

Download
memory/2112-2604-0x0000000002C90000-0x0000000002CCE000-memory.dmp

Filesize
248KB

Download
memory/2112-2606-0x0000000002C90000-0x0000000002CA7000-memory.dmp

Filesize
92KB

Download
memory/2112-2610-0x0000000002C90000-0x0000000002C9A000-memory.dmp

Filesize
40KB

Download
memory/2112-2609-0x0000000002C90000-0x0000000002C9A000-memory.dmp

Filesize
40KB

Download
memory/2112-2608-0x0000000002C90000-0x0000000002CA5000-memory.dmp

Filesize
84KB

Download
memory/2112-2607-0x0000000002C90000-0x0000000002CA5000-memory.dmp

Filesize
84KB

Download
memory/2112-2612-0x0000000002C90000-0x0000000002CAE000-memory.dmp

Filesize
120KB

Download
memory/2112-770-0x000007FEF21D0000-0x000007FEF220A000-memory.dmp

Filesize
232KB

Download
memory/2112-2614-0x0000000002C90000-0x0000000002CD7000-memory.dmp

Filesize
284KB

Download
memory/2112-2613-0x0000000002C90000-0x0000000002CD7000-memory.dmp

Filesize
284KB

Download
memory/2112-2615-0x0000000002C90000-0x0000000002CBF000-memory.dmp

Filesize
188KB

Download
memory/2112-2616-0x0000000002C90000-0x0000000002C9B000-memory.dmp

Filesize
44KB

Download
memory/2112-2617-0x0000000002C90000-0x0000000002C9B000-memory.dmp

Filesize
44KB

Download
memory/2112-2618-0x0000000002C90000-0x0000000002CA5000-memory.dmp

Filesize
84KB

Download
memory/2112-2619-0x0000000002C90000-0x0000000002CA5000-memory.dmp

Filesize
84KB

Download
memory/2112-2623-0x0000000002C90000-0x0000000002CA9000-memory.dmp

Filesize
100KB

Download
memory/2112-2622-0x0000000002C90000-0x0000000002CA9000-memory.dmp

Filesize
100KB

Download
memory/2112-2621-0x0000000002C90000-0x0000000002CA2000-memory.dmp

Filesize
72KB

Download
memory/2112-2620-0x0000000002C90000-0x0000000002CA2000-memory.dmp

Filesize
72KB

Download
memory/2112-2625-0x0000000002C90000-0x0000000002C97000-memory.dmp

Filesize
28KB

Download
memory/2112-2624-0x0000000002C90000-0x0000000002C97000-memory.dmp

Filesize
28KB

Download
memory/2112-2626-0x0000000002C90000-0x0000000002CAB000-memory.dmp

Filesize
108KB

Download
memory/2112-2627-0x0000000002C90000-0x0000000002CAB000-memory.dmp

Filesize
108KB

Download
memory/2112-2630-0x0000000002C90000-0x0000000002C9B000-memory.dmp

Filesize
44KB

Download
memory/2112-2629-0x0000000002C90000-0x0000000002C9B000-memory.dmp

Filesize
44KB

Download
memory/2112-2628-0x0000000002C90000-0x0000000002C97000-memory.dmp

Filesize
28KB

Download
memory/2112-2633-0x0000000002C90000-0x0000000002C99000-memory.dmp

Filesize
36KB

Download
memory/2112-2632-0x0000000002C90000-0x0000000002C99000-memory.dmp

Filesize
36KB

Download
memory/2112-2631-0x0000000002C90000-0x0000000002CA7000-memory.dmp

Filesize
92KB

Download
memory/2112-2634-0x0000000002C90000-0x0000000002D0B000-memory.dmp

Filesize
492KB

Download
memory/2112-2637-0x0000000002C90000-0x0000000002CD8000-memory.dmp

Filesize
288KB

Download
memory/2112-2636-0x0000000002C90000-0x0000000002CD8000-memory.dmp

Filesize
288KB

Download
memory/2112-2635-0x0000000002C90000-0x0000000002CA5000-memory.dmp

Filesize
84KB

Download
memory/2112-2641-0x0000000002C90000-0x0000000002C9C000-memory.dmp

Filesize
48KB

Download
memory/2112-2640-0x0000000002C90000-0x0000000002C9C000-memory.dmp

Filesize
48KB

Download
memory/2112-2639-0x0000000002C90000-0x0000000002CAE000-memory.dmp

Filesize
120KB

Download
memory/2112-2638-0x0000000002C90000-0x0000000002CAE000-memory.dmp

Filesize
120KB

Download
memory/2364-42-0x00000000003F0000-0x00000000003FB000-memory.dmp

Filesize
44KB

Download
memory/2364-152-0x0000000005F70000-0x0000000005F7B000-memory.dmp

Filesize
44KB

Download
memory/2364-485-0x0000000005F80000-0x0000000005F8B000-memory.dmp

Filesize
44KB

Download
memory/2364-527-0x0000000005F90000-0x0000000005F9B000-memory.dmp

Filesize
44KB

Download
memory/3004-404-0x0000000000B70000-0x0000000000B7B000-memory.dmp

Filesize
44KB

Download