4de22f65551da53a761b1e9049abfcfdeddb4f36dfd50503f4ac45a0e4f972a4

Analysis

max time kernel
159s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 13:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ReimagePackage.exe
Size

12.3MB
MD5

0cf8715cbdee01676d24f4f78c7b431f
SHA1

74989063fd05ffb28d0d705c583c2c6b1e9aef99
SHA256

4de22f65551da53a761b1e9049abfcfdeddb4f36dfd50503f4ac45a0e4f972a4
SHA512

248e107e97b2c1c1172abcadffee1497fbf8f75a0b343d983cf13410c2c74c6a7bd23f5d5ece32e76b2521b0a1543f4f6b62a4e8e407ba27ce722e2290976327
SSDEEP

196608:pSjaAQ7Z8aVC/xE4hVS930UqN2FItiZESkM8ZCLfsFrrdTM4nGgAU1Q+osH:oOAQaBvWq0QiZH18ZaIr2qG/sH

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00070000000232b8-183.dat	acprotect

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000232b8-183.dat	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Reimage = "\"C:\\Program Files\\Reimage\\Reimage Protector\\ReimageApp.exe\""	ReimagePackage.exe

Downloads MZ/PE file

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	ReiGuard.exe
File opened (read-only)	\??\Z:	ReiGuard.exe
File opened (read-only)	\??\M:	ReiGuard.exe
File opened (read-only)	\??\R:	ReiGuard.exe
File opened (read-only)	\??\T:	ReiGuard.exe
File opened (read-only)	\??\W:	ReiGuard.exe
File opened (read-only)	\??\I:	ReiGuard.exe
File opened (read-only)	\??\L:	ReiGuard.exe
File opened (read-only)	\??\O:	ReiGuard.exe
File opened (read-only)	\??\Q:	ReiGuard.exe
File opened (read-only)	\??\A:	ReiGuard.exe
File opened (read-only)	\??\B:	ReiGuard.exe
File opened (read-only)	\??\E:	ReiGuard.exe
File opened (read-only)	\??\H:	ReiGuard.exe
File opened (read-only)	\??\V:	ReiGuard.exe
File opened (read-only)	\??\Y:	ReiGuard.exe
File opened (read-only)	\??\P:	ReiGuard.exe
File opened (read-only)	\??\S:	ReiGuard.exe
File opened (read-only)	\??\U:	ReiGuard.exe
File opened (read-only)	\??\G:	ReiGuard.exe
File opened (read-only)	\??\J:	ReiGuard.exe
File opened (read-only)	\??\K:	ReiGuard.exe
File opened (read-only)	\??\N:	ReiGuard.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	ReimagePackage.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_10CFD21835FBC4730F33B8DAC8D7DB43	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_10CFD21835FBC4730F33B8DAC8D7DB43	ReiGuard.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File created	C:\Program Files\Reimage\Reimage Repair\Reimage_uninstall.ico	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\Reimage_SafeMode.ico	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\REI_AVIRA.exe	ReimagePackage.exe
File opened for modification	C:\Program Files\Reimage\Reimage Repair\Reimage Repair Privacy Policy.url	ReimagePackage.exe
File opened for modification	C:\Program Files\Reimage\Reimage Repair\reimage.dat	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll	lzma.exe
File opened for modification	C:\Program Files\Reimage\Reimage Repair\engine.dat	ReimagePackage.exe
File opened for modification	C:\Program Files\Reimage\Reimage Repair\Reimage Repair Terms of Use.url	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe	UniProtectorPackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\LZMA.EXE	ReimagePackage.exe
File opened for modification	C:\Program Files\Reimage\Reimage Repair\ReimageRepair.exe	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\engine.dat	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\ReimageSafeMode.exe	ReimagePackage.exe
File opened for modification	C:\Program Files\Reimage\Reimage Repair\Reimage Repair Help & Support.url	ReimagePackage.exe
File opened for modification	C:\Program Files\Reimage\Reimage Repair\Reimage Repair Uninstall Instructions.url	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe	UniProtectorPackage.exe
File created	C:\Program Files\Reimage\Reimage Protector\ProtectorUpdater.exe	UniProtectorPackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\Reimage.exe	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\reimage.dat	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll	lzma.exe
File created	C:\Program Files\Reimage\Reimage Protector\ReiScanner.exe	UniProtectorPackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\savapi.dll	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Protector\ReimageApp.exe	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\ReimageRepair.exe	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\REI_Engine.lza	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\Reimageicon.ico	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\Reimage_website.ico	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Protector\ReiProtectorM.exe	UniProtectorPackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\version.rei	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\REI_SupportInfoTool.exe	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\msvcr120.dll	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\ReimageReminder.exe	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.lza	ReimagePackage.exe
File created	C:\Program Files\Reimage\Reimage Repair\uninst.exe	ReimagePackage.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\reimage.ini	ReimagePackage.exe
File opened for modification	C:\Windows\Reimage.ini	ProtectorUpdater.exe
File opened for modification	C:\Windows\Reimage.ini	UniProtectorPackage.exe
File opened for modification	C:\Windows\TEMPregistrylog\.log	ReiGuard.exe

Executes dropped EXE 10 IoCs

pid	Process
1868	lzma.exe
1116	lzma.exe
1708	ProtectorUpdater.exe
548	UniProtectorPackage.exe
2252	ReiGuard.exe
3572	ReiGuard.exe
60	ReiSystem.exe
316	ReimageApp.exe
524	Reimage.exe
4724	ReiSystem.exe

Loads dropped DLL 64 IoCs

pid	Process
4256	ReimagePackage.exe
4256	ReimagePackage.exe
4256	ReimagePackage.exe
4256	ReimagePackage.exe
4256	ReimagePackage.exe
4256	ReimagePackage.exe
4256	ReimagePackage.exe
4256	ReimagePackage.exe
4256	ReimagePackage.exe
4256	ReimagePackage.exe
4256	ReimagePackage.exe
4256	ReimagePackage.exe
4256	ReimagePackage.exe
4256	ReimagePackage.exe
4256	ReimagePackage.exe
4256	ReimagePackage.exe
4256	ReimagePackage.exe
4256	ReimagePackage.exe
4256	ReimagePackage.exe
4256	ReimagePackage.exe
4256	ReimagePackage.exe
316	regsvr32.exe
3404	regsvr32.exe
3404	regsvr32.exe
3900	regsvr32.exe
1148	regsvr32.exe
4256	ReimagePackage.exe
1708	ProtectorUpdater.exe
1708	ProtectorUpdater.exe
1708	ProtectorUpdater.exe
1708	ProtectorUpdater.exe
1708	ProtectorUpdater.exe
1708	ProtectorUpdater.exe
1708	ProtectorUpdater.exe
1708	ProtectorUpdater.exe
1708	ProtectorUpdater.exe
1708	ProtectorUpdater.exe
1708	ProtectorUpdater.exe
1708	ProtectorUpdater.exe
1708	ProtectorUpdater.exe
1708	ProtectorUpdater.exe
1708	ProtectorUpdater.exe
548	UniProtectorPackage.exe
548	UniProtectorPackage.exe
548	UniProtectorPackage.exe
548	UniProtectorPackage.exe
548	UniProtectorPackage.exe
548	UniProtectorPackage.exe
548	UniProtectorPackage.exe
548	UniProtectorPackage.exe
548	UniProtectorPackage.exe
548	UniProtectorPackage.exe
548	UniProtectorPackage.exe
548	UniProtectorPackage.exe
548	UniProtectorPackage.exe
548	UniProtectorPackage.exe
548	UniProtectorPackage.exe
548	UniProtectorPackage.exe
548	UniProtectorPackage.exe
548	UniProtectorPackage.exe
548	UniProtectorPackage.exe
4256	ReimagePackage.exe
4256	ReimagePackage.exe
4256	ReimagePackage.exe

Registers COM server for autorun 1 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\INPROCSERVER32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\INPROCSERVER32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\INPROCSERVER32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}\InprocServer32\ = "C:\\Program Files\\Reimage\\Reimage Repair\\REI_Axcontrol.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\InprocServer32\ = "C:\\Program Files\\Reimage\\Reimage Repair\\REI_Axcontrol.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\INPROCSERVER32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 8 IoCs

Process Discovery

T1057

pid	Process
1020	tasklist.exe
4388	tasklist.exe
4992	tasklist.exe
4508	tasklist.exe
3580	tasklist.exe
1588	tasklist.exe
1736	tasklist.exe
3488	tasklist.exe

Modifies data under HKEY_USERS 49 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	ReiGuard.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\REI_AxControl.ReiEngine.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\VersionIndependentProgID\ = "REI_AxControl.ReiEngine"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\MiscStatus\1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}\TypeLib\ = "{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\PROGID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT1.1 AUTHOR\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\OLESCRIPT	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\ = "_IReiEngineEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\ = "JScript Language"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\ = "JScript Language"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\ = "JScript Language Encoding"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT.COMPACT\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\ = "JScript Language"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\REI_AxControl.ReiEngine	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT.ENCODE\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\ = "JScript Language Encoding"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ = "JScript Compact Profile (ECMA 327)"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\REI_AxControl.ReiEngine\CLSID\ = "{10ECCE17-29B5-4880-A8F5-EAD298611484}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}\TypeLib\Version = "1.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\LIVESCRIPT AUTHOR\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\REI_AxControl.ReiEngine.1\CLSID\ = "{10ECCE17-29B5-4880-A8F5-EAD298611484}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0\HELPDIR\ = "C:\\Program Files\\Reimage\\Reimage Repair"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID\ = "JScript Author"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\OLESCRIPT	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\REI_AxControl.DLL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\ = "JScript Language"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT\OLESCRIPT	regsvr32.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	ReiGuard.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	ReiGuard.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	ReiGuard.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2252	ReiGuard.exe
2252	ReiGuard.exe
3572	ReiGuard.exe
3572	ReiGuard.exe
3572	ReiGuard.exe
3572	ReiGuard.exe
2252	ReiGuard.exe
2252	ReiGuard.exe
3572	ReiGuard.exe
3572	ReiGuard.exe
3572	ReiGuard.exe
3572	ReiGuard.exe
3572	ReiGuard.exe
3572	ReiGuard.exe
3572	ReiGuard.exe
3572	ReiGuard.exe
3572	ReiGuard.exe
3572	ReiGuard.exe
3572	ReiGuard.exe
3572	ReiGuard.exe
3572	ReiGuard.exe
3572	ReiGuard.exe
3572	ReiGuard.exe
3572	ReiGuard.exe
3572	ReiGuard.exe
3572	ReiGuard.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3580	tasklist.exe
Token: SeDebugPrivilege	1588	tasklist.exe
Token: SeDebugPrivilege	1736	tasklist.exe
Token: SeDebugPrivilege	3488	tasklist.exe
Token: SeDebugPrivilege	1020	tasklist.exe
Token: SeDebugPrivilege	4388	tasklist.exe
Token: SeDebugPrivilege	4992	tasklist.exe
Token: SeDebugPrivilege	4508	tasklist.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
316	ReimageApp.exe
524	Reimage.exe
316	ReimageApp.exe
316	ReimageApp.exe
316	ReimageApp.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
316	ReimageApp.exe
524	Reimage.exe
316	ReimageApp.exe
316	ReimageApp.exe
316	ReimageApp.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
524	Reimage.exe
524	Reimage.exe
524	Reimage.exe
524	Reimage.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4256 wrote to memory of 2432	4256	ReimagePackage.exe	92
PID 4256 wrote to memory of 2432	4256	ReimagePackage.exe	92
PID 4256 wrote to memory of 2432	4256	ReimagePackage.exe	92
PID 2432 wrote to memory of 3580	2432	cmd.exe	94
PID 2432 wrote to memory of 3580	2432	cmd.exe	94
PID 2432 wrote to memory of 3580	2432	cmd.exe	94
PID 4256 wrote to memory of 5036	4256	ReimagePackage.exe	96
PID 4256 wrote to memory of 5036	4256	ReimagePackage.exe	96
PID 4256 wrote to memory of 5036	4256	ReimagePackage.exe	96
PID 5036 wrote to memory of 1588	5036	cmd.exe	98
PID 5036 wrote to memory of 1588	5036	cmd.exe	98
PID 5036 wrote to memory of 1588	5036	cmd.exe	98
PID 4256 wrote to memory of 1868	4256	ReimagePackage.exe	106
PID 4256 wrote to memory of 1868	4256	ReimagePackage.exe	106
PID 4256 wrote to memory of 1868	4256	ReimagePackage.exe	106
PID 4256 wrote to memory of 1116	4256	ReimagePackage.exe	108
PID 4256 wrote to memory of 1116	4256	ReimagePackage.exe	108
PID 4256 wrote to memory of 1116	4256	ReimagePackage.exe	108
PID 4256 wrote to memory of 5012	4256	ReimagePackage.exe	110
PID 4256 wrote to memory of 5012	4256	ReimagePackage.exe	110
PID 4256 wrote to memory of 5012	4256	ReimagePackage.exe	110
PID 5012 wrote to memory of 1736	5012	cmd.exe	112
PID 5012 wrote to memory of 1736	5012	cmd.exe	112
PID 5012 wrote to memory of 1736	5012	cmd.exe	112
PID 4256 wrote to memory of 316	4256	ReimagePackage.exe	113
PID 4256 wrote to memory of 316	4256	ReimagePackage.exe	113
PID 4256 wrote to memory of 316	4256	ReimagePackage.exe	113
PID 316 wrote to memory of 3404	316	regsvr32.exe	114
PID 316 wrote to memory of 3404	316	regsvr32.exe	114
PID 4256 wrote to memory of 3900	4256	ReimagePackage.exe	116
PID 4256 wrote to memory of 3900	4256	ReimagePackage.exe	116
PID 4256 wrote to memory of 3900	4256	ReimagePackage.exe	116
PID 3900 wrote to memory of 1148	3900	regsvr32.exe	117
PID 3900 wrote to memory of 1148	3900	regsvr32.exe	117
PID 4256 wrote to memory of 1708	4256	ReimagePackage.exe	118
PID 4256 wrote to memory of 1708	4256	ReimagePackage.exe	118
PID 4256 wrote to memory of 1708	4256	ReimagePackage.exe	118
PID 1708 wrote to memory of 4484	1708	ProtectorUpdater.exe	119
PID 1708 wrote to memory of 4484	1708	ProtectorUpdater.exe	119
PID 1708 wrote to memory of 4484	1708	ProtectorUpdater.exe	119
PID 4484 wrote to memory of 3488	4484	cmd.exe	121
PID 4484 wrote to memory of 3488	4484	cmd.exe	121
PID 4484 wrote to memory of 3488	4484	cmd.exe	121
PID 1708 wrote to memory of 548	1708	ProtectorUpdater.exe	123
PID 1708 wrote to memory of 548	1708	ProtectorUpdater.exe	123
PID 1708 wrote to memory of 548	1708	ProtectorUpdater.exe	123
PID 548 wrote to memory of 5100	548	UniProtectorPackage.exe	124
PID 548 wrote to memory of 5100	548	UniProtectorPackage.exe	124
PID 548 wrote to memory of 5100	548	UniProtectorPackage.exe	124
PID 5100 wrote to memory of 1020	5100	cmd.exe	126
PID 5100 wrote to memory of 1020	5100	cmd.exe	126
PID 5100 wrote to memory of 1020	5100	cmd.exe	126
PID 548 wrote to memory of 1712	548	UniProtectorPackage.exe	127
PID 548 wrote to memory of 1712	548	UniProtectorPackage.exe	127
PID 548 wrote to memory of 1712	548	UniProtectorPackage.exe	127
PID 1712 wrote to memory of 4388	1712	cmd.exe	129
PID 1712 wrote to memory of 4388	1712	cmd.exe	129
PID 1712 wrote to memory of 4388	1712	cmd.exe	129
PID 548 wrote to memory of 2252	548	UniProtectorPackage.exe	130
PID 548 wrote to memory of 2252	548	UniProtectorPackage.exe	130
PID 3572 wrote to memory of 60	3572	ReiGuard.exe	132
PID 3572 wrote to memory of 60	3572	ReiGuard.exe	132
PID 4256 wrote to memory of 680	4256	ReimagePackage.exe	133
PID 4256 wrote to memory of 680	4256	ReimagePackage.exe	133

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe
"C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe"
1⤵
- Adds Run key to start application
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4256
- C:\Windows\SysWOW64\cmd.exe
  cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "IMAGENAME eq Reimage.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3580
- C:\Windows\SysWOW64\cmd.exe
  cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "IMAGENAME eq avupdate.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1588
- C:\Program Files\Reimage\Reimage Repair\lzma.exe
  "C:\Program Files\Reimage\Reimage Repair\lzma.exe" "d" "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.lza" "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll"
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  PID:1868
- C:\Program Files\Reimage\Reimage Repair\lzma.exe
  "C:\Program Files\Reimage\Reimage Repair\lzma.exe" "d" "C:\Program Files\Reimage\Reimage Repair\REI_Engine.lza" "C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll"
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  PID:1116
- C:\Windows\SysWOW64\cmd.exe
  cmd /C tasklist /FI "IMAGENAME eq REI_avira.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "IMAGENAME eq REI_avira.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1736
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:3404
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s "C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll"
    3⤵
    - Loads dropped DLL
    PID:1148
- C:\Users\Admin\AppData\Local\Temp\nsq3A66.tmp\ProtectorUpdater.exe
  "C:\Users\Admin\AppData\Local\Temp\nsq3A66.tmp\ProtectorUpdater.exe" /S /MinorSessionID=07307ee59dbc447c8ad59fd370 /SessionID=0 /TrackID= /AgentLogLocation=C:\rei\Results\Agent /CflLocation=C:\rei\cfl.rei /Install=True /DownloaderVersion=1956 /Iav=False
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C tasklist /FI "IMAGENAME eq UniProtectorPackage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4484
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq UniProtectorPackage.exe"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3488
- - C:\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe
    "C:\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe" /S /MinorSessionID=07307ee59dbc447c8ad59fd370 /SessionID=08449618-2811-47cc-b036-496d0e8e022f /Install=true /UpdateOnly=default /InstallPath= /Iav=False /SessionOk=true
    3⤵
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:548
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C tasklist /FI "IMAGENAME eq ReiScanner.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5100
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq ReiScanner.exe"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C tasklist /FI "IMAGENAME eq ReiProtectorM.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1712
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq ReiProtectorM.exe"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4388
  - - C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe
      "C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe" -install
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      PID:2252
- C:\Windows\SysWOW64\cmd.exe
  cmd /C tasklist /FI "IMAGENAME eq ReiGuard.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
  2⤵
  PID:680
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "IMAGENAME eq ReiGuard.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4992
- C:\Windows\SysWOW64\cmd.exe
  cmd /C tasklist /FI "IMAGENAME eq ReimageApp.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
  2⤵
  PID:2320
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "IMAGENAME eq ReimageApp.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4508
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Delete /TN ReimageUpdater /F
  2⤵
  PID:4352
- C:\Program Files\Reimage\Reimage Protector\ReimageApp.exe
  "C:\Program Files\Reimage\Reimage Protector\ReimageApp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:316
- C:\Windows\SYSTEM32\regsvr32.exe
  regsvr32 /s "C:\Windows\system32\jscript.dll"
  2⤵
  - Registers COM server for autorun
  - Modifies registry class
  PID:1384
- C:\Program Files\Reimage\Reimage Repair\Reimage.exe
  "C:\Program Files\Reimage\Reimage Repair\Reimage.exe" /DEFAULT /Locale=1033
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:5036

C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe
"C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3572
- C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe
  "C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe"
  2⤵
  - Executes dropped EXE
  PID:60
- C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe
  commadnlinetogetexplorerhistory 3600 "C:\Users\Admin\AppData\Local\Temp\240776109_file.txt"
  2⤵
  - Executes dropped EXE
  PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Reimage\Reimage Protector\ReimageApp.exe

Filesize
261KB

MD5
88d21bbe0c15959cd71274ed6198804e

SHA1
eeca578e046963b359c9a124fe993347ce5b2fb3

SHA256
037a67a221096c076d162d5f0f3ad5720ed0d49308d041dea235c5785a557565

SHA512
66e4bf84706c69e49526529643911d92aa6be19fc7839c27e07b4d38fcf6648744b738ecb2e26adf83f9132c9a73bf734b4986ef21831224f8151f6b3be53e82

Download Submit
C:\Program Files\Reimage\Reimage Repair\LZMA.EXE

Filesize
99KB

MD5
a59ab79ec748d1da70e326b49b8aa820

SHA1
145d254525c6b41251733953e3d4e00e3370f0fd

SHA256
871361690289c50c81a6e38c28914121adceab3ff0ba93d043f1cc4e59635955

SHA512
5cd4fdfe9e20151313814551a36ab0aab8881fc1b12b5c41e0ccd64d6f4980e908b3493efd569964ce63290853785c10b151285ab19b37c7d3a411b5461275b9

Download Submit
C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll

Filesize
517KB

MD5
9fc5eab5cb90d5d3c1495dae779df986

SHA1
15347cb02ff6c04ee957a6f861a390c56a3fd8ca

SHA256
aa5d2d054b67847257926d95b8a8645799fb19d06a28473c8c18fdf4ad0b94d6

SHA512
37d24bd3fe80cffd8c650bcd724263be42460d18e2547da42dcfd7fba88adec98c01ac2122677af9b0338d7ebb74c535226b77fb17852413d565bb01bfa910da

Download Submit
C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.lza

Filesize
142KB

MD5
cd517a6523aeae7755380415214ecdd1

SHA1
dc94e7bfc2157c022eaef55b9132403a938e77c2

SHA256
92e59cf5a5f93b94011e2f1119ea9ab421177749fb7439e1017f6e37d4ec6ff0

SHA512
0076816a01acfc24d37a4a4729f6b9c18353ee3c1ceef2d7b8138d079f9237ea83e8b6a09df95ff9c0321ad42d249c25b6278e974ecddabfcf6b98600c46cfaf

Download Submit
C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll

Filesize
11.4MB

MD5
85912149fdd8098d6ae2a183f8b18ea3

SHA1
23afc9e77e9731fc416abe91b1e5cae3eeeeb8c9

SHA256
41218635867d1c1ec4ff045e29a908aa9e0006c760cbb057302b2fb92b295181

SHA512
63fdc4186358110d1d80fe10a01bd476eefb0a08ae931f54c234c635cb9524143afb0f91dcb1044b7402f9b8135f788afdda9896ae344bf9bb010e3228354236

Download Submit
C:\Program Files\Reimage\Reimage Repair\REI_Engine.lza

Filesize
3.7MB

MD5
f8f13a4be08dd40baeced5083d12e0aa

SHA1
bb513d5a2833555b26c4493b80d7de4c9cd1e773

SHA256
f3f76537f7a71cc15458c527b56724a9c508c817fae6cb5b70005ef2d17b99ec

SHA512
c99a1992f1dc2f97d0460d0a28d400aba424131fe2e5b742faa2701fa6e278e6d3d954c0e21d0051915877b52b3bc208ff9f899600d395e8ab4e64576a3dbbc1

Download Submit
C:\Program Files\Reimage\Reimage Repair\Reimage.exe

Filesize
7.0MB

MD5
565319f9015978e86083f9cfbe81f3c5

SHA1
9ec39e7268ff6bccb65fd29a37cff66fccc0f461

SHA256
a42f5b0735c4e6dec3832ef8cc7c76884cc086e7323a2d03728f261936beb325

SHA512
ace0f3d19d7c2a4d2e357b9aefba35960e4513258679750d577b6f20755fe8b885b874e8f807aabf69e806ca21177c5d3dd55f9b1c001fd493a83f04532e5e75

Download Submit
C:\Program Files\Reimage\Reimage Repair\ReimageRepair.exe

Filesize
572KB

MD5
f5af9d859c9a031ab6bea66048fab6e1

SHA1
d0ee45d3534cc23cbd0d7c3765203ed926a7eb0a

SHA256
4efd1bc1bdc12da1bbdc597cf3f37f0c65e582f42e353cf781ac1fe422dfa68c

SHA512
c771c3e7ef88116168b9e3e0d0e4dbb2f2ad03dec0a87b9d3427faf7edb0a2510bb80dcb57b50fb6bcb9f683f23d876f35dc91a85006973bdb3fec41d51145a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\events4mem[1].htm

Filesize
2B

MD5
444bcb3a3fcf8389296c49467f27e1d6

SHA1
7a85f4764bbd6daf1c3545efbbf0f279a6dc0beb

SHA256
2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df

SHA512
9fbbbb5a0f329f9782e2356fa41d89cf9b3694327c1a934d6af2a9df2d7f936ce83717fb513196a4ce5548471708cd7134c2ae99b3c357bcabb2eafc7b9b7570

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

Filesize
64B

MD5
dea052a2ad11945b1960577c0192f2eb

SHA1
1d02626a05a546a90c05902b2551f32c20eb3708

SHA256
943b315e065238b7073b033f534ef954b6b6461fb3f03a3f5b8555b11bc4c0a2

SHA512
5496b10e2a77aee11055d71bdaaed835df1770e85fa4d0f9433330470bbcf76c932c04778a0b47f4193eee14813db2e2b19ecc50b4a6a193faa19b4019705917

Download Submit
C:\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe

Filesize
6.0MB

MD5
0a21dab75a58f818abae4b824087a1e8

SHA1
6f0798ff9b9128233c1fb7b641332730b1702535

SHA256
99ebcdeab3f755f402bce0d8b59a736056b64e0db96d486466735d23ec856b86

SHA512
1ebfe810e2bd693bea4899f00d438bc0032abe15d47c4241fec14183bb45882185999f232a126ad885c51e9b6e9468e8333ed453880777a94b4545e88d7648a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfl.rei

Filesize
971KB

MD5
41b797743d2d08233b680501b086d669

SHA1
e19aaa402c3e6fedbf4f8cfd0256b537cb001ca5

SHA256
5805c8a496c13e9085f624a9c4f20188587d7b13d9c3e5f79f0f78367df74cf5

SHA512
13fbcc4d53c65ce1b09fb6fa088824384659a9d4bcf1713ce8c75caa08a0f3df9e14061d42f4696608547b326a6fd1ef18fa92cbd3e3016559630d2e57358b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_version.xml

Filesize
2KB

MD5
919d48cafc7b57dfb2c01f986da92f61

SHA1
df594b0569821ab449a05ae9824d0f7965308536

SHA256
0e303a2be594711cd28768e44d98edbeabe110acce0f4c76da4c842d1db55686

SHA512
039eb656f0335a4f4e230768c51749a589c5d98c89506c619b6bac40f59bf22a8ac56419f6c04c42e6c8e0072546028489e4b8bff218d151779c5e9fed962a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq3A66.tmp\DcryptDll.dll

Filesize
156KB

MD5
4c373143ee342a75b469e0748049cd24

SHA1
d4e0e5155e78b99ec9459136acece2364bc2e935

SHA256
b4b5772a893e56aa5382aa3f0fef7837fa471e3b3e46db70b8bc702f2037e589

SHA512
569f92c3ff9a6e105cf9b3806d8b696442a5679dfa5d7c9362b0649a67cbea2478ca28a5da6c3bd0edacdb634509d8584c6959a4cc13c38d596458f372832f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq3A66.tmp\LogEx.dll

Filesize
44KB

MD5
0f96d9eb959ad4e8fd205e6d58cf01b8

SHA1
7c45512cbdb24216afd23a9e8cdce0cfeaa7660f

SHA256
57ede354532937e38c4ae9da3710ee295705ea9770c402dfb3a5c56a32fd4314

SHA512
9f3afb61d75ac7b7dc84abcbf1b04f759b7055992d46140dc5dcc269aed22268d044ee8030f5ea260bbb912774e5bbb751560c16e54efa99c700b9fc7d48832c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq3A66.tmp\ProtectorUpdater.exe

Filesize
371KB

MD5
7aa7e8423194f3edf6d1d82ade82acb3

SHA1
a4ca6d67fc43dd742e87b4c82237cdc8b1bb22d9

SHA256
1ba53128ef67d7e355b2e44c90c4bfe3dddff4546ad4e9c75e249d4850250361

SHA512
e5fc8a1b515f41f60810ec12f5e36263c889c60b06c6b94450eec910a32ba91fba74bd757d54966d657d37a5ca3c5e9bb23f58f3de4255c276e046b6f1be28bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq3A66.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq3A66.tmp\inetc.dll

Filesize
31KB

MD5
5da9df435ff20853a2c45026e7681cef

SHA1
39b1d70a7a03e7c791cb21a53d82fd949706a4b4

SHA256
9c52c74b8e115db0bde90f56382ebcc12aff05eb2232f80a4701e957e09635e2

SHA512
4ab3b1572485a8a11863adada2c6ec01e809a4b09f99d80903c79a95b91f299b8f2cd6cceaa915567e155a46291a33fb8ccb95141d76d4e7b0e040890d51d09f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq3A66.tmp\nsExec.dll

Filesize
6KB

MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq3A66.tmp\stack.dll

Filesize
10KB

MD5
867af9bea8b24c78736bf8d0fdb5a78e

SHA1
05839fad98aa2bcd9f6ecb22de4816e0c75bf97d

SHA256
732164fb36f46dd23dafb6d7621531e70f1f81e2967b3053727ec7b5492d0ae9

SHA512
b7f54d52ff08b29a04b4f5887e6e3ae0e74fa45a86e55e0a4d362bc3603426c42c1d6a0b2fc2ef574bec0f6c7152de756ff48415e37ae6a7a9c296303562df4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq3A66.tmp\xml.dll

Filesize
182KB

MD5
ebce8f5e440e0be57665e1e58dfb7425

SHA1
573dc1abd2b03512f390f569058fd2cf1d02ce91

SHA256
d1aaacc0aaf477b6b9f084697adcb444fc2333b32e8d99d224dca89516e762a7

SHA512
4786c9124973b6543d7291047d4c4a06c05282a3766212dbd3b8ce9b9560afddca20c491f791db2258c14ab767d5d3f480daa4706492949eae2ceb4a35aaef85

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrC793.tmp\SimpleSC.dll

Filesize
39KB

MD5
3f1be1321461c7b7a3b4322391c818f0

SHA1
f59b7a1e65f60a446f4355e22f0a10bddec3d21b

SHA256
3d7a8cf88fbed3417ff7bf998188f830c2f52da4e9a36da3edb438310ad1b1cd

SHA512
2f11c28694746ad8dcbd1e04988d682152986f81959a425aab542483872aa5e30eadb36af0838f5301867279687b2c4b6417bd4b93053dcab6a13b6802164bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstA5C2.tmp\AccessControl.dll

Filesize
8KB

MD5
65d017ba65785b43720de6c9979a2e8c

SHA1
0aed2846e1b338077bae5a7f756c345a5c90d8a9

SHA256
ccc6aaf1071d9077475b574d9bf1fc23de40a06547fc90cf4255a44d3bf631ac

SHA512
31a19105892d5a9b49eb81a90a2330c342a5504fa4940b99a12279a63e1a19ee5d4b257d0900794ff7021a09408995a5d12e95cc38f09cf12fb2fd860d205c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstA5C2.tmp\UserInfo.dll

Filesize
4KB

MD5
c7ce0e47c83525983fd2c4c9566b4aad

SHA1
38b7ad7bb32ffae35540fce373b8a671878dc54e

SHA256
6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

SHA512
ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

Download Submit
C:\Windows\Reimage.ini

Filesize
64B

MD5
f1a20ed4e7b91c00f105bf00ba650069

SHA1
05459f7722c34b33850c0207bb916739041aabcb

SHA256
f873527ad7fa12a2d276cc6953c0755e4d3e976567a4252093c1fe3ad401955f

SHA512
504c1f1e1c2e56dee8e9add33e4a9c05c75fce65299fdf38f5e3cd612c06b3b348829c033bc1f0281a278e9e87b2f256702d8d1d5ec0a2666fffaed0e5252426

Download Submit
C:\Windows\Reimage.ini

Filesize
99B

MD5
f53cbf0198b49733a5e74de6ae928afd

SHA1
fe6967b3d3d82c0d5cb651a7289b232f22977340

SHA256
786db4fab30e3c0755f55cde91317138ac8e24cda72fa929c10b37a3903a072d

SHA512
5448d7f77a78b336c588bc32f57e04807f7709d76a5f7fe3b84104c9b75984795463bc3a5c36ab8b076c80a72b37b5cbd222d69bc383532a3273c04a5421e9f3

Download Submit
C:\Windows\Temp\Local State

Filesize
128KB

MD5
f31c226181d5003872a77331412bed4a

SHA1
62866288f57a80062b34cc5196b176c5b423eaff

SHA256
06e262e39414d59267e5e1116442365b69e81cce82d89727c3a22b1593254c7b

SHA512
157364b8f240e2c0be11bab81a0b31bfce97c59f3ae917d5b1d93db94a07b18eeea54417ba983f53d73741bfae3088b359d59875cb900b54b609dd32c42f395d

Download Submit
C:\Windows\Temp\Secure Preferences

Filesize
10KB

MD5
b02a40a554ba541d09bb65338525fbc9

SHA1
755ab4322d7ae4d1c3c14adf8818eed12ce81208

SHA256
08d6ca9f2c24148cf9fbb1abfef439d27645df5db34b52913ce9f4723cce60d0

SHA512
361982eed15cacf44cab7c125143bfcf0176b697e7186eaf7a5a9aecdf929b97e724a186d8e5260bd930c92c8044b14bd4066f80e2ed1b9b9f916e681af06025

Download Submit
memory/524-586-0x0000019CA2820000-0x0000019CA3E97000-memory.dmp

Filesize
22.5MB

Download
memory/524-515-0x0000019CA2820000-0x0000019CA3E97000-memory.dmp

Filesize
22.5MB

Download
memory/524-517-0x0000019CA2820000-0x0000019CA3E97000-memory.dmp

Filesize
22.5MB

Download
memory/524-587-0x0000019CA2820000-0x0000019CA3E97000-memory.dmp

Filesize
22.5MB

Download
memory/524-516-0x0000019CA2820000-0x0000019CA3E97000-memory.dmp

Filesize
22.5MB

Download
memory/524-588-0x0000019CA2820000-0x0000019CA3E97000-memory.dmp

Filesize
22.5MB

Download
memory/524-514-0x0000019CA2820000-0x0000019CA3E97000-memory.dmp

Filesize
22.5MB

Download
memory/548-341-0x00000000025E0000-0x00000000025EB000-memory.dmp

Filesize
44KB

Download
memory/1708-216-0x0000000002A00000-0x0000000002A0B000-memory.dmp

Filesize
44KB

Download
memory/1708-326-0x0000000073940000-0x000000007394B000-memory.dmp

Filesize
44KB

Download
memory/1708-196-0x0000000073940000-0x000000007394B000-memory.dmp

Filesize
44KB

Download
memory/4256-447-0x0000000000E70000-0x0000000000E7B000-memory.dmp

Filesize
44KB

Download
memory/4256-430-0x00000000009A0000-0x00000000009AB000-memory.dmp

Filesize
44KB

Download
memory/4256-411-0x0000000000980000-0x000000000098B000-memory.dmp

Filesize
44KB

Download
memory/4256-137-0x00000000051D0000-0x00000000051DB000-memory.dmp

Filesize
44KB

Download
memory/4256-40-0x00000000050B0000-0x00000000050BB000-memory.dmp

Filesize
44KB

Download