62785bfab54aff8b4099c82fb0e47513803f90b424fe7aa60c4c3130e43094cd

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
15/06/2024, 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
Size

12.8MB
MD5

ad1af65ae75d3d4a3720b8f1a57e03fb
SHA1

569b5add3e119a317fa0414fb17f6546a0e17628
SHA256

62785bfab54aff8b4099c82fb0e47513803f90b424fe7aa60c4c3130e43094cd
SHA512

ee907d8173a961a39e6c0c41541960679c2fb84406f5be3cd62a0c7253a3ae96839d0d5a8b265f41bb4306450fb7e0cdf61874df61f88726922464f0125a0cd1
SSDEEP

393216:61MRhCobRSmt1QaoHR6iCqAddRpqqvMW99LHDlXOlK:66OWuao3CqAd7RvMWnx+A

Score

7^/10

discovery execution persistence spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00060000000174a5-156.dat	acprotect

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/692-158-0x0000000074180000-0x000000007418B000-memory.dmp	upx
behavioral1/files/0x00060000000174a5-156.dat	upx

Downloads MZ/PE file

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	ReiExpressContainer.exe
File opened (read-only)	\??\O:	ReiExpressContainer.exe
File opened (read-only)	\??\R:	ReiExpressContainer.exe
File opened (read-only)	\??\S:	ReiExpressContainer.exe
File opened (read-only)	\??\T:	ReiExpressContainer.exe
File opened (read-only)	\??\W:	ReiExpressContainer.exe
File opened (read-only)	\??\A:	ReiExpressContainer.exe
File opened (read-only)	\??\E:	ReiExpressContainer.exe
File opened (read-only)	\??\I:	ReiExpressContainer.exe
File opened (read-only)	\??\K:	ReiExpressContainer.exe
File opened (read-only)	\??\N:	ReiExpressContainer.exe
File opened (read-only)	\??\V:	ReiExpressContainer.exe
File opened (read-only)	\??\Z:	ReiExpressContainer.exe
File opened (read-only)	\??\B:	ReiExpressContainer.exe
File opened (read-only)	\??\G:	ReiExpressContainer.exe
File opened (read-only)	\??\P:	ReiExpressContainer.exe
File opened (read-only)	\??\Q:	ReiExpressContainer.exe
File opened (read-only)	\??\X:	ReiExpressContainer.exe
File opened (read-only)	\??\Y:	ReiExpressContainer.exe
File opened (read-only)	\??\J:	ReiExpressContainer.exe
File opened (read-only)	\??\L:	ReiExpressContainer.exe
File opened (read-only)	\??\M:	ReiExpressContainer.exe
File opened (read-only)	\??\U:	ReiExpressContainer.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	ReiGuard.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\reimageavmem[1].htm	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_64D9959813551C5DD3E92A0D7CBC5829	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_64D9959813551C5DD3E92A0D7CBC5829	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB	ReiGuard.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	ReiGuard.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File created	C:\Program Files\Reimage\Reimage Express\ReimageExpress.exe	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Reimage\Reimage Express\ReiEngine.lza	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
File created	C:\Program Files\Reimage\Reimage Express\expressicon.ico	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
File created	C:\Program Files\Reimage\Reimage Protector\REI_AVIRA.exe	ProtectorAvPackage.exe
File created	C:\Program Files\Reimage\Reimage Express\ReiEngine.lza	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
File created	C:\Program Files\Reimage\Reimage Protector\ReiProtectorM.exe	UniProtectorPackage.exe
File created	C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe	UniProtectorPackage.exe
File created	C:\Program Files\Reimage\Reimage Protector\ProtectorUpdater.exe	UniProtectorPackage.exe
File created	C:\Program Files\Reimage\Reimage Express\ReimageExpress.dat	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
File created	C:\Program Files\Reimage\Reimage Express\REI_Engine.lza	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
File created	C:\Program Files\Reimage\Reimage Express\REI_Engine.dll	lzma.exe
File created	C:\Program Files\Reimage\Reimage Express\LanguageSelect.exe	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
File created	C:\Program Files\Reimage\Reimage Protector\ReiScanner.exe	UniProtectorPackage.exe
File created	C:\Program Files\Reimage\Reimage Express\uninst.exe	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
File created	C:\Program Files\Reimage\Reimage Express\ReimageReminder.exe	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
File created	C:\Program Files\Reimage\Reimage Express\engine.dat	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Reimage\Reimage Express\REI_Engine.lza	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Reimage\Reimage Express\Reimage Express.url	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
File created	C:\Program Files\Reimage\Reimage Express\ReiEngine.dll	lzma.exe
File opened for modification	C:\Program Files\Reimage\Reimage Express\engine.dat	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
File created	C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe	UniProtectorPackage.exe
File created	C:\Program Files\Reimage\Reimage Protector\savapi.dll	ProtectorAvPackage.exe
File created	C:\Program Files\Reimage\Reimage Protector\msvcr120.dll	ProtectorAvPackage.exe
File created	C:\Program Files\Reimage\Reimage Express\LZMA.EXE	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
File created	C:\Program Files\Reimage\Reimage Express\ReiExpressContainer.exe	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Reimage\Reimage Express\ReimageExpress.dat	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
File created	C:\Program Files\Reimage\Reimage Express\reimagewebsite.ico	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Reimage.ini	ProtectorUpdater.exe
File opened for modification	C:\Windows\Reimage.ini	UniProtectorPackage.exe
File opened for modification	C:\Windows\reimage.ini	ReiExpressContainer.exe

Executes dropped EXE 9 IoCs

pid	Process
2452	lzma.exe
2504	lzma.exe
692	ProtectorUpdater.exe
1104	UniProtectorPackage.exe
2788	ProtectorAvPackage.exe
848	ReiGuard.exe
1280	ReiGuard.exe
2960	ReiSystem.exe
1348	ReiExpressContainer.exe

Loads dropped DLL 64 IoCs

pid	Process
2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
2316	regsvr32.exe
2148	regsvr32.exe
2148	regsvr32.exe
1648	regsvr32.exe
2344	regsvr32.exe
2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
692	ProtectorUpdater.exe
692	ProtectorUpdater.exe
692	ProtectorUpdater.exe
692	ProtectorUpdater.exe
692	ProtectorUpdater.exe
692	ProtectorUpdater.exe
692	ProtectorUpdater.exe
692	ProtectorUpdater.exe
692	ProtectorUpdater.exe
692	ProtectorUpdater.exe
692	ProtectorUpdater.exe
692	ProtectorUpdater.exe
1104	UniProtectorPackage.exe
1104	UniProtectorPackage.exe
1104	UniProtectorPackage.exe
1104	UniProtectorPackage.exe
1104	UniProtectorPackage.exe
1104	UniProtectorPackage.exe
1104	UniProtectorPackage.exe
1104	UniProtectorPackage.exe
1104	UniProtectorPackage.exe
1104	UniProtectorPackage.exe
1104	UniProtectorPackage.exe
1104	UniProtectorPackage.exe
1104	UniProtectorPackage.exe
1104	UniProtectorPackage.exe
1104	UniProtectorPackage.exe
2788	ProtectorAvPackage.exe
2788	ProtectorAvPackage.exe
2788	ProtectorAvPackage.exe
2788	ProtectorAvPackage.exe
2788	ProtectorAvPackage.exe
2788	ProtectorAvPackage.exe
1104	UniProtectorPackage.exe
1104	UniProtectorPackage.exe
1280	ReiGuard.exe
1104	UniProtectorPackage.exe
1104	UniProtectorPackage.exe

Registers COM server for autorun 1 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B1B440F-A9DB-46e3-ADCF-AA6E08143FB8}\InprocServer32\ = "C:\\Program Files\\Reimage\\Reimage Express\\ReiEngine.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B1B440F-A9DB-46e3-ADCF-AA6E08143FB8}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\INPROCSERVER32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{09CFDB88-F9F0-40ba-885E-F47A957D12E6}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B1B440F-A9DB-46e3-ADCF-AA6E08143FB8}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\INPROCSERVER32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{09CFDB88-F9F0-40ba-885E-F47A957D12E6}\InprocServer32\ = "C:\\Program Files\\Reimage\\Reimage Express\\ReiEngine.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{09CFDB88-F9F0-40ba-885E-F47A957D12E6}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\INPROCSERVER32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\INPROCSERVER32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll"	regsvr32.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ReiExpressContainer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ManufacturerIdentifier	ReiExpressContainer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ReiExpressContainer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ReiExpressContainer.exe

Enumerates processes with tasklist 1 TTPs 8 IoCs

Process Discovery

T1057

pid	Process
3008	tasklist.exe
1120	tasklist.exe
2864	tasklist.exe
1748	tasklist.exe
856	tasklist.exe
2956	tasklist.exe
1132	tasklist.exe
1644	tasklist.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate	ReiExpressContainer.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ReiExpressContainer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	ReiExpressContainer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ReiExpressContainer.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	ReiGuard.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	ReiGuard.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	ReiGuard.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3F6778D6-6084-4C66-927A-DC2A42130F35}\0a-fd-43-05-e3-85	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ReiGuard.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3F6778D6-6084-4C66-927A-DC2A42130F35}\WpadNetworkName = "Network 3"	ReiGuard.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3F6778D6-6084-4C66-927A-DC2A42130F35}\WpadDecisionReason = "1"	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-fd-43-05-e3-85	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	ReiGuard.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-fd-43-05-e3-85\WpadDecisionReason = "1"	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ReiGuard.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	ReiGuard.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher	ReiGuard.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0046000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3F6778D6-6084-4C66-927A-DC2A42130F35}	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	ReiGuard.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-fd-43-05-e3-85\WpadDecisionTime = 8096fb2beabeda01	ReiGuard.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3F6778D6-6084-4C66-927A-DC2A42130F35}\WpadDecisionTime = 8096fb2beabeda01	ReiGuard.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3F6778D6-6084-4C66-927A-DC2A42130F35}\WpadDecision = "0"	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	ReiGuard.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-fd-43-05-e3-85\WpadDecision = "0"	ReiGuard.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	ReiGuard.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{09CFDB88-F9F0-40ba-885E-F47A957D12E6}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}\TypeLib\Version = "1.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\REI_AxControl.ReiEngine.1\CLSID\ = "{2B1B440F-A9DB-46e3-ADCF-AA6E08143FB8}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B1B440F-A9DB-46e3-ADCF-AA6E08143FB8}\MiscStatus\1\ = "132497"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\ = "_IReiEngineEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\ = "JScript Language"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\REI_AxControl.ReiEngine\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\ = "JScript Language Authoring"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B1B440F-A9DB-46e3-ADCF-AA6E08143FB8}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\TypeLib\ = "{F8A4FC32-DDA3-4DD9-8C62-49F778FF630B}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{0AEE2A92-BCBB-11D0-8C72-00C04FC2B085}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\ = "JScript Language Authoring"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\CLSID\ = "{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B1B440F-A9DB-46e3-ADCF-AA6E08143FB8}\ProgID\ = "REI_AxControl.ReiEngine.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\ = "JScript Language"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\ = "JScript Compact Profile (ECMA 327)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{09CFDB88-F9F0-40ba-885E-F47A957D12E6}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\ = "JScript Language Encoding"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B1B440F-A9DB-46e3-ADCF-AA6E08143FB8}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8A4FC32-DDA3-4DD9-8C62-49F778FF630B}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\TypeLib\Version = "1.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B1B440F-A9DB-46e3-ADCF-AA6E08143FB8}\ToolboxBitmap32\ = "C:\\Program Files\\Reimage\\Reimage Express\\ReiEngine.dll, 102"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID\ = "JScript"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\OLESCRIPT	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID\ = "{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\INPROCSERVER32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B1B440F-A9DB-46e3-ADCF-AA6E08143FB8}\ = "ReiEngine Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8A4FC32-DDA3-4DD9-8C62-49F778FF630B}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\TypeLib\Version = "1.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript	regsvr32.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	ReiGuard.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ReiExpressContainer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	ReiGuard.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	ReiGuard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	ReiExpressContainer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ReiExpressContainer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ReiExpressContainer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	ReiExpressContainer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	ReiExpressContainer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	ReiExpressContainer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54362000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	ReiExpressContainer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 1900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd90b000000010000001200000044006900670069004300650072007400000014000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd155090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	ReiExpressContainer.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1280	ReiGuard.exe
1280	ReiGuard.exe
1280	ReiGuard.exe
2960	ReiSystem.exe
1280	ReiGuard.exe
1280	ReiGuard.exe
1348	ReiExpressContainer.exe
1348	ReiExpressContainer.exe
1348	ReiExpressContainer.exe
1348	ReiExpressContainer.exe
1280	ReiGuard.exe
1280	ReiGuard.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
480	Process not Found

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	3008	tasklist.exe
Token: SeDebugPrivilege	1120	tasklist.exe
Token: SeDebugPrivilege	2864	tasklist.exe
Token: SeDebugPrivilege	1748	tasklist.exe
Token: SeDebugPrivilege	856	tasklist.exe
Token: SeDebugPrivilege	2956	tasklist.exe
Token: SeDebugPrivilege	1132	tasklist.exe
Token: SeDebugPrivilege	1644	tasklist.exe
Token: SeBackupPrivilege	1348	ReiExpressContainer.exe
Token: SeRestorePrivilege	1348	ReiExpressContainer.exe
Token: SeTakeOwnershipPrivilege	1348	ReiExpressContainer.exe
Token: SeDebugPrivilege	1348	ReiExpressContainer.exe
Token: SeBackupPrivilege	1348	ReiExpressContainer.exe
Token: SeBackupPrivilege	1348	ReiExpressContainer.exe
Token: SeSecurityPrivilege	1348	ReiExpressContainer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1348	ReiExpressContainer.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1348	ReiExpressContainer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1348	ReiExpressContainer.exe
1348	ReiExpressContainer.exe
1348	ReiExpressContainer.exe
1348	ReiExpressContainer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 820	2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe	28
PID 2216 wrote to memory of 820	2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe	28
PID 2216 wrote to memory of 820	2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe	28
PID 2216 wrote to memory of 820	2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe	28
PID 820 wrote to memory of 3008	820	cmd.exe	30
PID 820 wrote to memory of 3008	820	cmd.exe	30
PID 820 wrote to memory of 3008	820	cmd.exe	30
PID 820 wrote to memory of 3008	820	cmd.exe	30
PID 2216 wrote to memory of 2452	2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe	32
PID 2216 wrote to memory of 2452	2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe	32
PID 2216 wrote to memory of 2452	2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe	32
PID 2216 wrote to memory of 2452	2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe	32
PID 2216 wrote to memory of 2504	2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe	35
PID 2216 wrote to memory of 2504	2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe	35
PID 2216 wrote to memory of 2504	2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe	35
PID 2216 wrote to memory of 2504	2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe	35
PID 2216 wrote to memory of 2316	2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe	37
PID 2216 wrote to memory of 2316	2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe	37
PID 2216 wrote to memory of 2316	2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe	37
PID 2216 wrote to memory of 2316	2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe	37
PID 2216 wrote to memory of 2316	2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe	37
PID 2216 wrote to memory of 2316	2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe	37
PID 2216 wrote to memory of 2316	2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe	37
PID 2316 wrote to memory of 2148	2316	regsvr32.exe	38
PID 2316 wrote to memory of 2148	2316	regsvr32.exe	38
PID 2316 wrote to memory of 2148	2316	regsvr32.exe	38
PID 2316 wrote to memory of 2148	2316	regsvr32.exe	38
PID 2316 wrote to memory of 2148	2316	regsvr32.exe	38
PID 2316 wrote to memory of 2148	2316	regsvr32.exe	38
PID 2316 wrote to memory of 2148	2316	regsvr32.exe	38
PID 2216 wrote to memory of 1648	2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe	39
PID 2216 wrote to memory of 1648	2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe	39
PID 2216 wrote to memory of 1648	2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe	39
PID 2216 wrote to memory of 1648	2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe	39
PID 2216 wrote to memory of 1648	2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe	39
PID 2216 wrote to memory of 1648	2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe	39
PID 2216 wrote to memory of 1648	2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe	39
PID 1648 wrote to memory of 2344	1648	regsvr32.exe	40
PID 1648 wrote to memory of 2344	1648	regsvr32.exe	40
PID 1648 wrote to memory of 2344	1648	regsvr32.exe	40
PID 1648 wrote to memory of 2344	1648	regsvr32.exe	40
PID 1648 wrote to memory of 2344	1648	regsvr32.exe	40
PID 1648 wrote to memory of 2344	1648	regsvr32.exe	40
PID 1648 wrote to memory of 2344	1648	regsvr32.exe	40
PID 2216 wrote to memory of 692	2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe	42
PID 2216 wrote to memory of 692	2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe	42
PID 2216 wrote to memory of 692	2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe	42
PID 2216 wrote to memory of 692	2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe	42
PID 2216 wrote to memory of 692	2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe	42
PID 2216 wrote to memory of 692	2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe	42
PID 2216 wrote to memory of 692	2216	ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe	42
PID 692 wrote to memory of 1136	692	ProtectorUpdater.exe	43
PID 692 wrote to memory of 1136	692	ProtectorUpdater.exe	43
PID 692 wrote to memory of 1136	692	ProtectorUpdater.exe	43
PID 692 wrote to memory of 1136	692	ProtectorUpdater.exe	43
PID 1136 wrote to memory of 1120	1136	cmd.exe	45
PID 1136 wrote to memory of 1120	1136	cmd.exe	45
PID 1136 wrote to memory of 1120	1136	cmd.exe	45
PID 1136 wrote to memory of 1120	1136	cmd.exe	45
PID 692 wrote to memory of 1104	692	ProtectorUpdater.exe	46
PID 692 wrote to memory of 1104	692	ProtectorUpdater.exe	46
PID 692 wrote to memory of 1104	692	ProtectorUpdater.exe	46
PID 692 wrote to memory of 1104	692	ProtectorUpdater.exe	46
PID 692 wrote to memory of 1104	692	ProtectorUpdater.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ad1af65ae75d3d4a3720b8f1a57e03fb_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\SysWOW64\cmd.exe
  cmd /C tasklist /FI "IMAGENAME eq ReiExpressContainer.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "IMAGENAME eq ReiExpressContainer.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3008
- C:\Program Files\Reimage\Reimage Express\lzma.exe
  "C:\Program Files\Reimage\Reimage Express\lzma.exe" "d" "C:\Program Files\Reimage\Reimage Express\ReiEngine.lza" "C:\Program Files\Reimage\Reimage Express\ReiEngine.dll"
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  PID:2452
- C:\Program Files\Reimage\Reimage Express\lzma.exe
  "C:\Program Files\Reimage\Reimage Express\lzma.exe" "d" "C:\Program Files\Reimage\Reimage Express\REI_Engine.lza" "C:\Program Files\Reimage\Reimage Express\REI_Engine.dll"
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  PID:2504
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s "C:\Program Files\Reimage\Reimage Express\ReiEngine.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files\Reimage\Reimage Express\ReiEngine.dll"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:2148
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s "C:\Program Files\Reimage\Reimage Express\REI_Engine.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files\Reimage\Reimage Express\REI_Engine.dll"
    3⤵
    - Loads dropped DLL
    PID:2344
- C:\Users\Admin\AppData\Local\Temp\ProtectorUpdater.exe
  "C:\Users\Admin\AppData\Local\Temp\ProtectorUpdater.exe" /S /MinorSessionID=68bca5b6-66ee-438c-b203-274329ec0067 /SessionID=95f018d7-f8e0-4702-8c6b-6e8f9402bed2 /Install=True
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:692
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C tasklist /FI "IMAGENAME eq UniProtectorPackage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1136
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq UniProtectorPackage.exe"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1120
- - C:\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe
    "C:\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe" /S /MinorSessionID=68bca5b6-66ee-438c-b203-274329ec0067 /SessionID=95f018d7-f8e0-4702-8c6b-6e8f9402bed2 /Install=true /UpdateOnly=default /InstallPath= /Iav=True
    3⤵
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1104
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C tasklist /FI "IMAGENAME eq ReiScanner.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
      4⤵
      PID:1664
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq ReiScanner.exe"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C tasklist /FI "IMAGENAME eq ReiProtectorM.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
      4⤵
      PID:2644
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq ReiProtectorM.exe"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
  - - C:\Users\Admin\AppData\Local\Temp\ProtectorAvPackage.exe
      "C:\Users\Admin\AppData\Local\Temp\ProtectorAvPackage.exe" /S /fU9I5Fv6rn=I4i0x2cXYe
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      Loads dropped DLL
      PID:2788
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C tasklist /FI "IMAGENAME eq REI_AVIRA.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
        5⤵
        
        PID:1904
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq REI_AVIRA.exe"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:856
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C tasklist /FI "IMAGENAME eq REI_AVIRA.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
        5⤵
        
        PID:2812
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq REI_AVIRA.exe"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
        5⤵
        
        PID:1856
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avupdate.exe"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
        5⤵
        
        PID:2968
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avupdate.exe"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
  - - C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe
      "C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe" -install
      4⤵
      Executes dropped EXE
      PID:848
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s "C:\Windows\system32\jscript.dll"
  2⤵
  - Registers COM server for autorun
  - Modifies registry class
  PID:2756
- C:\Program Files\Reimage\Reimage Express\ReiExpressContainer.exe
  "C:\Program Files\Reimage\Reimage Express\ReiExpressContainer.exe" http://www.reimageplus.com/GUI/express/1036/?SessionID=95f018d7-f8e0-4702-8c6b-6e8f9402bed2&MinorSessionID=68bca5b6-66ee-438c-b203-274329ec0067&version=1036&lang_code=en&trackutil=0 /X:926 /Y:617 /Locale=1033
  2⤵
  - Enumerates connected drives
  - Drops file in Windows directory
  - Executes dropped EXE
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1348

C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe
"C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe"
1⤵
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1280
- C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe
  "C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2960

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2508.dummy.000

Filesize
4KB

MD5
b9620248b721583d3db39ce70d39bb94

SHA1
c0cd66c8c4b252daccc2020ed9605977a4967b61

SHA256
ac46e5e8f9d1d2491ea1b8a4af6a9acbe9227089c2ce0ed2e0e7cbfc4911dd80

SHA512
3a57f93cf0ff3236b57efff7ddb06a34eb7ad632430a8f3ee53a26e07d551220af60fce6c4794a96c6cc4bb72cb8a40daa704deacb17878674e3eff5066ba60e

Download Submit
C:\2508.dummy.000

Filesize
4KB

MD5
03a2de094d438bdc3cbf63d55fa998d1

SHA1
484773870abceeb858bc2a2d04da6f0e19bc3dca

SHA256
2e143619ff41c53d06170c2801fbbf64c80d6ea2248c5c0b95cfa43aa6754102

SHA512
3ec1fe43757461758bef97086cbcf59a4bbb35cd23863dca666cb2638da465fc59e2f845ca1dc2cab75f096eed477cbc2b95e1bc56d863337b7806470785a5f4

Download Submit
C:\Program Files\Reimage\Reimage Express\LZMA.EXE

Filesize
76KB

MD5
3ff9dca1a86b6eeb44c3d517c6d45d8a

SHA1
b7b580bbd809f6b3456053de16c7143ab85acbc9

SHA256
cd610cd8fae3ec0e1436e49f0865f8f7403a92dee4130e507152f24201b58a70

SHA512
a50d7b514f344e05e15feb869443f26392d9c5f93f43350a075a3cf8958e4d44c31dd837410f9036f0b85b189f5def2fab5ee43e7393eed42192b10ae48d6958

Download Submit
C:\Program Files\Reimage\Reimage Express\REI_Engine.DLL

Filesize
10.9MB

MD5
5bd957fe3757084b22bc834703a89395

SHA1
0f7ecca6bdbd6b7997300bba737c4f10cec5156d

SHA256
2245e60d4f6e95da4e82d8ed73ccd7bc0565fa1044bbd4d4b59e4ba91cd094cd

SHA512
0f4f4fec95d25c0007ad1571f0f9fb9cd3eaed414fc06f1953e4cbc985d993f48487b1dd001db0de44df7dddcd72bbcaf2f228d4105513e3feea7ab7fe2f056c

Download Submit
C:\Program Files\Reimage\Reimage Express\REI_Engine.lza

Filesize
3.4MB

MD5
61c26e1a5c154c84f86088e46a149244

SHA1
ab47eb18c60ec62e77e176513829bc6a75bd3bf7

SHA256
d73ec92460ab53fd204c61bd6487ccd74ba8f6be17595c5fc9b79d1732e5b10f

SHA512
f307aafd246a9f08b2e85b8d030eec0cd8876f6aef0aceaf4b09509ea41cb974f07f579a44503b5f7111cb86b3124b29558776d3d5362d2724b69938fc79a1ca

Download Submit
C:\Program Files\Reimage\Reimage Express\ReiEngine.lza

Filesize
86KB

MD5
b0995b29d85fc2fa00e627dc18d8b987

SHA1
8ec2a4d839bb78db4e0778698da208a6c57ac477

SHA256
fb0d12085b3ef6035707b11edff197d8e2ad89195205c40cbb89e67ce66972b5

SHA512
64cbfc577d6ed9988dbf7d049521d4e4ef9ee853152fa4107a20277f5fbccd2f7abd8b452c191b544504e8787a1dd700eeb19595ad6716c4a97a8a6af15837d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C3948BE6E525B8A8CEE9FAC91C9E392_F70553637B9F26717122C4DAFA3ADB11

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IVNQKIYA\express_events_mem[1].htm

Filesize
2B

MD5
444bcb3a3fcf8389296c49467f27e1d6

SHA1
7a85f4764bbd6daf1c3545efbbf0f279a6dc0beb

SHA256
2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df

SHA512
9fbbbb5a0f329f9782e2356fa41d89cf9b3694327c1a934d6af2a9df2d7f936ce83717fb513196a4ce5548471708cd7134c2ae99b3c357bcabb2eafc7b9b7570

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NU01M8LT\reimageavmem[3].htm

Filesize
34B

MD5
cde84a7ecaeec784a88a7d7c8f7213fa

SHA1
413c2c6776f661e6979001dc1a203ca7e6dbf512

SHA256
d6c472948b0b9631f73a359b61c3f340b47b78052763fd2c2730637a9244cec9

SHA512
ee8b2a67722ecb2fac209aa1e84a722f9c454793dbdf6a66d1cf7ed2470951a689b3f407e4133f2f2833cb496bef5736e76e93a7deda9830434373bf25cf64bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O0VMCZ5I\protector_version_re[1].xml

Filesize
659B

MD5
563384d1d7fd78195a24b77f2642a94f

SHA1
1c78164b390dbb52685150c7a8cd063c091145ef

SHA256
f823c7b8e9ebb633707ce50253e2e7d4a7f89ed0cd6af497530d28f493b98bbf

SHA512
cb91935671b59e8195f938bf890f53ece6e957092e80b5260c339d911fdf8b33ce27a53691e9ea0d8346a977e8394abf4486f97f6ce55ec7cde8b24fda6bc24c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

Filesize
64B

MD5
dea052a2ad11945b1960577c0192f2eb

SHA1
1d02626a05a546a90c05902b2551f32c20eb3708

SHA256
943b315e065238b7073b033f534ef954b6b6461fb3f03a3f5b8555b11bc4c0a2

SHA512
5496b10e2a77aee11055d71bdaaed835df1770e85fa4d0f9433330470bbcf76c932c04778a0b47f4193eee14813db2e2b19ecc50b4a6a193faa19b4019705917

Download Submit
C:\Users\Admin\AppData\Local\Temp\ReimageExpress.exe

Filesize
578KB

MD5
0b08f5b105e9319bd125d83cab0001b4

SHA1
f20daf24998d665edcc822468c596d96e9b24019

SHA256
b80983fc8ce38388c7b4a8fcc7b33d90fe76ee363739e6352284742b6c927f51

SHA512
809b2aee53f2b55e8fcb6f1ef3b711c8a982d8a66d5c922d361bb6bcc91e5ef1ab92eba719c1c400d412a90704c277cf5215595d1abe6688e1d8c3bd3c95b7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\VGXCDD0.tmp

Filesize
890B

MD5
add7aab0e74a854d0e9c87feb264b231

SHA1
1e3595e4436e8850e0ccac09f09b8c345e182807

SHA256
9ebf21edaf10c4e5e95519a7bb660eb5f9df09cf5b3511450bf0b0fc45dd655c

SHA512
92ce3bfc3d2a15230c3227e5fb5bcd02cbe8ef427d286183c87d62802ffb05771814c84bbeaed93205d6e62a54df4444d14d3f6b13bdea788244e8dda8a25dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfl.rei

Filesize
943KB

MD5
4df254008471062ff5e1ea0e96180184

SHA1
0908053b749d19278cc3db03f2562c6da815900b

SHA256
5e4945a044c0e0ff83f959770078053f9d8d52a069c1b7c85b81200dfd5e2e33

SHA512
e41e0b67cd5c06d319b558d7262a695632a46f3713f68c343ee97c2e7dbe4c20e4647b08cd6ce2ee1ac409c1eb834bc77410ddf55dd9830b7fc0942aabdd7b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfl.rei

Filesize
124KB

MD5
797ea87ab30cb0657d5450df5245aca3

SHA1
e892efdf87b22322756b0041d1ed1e4faa6017d9

SHA256
3539a55fcaeeaa82af35dfc8c69e9e6ede23c2025576ade7fc7564574d66f843

SHA512
6a2a01de58a7758d548c6d46bf40c12e9c05ddeaa15c329ec32e4642298edb8f0e87061cfbdbf61babc65a8d700f36c61dc736c5d33d09bd3f04be29bce0aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\express_downloader.xml

Filesize
330B

MD5
96e4dbe4de11894fc894c912cefe7864

SHA1
5b8890f0090514b71dbaa5c7367b2673716fc919

SHA256
8216bc44307a0442061f23a79de897459f06b483a2ca33badd294c3dda7f2091

SHA512
a71dbc569869a8f9e14a64e157857788163f2962dcd90feee9eced86bf372d0e423480ccde87ca9898ee8e174bf83a509d54fa205d62bbdf88f2e8269f91103f

Download Submit
C:\Users\Admin\AppData\Local\Temp\express_version.xml

Filesize
1KB

MD5
92914c05933cee5d3329082ba463e482

SHA1
1b60f0a68608adf586989907ff9a6cc38de3effe

SHA256
9116186f472e92e0f1f46481ec90281788507dea31746f1e211d520339c971ee

SHA512
9fdf2cca0f302b2120183d520da9e6958e5a065983e5dbadf15800a850957984ab8b72691be6431feaf632e845aa3041d71c7ff5ff6575d830b2ddf1fb9f5d65

Download Submit
C:\Windows\Reimage.ini

Filesize
56B

MD5
b685b384f3fba1932c467be56bd04c03

SHA1
f4fe115499fede9a2c08f5d0c31f955b07c30de2

SHA256
e8b859416e05697157630d5520e0731faaaa4a783ebd4e0bdc80654021eef3e4

SHA512
9a11afce75ce0a53b3e29276cceb8471029c07c7921b260d2d1d763b503c35dad4a83de53b2ed632db1cfd29516260d4059269f75cc5d2bf89d8a567d4202c86

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\Temp\Cab8D82.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar9009.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Program Files\Reimage\Reimage Express\LanguageSelect.exe

Filesize
377KB

MD5
67f022173a2142264209bf2430c2a5fa

SHA1
fdc8855ce73ef185f28e7d7062c69359916575cf

SHA256
a798d9d62636ae56be34e6ebc85a9026df365db8b50330001a2721d055265dec

SHA512
7030ef127bd1fd7263d2120ad6f9d713d1745ff664e737272093f1992d1147d34a881af3bf077c4ffd1a13bda90eb2949f816612f9d0714328683859e4c71002

Download Submit
\Program Files\Reimage\Reimage Express\ReiEngine.dll

Filesize
233KB

MD5
ae81f5e7507175a2444a43a1c9637e9e

SHA1
a34435888b875e52e347cf84547e37e7980b90ae

SHA256
3ae705e46cca52308f53ec9cd86fd159c38d7fe947b71f1c023d32ae79f0d461

SHA512
05d46d4f9a729721a57dbef6e95d2ea78074442d563486bfd4335e93ea70c284051ea38a9c6d1aab3594fcc6bf20b705ff6619782cdf53ee639174ce753afd50

Download Submit
\Users\Admin\AppData\Local\Temp\ProtectorUpdater.exe

Filesize
362KB

MD5
a5cd4828b244d8a019cad5b39834073d

SHA1
dbd08733f1b22ffeb66ea1b0f4f4313b2d9ba36b

SHA256
4465dc9a641bcee44fa490f33ba9859b834e2d1677a1563843fc717fb123a56a

SHA512
98dcfb6a9f68830e694e5bb2abd3145a885d4313a7615f6078ce12388a7e76fa59ecd5a458153e48e1b8088991ac729800938578276594bea7a7e7a087b3eaa1

Download Submit
\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe

Filesize
5.9MB

MD5
f9678fd68160402fddd6406d647a8f47

SHA1
7a4dd2c1c067dec7485e52437ba3283f676a5e82

SHA256
1f4f195076443add312010361abbdfe7c2b5c26354bcbb58bde395b3605e4e23

SHA512
ec6a219e06c4a5e078a6e1bd9fe4dfeaee4c3f980583274a91602d9983b56c9f155e21a2bb1e3e8dfee3b1ad7b13ab591615ada1bdbd92abcefbcc40e7e73542

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2608.tmp\AccessControl.dll

Filesize
8KB

MD5
65d017ba65785b43720de6c9979a2e8c

SHA1
0aed2846e1b338077bae5a7f756c345a5c90d8a9

SHA256
ccc6aaf1071d9077475b574d9bf1fc23de40a06547fc90cf4255a44d3bf631ac

SHA512
31a19105892d5a9b49eb81a90a2330c342a5504fa4940b99a12279a63e1a19ee5d4b257d0900794ff7021a09408995a5d12e95cc38f09cf12fb2fd860d205c95

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2608.tmp\UserInfo.dll

Filesize
4KB

MD5
c7ce0e47c83525983fd2c4c9566b4aad

SHA1
38b7ad7bb32ffae35540fce373b8a671878dc54e

SHA256
6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

SHA512
ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1086.tmp\DcryptDll.dll

Filesize
156KB

MD5
4c373143ee342a75b469e0748049cd24

SHA1
d4e0e5155e78b99ec9459136acece2364bc2e935

SHA256
b4b5772a893e56aa5382aa3f0fef7837fa471e3b3e46db70b8bc702f2037e589

SHA512
569f92c3ff9a6e105cf9b3806d8b696442a5679dfa5d7c9362b0649a67cbea2478ca28a5da6c3bd0edacdb634509d8584c6959a4cc13c38d596458f372832f61

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1086.tmp\LogEx.dll

Filesize
44KB

MD5
0f96d9eb959ad4e8fd205e6d58cf01b8

SHA1
7c45512cbdb24216afd23a9e8cdce0cfeaa7660f

SHA256
57ede354532937e38c4ae9da3710ee295705ea9770c402dfb3a5c56a32fd4314

SHA512
9f3afb61d75ac7b7dc84abcbf1b04f759b7055992d46140dc5dcc269aed22268d044ee8030f5ea260bbb912774e5bbb751560c16e54efa99c700b9fc7d48832c

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1086.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1086.tmp\inetc.dll

Filesize
31KB

MD5
5da9df435ff20853a2c45026e7681cef

SHA1
39b1d70a7a03e7c791cb21a53d82fd949706a4b4

SHA256
9c52c74b8e115db0bde90f56382ebcc12aff05eb2232f80a4701e957e09635e2

SHA512
4ab3b1572485a8a11863adada2c6ec01e809a4b09f99d80903c79a95b91f299b8f2cd6cceaa915567e155a46291a33fb8ccb95141d76d4e7b0e040890d51d09f

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1086.tmp\nsExec.dll

Filesize
6KB

MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1086.tmp\registry.dll

Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1086.tmp\stack.dll

Filesize
10KB

MD5
867af9bea8b24c78736bf8d0fdb5a78e

SHA1
05839fad98aa2bcd9f6ecb22de4816e0c75bf97d

SHA256
732164fb36f46dd23dafb6d7621531e70f1f81e2967b3053727ec7b5492d0ae9

SHA512
b7f54d52ff08b29a04b4f5887e6e3ae0e74fa45a86e55e0a4d362bc3603426c42c1d6a0b2fc2ef574bec0f6c7152de756ff48415e37ae6a7a9c296303562df4b

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1086.tmp\xml.dll

Filesize
182KB

MD5
ebce8f5e440e0be57665e1e58dfb7425

SHA1
573dc1abd2b03512f390f569058fd2cf1d02ce91

SHA256
d1aaacc0aaf477b6b9f084697adcb444fc2333b32e8d99d224dca89516e762a7

SHA512
4786c9124973b6543d7291047d4c4a06c05282a3766212dbd3b8ce9b9560afddca20c491f791db2258c14ab767d5d3f480daa4706492949eae2ceb4a35aaef85

Download Submit
\Users\Admin\AppData\Local\Temp\nst4BE1.tmp\SimpleSC.dll

Filesize
39KB

MD5
3f1be1321461c7b7a3b4322391c818f0

SHA1
f59b7a1e65f60a446f4355e22f0a10bddec3d21b

SHA256
3d7a8cf88fbed3417ff7bf998188f830c2f52da4e9a36da3edb438310ad1b1cd

SHA512
2f11c28694746ad8dcbd1e04988d682152986f81959a425aab542483872aa5e30eadb36af0838f5301867279687b2c4b6417bd4b93053dcab6a13b6802164bb7

Download Submit
memory/692-184-0x00000000003E0000-0x00000000003EB000-memory.dmp

Filesize
44KB

Download
memory/692-158-0x0000000074180000-0x000000007418B000-memory.dmp

Filesize
44KB

Download
memory/1104-288-0x0000000004D50000-0x0000000004D5B000-memory.dmp

Filesize
44KB

Download
memory/2216-508-0x0000000005FA0000-0x0000000005FAB000-memory.dmp

Filesize
44KB

Download
memory/2216-131-0x0000000005F40000-0x0000000005F99000-memory.dmp

Filesize
356KB

Download
memory/2216-426-0x0000000003250000-0x000000000325B000-memory.dmp

Filesize
44KB

Download
memory/2216-29-0x00000000003F0000-0x00000000003FB000-memory.dmp

Filesize
44KB

Download