URL:

http://www.nwaha.org

Full analysis: https://app.any.run/tasks/334f1f79-db0c-4bc7-bb1b-16a401ce55a8
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: May 24, 2019, 14:51:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
loader
Indicators:
MD5:

409F6045F538BD37AE2C8EA544C88FBD

SHA1:

BC7638F12CA49BDF98FF651C36237F61ADC49042

SHA256:

0618455A0A7E2803EF911E289C7CF20C1F054E5E32B6B792916D99128DE4204F

SSDEEP:

3:N1KJS4m0Sn:Cc4mNn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • ReimageRepair[1].exe (PID: 3872)
      • ReimageRepair[1].exe (PID: 584)
      • ns47F2.tmp (PID: 2444)
      • sqlite3.exe (PID: 3428)
      • sqlite3.exe (PID: 2008)
      • ns4A27.tmp (PID: 3528)
      • sqlite3.exe (PID: 3916)
      • sqlite3.exe (PID: 2076)
      • sqlite3.exe (PID: 3816)
      • sqlite3.exe (PID: 3656)
      • ns4C3C.tmp (PID: 2700)
      • sqlite3.exe (PID: 1432)
      • ns55A4.tmp (PID: 3064)
      • sqlite3.exe (PID: 2496)
      • sqlite3.exe (PID: 1912)
      • nsF689.tmp (PID: 3548)
      • ns4E40.tmp (PID: 2676)
      • ns1D1D.tmp (PID: 868)
      • ns2338.tmp (PID: 2140)
      • ns2974.tmp (PID: 344)
      • sqlite3.exe (PID: 3104)
      • sqlite3.exe (PID: 2352)
      • sqlite3.exe (PID: 3292)
      • ns3194.tmp (PID: 3536)
      • ns37CF.tmp (PID: 2568)
      • ReimagePackage.exe (PID: 3684)
      • ns2B78.tmp (PID: 3392)
      • ns49B2.tmp (PID: 2404)
      • ns584A.tmp (PID: 3160)
      • lzma.exe (PID: 3924)
      • lzma.exe (PID: 3320)
      • ns5B39.tmp (PID: 1888)
      • ns5DCA.tmp (PID: 1160)
      • ns6A7D.tmp (PID: 2584)
      • ns7303.tmp (PID: 3988)
      • UniProtectorPackage.exe (PID: 2452)
      • ProtectorUpdater.exe (PID: 3860)
      • ns97A3.tmp (PID: 3676)
      • nsAB0D.tmp (PID: 3784)
      • ns9E2B.tmp (PID: 3028)
      • ReiSystem.exe (PID: 3136)
      • ReiGuard.exe (PID: 2548)
      • Reimage.exe (PID: 2684)
      • ReiGuard.exe (PID: 4084)
      • ns4404.tmp (PID: 3676)
      • REI_AVIRA.exe (PID: 1016)

    • Loads dropped or rewritten executable

      • ReimageRepair[1].exe (PID: 584)
      • ReimagePackage.exe (PID: 3684)
      • ProtectorUpdater.exe (PID: 3860)
      • regsvr32.exe (PID: 3520)
      • UniProtectorPackage.exe (PID: 2452)
      • regsvr32.exe (PID: 2772)
      • REI_AVIRA.exe (PID: 1016)
      • Reimage.exe (PID: 2684)

    • Downloads executable files from the Internet

      • iexplore.exe (PID: 3972)
      • ReimageRepair[1].exe (PID: 584)
      • ProtectorUpdater.exe (PID: 3860)

    • Uses TASKLIST.EXE to search for antiviruses

      • cmd.exe (PID: 1864)
      • cmd.exe (PID: 692)

    • Registers / Runs the DLL via REGSVR32.EXE

      • ReimageRepair[1].exe (PID: 584)
      • ReimagePackage.exe (PID: 3684)

    • Uses TASKLIST.EXE to search for security tools

      • cmd.exe (PID: 2244)
      • cmd.exe (PID: 1012)
      • cmd.exe (PID: 1240)
      • cmd.exe (PID: 2280)

    • Loads the Task Scheduler COM API

      • ReiGuard.exe (PID: 2548)
      • Reimage.exe (PID: 2684)

    • Connects to CnC server

      • ReiGuard.exe (PID: 2548)

    • Changes settings of System certificates

      • Reimage.exe (PID: 2684)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • ns4A27.tmp (PID: 3528)
      • ns47F2.tmp (PID: 2444)
      • ns4C3C.tmp (PID: 2700)
      • ns4E40.tmp (PID: 2676)
      • ns55A4.tmp (PID: 3064)
      • nsF689.tmp (PID: 3548)
      • ns1D1D.tmp (PID: 868)
      • ns2338.tmp (PID: 2140)
      • ns2974.tmp (PID: 344)
      • ns2B78.tmp (PID: 3392)
      • ns3194.tmp (PID: 3536)
      • ns37CF.tmp (PID: 2568)
      • ns49B2.tmp (PID: 2404)
      • ns4404.tmp (PID: 3676)
      • ns5DCA.tmp (PID: 1160)
      • ns7303.tmp (PID: 3988)
      • ns97A3.tmp (PID: 3676)
      • ns9E2B.tmp (PID: 3028)

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3972)
      • iexplore.exe (PID: 3336)
      • ReimageRepair[1].exe (PID: 584)
      • ReimagePackage.exe (PID: 3684)
      • lzma.exe (PID: 3924)
      • lzma.exe (PID: 3320)
      • ProtectorUpdater.exe (PID: 3860)
      • UniProtectorPackage.exe (PID: 2452)

    • Creates files in the Windows directory

      • ReimageRepair[1].exe (PID: 584)
      • ReiGuard.exe (PID: 4084)

    • Starts application with an unusual extension

      • ReimageRepair[1].exe (PID: 584)
      • ReimagePackage.exe (PID: 3684)
      • ProtectorUpdater.exe (PID: 3860)
      • UniProtectorPackage.exe (PID: 2452)

    • Reads the cookies of Mozilla Firefox

      • sqlite3.exe (PID: 3816)
      • sqlite3.exe (PID: 2008)
      • sqlite3.exe (PID: 1432)
      • sqlite3.exe (PID: 3104)
      • ReiGuard.exe (PID: 4084)

    • Creates files in the user directory

      • sqlite3.exe (PID: 2008)
      • sqlite3.exe (PID: 3816)
      • sqlite3.exe (PID: 1432)
      • sqlite3.exe (PID: 3104)
      • ReiGuard.exe (PID: 2548)
      • Reimage.exe (PID: 2684)
      • ReiGuard.exe (PID: 4084)

    • Reads the cookies of Google Chrome

      • sqlite3.exe (PID: 3916)
      • sqlite3.exe (PID: 2076)
      • sqlite3.exe (PID: 3428)
      • sqlite3.exe (PID: 3656)
      • sqlite3.exe (PID: 2496)
      • sqlite3.exe (PID: 1912)
      • sqlite3.exe (PID: 2352)
      • sqlite3.exe (PID: 3292)
      • ReiGuard.exe (PID: 4084)

    • Uses TASKLIST.EXE to query information about running processes

      • cmd.exe (PID: 1928)
      • cmd.exe (PID: 3420)
      • cmd.exe (PID: 3200)
      • cmd.exe (PID: 2904)
      • cmd.exe (PID: 304)
      • cmd.exe (PID: 1704)
      • cmd.exe (PID: 3436)
      • cmd.exe (PID: 2128)

    • Creates COM task schedule object

      • regsvr32.exe (PID: 1724)
      • regsvr32.exe (PID: 3520)

    • Creates a software uninstall entry

      • ReimageRepair[1].exe (PID: 584)
      • ReimagePackage.exe (PID: 3684)

    • Creates files in the program directory

      • ReimagePackage.exe (PID: 3684)
      • lzma.exe (PID: 3924)
      • lzma.exe (PID: 3320)
      • ProtectorUpdater.exe (PID: 3860)
      • UniProtectorPackage.exe (PID: 2452)
      • ReiGuard.exe (PID: 2548)
      • ReiGuard.exe (PID: 4084)

    • Executed as Windows Service

      • ReiGuard.exe (PID: 4084)

    • Executed via COM

      • unsecapp.exe (PID: 356)

    • Reads internet explorer settings

      • Reimage.exe (PID: 2684)

    • Adds / modifies Windows certificates

      • Reimage.exe (PID: 2684)

    • Uses IPCONFIG.EXE to discover IP address

      • Reimage.exe (PID: 2684)

    • Reads CPU info

      • Reimage.exe (PID: 2684)

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3336)

    • Changes internet zones settings

      • iexplore.exe (PID: 3336)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3972)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3336)
      • iexplore.exe (PID: 3972)

    • Creates files in the user directory

      • iexplore.exe (PID: 3972)

    • Reads settings of System Certificates

      • Reimage.exe (PID: 2684)
      • ReiGuard.exe (PID: 4084)

    • Dropped object may contain Bitcoin addresses

      • Reimage.exe (PID: 2684)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
156
Monitored processes
86
Malicious processes
10
Suspicious processes
26

Behavior graph

Click at the process to see the details
drop and start drop and start start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start iexplore.exe iexplore.exe reimagerepair[1].exe no specs reimagerepair[1].exe ns47f2.tmp no specs cmd.exe no specs sqlite3.exe no specs sqlite3.exe no specs sqlite3.exe no specs ns4a27.tmp no specs cmd.exe no specs sqlite3.exe no specs sqlite3.exe no specs sqlite3.exe no specs ns4c3c.tmp no specs cmd.exe no specs sqlite3.exe no specs sqlite3.exe no specs sqlite3.exe no specs ns4e40.tmp no specs cmd.exe no specs tasklist.exe no specs ns55a4.tmp no specs cmd.exe no specs tasklist.exe no specs regsvr32.exe no specs nsf689.tmp no specs cmd.exe no specs tasklist.exe no specs ns1d1d.tmp no specs cmd.exe no specs tasklist.exe no specs ns2338.tmp no specs cmd.exe no specs tasklist.exe no specs ns2974.tmp no specs cmd.exe no specs sqlite3.exe no specs sqlite3.exe no specs sqlite3.exe no specs ns2b78.tmp no specs cmd.exe no specs tasklist.exe no specs ns3194.tmp no specs cmd.exe no specs tasklist.exe no specs ns37cf.tmp no specs cmd.exe no specs tasklist.exe no specs reimagepackage.exe ns4404.tmp no specs cmd.exe no specs tasklist.exe no specs ns49b2.tmp no specs cmd.exe no specs tasklist.exe no specs ns584a.tmp no specs lzma.exe ns5b39.tmp no specs lzma.exe ns5dca.tmp no specs cmd.exe no specs tasklist.exe no specs regsvr32.exe no specs regsvr32.exe no specs ns6a7d.tmp no specs protectorupdater.exe ns7303.tmp no specs cmd.exe no specs tasklist.exe no specs uniprotectorpackage.exe ns97a3.tmp no specs cmd.exe no specs tasklist.exe no specs ns9e2b.tmp no specs cmd.exe no specs tasklist.exe no specs nsab0d.tmp no specs reiguard.exe reiguard.exe reisystem.exe unsecapp.exe no specs reimage.exe ipconfig.exe no specs rei_avira.exe no specs ipconfig.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
304cmd /C tasklist /FI "IMAGENAME eq REI_avira.exe" > C:\Users\admin\AppData\Local\Temp\IsProcessActive.txtC:\Windows\system32\cmd.exens5DCA.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernelbase.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\cmd.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
344"C:\Users\admin\AppData\Local\Temp\nsx46C7.tmp\ns2974.tmp" "C:\Users\admin\AppData\Local\Temp\FF.bat" > C:\Users\admin\AppData\Local\Temp\FF.txtC:\Users\admin\AppData\Local\Temp\nsx46C7.tmp\ns2974.tmpReimageRepair[1].exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\nsx46c7.tmp\ns2974.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
356C:\Windows\system32\wbem\unsecapp.exe -EmbeddingC:\Windows\system32\wbem\unsecapp.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Sink to receive asynchronous callbacks for WMI client application
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\unsecapp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
584"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\ReimageRepair[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\ReimageRepair[1].exe
iexplore.exe
User:
admin
Company:
Reimage
Integrity Level:
HIGH
Description:
Reimage Installer
Exit code:
2
Version:
1.551
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\i0488cjo\reimagerepair[1].exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
692cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\admin\AppData\Local\Temp\IsProcessActive.txtC:\Windows\system32\cmd.exens49B2.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
868"C:\Users\admin\AppData\Local\Temp\nsx46C7.tmp\ns1D1D.tmp" cmd /C tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" > C:\Users\admin\AppData\Local\Temp\IsProcessActive.txtC:\Users\admin\AppData\Local\Temp\nsx46C7.tmp\ns1D1D.tmpReimageRepair[1].exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\nsx46c7.tmp\ns1d1d.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
992tasklist /FI "IMAGENAME eq UniProtectorPackage.exe" C:\Windows\system32\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Lists the current running tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\tasklist.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1012cmd /C tasklist /FI "IMAGENAME eq Wireshark.exe" > C:\Users\admin\AppData\Local\Temp\IsProcessActive.txtC:\Windows\system32\cmd.exens2B78.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1016"C:\Program Files\Reimage\Reimage Repair\REI_AVIRA.exe" "C:\rei\AV"C:\Program Files\Reimage\Reimage Repair\REI_AVIRA.exeReimage.exe
User:
admin
Company:
Reimage
Integrity Level:
HIGH
Description:
Reimage Malware Scanner
Exit code:
3
Version:
1.3.0.1
Modules
Images
c:\program files\reimage\reimage repair\rei_avira.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msimg32.dll
1160"C:\Users\admin\AppData\Local\Temp\nsg41F0.tmp\ns5DCA.tmp" cmd /C tasklist /FI "IMAGENAME eq REI_avira.exe" > C:\Users\admin\AppData\Local\Temp\IsProcessActive.txtC:\Users\admin\AppData\Local\Temp\nsg41F0.tmp\ns5DCA.tmpReimagePackage.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\nsg41f0.tmp\ns5dca.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\usp10.dll
Total events
2 539
Read events
2 086
Write events
378
Delete events
75

Modification events

(PID) Process:(3336) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(3336) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3336) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(3336) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:writeName:SecuritySafe
Value:
1
(PID) Process:(3336) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(3336) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000071000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(3336) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:writeName:{6E519809-7E33-11E9-A09E-5254004A04AF}
Value:
0
(PID) Process:(3336) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Type
Value:
4
(PID) Process:(3336) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Count
Value:
1
(PID) Process:(3336) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Time
Value:
E3070500050018000E0033002600A002
Executable files
81
Suspicious files
19
Text files
230
Unknown types
56

Dropped files

PID
Process
Filename
Type
3336iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
3336iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3972iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UC4O0Z5S\nwaha_org[1].txt
MD5:
SHA256:
3972iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VRTJK86R\css[1].txttext
MD5:
SHA256:
3972iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:
SHA256:
3972iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VRTJK86R\index[1].php
MD5:
SHA256:
3972iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UC4O0Z5S\nwame[1].phptext
MD5:
SHA256:
3972iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:
SHA256:
3972iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UC4O0Z5S\ie[1].csstext
MD5:98C8DE81FF554BDFAC4A35DA5FDAE3A9
SHA256:AFAD11AF34D0A2F8B2627B752A644134FCB0D579BEC76695BEB07BA450A38EB2
3972iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VRTJK86R\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
221
TCP/UDP connections
62
DNS requests
34
Threats
53

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3972
iexplore.exe
GET
301
206.221.185.92:80
http://www.nwaha.org/
US
unknown
3972
iexplore.exe
GET
200
206.221.185.92:80
http://nwaha.org/wp-content/themes/twentytwelve/nwame.php?mvt=-1
US
text
281 b
unknown
3972
iexplore.exe
GET
200
206.221.185.92:80
http://nwaha.org/support/images/win-old.png
US
image
694 b
unknown
3972
iexplore.exe
GET
200
206.221.185.92:80
http://nwaha.org/support/fonts/segoeuid41d.eot?
US
eot
504 Kb
unknown
3972
iexplore.exe
GET
200
206.221.185.92:80
http://nwaha.org/support/style.css
US
text
9.48 Kb
unknown
3972
iexplore.exe
GET
200
206.221.185.92:80
http://nwaha.org/support/images/win.png
US
image
4.14 Kb
unknown
3972
iexplore.exe
GET
200
206.221.185.92:80
http://nwaha.org/support/index.php?kw=Windows
US
html
15.6 Kb
unknown
3972
iexplore.exe
GET
200
216.58.207.74:80
http://fonts.googleapis.com/css?family=Open+Sans:400italic,700italic,400,700&subset=latin,latin-ext
US
text
167 b
whitelisted
3972
iexplore.exe
GET
200
206.221.185.92:80
http://nwaha.org/
US
html
23.1 Kb
unknown
3972
iexplore.exe
GET
200
206.221.185.92:80
http://nwaha.org/wp-includes/js/jquery/jquery.js?ver=1.11.2
US
text
93.7 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3972
iexplore.exe
206.221.185.92:80
www.nwaha.org
Choopa, LLC
US
unknown
3336
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3972
iexplore.exe
216.58.207.74:80
fonts.googleapis.com
Google Inc.
US
whitelisted
3972
iexplore.exe
172.217.16.163:80
fonts.gstatic.com
Google Inc.
US
whitelisted
3972
iexplore.exe
104.20.2.47:80
www.statcounter.com
Cloudflare Inc
US
shared
3972
iexplore.exe
104.20.3.47:80
www.statcounter.com
Cloudflare Inc
US
shared
3972
iexplore.exe
161.47.7.14:80
www.reimageplus.com
Rackspace Ltd.
US
malicious
3972
iexplore.exe
205.185.208.80:80
cdnrep.reimageplus.com
Highwinds Network Group, Inc.
US
suspicious
584
ReimageRepair[1].exe
161.47.7.14:80
www.reimageplus.com
Rackspace Ltd.
US
malicious
584
ReimageRepair[1].exe
205.185.208.80:80
cdnrep.reimageplus.com
Highwinds Network Group, Inc.
US
suspicious

DNS requests

Domain
IP
Reputation
www.nwaha.org
  • 206.221.185.92
unknown
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
fonts.googleapis.com
  • 216.58.207.74
whitelisted
fonts.gstatic.com
  • 172.217.16.163
whitelisted
www.statcounter.com
  • 104.20.2.47
  • 104.20.3.47
whitelisted
c.statcounter.com
  • 104.20.3.47
  • 104.20.2.47
whitelisted
nwaha.org
  • 206.221.185.92
unknown
www.reimageplus.com
  • 161.47.7.14
suspicious
cdnrep.reimageplus.com
  • 205.185.208.80
suspicious
cdnrep.reimage.com
  • 205.185.208.80
whitelisted

Threats

PID
Process
Class
Message
3972
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3972
iexplore.exe
Misc activity
ET INFO EXE - Served Attached HTTP
584
ReimageRepair[1].exe
A Network Trojan was detected
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
584
ReimageRepair[1].exe
Misc activity
SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer
584
ReimageRepair[1].exe
A Network Trojan was detected
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
584
ReimageRepair[1].exe
Misc activity
SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer
584
ReimageRepair[1].exe
A Network Trojan was detected
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
584
ReimageRepair[1].exe
Misc activity
SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer
584
ReimageRepair[1].exe
A Network Trojan was detected
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
584
ReimageRepair[1].exe
Misc activity
SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer
17 ETPRO signatures available at the full report
Process
Message
Reimage.exe
CFtpUpload::CFtpUpload() .
Reimage.exe
\EXE1.8.9.1\20190524\4c1cf3aa-c9bb-43a9-81e0-8d999dc01d8a\USER-PC\1553\
Reimage.exe
CFtpUpload::CFtpUpload() .
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
http://www.nwaha.org