analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://www.nwaha.org

Full analysis: https://app.any.run/tasks/334f1f79-db0c-4bc7-bb1b-16a401ce55a8
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: May 24, 2019, 14:51:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
loader
Indicators:
MD5:

409F6045F538BD37AE2C8EA544C88FBD

SHA1:

BC7638F12CA49BDF98FF651C36237F61ADC49042

SHA256:

0618455A0A7E2803EF911E289C7CF20C1F054E5E32B6B792916D99128DE4204F

SSDEEP:

3:N1KJS4m0Sn:Cc4mNn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • ReimageRepair[1].exe (PID: 3872)
      • ReimageRepair[1].exe (PID: 584)
      • ns4A27.tmp (PID: 3528)
      • sqlite3.exe (PID: 3428)
      • sqlite3.exe (PID: 2008)
      • sqlite3.exe (PID: 3916)
      • sqlite3.exe (PID: 3656)
      • sqlite3.exe (PID: 3816)
      • ns47F2.tmp (PID: 2444)
      • sqlite3.exe (PID: 1912)
      • sqlite3.exe (PID: 1432)
      • sqlite3.exe (PID: 2496)
      • sqlite3.exe (PID: 2076)
      • ns4C3C.tmp (PID: 2700)
      • ns4E40.tmp (PID: 2676)
      • nsF689.tmp (PID: 3548)
      • ns55A4.tmp (PID: 3064)
      • ns1D1D.tmp (PID: 868)
      • ns2338.tmp (PID: 2140)
      • sqlite3.exe (PID: 2352)
      • ns2974.tmp (PID: 344)
      • sqlite3.exe (PID: 3104)
      • sqlite3.exe (PID: 3292)
      • ns2B78.tmp (PID: 3392)
      • ns3194.tmp (PID: 3536)
      • ns37CF.tmp (PID: 2568)
      • ReimagePackage.exe (PID: 3684)
      • ns4404.tmp (PID: 3676)
      • ns49B2.tmp (PID: 2404)
      • ns584A.tmp (PID: 3160)
      • ns5B39.tmp (PID: 1888)
      • lzma.exe (PID: 3924)
      • lzma.exe (PID: 3320)
      • ns5DCA.tmp (PID: 1160)
      • ns6A7D.tmp (PID: 2584)
      • ns7303.tmp (PID: 3988)
      • ProtectorUpdater.exe (PID: 3860)
      • UniProtectorPackage.exe (PID: 2452)
      • ns97A3.tmp (PID: 3676)
      • nsAB0D.tmp (PID: 3784)
      • ns9E2B.tmp (PID: 3028)
      • ReiSystem.exe (PID: 3136)
      • ReiGuard.exe (PID: 2548)
      • ReiGuard.exe (PID: 4084)
      • REI_AVIRA.exe (PID: 1016)
      • Reimage.exe (PID: 2684)

    • Downloads executable files from the Internet

      • iexplore.exe (PID: 3972)
      • ReimageRepair[1].exe (PID: 584)
      • ProtectorUpdater.exe (PID: 3860)

    • Loads dropped or rewritten executable

      • ReimageRepair[1].exe (PID: 584)
      • ReimagePackage.exe (PID: 3684)
      • regsvr32.exe (PID: 3520)
      • regsvr32.exe (PID: 2772)
      • ProtectorUpdater.exe (PID: 3860)
      • UniProtectorPackage.exe (PID: 2452)
      • Reimage.exe (PID: 2684)
      • REI_AVIRA.exe (PID: 1016)

    • Uses TASKLIST.EXE to search for antiviruses

      • cmd.exe (PID: 1864)
      • cmd.exe (PID: 692)

    • Registers / Runs the DLL via REGSVR32.EXE

      • ReimageRepair[1].exe (PID: 584)
      • ReimagePackage.exe (PID: 3684)

    • Uses TASKLIST.EXE to search for security tools

      • cmd.exe (PID: 2244)
      • cmd.exe (PID: 1012)
      • cmd.exe (PID: 2280)
      • cmd.exe (PID: 1240)

    • Loads the Task Scheduler COM API

      • ReiGuard.exe (PID: 2548)
      • Reimage.exe (PID: 2684)

    • Connects to CnC server

      • ReiGuard.exe (PID: 2548)

    • Changes settings of System certificates

      • Reimage.exe (PID: 2684)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3972)
      • iexplore.exe (PID: 3336)
      • ReimageRepair[1].exe (PID: 584)
      • ReimagePackage.exe (PID: 3684)
      • lzma.exe (PID: 3924)
      • lzma.exe (PID: 3320)
      • ProtectorUpdater.exe (PID: 3860)
      • UniProtectorPackage.exe (PID: 2452)

    • Creates files in the Windows directory

      • ReimageRepair[1].exe (PID: 584)
      • ReiGuard.exe (PID: 4084)

    • Starts CMD.EXE for commands execution

      • ns47F2.tmp (PID: 2444)
      • ns4A27.tmp (PID: 3528)
      • ns4C3C.tmp (PID: 2700)
      • ns55A4.tmp (PID: 3064)
      • ns4E40.tmp (PID: 2676)
      • nsF689.tmp (PID: 3548)
      • ns2974.tmp (PID: 344)
      • ns1D1D.tmp (PID: 868)
      • ns2338.tmp (PID: 2140)
      • ns3194.tmp (PID: 3536)
      • ns37CF.tmp (PID: 2568)
      • ns2B78.tmp (PID: 3392)
      • ns4404.tmp (PID: 3676)
      • ns49B2.tmp (PID: 2404)
      • ns5DCA.tmp (PID: 1160)
      • ns7303.tmp (PID: 3988)
      • ns9E2B.tmp (PID: 3028)
      • ns97A3.tmp (PID: 3676)

    • Reads the cookies of Mozilla Firefox

      • sqlite3.exe (PID: 3816)
      • sqlite3.exe (PID: 2008)
      • sqlite3.exe (PID: 1432)
      • sqlite3.exe (PID: 3104)
      • ReiGuard.exe (PID: 4084)

    • Reads the cookies of Google Chrome

      • sqlite3.exe (PID: 3428)
      • sqlite3.exe (PID: 3656)
      • sqlite3.exe (PID: 3916)
      • sqlite3.exe (PID: 1912)
      • sqlite3.exe (PID: 2076)
      • sqlite3.exe (PID: 2496)
      • sqlite3.exe (PID: 3292)
      • sqlite3.exe (PID: 2352)
      • ReiGuard.exe (PID: 4084)

    • Creates files in the user directory

      • sqlite3.exe (PID: 3816)
      • sqlite3.exe (PID: 2008)
      • sqlite3.exe (PID: 1432)
      • sqlite3.exe (PID: 3104)
      • ReiGuard.exe (PID: 2548)
      • Reimage.exe (PID: 2684)
      • ReiGuard.exe (PID: 4084)

    • Starts application with an unusual extension

      • ReimageRepair[1].exe (PID: 584)
      • ReimagePackage.exe (PID: 3684)
      • ProtectorUpdater.exe (PID: 3860)
      • UniProtectorPackage.exe (PID: 2452)

    • Uses TASKLIST.EXE to query information about running processes

      • cmd.exe (PID: 1928)
      • cmd.exe (PID: 3420)
      • cmd.exe (PID: 3200)
      • cmd.exe (PID: 2904)
      • cmd.exe (PID: 304)
      • cmd.exe (PID: 1704)
      • cmd.exe (PID: 3436)
      • cmd.exe (PID: 2128)

    • Creates COM task schedule object

      • regsvr32.exe (PID: 1724)
      • regsvr32.exe (PID: 3520)

    • Creates a software uninstall entry

      • ReimageRepair[1].exe (PID: 584)
      • ReimagePackage.exe (PID: 3684)

    • Creates files in the program directory

      • lzma.exe (PID: 3320)
      • lzma.exe (PID: 3924)
      • ReimagePackage.exe (PID: 3684)
      • ProtectorUpdater.exe (PID: 3860)
      • UniProtectorPackage.exe (PID: 2452)
      • ReiGuard.exe (PID: 2548)
      • ReiGuard.exe (PID: 4084)

    • Executed as Windows Service

      • ReiGuard.exe (PID: 4084)

    • Executed via COM

      • unsecapp.exe (PID: 356)

    • Reads internet explorer settings

      • Reimage.exe (PID: 2684)

    • Reads CPU info

      • Reimage.exe (PID: 2684)

    • Adds / modifies Windows certificates

      • Reimage.exe (PID: 2684)

    • Uses IPCONFIG.EXE to discover IP address

      • Reimage.exe (PID: 2684)

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3336)

    • Creates files in the user directory

      • iexplore.exe (PID: 3972)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3972)
      • iexplore.exe (PID: 3336)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3972)

    • Changes internet zones settings

      • iexplore.exe (PID: 3336)

    • Dropped object may contain Bitcoin addresses

      • Reimage.exe (PID: 2684)

    • Reads settings of System Certificates

      • ReiGuard.exe (PID: 4084)
      • Reimage.exe (PID: 2684)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
156
Monitored processes
86
Malicious processes
10
Suspicious processes
26

Behavior graph

Click at the process to see the details
drop and start drop and start start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start iexplore.exe iexplore.exe reimagerepair[1].exe no specs reimagerepair[1].exe ns47f2.tmp no specs cmd.exe no specs sqlite3.exe no specs sqlite3.exe no specs sqlite3.exe no specs ns4a27.tmp no specs cmd.exe no specs sqlite3.exe no specs sqlite3.exe no specs sqlite3.exe no specs ns4c3c.tmp no specs cmd.exe no specs sqlite3.exe no specs sqlite3.exe no specs sqlite3.exe no specs ns4e40.tmp no specs cmd.exe no specs tasklist.exe no specs ns55a4.tmp no specs cmd.exe no specs tasklist.exe no specs regsvr32.exe no specs nsf689.tmp no specs cmd.exe no specs tasklist.exe no specs ns1d1d.tmp no specs cmd.exe no specs tasklist.exe no specs ns2338.tmp no specs cmd.exe no specs tasklist.exe no specs ns2974.tmp no specs cmd.exe no specs sqlite3.exe no specs sqlite3.exe no specs sqlite3.exe no specs ns2b78.tmp no specs cmd.exe no specs tasklist.exe no specs ns3194.tmp no specs cmd.exe no specs tasklist.exe no specs ns37cf.tmp no specs cmd.exe no specs tasklist.exe no specs reimagepackage.exe ns4404.tmp no specs cmd.exe no specs tasklist.exe no specs ns49b2.tmp no specs cmd.exe no specs tasklist.exe no specs ns584a.tmp no specs lzma.exe ns5b39.tmp no specs lzma.exe ns5dca.tmp no specs cmd.exe no specs tasklist.exe no specs regsvr32.exe no specs regsvr32.exe no specs ns6a7d.tmp no specs protectorupdater.exe ns7303.tmp no specs cmd.exe no specs tasklist.exe no specs uniprotectorpackage.exe ns97a3.tmp no specs cmd.exe no specs tasklist.exe no specs ns9e2b.tmp no specs cmd.exe no specs tasklist.exe no specs nsab0d.tmp no specs reiguard.exe reiguard.exe reisystem.exe unsecapp.exe no specs reimage.exe ipconfig.exe no specs rei_avira.exe no specs ipconfig.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3336"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
3972"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3336 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3872"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\ReimageRepair[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\ReimageRepair[1].exeiexplore.exe
User:
admin
Company:
Reimage
Integrity Level:
MEDIUM
Description:
Reimage Installer
Exit code:
3221226540
Version:
1.551
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\i0488cjo\reimagerepair[1].exe
c:\systemroot\system32\ntdll.dll
584"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\ReimageRepair[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\ReimageRepair[1].exe
iexplore.exe
User:
admin
Company:
Reimage
Integrity Level:
HIGH
Description:
Reimage Installer
Exit code:
2
Version:
1.551
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\i0488cjo\reimagerepair[1].exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
2444"C:\Users\admin\AppData\Local\Temp\nsx46C7.tmp\ns47F2.tmp" "C:\Users\admin\AppData\Local\Temp\FF.bat" > C:\Users\admin\AppData\Local\Temp\FF.txtC:\Users\admin\AppData\Local\Temp\nsx46C7.tmp\ns47F2.tmpReimageRepair[1].exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\nsx46c7.tmp\ns47f2.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2800cmd /c ""C:\Users\admin\AppData\Local\Temp\FF.bat" > C:\Users\admin\AppData\Local\Temp\FF.txt"C:\Windows\system32\cmd.exens47F2.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3816"C:\Users\admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_trackid';"C:\Users\admin\AppData\Local\Temp\sqlite3.execmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\sqlite3.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
3656"C:\Users\admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select value, expires_utc from cookies where host_key like '%reimageplus.com' and name='_trackid';"C:\Users\admin\AppData\Local\Temp\sqlite3.exeReimageRepair[1].exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\sqlite3.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
3428"C:\Users\admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select name, expires_utc from cookies where host_key like '%reimageplus.com' and name like '_trackid_%';"C:\Users\admin\AppData\Local\Temp\sqlite3.exeReimageRepair[1].exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\sqlite3.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
3528"C:\Users\admin\AppData\Local\Temp\nsx46C7.tmp\ns4A27.tmp" "C:\Users\admin\AppData\Local\Temp\FF.bat" > C:\Users\admin\AppData\Local\Temp\FF.txtC:\Users\admin\AppData\Local\Temp\nsx46C7.tmp\ns4A27.tmpReimageRepair[1].exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\nsx46c7.tmp\ns4a27.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\advapi32.dll
Total events
2 539
Read events
2 086
Write events
0
Delete events
0

Modification events

No data
Executable files
81
Suspicious files
19
Text files
230
Unknown types
56

Dropped files

PID
Process
Filename
Type
3336iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
3336iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3972iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UC4O0Z5S\nwaha_org[1].txt
MD5:
SHA256:
3972iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VRTJK86R\css[1].txttext
MD5:8780921F6B54E4AC98429BD2350ECAAA
SHA256:D4DA3E1B7B1A4784FD533496181D30B7D05FFD1AC58B79AA51852114864FAFA5
3972iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:91402243029ABDA90E598319C120823F
SHA256:8C633C5191FBC70A988CF53D10634C0DEA10320995D35B64E64225A12A51B988
3972iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VRTJK86R\index[1].php
MD5:
SHA256:
3972iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UC4O0Z5S\ie[1].csstext
MD5:98C8DE81FF554BDFAC4A35DA5FDAE3A9
SHA256:AFAD11AF34D0A2F8B2627B752A644134FCB0D579BEC76695BEB07BA450A38EB2
3972iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UC4O0Z5S\nwaha_org[1].htmhtml
MD5:67664BCC64E8E9E7424DC9DE64C84A9E
SHA256:51D0D6BA3AAD7598C59FA7D4BD98493057941B4CBA10736DBD3B36A2FC4FB76E
3972iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:38E98DFAAEE5959FB7BC7413B386F274
SHA256:6B7FB5378B51C6CC0552B01F27817698BCC15BE40CB95D7D02602DBD743E7BF0
3972iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UA7H5DZ4\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
221
TCP/UDP connections
62
DNS requests
34
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3972
iexplore.exe
GET
301
206.221.185.92:80
http://www.nwaha.org/
US
unknown
3972
iexplore.exe
GET
200
206.221.185.92:80
http://nwaha.org/support/index.php?kw=Windows
US
html
15.6 Kb
unknown
3972
iexplore.exe
GET
200
206.221.185.92:80
http://nwaha.org/support/style.css
US
text
9.48 Kb
unknown
3972
iexplore.exe
GET
200
206.221.185.92:80
http://nwaha.org/wp-content/themes/twentytwelve/nwame.php?mvt=-1
US
text
281 b
unknown
3972
iexplore.exe
GET
200
206.221.185.92:80
http://nwaha.org/wp-content/themes/twentytwelve/css/ie.css?ver=20121010
US
text
5.00 Kb
unknown
3972
iexplore.exe
GET
200
206.221.185.92:80
http://nwaha.org/
US
html
23.1 Kb
unknown
3972
iexplore.exe
GET
200
206.221.185.92:80
http://nwaha.org/support/images/win.png
US
image
4.14 Kb
unknown
3972
iexplore.exe
GET
200
206.221.185.92:80
http://nwaha.org/support/images/win-old.png
US
image
694 b
unknown
3972
iexplore.exe
GET
200
216.58.207.74:80
http://fonts.googleapis.com/css?family=Open+Sans:400italic,700italic,400,700&subset=latin,latin-ext
US
text
167 b
whitelisted
3972
iexplore.exe
GET
200
206.221.185.92:80
http://nwaha.org/wp-content/themes/twentytwelve/style.css?ver=4.2.23
US
text
35.3 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3336
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3972
iexplore.exe
172.217.16.163:80
fonts.gstatic.com
Google Inc.
US
whitelisted
3972
iexplore.exe
216.58.207.74:80
fonts.googleapis.com
Google Inc.
US
whitelisted
3972
iexplore.exe
104.20.2.47:80
www.statcounter.com
Cloudflare Inc
US
shared
3972
iexplore.exe
206.221.185.92:80
www.nwaha.org
Choopa, LLC
US
unknown
3972
iexplore.exe
104.20.3.47:80
www.statcounter.com
Cloudflare Inc
US
shared
3336
iexplore.exe
206.221.185.92:80
www.nwaha.org
Choopa, LLC
US
unknown
3972
iexplore.exe
161.47.7.14:80
www.reimageplus.com
Rackspace Ltd.
US
malicious
3860
ProtectorUpdater.exe
205.185.208.80:80
cdnrep.reimageplus.com
Highwinds Network Group, Inc.
US
suspicious
2548
ReiGuard.exe
192.237.143.168:80
e-webservice.reimageplus.com
Rackspace Ltd.
US
unknown

DNS requests

Domain
IP
Reputation
www.nwaha.org
  • 206.221.185.92
unknown
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
fonts.googleapis.com
  • 216.58.207.74
whitelisted
fonts.gstatic.com
  • 172.217.16.163
whitelisted
www.statcounter.com
  • 104.20.2.47
  • 104.20.3.47
whitelisted
c.statcounter.com
  • 104.20.3.47
  • 104.20.2.47
whitelisted
nwaha.org
  • 206.221.185.92
unknown
www.reimageplus.com
  • 161.47.7.14
suspicious
cdnrep.reimageplus.com
  • 205.185.208.80
suspicious
cdnrep.reimage.com
  • 205.185.208.80
whitelisted

Threats

PID
Process
Class
Message
3972
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3972
iexplore.exe
Misc activity
ET INFO EXE - Served Attached HTTP
584
ReimageRepair[1].exe
A Network Trojan was detected
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
584
ReimageRepair[1].exe
Misc activity
SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer
584
ReimageRepair[1].exe
A Network Trojan was detected
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
584
ReimageRepair[1].exe
Misc activity
SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer
584
ReimageRepair[1].exe
A Network Trojan was detected
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
584
ReimageRepair[1].exe
Misc activity
SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer
584
ReimageRepair[1].exe
A Network Trojan was detected
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
584
ReimageRepair[1].exe
Misc activity
SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer
17 ETPRO signatures available at the full report
Process
Message
Reimage.exe
CFtpUpload::CFtpUpload() .
Reimage.exe
\EXE1.8.9.1\20190524\4c1cf3aa-c9bb-43a9-81e0-8d999dc01d8a\USER-PC\1553\
Reimage.exe
CFtpUpload::CFtpUpload() .
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://www.nwaha.org