URL:

http://nar.orionakhtar.com/lists/fo399lbfyb3a0/confirm-unsubscribe/xc033xyz8sc51/mb457w8fh8c28

Full analysis: https://app.any.run/tasks/ad7371f9-b3ce-42dd-8f0c-6f7103f32131
Verdict: Malicious activity
Analysis date: December 06, 2018, 09:33:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

4E2E30A5807CFED9F08E392A0C48664E

SHA1:

1DE4E1BB05702EF2DAAADE8FF4560FB62E91E577

SHA256:

063729A8EB22559E166E98B4A1F41919E187690DF354065EAFB44C0FC4921A40

SSDEEP:

3:N1KQ+/ONgSRYK4JCWbGKGAc8aODNdAd:CQAOHRnsbGKhcWPAd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2976)

    • Changes internet zones settings

      • iexplore.exe (PID: 2976)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3256)
      • iexplore.exe (PID: 2976)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3256)

    • Creates files in the user directory

      • iexplore.exe (PID: 3256)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3532)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3256)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
3
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe flashutil32_26_0_0_131_activex.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2976"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3256"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2976 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3532C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Exit code:
0
Version:
26,0,0,131
Modules
Images
c:\windows\system32\macromed\flash\flashutil32_26_0_0_131_activex.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events
499
Read events
434
Write events
62
Delete events
3

Modification events

(PID) Process:(2976) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(2976) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2976) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2976) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:writeName:SecuritySafe
Value:
1
(PID) Process:(2976) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(2976) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(2976) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:writeName:{10590DF5-F93A-11E8-BAD8-5254004A04AF}
Value:
0
(PID) Process:(2976) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Type
Value:
4
(PID) Process:(2976) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Count
Value:
3
(PID) Process:(2976) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Time
Value:
E2070C00040006000900220002000C03
Executable files
0
Suspicious files
0
Text files
71
Unknown types
10

Dropped files

PID
Process
Filename
Type
2976iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
2976iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3256iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\mb457w8fh8c28[1].txt
MD5:
SHA256:
3256iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\mb457w8fh8c28[1].htmhtml
MD5:
SHA256:
3256iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\app-custom[1].jstext
MD5:
SHA256:
3256iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:
SHA256:
3256iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\html5shiv[1].jshtml
MD5:0CE8F355891C26C28F057E195E97DCD5
SHA256:8C7A9C0470563367AB00307B4FB9BB3052D0A27F0B94E63B9DC0BB8C369449CB
3256iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\respond.min[1].jshtml
MD5:972B9D5576BFE0A34B18CD9E4F99D747
SHA256:8369672CFA949065E3EC60D6F99CB8EFE3B6A61F94AF5726B5D92556A923FA48
3256iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\adminlte[1].csstext
MD5:E26944645D188B183353D19AB2736B0B
SHA256:3601AA9FEFE786F7641B2ECB74C2C935A8A01E415D55F30E6E097F2D5E16F8D3
3256iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\cookie[1].jstext
MD5:449DD3907404CEAD5D8BA6203B3550DC
SHA256:3585A42757908BA2ACE27F41B01256F6CF4FFB9679F7AC0FF8957817D5CCFDE1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
54
TCP/UDP connections
38
DNS requests
18
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3256
iexplore.exe
GET
200
37.187.158.168:80
http://nar.orionakhtar.com/frontend/assets/js/app-custom.js?v=1543821870&av=383d138c
FR
text
386 b
unknown
3256
iexplore.exe
GET
200
37.187.158.168:80
http://nar.orionakhtar.com/assets/css/skin-blue.css?av=383d138c
FR
text
893 b
unknown
3256
iexplore.exe
GET
200
37.187.158.168:80
http://nar.orionakhtar.com/assets/css/bootstrap.min.css?av=383d138c
FR
text
21.0 Kb
unknown
3256
iexplore.exe
GET
200
37.187.158.168:80
http://nar.orionakhtar.com/assets/css/adminlte.css?av=383d138c
FR
text
35.5 Kb
unknown
3256
iexplore.exe
GET
200
37.187.158.168:80
http://nar.orionakhtar.com/frontend/assets/cache/bbe56c5a/jquery.min.js
FR
text
37.9 Kb
unknown
3256
iexplore.exe
GET
200
37.187.158.168:80
http://nar.orionakhtar.com/assets/js/knockout.min.js?av=383d138c
FR
text
24.7 Kb
unknown
3256
iexplore.exe
GET
200
23.111.8.154:80
http://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js
US
html
2.08 Kb
whitelisted
3256
iexplore.exe
GET
200
37.187.158.168:80
http://nar.orionakhtar.com/assets/js/adminlte.js?av=383d138c
FR
text
3.29 Kb
unknown
3256
iexplore.exe
GET
200
37.187.158.168:80
http://nar.orionakhtar.com/frontend/assets/css/style.css?av=383d138c
FR
text
3.08 Kb
unknown
3256
iexplore.exe
GET
200
37.187.158.168:80
http://nar.orionakhtar.com/assets/js/app.js?av=383d138c
FR
text
934 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3256
iexplore.exe
23.111.8.154:80
oss.maxcdn.com
netDNA
US
unknown
2976
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3256
iexplore.exe
185.117.75.222:80
ff.potterzs.link
Host Sailor Ltd.
NL
suspicious
3256
iexplore.exe
161.47.7.14:80
www.reimageplus.com
Rackspace Ltd.
US
malicious
3256
iexplore.exe
191.101.34.10:80
7uuy6.cleanharborredirect.com
LT
unknown
3256
iexplore.exe
172.217.168.10:80
ajax.googleapis.com
Google Inc.
US
whitelisted
2976
iexplore.exe
37.187.158.168:80
nar.orionakhtar.com
OVH SAS
FR
unknown
3256
iexplore.exe
216.58.215.227:443
fonts.gstatic.com
Google Inc.
US
whitelisted
3256
iexplore.exe
172.217.168.2:80
www.googleadservices.com
Google Inc.
US
whitelisted
3256
iexplore.exe
205.185.208.80:80
cdnrep.reimageplus.com
Highwinds Network Group, Inc.
US
suspicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
nar.orionakhtar.com
  • 37.187.158.168
unknown
fonts.googleapis.com
  • 216.58.215.234
whitelisted
cdnjs.cloudflare.com
  • 104.19.199.151
  • 104.19.196.151
  • 104.19.198.151
  • 104.19.197.151
  • 104.19.195.151
whitelisted
oss.maxcdn.com
  • 23.111.8.154
whitelisted
fonts.gstatic.com
  • 216.58.215.227
whitelisted
ff.potterzs.link
  • 185.117.75.222
malicious
7uuy6.cleanharborredirect.com
  • 191.101.34.10
  • 191.96.104.10
  • 179.61.143.10
unknown
www.reimageplus.com
  • 161.47.7.14
suspicious
ajax.googleapis.com
  • 172.217.168.10
  • 172.217.168.42
  • 216.58.215.234
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
http://nar.orionakhtar.com/lists/fo399lbfyb3a0/confirm-unsubscribe/xc033xyz8sc51/mb457w8fh8c28