URL: https://anty.dolphin.ru.com/

Full analysis: https://app.any.run/tasks/f6c69c83-0bd7-4aec-84ab-b76ce585e514
Verdict: Malicious activity (note: the signature list below contains no malicious behavioural indicators and the Threats section reports none; the only "malicious" markings on this page are reputation tags in the network tables)
Analysis date: January 10, 2022, 08:31:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)

Indicators (SSDEEP block size 3 means the hashed input is under ~200 bytes, consistent with the submitted URL string rather than a downloaded file):
MD5: 3D225CCBE35C67D37C33C5E82937F7DC
SHA1: 550E5BF52A65A835CB2ECC6746D62FE568463583
SHA256: 749180F3D1B3E902A51C92F4AFBD7185A57FA7BC5C95C1D0B61DC0E4C5E6B26D
SSDEEP: 3:N8vXM:2PM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 2684)
    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 2684)
  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 1408)
      • iexplore.exe (PID: 2684)
    • Reads the computer name

      • iexplore.exe (PID: 1408)
      • iexplore.exe (PID: 2684)
    • Application launched itself

      • iexplore.exe (PID: 1408)
    • Changes internet zones settings

      • iexplore.exe (PID: 1408)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2684)
      • iexplore.exe (PID: 1408)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 1408)
      • iexplore.exe (PID: 2684)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 1408)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2684)
    • Creates files in the user directory

      • iexplore.exe (PID: 2684)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 37
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start → iexplore.exe (PID 1408) → iexplore.exe (PID 2684)

Process information

PID 1408
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://anty.dolphin.ru.com/"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM (the IE frame process)
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll

PID 2684
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1408 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe (PID 1408; the SCODEF:1408 argument names the frame process that spawned this tab)
User: admin
Company: Microsoft Corporation
Integrity Level: LOW (Protected Mode tab process; this is the process that rendered the page, fetched its resources and wrote the cache and cookie files listed under Dropped files)
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
Total events: 16 890
Read events: 16 063
Write events: 827
Delete events: 0

Modification events

PID 1408 iexplore.exe, write: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPDaysSinceLastAutoMigration = 1
PID 1408 iexplore.exe, write: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPLastLaunchLowDateTime = (value not shown)
PID 1408 iexplore.exe, write: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPLastLaunchHighDateTime = 30934524
PID 1408 iexplore.exe, write: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager\NextCheckForUpdateLowDateTime = (value not shown)
PID 1408 iexplore.exe, write: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager\NextCheckForUpdateHighDateTime = 30934524
PID 1408 iexplore.exe, write: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix = (value not shown)
PID 1408 iexplore.exe, write: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = Cookie:
PID 1408 iexplore.exe, write: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = Visited:
PID 1408 iexplore.exe, write: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = 0
PID 1408 iexplore.exe, write: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = 1

All ten listed writes are made by the frame process to Internet Explorer's own settings keys; no Run/RunOnce, policy, service or file-association keys appear in the list.
Executable files: 1
Suspicious files: 26
Text files: 87
Unknown types: 26

Only ten of the dropped files are listed on this page; the one file counted as executable is not among them.

Dropped files

PID 2684 iexplore.exe, binary: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  MD5: F85C09FA0289BD18FBD8E15C8A316E27
  SHA256: 254FC6DDDC9EB617B18D0FCD60DAE80C7A4A1D848C740874F4FCDE17EED447B8
PID 2684 iexplore.exe, html: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\en[1].htm
  MD5: F65CA23B7770CD056FA0F7C906427AF1
  SHA256: A43BE9E14436CA3B23967E4C0D0C4F44620CDADFB9AA6F212D08B9A334FD205B
PID 2684 iexplore.exe, binary: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F
  MD5: 3447B0C50EB22669E5D187908A7ED1AA
  SHA256: EA0CD9BCA6A5522F907E68667E5832E3DE78A9EDE24966BF64DCE3F72DD9B540
PID 2684 iexplore.exe, html: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\en[1].htm
  MD5: A791968DC792833CEAA32A4513437726
  SHA256: 72B73F8CAB24AFCBE70EDB9E6888DD67D43DBEC30A05485BEB1264BD8228E05A
PID 2684 iexplore.exe, text: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\RQ9S7RGC.txt
  MD5: A36F138A83AE0DCCDC73F4C0F72D56BE
  SHA256: 7E4A830B96F16F749F305448684F0AD7DFC345183E3D2AA3DCB16A5DB4923510
PID 2684 iexplore.exe, text: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\slick-theme[1].css
  MD5: CB794B43D1DC6BAAD92063ABF81A0E96
  SHA256: E81396503CF6A9229AD94549E85FD09CD8C733A0FD3E7F446549FF2E1CBDF940
PID 2684 iexplore.exe, text: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\QEIM51FK.txt
  MD5: B272B57EC01FD97B4BEEA44FD70AF9D7
  SHA256: 313769869EE3FDDA911B8B026159AAF4DC71D6EB234DD7B701222C6839FBB043
PID 2684 iexplore.exe, der: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F
  MD5: E77449B560C8625DAC3684AC2C0C05B6
  SHA256: 710603AFD54CA88D56B828BD668A48A2DFD3590BFBDC0555270113CFA71DC769
PID 2684 iexplore.exe, text: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\progress-bar[1].js
  MD5: EB3B04AECFF3C15045D63FA94DEA3361
  SHA256: 33B7004A2D5EB200B09F200C2F49CC4508E3FE13BC0DBBEFD154867235B9CA2B
PID 2684 iexplore.exe, text: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\jquery.arcticmodal-0.3[1].css
  MD5: 8851A6C34C239781A3660ACD7D5E2682
  SHA256: FF9F1037592D0FD0A3F381A7B086976B28C47D6250E56B5C73DF07C6E33F84E9

The CryptnetUrlCache entries (MetaData plus the matching .der Content file) are CryptoAPI's cache of the certificate-revocation and trust-list data fetched in the HTTP requests below, not content served by the analysed site; the Content.IE5 and Cookies\Low entries are the Protected Mode browser cache and cookies for the visited page.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 24 (10 listed on this page)
TCP/UDP connections: 76 (10 listed on this page)
DNS requests: 33 (10 listed on this page)
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
2684 | iexplore.exe | GET | 301 | 104.21.95.220:80 | http://anty.dolphin.ru.com/en/ | US | - | - | malicious
2684 | iexplore.exe | GET | 200 | 95.140.236.128:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?7b4aa066fff217d1 | GB | compressed | 4.70 Kb | whitelisted
1408 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted
2684 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/Omniroot2025.crl | US | der | 7.68 Kb | whitelisted
2684 | iexplore.exe | GET | 200 | 104.18.30.182:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | US | der | 727 b | whitelisted
2684 | iexplore.exe | GET | 200 | 104.18.30.182:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | US | der | 471 b | whitelisted
2684 | iexplore.exe | GET | 200 | 142.250.186.131:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQD6vIn3vzMQlAoAAAABJf0y | US | der | 472 b | whitelisted
2684 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQS14tALDViBvqCf47YkiQRtKz1BAQUpc436uuwdQ6UZ4i0RfrZJBCHlh8CEAv0cvaEvJZyZuUmP3ocbeY%3D | US | der | 279 b | whitelisted
2684 | iexplore.exe | GET | 200 | 142.250.186.131:80 | http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCECHMNwkPtKJCCgAAAAEl%2FQo%3D | US | der | 471 b | whitelisted
2684 | iexplore.exe | GET | - | 142.250.186.131:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | US | - | - | whitelisted

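Nine of the ten HTTP rows above are certificate-revocation traffic, and each OCSP GET carries its whole request in the URL path: RFC 6960 allows a DER-encoded OCSPRequest to be sent as base64 in the path, and Windows CryptoAPI, which performs chain building and revocation checking on behalf of Internet Explorer, does exactly that. Decoding the path gives the CertID (hash algorithm, SHA-1 of the issuer's distinguished name, SHA-1 of the issuer's public key and the serial number of the certificate being checked), which is enough to tell which CA chains the frame process (PID 1408) and the tab process (PID 2684) validated, without the PCAP. The parser below is an added example written for this page, not ANY.RUN code; it uses only the standard library with a minimal DER reader, and the build_ocsp_get helper and the ocsp.example.test responder name exist only for the round-trip check.

```python
import base64
import urllib.parse

# The DigiCert OCSP GET made by the frame process (PID 1408) and the first
# ocsp.pki.goog GET made by the tab process (PID 2684), copied from the table above.
DIGICERT_OCSP_URL = "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D"
GOOGLE_OCSP_URL = "http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQD6vIn3vzMQlAoAAAABJf0y"

SHA1_OID = "1.3.14.3.2.26"   # id-sha1: CryptoAPI hashes issuer name and key with SHA-1 in CertID


def _tlv(buf, pos):
    """Read one DER TLV starting at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length: next n bytes carry it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(seq_value):
    """Return [(tag, value), ...] for the TLVs directly inside a SEQUENCE value."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, val, pos = _tlv(seq_value, pos)
        out.append((tag, val))
    return out


def _oid(raw):
    """Decode a DER OBJECT IDENTIFIER value to dotted notation."""
    parts, acc = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def parse_ocsp_get(url):
    """Extract the CertID from an RFC 6960 OCSP GET URL (URL-encoded base64 DER OCSPRequest).

    The base64 is percent-encoded in these URLs, so the request is everything after the last '/'.
    """
    der = base64.b64decode(urllib.parse.unquote(url.rsplit("/", 1)[1]))
    _, ocsp_request, _ = _tlv(der, 0)                    # OCSPRequest ::= SEQUENCE { tbsRequest, ... }
    tbs = _children(ocsp_request)[0][1]                  # TBSRequest
    # TBSRequest may start with [0] version and [1] requestorName; requestList is the first plain SEQUENCE.
    request_list = next(val for tag, val in _children(tbs) if tag == 0x30)
    cert_id = _children(_children(request_list)[0][1])[0][1]   # Request -> reqCert CertID
    alg, name_hash, key_hash, serial = _children(cert_id)[:4]
    return {
        "hash_alg": _oid(_children(alg[1])[0][1]),
        "issuer_name_hash": name_hash[1].hex(),
        "issuer_key_hash": key_hash[1].hex(),
        "serial": int.from_bytes(serial[1], "big"),      # DER INTEGER; a leading 0x00 pad folds away
    }


def _der(tag, value):
    """Minimal DER encoder for the short structures built here (values below 64 KiB)."""
    n = len(value)
    if n < 0x80:
        header = bytes([tag, n])
    elif n < 0x100:
        header = bytes([tag, 0x81, n])
    else:
        header = bytes([tag, 0x82, n >> 8, n & 0xFF])
    return header + value


def build_ocsp_get(responder_url, issuer_name_hash, issuer_key_hash, serial):
    """Build the unsigned SHA-1 OCSP GET URL a client sends for one certificate (round-trip helper)."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2b0e03021a")) + _der(0x05, b""))
    serial_bytes = serial.to_bytes((serial.bit_length() + 8) // 8, "big")  # keeps a 0x00 pad when the top bit is set
    cert_id = _der(0x30, alg + _der(0x04, issuer_name_hash) + _der(0x04, issuer_key_hash) + _der(0x02, serial_bytes))
    ocsp_request = _der(0x30, _der(0x30, _der(0x30, _der(0x30, cert_id))))  # OCSPRequest/TBSRequest/requestList/Request
    return responder_url.rstrip("/") + "/" + urllib.parse.quote(base64.b64encode(ocsp_request).decode(), safe="")


if __name__ == "__main__":
    for url in (DIGICERT_OCSP_URL, GOOGLE_OCSP_URL):
        info = parse_ocsp_get(url)
        print(url.split("/")[2], info["hash_alg"], "issuerKeyHash", info["issuer_key_hash"], "serial", hex(info["serial"]))
```

Matching issuer_key_hash against the SHA-1 of a CA's public key identifies the issuing CA without the certificate itself, and the serial is what you would look up in CT logs or the CA's CRL. The pki.goog request carries a 17-byte serial (a leading 0x00 keeps the DER INTEGER positive); the int conversion absorbs that pad.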
Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
2684 | iexplore.exe | 104.21.95.220:443 | anty.dolphin.ru.com | Cloudflare Inc | US | malicious
2684 | iexplore.exe | 142.250.186.110:443 | analytics.google.com | Google Inc. | US | whitelisted
2684 | iexplore.exe | 95.140.236.128:80 | ctldl.windowsupdate.com | Limelight Networks, Inc. | GB | malicious
2684 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
1408 | iexplore.exe | 131.253.33.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
1408 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2684 | iexplore.exe | 104.21.95.220:80 | anty.dolphin.ru.com | Cloudflare Inc | US | malicious
- | - | 104.16.85.20:443 | cdn.jsdelivr.net | Cloudflare Inc | US | shared
- | - | 104.18.10.207:443 | maxcdn.bootstrapcdn.com | Cloudflare Inc | US | suspicious
- | - | 69.16.175.42:443 | code.jquery.com | Highwinds Network Group, Inc. | US | malicious

The reputation column is not consistent across the report: ctldl.windowsupdate.com, cdn.jsdelivr.net, maxcdn.bootstrapcdn.com and code.jquery.com are tagged malicious, shared, suspicious and malicious here but whitelisted in the DNS requests table below. The ctldl.windowsupdate.com connection is the disallowed-certificate trust list download shown under HTTP requests, and the three CDN hosts match the jQuery, Bootstrap-style CSS and JS files listed under Dropped files.

DNS requests

Domain | IP(s) | Reputation
anty.dolphin.ru.com | 104.21.95.220, 172.67.148.172 | malicious
ctldl.windowsupdate.com | 95.140.236.128 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
api.bing.com | 13.107.13.80 | whitelisted
www.bing.com | 131.253.33.200, 13.107.22.200 | whitelisted
crl3.digicert.com | 93.184.220.29 | whitelisted
cdn.jsdelivr.net | 104.16.85.20, 104.16.89.20, 104.16.88.20, 104.16.87.20, 104.16.86.20 | whitelisted
maxcdn.bootstrapcdn.com | 104.18.10.207, 104.18.11.207 | whitelisted
code.jquery.com | 69.16.175.42, 69.16.175.10 | whitelisted
ocsp.comodoca.com | 104.18.30.182, 104.18.31.182 | whitelisted

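Reading the Connections and DNS tables above as a triage step means separating what Windows and Internet Explorer do for any HTTPS page (OCSP and CRL fetches, the certificate trust list download, the Bing search-box traffic from the frame process) from what the analysed page itself caused (anty.dolphin.ru.com over both ports, Google Analytics and the three script/CSS CDNs), and then checking whether the reputation tags agree between tables before leaning on them. The script below is an added example written for this page, not ANY.RUN code: the connection and DNS rows are transcribed from the tables above, and the background-host patterns are the example's own heuristic rather than an ANY.RUN category.

```python
import re

ANALYSED_HOST = "anty.dolphin.ru.com"

# Connections table above, row for row: (pid, ip:port, domain, reputation as tagged there).
# The last three rows carry no PID on the page, so pid is None for them.
CONNECTIONS = [
    (2684, "104.21.95.220:443", "anty.dolphin.ru.com", "malicious"),
    (2684, "142.250.186.110:443", "analytics.google.com", "whitelisted"),
    (2684, "95.140.236.128:80", "ctldl.windowsupdate.com", "malicious"),
    (2684, "93.184.220.29:80", "ocsp.digicert.com", "whitelisted"),
    (1408, "131.253.33.200:443", "www.bing.com", "whitelisted"),
    (1408, "93.184.220.29:80", "ocsp.digicert.com", "whitelisted"),
    (2684, "104.21.95.220:80", "anty.dolphin.ru.com", "malicious"),
    (None, "104.16.85.20:443", "cdn.jsdelivr.net", "shared"),
    (None, "104.18.10.207:443", "maxcdn.bootstrapcdn.com", "suspicious"),
    (None, "69.16.175.42:443", "code.jquery.com", "malicious"),
]

# DNS requests table above: domain -> reputation as tagged there.
DNS_REPUTATION = {
    "anty.dolphin.ru.com": "malicious",
    "ctldl.windowsupdate.com": "whitelisted",
    "ocsp.digicert.com": "whitelisted",
    "api.bing.com": "whitelisted",
    "www.bing.com": "whitelisted",
    "crl3.digicert.com": "whitelisted",
    "cdn.jsdelivr.net": "whitelisted",
    "maxcdn.bootstrapcdn.com": "whitelisted",
    "code.jquery.com": "whitelisted",
    "ocsp.comodoca.com": "whitelisted",
}

# Hosts that Windows and IE contact on their own while opening any HTTPS page.
# This list is the example's own heuristic, not an ANY.RUN classification.
BACKGROUND_PATTERNS = [
    (re.compile(r"^ocsp\."), "CryptoAPI OCSP revocation check"),
    (re.compile(r"^crl\d*\."), "CryptoAPI CRL download"),
    (re.compile(r"^ctldl\.windowsupdate\.com$"), "CryptoAPI certificate trust list update"),
    (re.compile(r"(^|\.)bing\.com$"), "IE search box / suggestions"),
]


def classify(domain):
    """Return why a host is background noise, or None if the page itself caused the request."""
    for pattern, reason in BACKGROUND_PATTERNS:
        if pattern.search(domain):
            return reason
    return None


def triage(connections, dns_reputation, analysed_host):
    """Split connections into background noise and page-driven traffic, group page hosts
    by the PID that contacted them, and list hosts whose reputation tag differs between
    the Connections and DNS tables (a sign the tags alone are not a verdict)."""
    result = {"background": {}, "page": {}, "third_party": set(), "by_pid": {}, "conflicts": set()}
    for pid, endpoint, domain, rep in connections:
        reason = classify(domain)
        bucket = result["background"] if reason else result["page"]
        bucket.setdefault(domain, set()).add(endpoint)
        if reason is None and domain != analysed_host:
            result["third_party"].add(domain)
        if pid is not None:
            result["by_pid"].setdefault(pid, set()).add(domain)
        dns_rep = dns_reputation.get(domain)
        if dns_rep is not None and dns_rep != rep:
            result["conflicts"].add((domain, rep, dns_rep))
    return result


if __name__ == "__main__":
    r = triage(CONNECTIONS, DNS_REPUTATION, ANALYSED_HOST)
    for domain in sorted(r["background"]):
        print(f"background  {domain:28} {classify(domain)}")
    for domain, endpoints in sorted(r["page"].items()):
        tag = "first-party" if domain == ANALYSED_HOST else "third-party"
        print(f"page        {domain:28} {tag}  {', '.join(sorted(endpoints))}")
    for domain, conn_rep, dns_rep in sorted(r["conflicts"]):
        print(f"conflict    {domain:28} connections={conn_rep} dns={dns_rep}")
```

Run against this report, the page-driven set is the analysed host on ports 80 and 443 (the 301 to /en/ and the HTTPS page), analytics.google.com and the three CDN hosts, all from the tab process; the frame process touched only Bing and DigiCert's OCSP responder. Four hosts change reputation between the two tables, which is why the verdict on this page should rest on the behavioural sections rather than on those tags.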
Threats

No threats detected
No debug info