File name:

TeamViewer11_Exit.hta

Full analysis: https://app.any.run/tasks/47c08f70-36b4-41e2-b732-9db52808efc4
Verdict: Malicious activity
Analysis date: April 02, 2020, 20:31:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/octet-stream
File info: data
MD5:

2703F13A3876449D71A78182793D883A

SHA1:

90D25BA6E6F61FE9A1A8AF67444021A415C30FEF

SHA256:

1A1FF5EC6C6C7150124555B7714A4BD62C8C9BF96FECF1931EE20891DA06BEF4

SSDEEP:

24:p37rysGWgjN9TLk/4TolcTCTVcxBOU9m9TnG10taZl5B1S:pf1GVN9Hkq4mCTVPtGitab5BE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes settings of System certificates

      • mshta.exe (PID: 3692)

  • SUSPICIOUS

    • Reads Internet Cache Settings

      • mshta.exe (PID: 3692)

    • Creates files in the user directory

      • mshta.exe (PID: 3692)

    • Adds / modifies Windows certificates

      • mshta.exe (PID: 3692)

  • INFO

    • Reads internet explorer settings

      • mshta.exe (PID: 3692)

    • Reads settings of System Certificates

      • mshta.exe (PID: 3692)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details

Process information

PID
CMD
Path
Indicators
Parent process
3692"C:\Windows\System32\mshta.exe" "C:\Users\admin\AppData\Local\Temp\TeamViewer11_Exit.hta"C:\Windows\System32\mshta.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\windows\system32\mshta.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
Total events
5 470
Read events
119
Write events
3 559
Delete events
1 792

Modification events

(PID) Process:(3692) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3692) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(3692) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(3692) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
46000000A1000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(3692) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3692) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3692) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3692) mshta.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3692) mshta.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072
Operation:writeName:Blob
Value:
0F0000000100000014000000391BE92883D52509155BFEAE27B9BD340170B76B030000000100000014000000CDD4EEAE6000AC7F40C3802C171E30148030C0720B000000010000004A0000004D006900630072006F0073006F0066007400200052006F006F007400200043006500720074006900660069006300610074006500200041007500740068006F007200690074007900000069000000010000000E000000300C060A2B0601040182373C030220000000010000009D0500003082059930820381A003020102021079AD16A14AA0A5AD4C7358F407132E65300D06092A864886F70D0101050500305F31133011060A0992268993F22C6401191603636F6D31193017060A0992268993F22C64011916096D6963726F736F6674312D302B060355040313244D6963726F736F667420526F6F7420436572746966696361746520417574686F72697479301E170D3031303530393233313932325A170D3231303530393233323831335A305F31133011060A0992268993F22C6401191603636F6D31193017060A0992268993F22C64011916096D6963726F736F6674312D302B060355040313244D6963726F736F667420526F6F7420436572746966696361746520417574686F7269747930820222300D06092A864886F70D01010105000382020F003082020A0282020100F35DFA8067D45AA7A90C2C9020D035083C7584CDB707899C89DADECEC360FA91685A9E94712918767CC2E0C82576940E58FA043436E6DFAFF780BAE9580B2B93E59D05E3772291F734643C22911D5EE10990BC14FEFC755819E179B70792A3AE885908D89F07CA0358FC68296D32D7D2A8CB4BFCE10B48324FE6EBB8AD4FE45C6F139499DB95D575DBA81AB79491B4775BF5480C8F6A797D1470047D6DAF90F5DA70D847B7BF9B2F6CE705B7E11160AC7991147CC5D6A6E4E17ED5C37EE592D23C00B53682DE79E16DF3B56EF89F33C9CB527D739836DB8BA16BA295979BA3DEC24D26FF0696672506C8E7ACE4EE1233953199C835084E34CA7953D5B5BE6332594036C0A54E044D3DDB5B0733E458BFEF3F5364D842593557FD0F457C24044D9ED6387411972290CE684474926FD54B6FB086E3C73642A0D0FCC1C05AF9A361B9304771960A16B091C04295EF107F286AE32A1FB1E4CD033F777104C720FC490F1D4588A4D7CB7E88AD8E2DEC45DBC45104C92AFCEC869E9A11975BDECE5388E6E2B7FDAC95C22840DBEF0490DF813339D9B245A5238706A5558931BB062D600E41187D1F2EB597CB11EB15D524A594EF151489FD4B73FA325BFCD13300F95962700732EA2EAB402D7BCADD21671B30998F16AA23A841D1B06E119B36C4DE40749CE15865C1601E7A5B38C88FBB04267CD41640E5B66B6CAA86FD00BFCEC1350203010001A351304F300B0603551D0F0404030201C6300F0603551D130101FF040530030101FF301D0603551D0E041604140EAC826040562797E52513FC2AE10A539559E4A4301006092B06010401823715010403020100300D06092A864886F70D01010505000382020100C5114D033A60DD5D5211778FB2BB36C8B205BFB4B7A8D8209D5C1303B61C22FA061335B6C863D49A476F2657D255F104B1265FD6A95068A0BCD2B86ECCC3E9ACDF19CD78AC5974AC663436C41B3E6C384C330E30120DA326FE515300FFAF5A4E840D0F1FE46D052E4E854B8D6C336F54D264ABBF50AF7D7A39A037ED63030FFC1306CE1636D4543B951B51623AE54D17D40539929A27A85BAABDECBBBEE3208960716C56B3A513D06D0E237E9503ED683DF2D863B86B4DB6E830B5E1CA944BF7A2AA5D9930B23DA7C2516C28200124272B4B00B79D116B70BEB21082BC0C9B68D08D3B2487AA9928729D335F5990BDF5DE939E3A625A3439E288551DB906B0C1896B2DD769C319123684D0C9A0DAFF2F6978B2E57ADAEBD70CC0F7BD6317B8391338A2365B7BF285566A1D6462C138E2AABF5166A294F5129C6622106BF2B730922DF229F03D3B144368A2F19C2937CBCE3820256D7C67F37E24122403088147ECA59E97F518D7CFBBD5EF7696EFFDCEDB569D95A042F99758E1D73122D35F59E63E6E2200EA4384B625DBD9F3085668C0646B1D7CECB693A262576E2ED8E7588FC4314926DDDE293587F53071705B143C69BD89127DEB2EA3FED87F9E825A520A2BC1432BD930889FC810FB898DE6A18575337E6C9EDB7313646269A52F7DCA966D9FF8044D30923D6E211421C93DE0C3FD8A6B9D4AFDD1A19D9943773FB0DA
(PID) Process:(3692) mshta.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072
Operation:delete keyName:
Value:
Executable files
0
Suspicious files
13
Text files
15
Unknown types
6

Dropped files

PID
Process
Filename
Type
3692mshta.exeC:\Users\admin\AppData\Local\Temp\Tar1FE0.tmp
MD5:
SHA256:
3692mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\index[1].htmhtml
MD5:7305E3A2E3E85740ED55BD8E1646A3A9
SHA256:C402DB419E8656B0B4650AE32048AD14B24AFC5D5041A1B7E4A468B9DD49E9F8
3692mshta.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4der
MD5:B5ADDD2ABBC7E506EACC8E8B988E9AF2
SHA256:3E2F0576E3D1DD7C4858BC4D79313A2125E0987A53072ED698D0F5CBF75FB099
3692mshta.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4binary
MD5:ACB49D80B74343DD296547A2A3ADFBB0
SHA256:8E1E99FC8C2FE59D6B9E42513D70EA4AD1258BA194375908F927E6A560BE14B6
3692mshta.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\NNWGU9U4.txt
MD5:
SHA256:
3692mshta.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BE8B021F9E811DFC8C8A28572A17C05A_D5B2EE08D29F519EFCE98948F2CDEEFAder
MD5:468668361583D3C8813561E10DEBEAEB
SHA256:3D8E30AE9966A6167062830D77B7D7EB99648F5875A4513C7E4CED6FC8F99AEA
3692mshta.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288Bder
MD5:E550DA03AEE5B546B436CD553D3233B9
SHA256:9ABFD4E29B96CCA442502B1DE6071FE0293455DF22B4EFF19FA3E6DF060947E7
3692mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\arrow-language[1].gifimage
MD5:1B3776A7278027EB6A7DEFE38E7FD980
SHA256:BBA51308DB49423B7858F56C5E50F166E68BDD7583706B9DBA00F0854594CF45
3692mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\sprite[1].pngimage
MD5:3B7156425D7C57367E36C4111FD687A7
SHA256:46DCEF9CE0FF85A4EAE4AF4B9FA43B60FC027FA484754E3C2A7F0F65F90BED3D
3692mshta.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288Bbinary
MD5:35F85A9B62507A248324FE3916B5DCB7
SHA256:2A26B8D4E44E896945496956C1C885EC6FABA02878BE462EBDB0E1D0B9C78B3F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
17
TCP/UDP connections
10
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3692
mshta.exe
GET
301
104.16.62.16:80
http://www.teamviewer.com/favicon.ico
US
shared
3692
mshta.exe
GET
200
52.168.20.22:80
http://client.teamviewer.com/shutdown/index.aspx?lng=en
US
html
5.53 Kb
shared
3692
mshta.exe
GET
200
52.168.20.22:80
http://client.teamviewer.com/WebResource.axd?d=pynGkmcFUV13He1Qd6_TZJFj3HA2V0GFKBvexoSHjn0BAnqMPFYqhA4lxpHZVn581mQUrQ2&t=637194676569425762
US
text
5.87 Kb
shared
3692
mshta.exe
GET
200
52.168.20.22:80
http://client.teamviewer.com/shutdown/res/img/arrow-language.gif
US
image
179 b
shared
3692
mshta.exe
GET
200
52.168.20.22:80
http://client.teamviewer.com/shutdown/res/img/button-buy-center.png
US
image
180 b
shared
3692
mshta.exe
GET
200
52.168.20.22:80
http://client.teamviewer.com/shutdown/res/img/grey-arrow-center.png
US
image
88 b
shared
3692
mshta.exe
GET
200
172.217.22.35:80
http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQC71JgJax1YIwIAAAAAXGhg
US
der
472 b
whitelisted
3692
mshta.exe
GET
200
151.139.128.14:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D
US
der
471 b
whitelisted
3692
mshta.exe
GET
200
172.217.21.227:80
http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D
US
der
468 b
whitelisted
3692
mshta.exe
GET
200
151.139.128.14:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCECsuburZdTZsFIpu26N8jAc%3D
US
der
727 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3692
mshta.exe
104.16.62.16:80
www.teamviewer.com
Cloudflare Inc
US
shared
3692
mshta.exe
104.16.62.16:443
www.teamviewer.com
Cloudflare Inc
US
shared
3692
mshta.exe
52.168.20.22:80
client.teamviewer.com
Microsoft Corporation
US
whitelisted
3692
mshta.exe
172.217.16.142:443
www.google-analytics.com
Google Inc.
US
whitelisted
172.217.21.227:80
ocsp.pki.goog
Google Inc.
US
whitelisted
172.217.22.35:80
ocsp.pki.goog
Google Inc.
US
whitelisted
151.139.128.14:80
ocsp.usertrust.com
Highwinds Network Group, Inc.
US
suspicious
3692
mshta.exe
172.217.18.8:443
www.googletagmanager.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
www.teamviewer.com
  • 104.16.62.16
  • 104.16.63.16
shared
client.teamviewer.com
  • 52.168.20.22
shared
www.google-analytics.com
  • 172.217.16.142
whitelisted
www.googletagmanager.com
  • 172.217.18.8
whitelisted
ocsp.usertrust.com
  • 151.139.128.14
whitelisted
ocsp.pki.goog
  • 172.217.22.35
  • 172.217.21.227
whitelisted
ocsp.comodoca.com
  • 151.139.128.14
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
TeamViewer11_Exit.hta