File name:

DocumentsFolder_856491(Feb03).one

Full analysis: https://app.any.run/tasks/7fd5a350-94a3-4ba4-9639-201adef89db3
Verdict: Malicious activity
Analysis date: February 25, 2023, 20:11:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/octet-stream
File info: data
MD5:

1A0C8EC440048E4649149BA72512893C

SHA1:

7EE9497DB914CB38AD78EB84A7BB701A7695A21C

SHA256:

5EC773182B7AF67486494673EF32FD04F4A5DDD35BA50C7AFB8DFC0232ED506C

SSDEEP:

1536:zflBiZVfBWQdCj/UeG0wc4K0olXQwY2ZbhTh40EaU5MApEIBvwZAInb:zbAVfBWQdmUeG33ovY8bhTh45aU5SA2b

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Probably malicious OneNote attachment is found

      • ONENOTE.EXE (PID: 3288)

  • SUSPICIOUS

    • Reads the Internet Settings

      • mshta.exe (PID: 752)
      • mshta.exe (PID: 1668)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 1668)
      • mshta.exe (PID: 752)

    • Reads Microsoft Outlook installation path

      • mshta.exe (PID: 752)

  • INFO

    • Checks supported languages

      • ONENOTEM.EXE (PID: 3284)

    • The process checks LSA protection

      • mshta.exe (PID: 752)
      • mshta.exe (PID: 1668)

    • Checks proxy server information

      • mshta.exe (PID: 752)

    • Creates files or folders in the user directory

      • mshta.exe (PID: 1668)
      • mshta.exe (PID: 752)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.one | Microsoft OneNote note (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start onenote.exe no specs onenotem.exe no specs mshta.exe mshta.exe

Process information

PID
CMD
Path
Indicators
Parent process
752"C:\Windows\System32\mshta.exe" "C:\Users\admin\AppData\Local\Temp\OneNote\14.0\NT\0\Open.hta" C:\Windows\System32\mshta.exe
ONENOTE.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
3221225547
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
1668"C:\Windows\System32\mshta.exe" "C:\Users\admin\AppData\Local\Temp\OneNote\14.0\NT\1\Open.hta" C:\Windows\System32\mshta.exe
ONENOTE.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\iertutil.dll
3284/tsrC:\Program Files\Microsoft Office\Office14\ONENOTEM.EXEONENOTE.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft OneNote Quick Launcher
Exit code:
0
Version:
14.0.6015.1000
Modules
Images
c:\program files\microsoft office\office14\onenotem.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
3288"C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE" "C:\Users\admin\AppData\Local\Temp\DocumentsFolder_856491(Feb03).one"C:\Program Files\Microsoft Office\Office14\ONENOTE.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft OneNote
Exit code:
0
Version:
14.0.6022.1000
Modules
Images
c:\program files\microsoft office\office14\onenote.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events
4 340
Read events
4 240
Write events
92
Delete events
8

Modification events

(PID) Process:(3288) ONENOTE.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(3288) ONENOTE.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(3288) ONENOTE.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(3288) ONENOTE.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(3288) ONENOTE.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(3288) ONENOTE.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(3288) ONENOTE.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(3288) ONENOTE.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(3288) ONENOTE.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
(PID) Process:(3288) ONENOTE.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1055
Value:
Off
Executable files
0
Suspicious files
0
Text files
20
Unknown types
4

Dropped files

PID
Process
Filename
Type
3288ONENOTE.EXEC:\Users\admin\AppData\Local\Temp\CVR97E.tmp.cvr
MD5:
SHA256:
3288ONENOTE.EXEC:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\5878f6a6-b1ec-4fc5-8342-b5f85607f76f.htahtml
MD5:
SHA256:
3288ONENOTE.EXEC:\Users\admin\AppData\Local\Temp\{34FB33DC-5BA9-413C-8AA0-D2241A8396F9}image
MD5:
SHA256:
3288ONENOTE.EXEC:\Users\admin\AppData\Local\Temp\{E1F38965-334A-4F55-8D19-0BF44B93D6A7}html
MD5:
SHA256:
3288ONENOTE.EXEC:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\92f5c089-b41e-400e-abc8-2b4ddfd6cf2b.jpgimage
MD5:
SHA256:
3288ONENOTE.EXEC:\Users\admin\AppData\Local\Temp\OneNote\14.0\NT\0\Open.htahtml
MD5:
SHA256:
3288ONENOTE.EXEC:\Users\admin\AppData\Local\Temp\OneNote\14.0\NT\1\Open.htahtml
MD5:
SHA256:
3288ONENOTE.EXEC:\Users\admin\AppData\Local\Temp\DocumentsFolder_856491(Feb03).oneone
MD5:
SHA256:
3288ONENOTE.EXEC:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\dd8ea5a6-9cc6-4c0e-ba1d-62db6998a4fd.pngimage
MD5:33DCA72504D567C57F95452A0358ED2F
SHA256:7E131D7DD2D98E5BF76866FFE0EB5C0AC994E1E791B07F61FB3A756F24D7317C
3288ONENOTE.EXEC:\Users\admin\AppData\Local\Temp\{E060A7AD-2B4D-4762-859C-8E6B2E8436C9}image
MD5:33DCA72504D567C57F95452A0358ED2F
SHA256:7E131D7DD2D98E5BF76866FFE0EB5C0AC994E1E791B07F61FB3A756F24D7317C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
Process
Message
mshta.exe
Invalid parameter passed to C runtime function.
mshta.exe
Invalid parameter passed to C runtime function.
mshta.exe
Invalid parameter passed to C runtime function.
mshta.exe
Invalid parameter passed to C runtime function.
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
DocumentsFolder_856491(Feb03).one