File name: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\2022_January_Document_Review[1].hta

Full analysis: https://app.any.run/tasks/5d77cec2-6ab6-4472-8636-b9b54e318cc6
Verdict: Malicious activity
Analysis date: January 24, 2022, 19:51:30
OS: Windows 10 Professional (build: 16299, 64 bit)
Indicators:
MIME: text/html
File info: HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5: 332C32BA5EE435ED5133F3AF2540B5C2
SHA1: 59D627690FE8855BECEDD0958A7965979DD2D7B7
SHA256: 67C9F27FC0F57A92D636D238FAC04DBF335BB0527985F2747E5CF4FBF7AE6E56
SSDEEP: 1536:506LsUcQhSYsKWDpFizzXuFwDVbrewnRn35xGVKsB2Aw:W6gUcQYtK1/VbqARneXB8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee the maliciousness or safety of the content.

Reading note for this particular run: the analyst opened the sample in three ways (renamed to .hta.html and loaded in Internet Explorer, double-clicked so that mshta.exe hosted it, and opened in Notepad++), so the process list, network traffic and dropped files below mix the sample's own behaviour with Internet Explorer's first-run traffic to microsoft.com and with Notepad++ start-up noise. Every HTTP request, connection and DNS lookup listed is attributed to the Internet Explorer child process (PID 1756), and the two mshta.exe processes that actually executed the HTA (PIDs 4268 and 3824) have no network activity, no dropped files and no write events recorded in this report.
  • MALICIOUS

    • Scans artifacts that could help determine the target

      • iexplore.exe (PID: 5064)
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • IEXPLORE.EXE (PID: 3124)
      • IEXPLORE.EXE (PID: 1756)
      • mshta.exe (PID: 4268)
      • mshta.exe (PID: 3824)
    • Checks supported languages

      • mshta.exe (PID: 4268)
      • notepad++.exe (PID: 2580)
      • mshta.exe (PID: 3824)
    • Reads the computer name

      • mshta.exe (PID: 4268)
      • mshta.exe (PID: 3824)
      • notepad++.exe (PID: 2580)
    • Reads the date of Windows installation

      • OpenWith.exe (PID: 3592)
    • Executed via COM

      • OpenWith.exe (PID: 3592)
      • DllHost.exe (PID: 204)
    • Creates files in the user directory

      • notepad++.exe (PID: 2580)
  • INFO

    • Reads the computer name

      • IEXPLORE.EXE (PID: 3124)
      • iexplore.exe (PID: 5064)
      • IEXPLORE.EXE (PID: 1756)
      • IEXPLORE.EXE (PID: 2192)
      • OpenWith.exe (PID: 3592)
      • DllHost.exe (PID: 204)
    • Checks supported languages

      • iexplore.exe (PID: 5064)
      • IEXPLORE.EXE (PID: 3124)
      • IEXPLORE.EXE (PID: 1756)
      • IEXPLORE.EXE (PID: 2192)
      • OpenWith.exe (PID: 3592)
    • Changes internet zones settings

      • iexplore.exe (PID: 5064)
    • Application launched itself

      • IEXPLORE.EXE (PID: 3124)
    • Reads internet explorer settings

      • IEXPLORE.EXE (PID: 3124)
      • IEXPLORE.EXE (PID: 1756)
      • mshta.exe (PID: 4268)
      • mshta.exe (PID: 3824)
    • Reads settings of System Certificates

      • IEXPLORE.EXE (PID: 1756)
      • iexplore.exe (PID: 5064)
      • IEXPLORE.EXE (PID: 3124)
    • Reads the software policy settings

      • IEXPLORE.EXE (PID: 1756)
      • IEXPLORE.EXE (PID: 3124)
      • iexplore.exe (PID: 5064)
    • Checks Windows Trust Settings

      • IEXPLORE.EXE (PID: 1756)
      • IEXPLORE.EXE (PID: 3124)
      • iexplore.exe (PID: 5064)
    • Reads the date of Windows installation

      • iexplore.exe (PID: 5064)
    • Manual execution by user

      • mshta.exe (PID: 4268)
      • mshta.exe (PID: 3824)
      • notepad++.exe (PID: 2580)
    • Creates files in the user directory

      • iexplore.exe (PID: 5064)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .html | HyperText Markup Language (100)

EXIF (HTML): Title: fax

No data.
All screenshots are available in the full report
Total processes: 100
Monitored processes: 9
Malicious processes: 0
Suspicious processes: 0

Behavior graph

Process nodes, in the order shown in the graph: start, iexplore.exe, iexplore.exe, iexplore.exe, iexplore.exe (no specs), mshta.exe (no specs), openwith.exe (no specs), Shell Security Editor (no specs), mshta.exe (no specs), notepad++.exe

Process information

PID 5064
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\admin\Desktop\2022_January_Document_Review[1].hta.html"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 11.00.16299.15 (WinBuild.160101.0800)

PID 3124
CMD: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5064 CREDAT:17410 /prefetch:2
Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 0
Version: 11.00.16299.15 (WinBuild.160101.0800)

PID 1756
CMD: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5064 CREDAT:333058 /prefetch:2
Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Parent process: IEXPLORE.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.16299.15 (WinBuild.160101.0800)

PID 2192
CMD: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5064 CREDAT:529666 /prefetch:2
Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Parent process: IEXPLORE.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.16299.15 (WinBuild.160101.0800)

PID 4268
CMD: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\admin\Desktop\2022_January_Document_Review[1].hta"
Path: C:\Windows\SysWOW64\mshta.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft (R) HTML Application host
Exit code: 0
Version: 11.00.16299.15 (WinBuild.160101.0800)

PID 3592
CMD: C:\WINDOWS\system32\OpenWith.exe -Embedding
Path: C:\WINDOWS\system32\OpenWith.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Pick an app
Exit code: 0
Version: 10.0.16299.15 (WinBuild.160101.0800)

PID 204
CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{4D111E08-CBF7-4F12-A926-2C7920AF52FC}
Path: C:\WINDOWS\system32\DllHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Exit code: 0
Version: 10.0.16299.15 (WinBuild.160101.0800)

PID 3824
CMD: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\admin\Desktop\2022_January_Document_Review[1].hta"
Path: C:\Windows\SysWOW64\mshta.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft (R) HTML Application host
Exit code: 0
Version: 11.00.16299.15 (WinBuild.160101.0800)

PID 2580
CMD: "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\2022_January_Document_Review[1].hta"
Path: C:\Program Files\Notepad++\notepad++.exe
Parent process: Explorer.EXE
User: admin
Company: (empty in report)
Integrity Level: MEDIUM
Description: Notepad++ : a free (GNU) source code editor
Version: 7.91
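The process table above is the part of this report worth turning into a detection: the HTA was hosted by mshta.exe (PIDs 4268 and 3824) from the user's Desktop, and the original file name shows it had first been cached under Temporary Internet Files. The Python below is an added example, not part of the ANY.RUN report, showing the corresponding rule run over process-creation events. The event records are constructed by hand: the first two copy the command lines of PIDs 4268 and 5064 from the table (the full Explorer.EXE path is assumed), while PIDs 9001 and 9002 are invented contrasts (a vendor-installed HTA, and the attachment launched straight from the IE cache by the browser). The field names (ProcessId, Image, CommandLine, ParentImage) follow Sysmon Event ID 1 naming but are an assumption about the telemetry source, and the parent-process heuristic (Office application or browser spawning mshta.exe) is a general detection rule that this particular run does not exercise.

```python
"""Flag suspicious mshta.exe launches in process-creation telemetry.

Added example, not part of the ANY.RUN report. Records are plain dicts whose
keys follow Sysmon Event ID 1 naming (ProcessId, Image, CommandLine,
ParentImage); that naming is an assumption about the telemetry source.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Paths a standard user can write to. An .hta run from here most likely arrived
# by mail, download or browser cache rather than being deployed by an admin.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(desktop|downloads|documents|appdata)\\", re.I)
# Internet Explorer cache locations (the report's original file path is one).
IE_CACHE = re.compile(r"\\(temporary internet files|inetcache)\\", re.I)
# General heuristic, not exercised by the report: mshta.exe spawned by an
# Office application or a browser is a classic phishing execution chain.
SUSPICIOUS_PARENTS = ("\\winword.exe", "\\excel.exe", "\\outlook.exe", "\\iexplore.exe")


def split_cmdline(cmd: str) -> List[str]:
    """Split a Windows command line on spaces, honouring double quotes."""
    args, cur, quoted = [], [], False
    for ch in cmd:
        if ch == '"':
            quoted = not quoted
        elif ch == " " and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


@dataclass
class Finding:
    pid: int
    hta_path: Optional[str]
    parent: str
    reasons: tuple


def analyse_event(ev: dict) -> Optional[Finding]:
    """Return a Finding for an mshta.exe launch that matches a heuristic, else None."""
    if not ev["Image"].lower().endswith("\\mshta.exe"):
        return None
    args = split_cmdline(ev["CommandLine"])[1:]          # drop argv[0]
    hta = next((a for a in args if a.lower().endswith(".hta")), None)
    reasons = []
    if hta is None:
        # No local .hta: inline javascript:/vbscript: payload or a remote URL.
        reasons.append("mshta.exe without a local .hta file argument")
    else:
        if USER_WRITABLE.match(hta):
            reasons.append("HTA executed from a user-writable directory")
        if IE_CACHE.search(hta):
            reasons.append("HTA executed directly from the browser cache")
    if ev["ParentImage"].lower().endswith(SUSPICIOUS_PARENTS):
        reasons.append("mshta.exe spawned by an Office application or browser")
    if not reasons:
        return None
    return Finding(ev["ProcessId"], hta, ev["ParentImage"], tuple(reasons))


def scan(events: List[dict]) -> List[Finding]:
    """Apply analyse_event to every record and keep the hits."""
    return [f for f in map(analyse_event, events) if f is not None]


# Constructed records: the first two mirror PIDs 4268 and 5064 from the process
# table (full parent path assumed); 9001 and 9002 are invented contrasts, a
# vendor-installed HTA and the attachment opened straight from the IE cache.
SAMPLE_EVENTS = [
    {"ProcessId": 4268, "Image": r"C:\Windows\SysWOW64\mshta.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\admin\Desktop\2022_January_Document_Review[1].hta"',
     "ParentImage": r"C:\Windows\Explorer.EXE"},
    {"ProcessId": 5064, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": r'"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\admin\Desktop\2022_January_Document_Review[1].hta.html"',
     "ParentImage": r"C:\Windows\Explorer.EXE"},
    {"ProcessId": 9001, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\setup.hta"',
     "ParentImage": r"C:\Program Files\Vendor\installer.exe"},
    {"ProcessId": 9002, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\2022_January_Document_Review[1].hta"',
     "ParentImage": r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"PID {f.pid} parent={f.parent}\n  hta={f.hta_path}\n  " + "\n  ".join(f.reasons))
```

Run against the constructed records, the rule flags PID 4268 (HTA from the Desktop, as in the report) and the invented PID 9002 on all three heuristics, and stays quiet on the Internet Explorer launch and on the vendor-installed HTA under Program Files. The quoting-aware splitter matters because the report's own command lines carry the .hta path in double quotes; a naive split on spaces would never see the extension.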
Total events: 13 242
Read events: 13 057
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 13
Text files: 17
Unknown types: 13

Dropped files (PID | process | filename | type)

1756 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\173WC5EV\ef-a24652[1].css | text
  MD5: 172F1794263EA1FC4BCFCE2A3CBA8F8E | SHA256: 58D444A20D0AC6F199EFCA28A8C232D7714651BF3A27E9A02C9EF5364AA20250
1756 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\KGQ0UDUE\css[1].css | text
  MD5: 5C2902930DEAC864113C013FF4B8895C | SHA256: 4F89552D3E2EEF1F806FEA70172996503793ABBEB3FAEA258D647075E5AFB4E6
5064 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{0814CA56-7D4F-11EC-B4A3-18F7786F96EE}.dat | binary
  MD5: B6E73693F9F4DC793D4CD78E1F86EA1E | SHA256: 618EC52C5333DA36C88454E9DBB51EFB7A665816B7A174CCC367D03FB94DF028
1756 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\SmartScreenCache.dat | binary
  MD5: 6F850F15902DB5DF159F57510ECEA47E | SHA256: C7F80FB4B4A8B8C49C8E14926A62ACE0E69AC0481FD711AE0907C0A9511DBDC9
1756 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\5X1K3HNA\edge[1].htm | html
  MD5: 13C2D9AB70D9EEB3236A50120593D509 | SHA256: D13A4224DF7A96652561DF4BF3A019C19563B9BDD34FBE905D39AEFE3443365F
5064 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\UrlBlock\URLD358.tmp | flc
  MD5: 9CF130AE7E2E78AF526EA38E00584FFA | SHA256: 3816FC390B3B0913519B797E1B0A5064DC34A5116DED99019A4AB92597B2E400
5064 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF6D7419CF1B963353.TMP | gmc
  MD5: 32ED32D842D74F9673C4BED5FC9548C8 | SHA256: F8F8F01137514CBCD62A1DA97C79369CA587F058D219E438531DF6BB92C54492
1756 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\1IGIBTY7\oneplayer[1].js | text
  MD5: 4C7F040A231452B0B15C159F6A68119E | SHA256: 7364CEE8567868C4E8B863B11448632741AAC2774E7223108002EF4E5779BF49
1756 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\5X1K3HNA\launch-EN7b3d710ac67a4a1195648458258f97dd.min[1].js | text
  MD5: 7B5A4D88AB84E64305CF3DA4355788DC | SHA256: 8F31130076B5FC648B7A872CEE453C4EAD2FE23904D37CF2CFAC30FCFE05EA03
5064 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFC9E8A4EDA15BBB2F.TMP | gmc
  MD5: 863209889BFADDEF2D71E2C590838591 | SHA256: 59E21804E1E861ABA1700B67F14933F22B67ABB725682CAA5AF5DB16B5CD46F3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 36
TCP/UDP connections: 49
DNS requests: 14
Threats: 0

HTTP requests (PID | process | method | HTTP code | IP | URL | CN | type, size | reputation)

1756 | IEXPLORE.EXE | GET | 301 | 2.18.233.62:443 | https://www.microsoft.com/en-us/welcomeie11/ | unknown | whitelisted
1756 | IEXPLORE.EXE | GET | 301 | 2.18.233.62:443 | https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DL | unknown | whitelisted
1756 | IEXPLORE.EXE | GET | 302 | 104.111.242.51:443 | https://go.microsoft.com/fwlink/?LinkId=517287 | NL | whitelisted
1756 | IEXPLORE.EXE | GET | 301 | 2.18.233.62:443 | https://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DL | unknown | whitelisted
1756 | IEXPLORE.EXE | GET | 302 | 104.111.242.51:80 | http://go.microsoft.com/fwlink/?LinkId=838604 | NL | whitelisted
1756 | IEXPLORE.EXE | GET | 200 | 2.18.233.62:443 | https://www.microsoft.com/onerfstatics/marketingsites-neu-prod/west-european/shell/_scrf/css/themes=default.device=uplevel_web_pc/79-4cdd0a/33-ae3d41/a5-4bf7a2/13-8e1ceb/81-32f0c0/5c-b7b685/dd-4224e1/ef-a24652?ver=2.0&_cf=20210618 | unknown | text, 166 Kb | whitelisted
1756 | IEXPLORE.EXE | GET | 200 | 2.18.233.62:443 | https://www.microsoft.com/videoplayer/js/oneplayer.js | unknown | text, 329 Kb | whitelisted
1756 | IEXPLORE.EXE | GET | 200 | 2.16.186.40:443 | https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWMIHM | unknown | image, 27.9 Kb | whitelisted
1756 | IEXPLORE.EXE | GET | 200 | 2.18.233.62:443 | https://www.microsoft.com/en-us/edge/Assets/css?v1=01.13.suk | unknown | text, 143 Kb | whitelisted
1756 | IEXPLORE.EXE | GET | 200 | 72.247.225.88:443 | https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js | US | text, 599 Kb | whitelisted

Connections (PID | process | IP | domain | ASN | CN | reputation)

1756 | IEXPLORE.EXE | 2.16.186.41:443 | statics-marketingsites-neu-ms-com.akamaized.net | Akamai International B.V. | whitelisted
1756 | IEXPLORE.EXE | 151.101.65.26:443 | polyfill.io | Fastly | US | suspicious
1756 | IEXPLORE.EXE | 2.18.233.62:443 | www.microsoft.com | Akamai International B.V. | whitelisted
1756 | IEXPLORE.EXE | 152.199.19.160:443 | ajax.aspnetcdn.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
1756 | IEXPLORE.EXE | 104.111.242.51:443 | go.microsoft.com | Akamai International B.V. | NL | unknown
1756 | IEXPLORE.EXE | 104.111.242.51:80 | go.microsoft.com | Akamai International B.V. | NL | unknown
1756 | IEXPLORE.EXE | 72.247.225.88:443 | assets.adobedtm.com | Akamai Technologies, Inc. | US | whitelisted
1756 | IEXPLORE.EXE | 72.247.226.83:443 | c.s-microsoft.com | Akamai Technologies, Inc. | US | whitelisted
1756 | IEXPLORE.EXE | 13.107.246.45:443 | wcpstatic.microsoft.com | Microsoft Corporation | US | suspicious
1756 | IEXPLORE.EXE | 2.16.186.40:443 | img-prod-cms-rt-microsoft-com.akamaized.net | Akamai International B.V. | whitelisted

DNS requests

Domain
IP
Reputation
go.microsoft.com
  • 104.111.242.51
whitelisted
www.microsoft.com
  • 2.18.233.62
whitelisted
assets.adobedtm.com
  • 72.247.225.88
whitelisted
polyfill.io
  • 151.101.65.26
  • 151.101.129.26
  • 151.101.193.26
  • 151.101.1.26
whitelisted
ajax.aspnetcdn.com
  • 152.199.19.160
whitelisted
statics-marketingsites-neu-ms-com.akamaized.net
  • 2.16.186.41
  • 2.16.186.27
whitelisted
mwf-service.akamaized.net
  • 2.16.186.18
  • 2.16.186.9
whitelisted
wcpstatic.microsoft.com
  • 13.107.246.45
  • 13.107.213.45
whitelisted
img-prod-cms-rt-microsoft-com.akamaized.net
  • 2.16.186.40
  • 2.16.186.27
whitelisted
c.s-microsoft.com
  • 72.247.226.83
whitelisted

Threats (PID | process | class | message)

1756 | IEXPLORE.EXE | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request

Process | Message

notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | VerifyLibrary: error while getting certificate informations