Field | Value
---|---
File name | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\2022_January_Document_Review[1].hta
Full analysis | https://app.any.run/tasks/5d77cec2-6ab6-4472-8636-b9b54e318cc6
Verdict | Malicious activity
Analysis date | January 24, 2022, 19:51:30
OS | Windows 10 Professional (build: 16299, 64 bit)
Indicators | —
MIME | text/html
File info | HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5 | 332C32BA5EE435ED5133F3AF2540B5C2
SHA1 | 59D627690FE8855BECEDD0958A7965979DD2D7B7
SHA256 | 67C9F27FC0F57A92D636D238FAC04DBF335BB0527985F2747E5CF4FBF7AE6E56
SSDEEP | 1536:506LsUcQhSYsKWDpFizzXuFwDVbrewnRn35xGVKsB2Aw:W6gUcQYtK1/VbqARneXB8
File type | .html (HyperText Markup Language, 100)
Title | fax
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
5064 | "C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\admin\Desktop\2022_January_Document_Review[1].hta.html" | C:\Program Files\Internet Explorer\iexplore.exe | — | Explorer.EXE
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Exit code: 1; Version: 11.00.16299.15 (WinBuild.160101.0800) | | | |
3124 | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5064 CREDAT:17410 /prefetch:2 | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | — | iexplore.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Exit code: 0; Version: 11.00.16299.15 (WinBuild.160101.0800) | | | |
1756 | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5064 CREDAT:333058 /prefetch:2 | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | — | IEXPLORE.EXE
User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Exit code: 0; Version: 11.00.16299.15 (WinBuild.160101.0800) | | | |
2192 | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5064 CREDAT:529666 /prefetch:2 | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | — | IEXPLORE.EXE
User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Exit code: 0; Version: 11.00.16299.15 (WinBuild.160101.0800) | | | |
4268 | "C:\Windows\SysWOW64\mshta.exe" "C:\Users\admin\Desktop\2022_January_Document_Review[1].hta" | C:\Windows\SysWOW64\mshta.exe | — | Explorer.EXE
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft (R) HTML Application host; Exit code: 0; Version: 11.00.16299.15 (WinBuild.160101.0800) | | | |
3592 | C:\WINDOWS\system32\OpenWith.exe -Embedding | C:\WINDOWS\system32\OpenWith.exe | — | svchost.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Pick an app; Exit code: 0; Version: 10.0.16299.15 (WinBuild.160101.0800) | | | |
204 | C:\WINDOWS\system32\DllHost.exe /Processid:{4D111E08-CBF7-4F12-A926-2C7920AF52FC} | C:\WINDOWS\system32\DllHost.exe | — | svchost.exe
User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: COM Surrogate; Exit code: 0; Version: 10.0.16299.15 (WinBuild.160101.0800) | | | |
3824 | "C:\Windows\SysWOW64\mshta.exe" "C:\Users\admin\Desktop\2022_January_Document_Review[1].hta" | C:\Windows\SysWOW64\mshta.exe | — | Explorer.EXE
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft (R) HTML Application host; Exit code: 0; Version: 11.00.16299.15 (WinBuild.160101.0800) | | | |
2580 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\2022_January_Document_Review[1].hta" | C:\Program Files\Notepad++\notepad++.exe | — | Explorer.EXE
User: admin; Company: Don HO; Integrity Level: MEDIUM; Description: Notepad++ : a free (GNU) source code editor; Version: 7.91 | | | |
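The process table is the only place this report records the HTA actually being executed: two mshta.exe instances (PIDs 4268 and 3824) launched from Explorer.EXE with the .hta from the user's Desktop, neither with a child process or a network connection attributed to it; every request in the network tables below belongs to IEXPLORE.EXE (PID 1756) fetching Microsoft's IE11/Edge welcome pages. The following is an added triage example, not part of the ANY.RUN report, showing how a detection over process-creation records picks out those two rows. The records are constructed from the table above (plus one hypothetical Outlook-spawned record to exercise the parent-process rule); the dict keys, the set of "delivery" parents and the user-writable path list are assumptions of this example, not ANY.RUN fields.

```python
import re

# Process-creation records constructed from the process table of this report
# (PID, image, command line, parent name, integrity level). The dict keys are an
# assumed log schema, not ANY.RUN's export format.
REPORT_EVENTS = [
    {"pid": 5064, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\admin\Desktop\2022_January_Document_Review[1].hta.html"',
     "parent": "Explorer.EXE", "integrity": "MEDIUM"},
    {"pid": 4268, "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmdline": r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\admin\Desktop\2022_January_Document_Review[1].hta"',
     "parent": "Explorer.EXE", "integrity": "MEDIUM"},
    {"pid": 204, "image": r"C:\WINDOWS\system32\DllHost.exe",
     "cmdline": r"C:\WINDOWS\system32\DllHost.exe /Processid:{4D111E08-CBF7-4F12-A926-2C7920AF52FC}",
     "parent": "svchost.exe", "integrity": "HIGH"},
    {"pid": 3824, "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmdline": r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\admin\Desktop\2022_January_Document_Review[1].hta"',
     "parent": "Explorer.EXE", "integrity": "MEDIUM"},
    {"pid": 2580, "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "cmdline": r'"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\2022_January_Document_Review[1].hta"',
     "parent": "Explorer.EXE", "integrity": "MEDIUM"},
]

# Hypothetical record, not from this report, to exercise the parent-process rule.
HYPOTHETICAL_EVENT = {
    "pid": 9999, "image": r"C:\Windows\System32\mshta.exe",
    "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\Users\admin\AppData\Local\Temp\invoice.hta"',
    "parent": "OUTLOOK.EXE", "integrity": "MEDIUM",
}

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf")
# Parents that indicate the script arrived via mail, browser or Office document
# rather than a deliberate double-click in Explorer (assumed list).
DELIVERY_PARENTS = {"iexplore.exe", "outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
# Directories an unprivileged user can write to (assumed list).
USER_WRITABLE = re.compile(
    r"\\(Users|ProgramData|Temp|Temporary Internet Files|INetCache)\\", re.IGNORECASE)

_ARG_RE = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, keeping quoted arguments whole."""
    return [quoted or bare for quoted, bare in _ARG_RE.findall(cmdline)]


def triage(event):
    """Return the findings for one process-creation record (empty list if nothing fired)."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS:
        return []
    findings = []
    # Rule 1: a script host executing a script file from a user-writable location.
    for arg in split_cmdline(event["cmdline"])[1:]:
        if arg.lower().endswith(SCRIPT_EXTS) and USER_WRITABLE.search(arg):
            findings.append(f"{image} executing script from user-writable path: {arg}")
    # Rule 2: a script host spawned directly by a mail client, browser or Office app.
    if event["parent"].lower() in DELIVERY_PARENTS:
        findings.append(f"{image} spawned by {event['parent']}")
    return findings


def triage_events(events):
    """Map pid -> findings for every record that produced at least one finding."""
    hits = {}
    for event in events:
        findings = triage(event)
        if findings:
            hits[event["pid"]] = findings
    return hits


if __name__ == "__main__":
    for pid, findings in triage_events(REPORT_EVENTS + [HYPOTHETICAL_EVENT]).items():
        for finding in findings:
            print(f"PID {pid}: {finding}")
```

Run against the report's rows, only the two mshta.exe records fire, and only on the user-writable-path rule; Notepad++ opening the same .hta is correctly ignored because it is not a script host. The path rule deliberately matches the Low\Content.IE5 cache directory the file was originally saved to as well as the Desktop copy the sandbox executed.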
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
1756 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\173WC5EV\ef-a24652[1].css | text | 172F1794263EA1FC4BCFCE2A3CBA8F8E | 58D444A20D0AC6F199EFCA28A8C232D7714651BF3A27E9A02C9EF5364AA20250
1756 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\KGQ0UDUE\css[1].css | text | 5C2902930DEAC864113C013FF4B8895C | 4F89552D3E2EEF1F806FEA70172996503793ABBEB3FAEA258D647075E5AFB4E6
5064 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{0814CA56-7D4F-11EC-B4A3-18F7786F96EE}.dat | binary | B6E73693F9F4DC793D4CD78E1F86EA1E | 618EC52C5333DA36C88454E9DBB51EFB7A665816B7A174CCC367D03FB94DF028
1756 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\SmartScreenCache.dat | binary | 6F850F15902DB5DF159F57510ECEA47E | C7F80FB4B4A8B8C49C8E14926A62ACE0E69AC0481FD711AE0907C0A9511DBDC9
1756 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\5X1K3HNA\edge[1].htm | html | 13C2D9AB70D9EEB3236A50120593D509 | D13A4224DF7A96652561DF4BF3A019C19563B9BDD34FBE905D39AEFE3443365F
5064 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\UrlBlock\URLD358.tmp | flc | 9CF130AE7E2E78AF526EA38E00584FFA | 3816FC390B3B0913519B797E1B0A5064DC34A5116DED99019A4AB92597B2E400
5064 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF6D7419CF1B963353.TMP | gmc | 32ED32D842D74F9673C4BED5FC9548C8 | F8F8F01137514CBCD62A1DA97C79369CA587F058D219E438531DF6BB92C54492
1756 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\1IGIBTY7\oneplayer[1].js | text | 4C7F040A231452B0B15C159F6A68119E | 7364CEE8567868C4E8B863B11448632741AAC2774E7223108002EF4E5779BF49
1756 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\5X1K3HNA\launch-EN7b3d710ac67a4a1195648458258f97dd.min[1].js | text | 7B5A4D88AB84E64305CF3DA4355788DC | 8F31130076B5FC648B7A872CEE453C4EAD2FE23904D37CF2CFAC30FCFE05EA03
5064 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFC9E8A4EDA15BBB2F.TMP | gmc | 863209889BFADDEF2D71E2C590838591 | 59E21804E1E861ABA1700B67F14933F22B67ABB725682CAA5AF5DB16B5CD46F3
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1756 | IEXPLORE.EXE | GET | 301 | 2.18.233.62:443 | https://www.microsoft.com/en-us/welcomeie11/ | unknown | — | — | whitelisted |
1756 | IEXPLORE.EXE | GET | 301 | 2.18.233.62:443 | https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DL | unknown | — | — | whitelisted |
1756 | IEXPLORE.EXE | GET | 302 | 104.111.242.51:443 | https://go.microsoft.com/fwlink/?LinkId=517287 | NL | — | — | whitelisted |
1756 | IEXPLORE.EXE | GET | 301 | 2.18.233.62:443 | https://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DL | unknown | — | — | whitelisted |
1756 | IEXPLORE.EXE | GET | 302 | 104.111.242.51:80 | http://go.microsoft.com/fwlink/?LinkId=838604 | NL | — | — | whitelisted |
1756 | IEXPLORE.EXE | GET | 200 | 2.18.233.62:443 | https://www.microsoft.com/onerfstatics/marketingsites-neu-prod/west-european/shell/_scrf/css/themes=default.device=uplevel_web_pc/79-4cdd0a/33-ae3d41/a5-4bf7a2/13-8e1ceb/81-32f0c0/5c-b7b685/dd-4224e1/ef-a24652?ver=2.0&_cf=20210618 | unknown | text | 166 Kb | whitelisted |
1756 | IEXPLORE.EXE | GET | 200 | 2.18.233.62:443 | https://www.microsoft.com/videoplayer/js/oneplayer.js | unknown | text | 329 Kb | whitelisted |
1756 | IEXPLORE.EXE | GET | 200 | 2.16.186.40:443 | https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWMIHM | unknown | image | 27.9 Kb | whitelisted |
1756 | IEXPLORE.EXE | GET | 200 | 2.18.233.62:443 | https://www.microsoft.com/en-us/edge/Assets/css?v1=01.13.suk | unknown | text | 143 Kb | whitelisted |
1756 | IEXPLORE.EXE | GET | 200 | 72.247.225.88:443 | https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js | US | text | 599 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1756 | IEXPLORE.EXE | 2.16.186.41:443 | statics-marketingsites-neu-ms-com.akamaized.net | Akamai International B.V. | — | whitelisted |
1756 | IEXPLORE.EXE | 151.101.65.26:443 | polyfill.io | Fastly | US | suspicious |
1756 | IEXPLORE.EXE | 2.18.233.62:443 | www.microsoft.com | Akamai International B.V. | — | whitelisted |
1756 | IEXPLORE.EXE | 152.199.19.160:443 | ajax.aspnetcdn.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
1756 | IEXPLORE.EXE | 104.111.242.51:443 | go.microsoft.com | Akamai International B.V. | NL | unknown |
1756 | IEXPLORE.EXE | 104.111.242.51:80 | go.microsoft.com | Akamai International B.V. | NL | unknown |
1756 | IEXPLORE.EXE | 72.247.225.88:443 | assets.adobedtm.com | Akamai Technologies, Inc. | US | whitelisted |
1756 | IEXPLORE.EXE | 72.247.226.83:443 | c.s-microsoft.com | Akamai Technologies, Inc. | US | whitelisted |
1756 | IEXPLORE.EXE | 13.107.246.45:443 | wcpstatic.microsoft.com | Microsoft Corporation | US | suspicious |
1756 | IEXPLORE.EXE | 2.16.186.40:443 | img-prod-cms-rt-microsoft-com.akamaized.net | Akamai International B.V. | — | whitelisted |
Domain | IP | Reputation
---|---|---
go.microsoft.com | — | whitelisted
www.microsoft.com | — | whitelisted
assets.adobedtm.com | — | whitelisted
polyfill.io | — | whitelisted
ajax.aspnetcdn.com | — | whitelisted
statics-marketingsites-neu-ms-com.akamaized.net | — | whitelisted
mwf-service.akamaized.net | — | whitelisted
wcpstatic.microsoft.com | — | whitelisted
img-prod-cms-rt-microsoft-com.akamaized.net | — | whitelisted
c.s-microsoft.com | — | whitelisted
PID | Process | Class | Message |
---|---|---|---|
1756 | IEXPLORE.EXE | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request |
Process | Message
---|---
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | VerifyLibrary: error while getting certificate informations