File name: Journal-http.hta

Full analysis: https://app.any.run/tasks/7d08001e-36de-4f11-8209-c3ad71943ea1
Verdict: Malicious activity
Analysis date: November 15, 2024, 18:23:09
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: text/html
File info: HTML document, ASCII text, with very long lines (29716)
MD5: 439BA39A07845E334C3C4422A96BC72B
SHA1: 20D5B07D9D525E003886C8ED82DC5BF98D52F99C
SHA256: 836C97307357A8F7A318CF0206B6F1AFF82CC71C80FD37EBBFD0777A2DFF483A
SSDEEP: 384:kdeiNYnl3Q/2irLwQbyACD1JaSisfUD2O3Al3l0YKxAV6/a:kE3Q/T/weydi4s2O3Al3lqxRS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Gets path to any of the special folders (SCRIPT)
      • mshta.exe (PID: 5920)
    • Creates a new folder (SCRIPT)
      • mshta.exe (PID: 5920)
  • SUSPICIOUS
    • Creates FileSystem object to access computer's file system (SCRIPT)
      • mshta.exe (PID: 5920)
    • Executable content was dropped or overwritten
      • mshta.exe (PID: 5920)
    • Connects to unusual port
      • Journal-http.exe (PID: 6884)
    • Writes binary data to a Stream object (SCRIPT)
      • mshta.exe (PID: 5920)
  • INFO
    • Reads Internet Explorer settings
      • mshta.exe (PID: 5920)
    • The process uses the downloaded file
      • mshta.exe (PID: 5920)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 123
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → mshta.exe → journal-http.exe

Process information

PID: 5920
CMD: "C:\Windows\SysWOW64\mshta.exe" C:\Users\admin\Desktop\Journal-http.hta {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
Path: C:\Windows\SysWOW64\mshta.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft (R) HTML Application host
Exit code: 3221225547
Version: 11.00.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\mshta.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\msvcrt.dll
  c:\windows\syswow64\advapi32.dll

PID: 6884
CMD: "C:\Users\admin\AppData\Local\Temp\rad05E4D.tmp\Journal-http.exe"
Path: C:\Users\admin\AppData\Local\Temp\rad05E4D.tmp\Journal-http.exe
Parent process: mshta.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1768843639
Modules (images):
  c:\users\admin\appdata\local\temp\rad05e4d.tmp\journal-http.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvcrt.dll
Total events: 858
Read events: 855
Write events: 3
Delete events: 0

Modification events

(PID) Process: (5920) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (5920) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (5920) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 5920
Process: mshta.exe
Filename: C:\Users\admin\AppData\Local\Temp\rad05E4D.tmp\Journal-http.exe
Type: executable
MD5: 556D332B12FC2A7DB2D25CD985FA81DE
SHA256: 0635B21EB0E6C08CC8E7188C78EB1FA569CCE9B48118D104BD6370C1B9B3D365
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 24
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5488 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.97:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6944 | svchost.exe | GET | 200 | 2.16.164.97:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6944 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1752 | RUXIMICS.exe | GET | 200 | 2.16.164.97:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1752 | RUXIMICS.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5488 | MoUsoCoreWorker.exe | 4.231.128.59:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
1752 | RUXIMICS.exe | 4.231.128.59:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
| | 104.126.37.136:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
6944 | svchost.exe | 4.231.128.59:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
6944 | svchost.exe | 2.16.164.97:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
5488 | MoUsoCoreWorker.exe | 2.16.164.97:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
1752 | RUXIMICS.exe | 2.16.164.97:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
6944 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
www.bing.com | 104.126.37.136, 104.126.37.139, 104.126.37.145, 104.126.37.131, 104.126.37.144, 104.126.37.154, 104.126.37.163, 104.126.37.155, 104.126.37.162 | whitelisted
google.com | 142.250.185.142 | whitelisted
crl.microsoft.com | 2.16.164.97, 2.16.164.43, 2.16.164.107, 2.16.164.106, 2.16.164.18, 2.16.164.34, 2.16.164.114, 2.16.164.24, 2.16.164.99 | whitelisted
www.microsoft.com | 88.221.169.152 | whitelisted
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
self.events.data.microsoft.com | 20.189.173.14 | whitelisted

Threats

No threats detected
No debug info