Should I block it?

No, this file is 100% safe to run.

Additional versions

9.00.8112.16443 (WIN7_IE9_GDR.120227-1545)	0.39%
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)	0.13%
8.00.7600.16385 (win7_rtm.090713-1255)	0.13%
8.00.7600.16385 (win7_rtm.090713-1255)	0.13%
8.00.7264.0 (win7_rtm.090622-1900)	0.13%
8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)	45.89%
8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)	0.13%
8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)	0.39%
8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)	0.13%
8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)	0.13%
8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)	0.26%
8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)	0.13%
8.00.6001.18241 (longhorn_ie8_beta2(wmbla).080822-0214)	0.13%
7.00.5730.13 (longhorn(wmbla).070711-1130)	2.35%
7.00.5730.13 (longhorn(wmbla).070711-1130)	0.13%
7.00.5730.13 (longhorn(wmbla).070711-1130)	0.13%
7.00.5730.13 (longhorn(wmbla).070711-1130)	0.13%
7.00.5730.11 (winmain(wmbla).061017-1135)	1.04%
10.00.9200.16521 (win8_gdr_soc_ie.130216-2100)	44.20%
10.00.9200.16438 (win8_gdr_soc_ie_beta.121108-2200)	3.00%
10.00.8400.0 (winmain_win8rc.120518-1423)	0.52%
10.00.8250.0 (winmain_win8beta.120217-1520)	0.13%
10.00.8102.0 (winmain_win8m3.110823-1455)	0.26%

Relationships

PE file structure

Show functions

Import table

advapi32.dll

RegQueryValueExA, RegCloseKey, RegOpenKeyExA

kernel32.dll

GetVersion, GetModuleHandleW, GetProcAddress, ExpandEnvironmentStringsA, LoadLibraryA, lstrlenA, MultiByteToWideChar, FreeLibrary, GetCommandLineA, GetVersionExA, GetStartupInfoA, SetUnhandledExceptionFilter, GetModuleHandleA, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetLastError, GetEnvironmentStringsW, SetHandleCount, GetFileType, DeleteCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, InterlockedDecrement, GetCurrentThreadId, HeapDestroy, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, HeapAlloc, LeaveCriticalSection, EnterCriticalSection, OutputDebugStringA, InitializeCriticalSection, GetCPInfo, GetACP, GetOEMCP, Sleep, VirtualAlloc, HeapReAlloc, RtlUnwind, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, VirtualProtect, GetSystemInfo, VirtualQuery

MSHTA.exe

Windows Internet Explorer by Microsoft

Remove MSHTA.exe

Version:	8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
MD5:	ad8f83f16a3ce2b093b38b279b419387
SHA1:	5924007afda4703e2add2c44507cfcbfa98a55b7
SHA256:	22b96b75ce5407de1bdaedeba57b9a1cf9fe99964b7e07965e21ab5d35bca299

This is a Windows system installed file with Windows File Protection (WFP) enabled.

Overview

mshta.exe executes as a process under the SYSTEM account with extensive privileges (the system and the administrator accounts have the same file privileges). It has been configured with a firewall exception which allows both inbound and outbound network communication without being blocked. This is typically installed with the program Windows Internet Explorer 8 published by Microsoft Corporation. and is compiled as a 32 bit program.

Details

File name:	mshta.exe
Publisher:	Microsoft Corporation
Product name:	Windows® Internet Explorer
Description:	Microsoft (R) HTML Application host
Typical file path:	C:\Windows\System32\mshta.exe
File version:	8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
Product version:	8.00.6001.18702
Size:	44.5 KB (45,568 bytes)
Digital DNA
Entropy:	5.990163
File packed:	No
.NET CLR:	No

More details

Programs

The following program will install this file

Windows Internet Explorer 8

Microsoft Corporation

5% remove

Windows IE8 (Internet Explorer 8) is a web browser from Microsoft. IE8 contains many new features, including WebSlices and Accelerators (Accelerators are a form of selection-based search which allow a user to invoke an online service from any other page using only the mouse). The address bar features domain highlighting for added security so that the top-level domain is shown in black whereas the other parts of the URL are grayed out. I...

Behaviors

Shell open commands

htafile

Scheduled tasks

The job 'At9' runs in the path 'C:\WINDOWS\Tasks\At9.job'
The task 'At8' runs in the path 'C:\WINDOWS\Tasks\At8.job'
The job 'At7' runs in the path 'C:\WINDOWS\Tasks\At7.job'
The task 'At6' runs in the path 'C:\WINDOWS\Tasks\At6.job'
The job 'At5' runs in the path 'C:\WINDOWS\Tasks\At5.job'
The task 'At4' runs in the path 'C:\WINDOWS\Tasks\At4.job'
The job 'At3' runs in the path 'C:\WINDOWS\Tasks\At3.job'
The task 'At24' runs in the path 'C:\WINDOWS\Tasks\At24.job'
The job 'At23' runs in the path 'C:\WINDOWS\Tasks\At23.job'
The task 'At22' runs in the path 'C:\WINDOWS\Tasks\At22.job'
The job 'At21' runs in the path 'C:\WINDOWS\Tasks\At21.job'
The task 'At20' runs in the path 'C:\WINDOWS\Tasks\At20.job'
The job 'At2' runs in the path 'C:\WINDOWS\Tasks\At2.job'
The task 'At19' runs in the path 'C:\WINDOWS\Tasks\At19.job'
The job 'At18' runs in the path 'C:\WINDOWS\Tasks\At18.job'
The task 'At17' runs in the path 'C:\WINDOWS\Tasks\At17.job'
The job 'At16' runs in the path 'C:\WINDOWS\Tasks\At16.job'
The task 'At15' runs in the path 'C:\WINDOWS\Tasks\At15.job'
The job 'At14' runs in the path 'C:\WINDOWS\Tasks\At14.job'
The task 'At13' runs in the path 'C:\WINDOWS\Tasks\At13.job'
The job 'At12' runs in the path 'C:\WINDOWS\Tasks\At12.job'
The task 'At11' runs in the path 'C:\WINDOWS\Tasks\At11.job'

Windows firewall allowed programs

Exceptions allow programs to access to the Internet through an outbound connections

Firewall exception for 'C:\WINDOWS\system32\mshta.exe'

Network connections

Access through an approved Windows firewall exception

[UDP] listens on port 2729

[UDP] listens on port 1237

[UDP] listens on port 4785

[UDP] listens on port 3870

[UDP] listens on port 2184

[UDP] listens on port 2752

[UDP] listens on port 2129

[UDP] listens on port 1523

[UDP] listens on port 4752

[UDP] listens on port 4314

Resource utilization

(Note: statistics below are averages based on a minimum sample size of 200 unique participants)

Averages

CPU
Total CPU:	0.00008463%	0.028634%
Kernel CPU:	0.00005565%	0.013761%
User CPU:	0.00002897%	0.014873%
Kernel CPU time:	155 ms/min	100,923,805ms/min
Memory
Private memory:	4.89 MB	21.59 MB
Private (maximum):	9.18 MB
Private (minimum):	3.42 MB
Non-paged memory:	4.89 MB	21.59 MB
Virtual memory:	48.73 MB	140.96 MB
Virtual memory (peak):	63.22 MB	169.69 MB
Working set:	3.44 MB	18.61 MB
Working set (peak):	9.19 MB	37.95 MB
Page faults:	2,534/min	2,039/min
I/O
I/O read transfer:	29 Bytes/sec	1.02 MB/min
I/O read operations:	1/sec	343/min
I/O write transfer:	0 Bytes/sec	274.99 KB/min
I/O write operations:	1/sec	227/min
I/O other transfer:	81 Bytes/sec	448.09 KB/min
I/O other operations:	2/sec	1,671/min
Resource allocations
Threads:	3	12
Handles:	215	600
GUI GDI count:	13	103
GUI USER count:	8	49

Process properties

Integrety level:	Undefined
Platform:	32-bit
Command line:	mshta.exe httC://85.234.191.60/88.php?olala=565560139210452
Owner:	SYSTEM
Parent process:	svchost.exe (Generic Host Process for Win32 Services by Microsoft)

Threads