Windows Analysis Report
Tools.chm

Overview

General Information

Sample name: Tools.chm
Analysis ID: 1566858
MD5: a2d8bd5d5663f55d04f0a7c707fd4519
SHA1: cad4045a7db598c972741225cb2acf3da16dfb88
SHA256: df3a27254716fcec426384f34ee4aec7ac5576e938f3dabc502c3a5fa18bfcef

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)
Queries the volume information (name, serial number etc) of a device

Classification

Source: hh.exe, 00000000.00000002.3291864590.000001E18A85E000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.3291304584.000001D986699000.00000004.00000800.00020000.00000000.sdmp, hh.exe, 00000000.00000002.3290120004.000001D982899000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.3290120004.000001D982915000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3
Source: hh.exe, 00000000.00000002.3291864590.000001E18A85E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3W
Source: hh.exe, 00000000.00000002.3291864590.000001E18A85E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3X
Source: hh.exe, 00000000.00000002.3290120004.000001D982915000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3k
Source: hh.exe, 00000000.00000002.3290120004.000001D982915000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.3291864590.000001E18A874000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3p
Source: hh.exe, 00000000.00000002.3290120004.000001D982899000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/tools/
Source: classification engine Classification label: clean1.winCHM@1/7@0/0
Source: C:\Windows\hh.exe File created: C:\Users\user\AppData\Roaming\Microsoft\HTML Help
Source: C:\Windows\hh.exe File created: C:\Users\user\AppData\Local\Temp\IMT91BB.tmp
Source: C:\Windows\hh.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\hh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\hh.exe Section loaded: uxtheme.dll
Source: C:\Windows\hh.exe Section loaded: windows.storage.dll
Source: C:\Windows\hh.exe Section loaded: wldp.dll
Source: C:\Windows\hh.exe Section loaded: profapi.dll
Source: C:\Windows\hh.exe Section loaded: ntmarta.dll
Source: C:\Windows\hh.exe Section loaded: itss.dll
Source: C:\Windows\hh.exe Section loaded: urlmon.dll
Source: C:\Windows\hh.exe Section loaded: wininet.dll
Source: C:\Windows\hh.exe Section loaded: iertutil.dll
Source: C:\Windows\hh.exe Section loaded: srvcli.dll
Source: C:\Windows\hh.exe Section loaded: netutils.dll
Source: C:\Windows\hh.exe Section loaded: ieframe.dll
Source: C:\Windows\hh.exe Section loaded: netapi32.dll
Source: C:\Windows\hh.exe Section loaded: version.dll
Source: C:\Windows\hh.exe Section loaded: userenv.dll
Source: C:\Windows\hh.exe Section loaded: winhttp.dll
Source: C:\Windows\hh.exe Section loaded: wkscli.dll
Source: C:\Windows\hh.exe Section loaded: dataexchange.dll
Source: C:\Windows\hh.exe Section loaded: d3d11.dll
Source: C:\Windows\hh.exe Section loaded: dcomp.dll
Source: C:\Windows\hh.exe Section loaded: dxgi.dll
Source: C:\Windows\hh.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\hh.exe Section loaded: textinputframework.dll
Source: C:\Windows\hh.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\hh.exe Section loaded: coremessaging.dll
Source: C:\Windows\hh.exe Section loaded: coremessaging.dll
Source: C:\Windows\hh.exe Section loaded: wintypes.dll
Source: C:\Windows\hh.exe Section loaded: wintypes.dll
Source: C:\Windows\hh.exe Section loaded: wintypes.dll
Source: C:\Windows\hh.exe Section loaded: sxs.dll
Source: C:\Windows\hh.exe Section loaded: msiso.dll
Source: C:\Windows\hh.exe Section loaded: sspicli.dll
Source: C:\Windows\hh.exe Section loaded: propsys.dll
Source: C:\Windows\hh.exe Section loaded: mshtml.dll
Source: C:\Windows\hh.exe Section loaded: powrprof.dll
Source: C:\Windows\hh.exe Section loaded: umpdc.dll
Source: C:\Windows\hh.exe Section loaded: srpapi.dll
Source: C:\Windows\hh.exe Section loaded: d2d1.dll
Source: C:\Windows\hh.exe Section loaded: dwrite.dll
Source: C:\Windows\hh.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\hh.exe Section loaded: d3d10warp.dll
Source: C:\Windows\hh.exe Section loaded: dxcore.dll
Source: C:\Windows\hh.exe Section loaded: msimtf.dll
Source: C:\Windows\hh.exe Section loaded: windowscodecs.dll
Source: C:\Windows\hh.exe Section loaded: msls31.dll
Source: C:\Windows\hh.exe Section loaded: secur32.dll
Source: C:\Windows\hh.exe Section loaded: mlang.dll
Source: C:\Windows\hh.exe Section loaded: textshaping.dll
Source: C:\Windows\hh.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52A2AAAE-085D-4187-97EA-8C30DB990436}\InprocServer32
Source: C:\Windows\hh.exe Window found: window name: SysTabControl32
Source: C:\Windows\hh.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociations
Source: C:\Windows\hh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh.exe Memory allocated: 1D986640000 memory reserve | memory write watch
Source: C:\Windows\hh.exe Memory allocated: 1E18E7D0000 memory reserve | memory write watch
Source: C:\Windows\hh.exe Memory allocated: page read and write | page guard
Source: C:\Windows\hh.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Windows\hh.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Windows\hh.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Windows\hh.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\hh.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\hh.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
No contacted IP infos