Edit tour

Windows Analysis Report
Tools.chm

Overview

General Information

Sample name:	Tools.chm
Analysis ID:	1566858
MD5:	a2d8bd5d5663f55d04f0a7c707fd4519
SHA1:	cad4045a7db598c972741225cb2acf3da16dfb88
SHA256:	df3a27254716fcec426384f34ee4aec7ac5576e938f3dabc502c3a5fa18bfcef

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)

Queries the volume information (name, serial number etc) of a device

Classification

Process Tree

System is w10x64

hh.exe (PID: 2452 cmdline: "C:\Windows\hh.exe" C:\Users\user\Desktop\Tools.chm MD5: 2C8FE78D53C8CA27523A71DFD2938241)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: hh.exe, 00000000.00000002.3291864590.000001E18A85E000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.3291304584.000001D986699000.00000004.00000800.00020000.00000000.sdmp, hh.exe, 00000000.00000002.3290120004.000001D982899000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.3290120004.000001D982915000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3
Source: hh.exe, 00000000.00000002.3291864590.000001E18A85E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3W
Source: hh.exe, 00000000.00000002.3291864590.000001E18A85E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3X
Source: hh.exe, 00000000.00000002.3290120004.000001D982915000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3k
Source: hh.exe, 00000000.00000002.3290120004.000001D982915000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.3291864590.000001E18A874000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3p
Source: hh.exe, 00000000.00000002.3290120004.000001D982899000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/tools/

Source: classification engine

Classification label: clean1.winCHM@1/7@0/0

Source: C:\Windows\hh.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\HTML Help

Jump to behavior

Source: C:\Windows\hh.exe

File created: C:\Users\user\AppData\Local\Temp\IMT91BB.tmp

Jump to behavior

Source: C:\Windows\hh.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\hh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: itss.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\hh.exe	Section loaded: textshaping.dll	Jump to behavior

Source: C:\Windows\hh.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52A2AAAE-085D-4187-97EA-8C30DB990436}\InprocServer32

Jump to behavior

Source: C:\Windows\hh.exe

Window found: window name: SysTabControl32

Jump to behavior

Source: C:\Windows\hh.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociations

Jump to behavior

Source: C:\Windows\hh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\hh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\hh.exe	Memory allocated: 1D986640000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Windows\hh.exe	Memory allocated: 1E18E7D0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Windows\hh.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\hh.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\hh.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\hh.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\hh.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\hh.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\hh.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Virtualization/Sandbox Evasion	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Tools.chm	0%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.autoitscript.com/autoit3k	hh.exe, 00000000.00000002.3290120004.000001D982915000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.autoitscript.com/autoit3	hh.exe, 00000000.00000002.3291864590.000001E18A85E000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.3291304584.000001D986699000.00000004.00000800.00020000.00000000.sdmp, hh.exe, 00000000.00000002.3290120004.000001D982899000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.3290120004.000001D982915000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.autoitscript.com/tools/	hh.exe, 00000000.00000002.3290120004.000001D982899000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.autoitscript.com/autoit3p	hh.exe, 00000000.00000002.3290120004.000001D982915000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.3291864590.000001E18A874000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.autoitscript.com/autoit3W	hh.exe, 00000000.00000002.3291864590.000001E18A85E000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.autoitscript.com/autoit3X	hh.exe, 00000000.00000002.3291864590.000001E18A85E000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1566858
Start date and time:	2024-12-02 18:58:28 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Tools.chm
Detection:	CLEAN
Classification:	clean1.winCHM@1/7@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .chm

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Tools.chm

Simulations

Behavior and APIs

Time	Type	Description
12:59:21	API Interceptor	1x Sleep call for process: hh.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT

Download File

Process:	C:\Windows\hh.exe
File Type:	data
Category:	dropped
Size (bytes):	49120
Entropy (8bit):	0.0017331682157558962
Encrypted:	false
SSDEEP:	3:Ztt:T
MD5:	0392ADA071EB68355BED625D8F9695F3
SHA1:	777253141235B6C6AC92E17E297A1482E82252CC
SHA-256:	B1313DD95EAF63F33F86F72F09E2ECD700D11159A8693210C37470FCB84038F7
SHA-512:	EF659EEFCAB16221783ECB258D19801A1FF063478698CF4FCE3C9F98059CA7B1D060B0449E6FD89D3B70439D9735FA1D50088568FF46C9927DE45808250AEC2E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\blue_gradient_1024x24[1].jpg

Download File

Process:	C:\Windows\hh.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1024x24, components 3
Category:	dropped
Size (bytes):	856
Entropy (8bit):	5.542372260188213
Encrypted:	false
SSDEEP:	24:tjnYjI/sU5fJTScvhemyEVccN+grRwfQ31FUcD:5YjI//hScBVccN+gr+/cD
MD5:	F9FFA1A2A3F52679C7603077DEED4A68
SHA1:	692744C333E3012C8063F20EB0F5BA721DB5485B
SHA-256:	301A6AF579625C056818FB2AA295C62DC76183EB9FFFC28BDF459564E4B12274
SHA-512:	9ECD527957A8CF3FA7AFCC0EEB50F27B582E94CC4676365D8765FBF97603F6F9D170115C071B10D130B8279A0E8CEB847CD60ED846D13C778357950813E5C2F6
Malicious:	false
Reputation:	low
Preview:	......JFIF.....d.d......Ducky.......<......Adobe.d.................................................................................................................................................................R............................................................................................?.....@lA....(.`......(.A."....@..@...(........8..(..(... P. p.".@..@..@...8..(!.. p. P."..............8!D......B.q..q..pB.............. P...!@(.`...6.@l........... @..... @..... @........(..6..`..l..Q.....(!DR..............@..@...8..8..8!......DC...............8........C.q..Q...@..@...(..8.@8.P. P. P..Q..q..Q...@.6....`.D(..l..Q..(...A....@..... @..... @..... @.X....... l....P. P.....(.PB.Q..q...@..................8.@8..(.q..q..Q...@..@...8..8.@8.p. p. pC.....@...8..(............ P. P. PB....8.@l.......P. ......(#`4T.. @..... @..... @.......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\default[1].css

Download File

Process:	C:\Windows\hh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4128
Entropy (8bit):	5.438941984264733
Encrypted:	false
SSDEEP:	96:s5SJCJBJHJ0JJ4JwJaGJWoI5JFbxW4Je+JdiJiQJiGqaNgF/BEV:g6K/p0HE8aeWoIXFbEEVdqici7aN8/Bi
MD5:	CE9DF408BB2B70AB50C4093A5F5693D3
SHA1:	CC5742D649A97283294F3C3F945B3EFBDC444A0A
SHA-256:	0DC932B0F4ABF98FA4B2522A15995A47E03A4AAD5504141B7D69F968D39BF39F
SHA-512:	78C10A939A1371D67C143EAA05A94851C77D7C6CADBC78D01E53AEC3834CC04DE94E80D28214EC33E7224138F4BDA2CF4AA18CFC4F7F1738E5567ACA95EC4083
Malicious:	false
Reputation:	low
Preview:	/* Standard tags /..body{background-color:#FFFFFF;font-family: Verdana, Arial, Helvetica, sans-serif, "MS sans serif";font-size:x-small;font-weight:normal;color:#000000;}..table{font-family:Verdana, Arial, Helvetica, sans-serif, "MS sans serif";font-size:x-small;}..tr{font-family:Verdana, Arial, Helvetica, sans-serif, "MS sans serif";font-size:x-small;}..td{font-family:Verdana, Arial, Helvetica, sans-serif, "MS sans serif";font-size:x-small;}..b{font-weight:bold;}..p{...font-family:Verdana, Arial, Helvetica, sans-serif, "MS sans serif";...line-height: normal;...margin-top: 0.5em;...margin-bottom: 0.5em;........}..div{font-family:Verdana, Arial, Helvetica, sans-serif, "MS sans serif";}..a{font-family:Verdana, Arial, Helvetica, sans-serif, "MS sans serif";text-decoration:none;}..../ Normal body text links */..a:link {font-family:Verdana,Arial,Helvetica,sans-serif,"MS sans serif";text-decoration:none;color:#000099;}..a:visited{font-family:Verdana, Arial, Helvetica, sans-serif, "MS san

C:\Users\user\AppData\Local\Temp\IMT91BB.tmp

Download File

Process:	C:\Windows\hh.exe
File Type:	data
Category:	dropped
Size (bytes):	8276
Entropy (8bit):	0.6274991512679713
Encrypted:	false
SSDEEP:	12:m0l6eohI+KKe+KjK9zh+KlE/KlEvt+KlEvdX:SQ1V2FlEClEvt1lEvdX
MD5:	943D3CE711A5EBA4A01A9B4E8EDF1388
SHA1:	E8DFD5502B1413F4996CA43E2E76E45F2A32A1D7
SHA-256:	BBB45CCB31607F92D62EE94204B0E2E4CA802EA6AE6A7B8B6AEBFE99655FA920
SHA-512:	C969D0EF61FFAC73436EC7F094F9C737AD0F26D05EAA8AA506A919F31ACF22E237CBB088F7291C1883C8BF3ABE764F9895F921B4B37EE87A0353F8E4229E68E3
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	ITSP....T........ ..................................j..].!......."..T...............PMGL?................/....::DataSpace/NameList..4<(::DataSpace/Storage/MSCompressed/Content...,::DataSpace/Storage/MSCompressed/ControlData....)::DataSpace/Storage/MSCompressed/SpanInfo..../::DataSpace/Storage/MSCompressed/Transform/List..p&_::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/...i::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/ResetTable......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF29B3D8AFCC4BE6F8.TMP

Download File

Process:	C:\Windows\hh.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.3613836054883338
Encrypted:	false
SSDEEP:	3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//:rl912N0xs+CFQXCB9Xh9Xh9X
MD5:	679672A5004E0AF50529F33DB5469699
SHA1:	427A4EC3281C9C4FAEB47A22FFBE7CA3E928AFB0
SHA-256:	205D000AA762F3A96AC3AD4B25D791B5F7FC8EFB9056B78F299F671A02B9FD21
SHA-512:	F8615C5E5CF768A94E06961C7C8BEF99BEB43E004A882A4E384F5DD56E047CA59B963A59971F78DCF4C35D1BB92D3A9BC7055BFA3A0D597635DE1A9CE06A3476
Malicious:	false
Reputation:	high, very likely benign file
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFD0C4254A30DAC0B9.TMP

Download File

Process:	C:\Windows\hh.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\HTML Help\hh.dat

Download File

Process:	C:\Windows\hh.exe
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	8590
Entropy (8bit):	0.7893000069151963
Encrypted:	false
SSDEEP:	12:om6ysNMqiNMvyc0Ke0l6eohI+KKe+KjK9zh+KlE/KlEvt+KlEvdX:2x5yc0JQ1V2FlEClEvt1lEvdX
MD5:	192472EC8B8BF628A64E607AB67B47D5
SHA1:	798DB745C424ED1CE4904630C4D625EAAC47093A
SHA-256:	8D305C75DA32365C9CA9D95613E0E263FCB95AC25E7E5CFF0E79A7907BFB134D
SHA-512:	09205254B666035D2C89C10E99F8F76A8464D61406EC224D9D0B8EC3C51CE3CD7929983AAA33FC65B79D109E7D4D83C452B1C89B30D91B77C612F911F60B840E
Malicious:	false
Preview:	ITSF....`............ .....\|.{.......".....\|.{......."..`.......(.......:.......T .......................!......................,...................j..].!......."..T.....................U.n.c.o.m.p.r.e.s.s.e.d.....M.S.C.o.m.p.r.e.s.s.e.d...{.7.F.C.2.8.9.4.0.-.9.D.3.1.-.1.1.D.0.............LZXC....................ITSP....T........ ..................................j..].!......."..T...............PMGL?................/....::DataSpace/NameList..4<(::DataSpace/Storage/MSCompressed/Content...,::DataSpace/Storage/MSCompressed/ControlData....)::DataSpace/Storage/MSCompressed/SpanInfo..../::DataSpace/Storage/MSCompressed/Transform/List..p&_::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/...i::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/ResetTable............................................................................................................................................................

Static File Info

General

File type:	MS Windows HtmlHelp Data
Entropy (8bit):	5.9937618044338645
TrID:	Windows HELP File (4004/1) 100.00%
File name:	Tools.chm
File size:	20'654 bytes
MD5:	a2d8bd5d5663f55d04f0a7c707fd4519
SHA1:	cad4045a7db598c972741225cb2acf3da16dfb88
SHA256:	df3a27254716fcec426384f34ee4aec7ac5576e938f3dabc502c3a5fa18bfcef
SHA512:	346bc55ab1fa8c32670cef21d3ccfd89eba77630467413759b0f8ce0851dd75d0fe589e7ba1c10b8832c4e1a3aec996033fbb29c7c2b5d3269d83c924d9a3266
SSDEEP:	384:RaliMj7MQe1CCsMHEySRY0Mzy3zAQ3xnvLnfDcLbAw0rXbMrxGK:RalPrtHySwqAQtznfQSrXsxL
TLSH:	1D92BF4123AA1202D1A68F3A3ED9FADDDE387D2EC7041215727FD53A9E48C0820D8EE5
File Content Preview:	ITSF....`.......G.'s.......\|.{.......".....\|.{......."..`...............x.......T........................P..............ITSP....T...........................................j..].!......."..T...............PMGL................./..../#IDXHDR...;.../#ITBITS..

File Icon


Icon Hash:	56b6ae4c1b2b1b08

Static Microsoft Compiled HTML Help Info

Objects

Name	Type	Preview
html	directory
#TOPICS	Matlab v4 mat-file (little endian) , numeric, rows 4294967295, columns 36, imaginary	....$.......................Q...0...........c...........(...k...<.......X...}...H.......l..............
#WINDOWS	data	...................... %..................................................................................5...?........0..................................................................................
$WWAssociativeLinks	directory
#URLSTR	data	.........Table of Contents.hhc.........Index.hhk.........html/default.html.........html/license.html.........html/history.html.........html/PagefileConfig/default.html.........html/RemoteDelProf/default.html.
$FIftiMain	data	..(...............................................!......8... ...v......`........................................................................................................................................................................
Table of Contents.hhc	HTML document, ASCII text, with CRLF line terminators	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">..<HTML>..<HEAD>..<meta name="GENERATOR" content="Microsoft® HTML Help Workshop 4.1">..<!-- Sitemap 1.0 -->..</HEAD><BODY>..<OBJECT type="text/site properties">...<param name="Window Styles" value="0x
Index.hhk	HTML document, ASCII text, with CRLF line terminators	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">..<HTML>..<HEAD>..<meta name="GENERATOR" content="Microsoft® HTML Help Workshop 4.1">..<!-- Sitemap 1.0 -->..</HEAD><BODY>..<UL>..</UL>..</BODY></HTML>..
$WWKeywordLinks	directory
#SYSTEM	data	........5.J....HHA Version 4.74.8702...$......................'s.............html/default.html.....AutoIt Tools Help.....tools.....Help Window...................T#SMF.....................%....................
#URLTBL	data	..........e!5....K...{.A........K........Qr....1...*.....e............
$OBJINST	X11 SNF font data, MSB first	............_...w...$...bF.V.O.......................UU........................................................................................................................................................................................
#IDXHDR	data	T#SMF.....................%............................................................................................................................................................................................
#STRINGS	data	.Help Window.AutoIt Tools Help.Table of Contents.hhc.Index.hhk.html/default.html.AutoIt Tools Help.License.History.Utilities.PagefileConfig.RemoteDelProf.
#ITBITS	empty

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: hh.exePID: 2452, Parent PID: 1028

General

Target ID:	0
Start time:	12:59:21
Start date:	02/12/2024
Path:	C:\Windows\hh.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\hh.exe" C:\Users\user\Desktop\Tools.chm
Imagebase:	0x7ff7ad460000
File size:	18'432 bytes
MD5 hash:	2C8FE78D53C8CA27523A71DFD2938241
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Tools.chm

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\blue_gradient_1024x24[1].jpg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\default[1].css

C:\Users\user\AppData\Local\Temp\IMT91BB.tmp

C:\Users\user\AppData\Local\Temp\~DF29B3D8AFCC4BE6F8.TMP

C:\Users\user\AppData\Local\Temp\~DFD0C4254A30DAC0B9.TMP

C:\Users\user\AppData\Roaming\Microsoft\HTML Help\hh.dat

Static File Info

General

File Icon

Static Microsoft Compiled HTML Help Info

Objects

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: hh.exePID: 2452, Parent PID: 1028

General

Chronological Activities

Disassembly

Windows Analysis Report
Tools.chm