File name: LOLbins.chm
Full analysis: https://app.any.run/tasks/c1a7a7ed-0013-405c-b1c3-16853df176a3
Verdict: Malicious activity
Analysis date: July 18, 2019, 07:42:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/octet-stream
File info: MS Windows HtmlHelp Data
MD5: B63583CE89DB1CE34A3B3AD31C396931
SHA1: 402A1F4C1A068ED16461865C072D491DF30C3FFC
SHA256: 27CEB252A926D3D701FDD53B3AF38BFF42B77190A124AAF5906C28D93F6009B4
SSDEEP: 6144:6vByNgyLwvNrQxq4znEveROX/4RC9K/vpaJcScXNFIwcxHi5ZT:wNys1gJznEv5w8q7SwcxC5ZT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • Perflog.exe (PID: 2188)
    • Application was dropped or rewritten from another process
      • Perflog.exe (PID: 2188)
      • CertMgr.exe (PID: 4080)
      • Un.exe (PID: 2676)
    • Changes the autorun value in the registry
      • regedit.exe (PID: 2480)
    • Runs PING.EXE for delay simulation
      • cmd.exe (PID: 2408)
  • SUSPICIOUS
    • Creates files in the user directory
      • hh.exe (PID: 2964)
    • Executable content was dropped or overwritten
      • Un.exe (PID: 2676)
      • hh.exe (PID: 2736)
    • Starts CMD.EXE for commands execution
      • hh.exe (PID: 2964)
    • Reads internet explorer settings
      • hh.exe (PID: 2964)
    • Application launched itself
      • hh.exe (PID: 2964)
    • Uses ATTRIB.EXE to modify file attributes
      • cmd.exe (PID: 2408)
    • Reads Internet Cache Settings
      • hh.exe (PID: 2964)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD

.chm | Windows HELP File (100)

EXIF

CHMVersion: 3
LanguageCode: Chinese (Simplified)
Total processes: 52
Monitored processes: 15
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes in the graph, in start order (entries marked "no specs" are so marked in the original graph): hh.exe, hh.exe, cmd.exe (no specs), mode.com (no specs), certmgr.exe (no specs), un.exe, ping.exe (no specs), perflog.exe, regedit.exe (no specs), regedit.exe (no specs), regedit.exe, attrib.exe (no specs), attrib.exe (no specs), attrib.exe (no specs), attrib.exe (no specs)

Process information

Each record gives the PID, command line, image path, parent process, user, company, integrity level, description, exit code, version and the loaded modules (images) recorded by the sandbox.

PID: 2188
CMD: c:\$RecycleBin$\Perflog.exe
Path: c:\$RecycleBin$\Perflog.exe
Parent process: cmd.exe
User: admin
Company: Tencent
Integrity level: MEDIUM
Description: Tencent Online Education Dynamic Link Library
Exit code: 0
Version: (blank in report)
Note: the final payload, extracted by Un.exe (PID 2676) and launched by the batch script; the version resource describes a Tencent DLL although the file runs as an executable, and it is the process that opens the 58.221.55.158:8000 connection listed under Connections.
Loaded modules:
c:\$recyclebin$\perflog.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID: 2284
CMD: regedit.exe /s c:\$recyclebin$\1.reg
Path: C:\Windows\regedit.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Registry Editor
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the silent import needed elevation, and the process exited before loading anything beyond ntdll.dll; the same command line runs again as PID 2480 at HIGH integrity and succeeds)
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Loaded modules:
c:\windows\regedit.exe
c:\systemroot\system32\ntdll.dll
PID: 2408
CMD: cmd /c ""C:\$RecycleBin$\1.bat" "
Path: C:\Windows\system32\cmd.exe
Parent process: hh.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Note: runs the 1.bat that hh.exe unpacked from the CHM; this is the parent of the attrib.exe, regedit.exe, Un.exe, ping.exe and Perflog.exe processes below.
Loaded modules:
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2436
CMD: attrib +s +h c:\$RecycleBin$
Path: C:\Windows\system32\attrib.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Attribute Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Note: marks the working directory system + hidden, so Explorer hides it even with "show hidden files" enabled unless "hide protected operating system files" is also turned off. The directory name imitates the real recycle bin ($Recycle.Bin) but is a separate folder.
Loaded modules:
c:\windows\system32\attrib.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2480
CMD: "C:\Windows\regedit.exe" /s c:\$recyclebin$\1.reg
Path: C:\Windows\regedit.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity level: HIGH
Description: Registry Editor
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Note: the elevated re-run of PID 2284; it completed, and it is the process the report flags for changing the autorun value in the registry.
Loaded modules:
c:\windows\regedit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2676
CMD: c:\$RecycleBin$\un.exe e -r -y -p996112 c:\$RecycleBin$\temp.txt c:\$RecycleBin$
Path: c:\$RecycleBin$\Un.exe
Parent process: cmd.exe
User: admin
Company: WinRAR compression management software, Chinese edition
Integrity level: MEDIUM
Description: Command-line RAR
Exit code: 0
Version: 5.21.0
Note: a renamed command-line RAR 5.21 unpacked from the CHM. The switches are the standard RAR ones: e extracts files without their paths, -r recurses, -y answers yes to every prompt and -p996112 supplies the archive password inline, so the archive (temp.txt) is opaque to static scanners that lack the password. Its output is Perflog.exe (see Dropped files).
Loaded modules:
c:\$recyclebin$\un.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 2736
CMD: "C:\Windows\hh.exe" -decompile C:\$RecycleBin$\ C:\Users\admin\AppData\Local\Temp\LOLbins.chm
Path: C:\Windows\hh.exe
Parent process: hh.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Microsoft® HTML Help Executable
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Note: the -decompile switch makes the signed Microsoft binary itself write every file embedded in the CHM to the target directory; this is how 1.bat, 1.reg, Un.exe and the other files under Dropped files reach disk without any custom dropper.
Loaded modules:
c:\windows\hh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\hhctrl.ocx
c:\windows\system32\gdi32.dll
PID: 2964
CMD: "C:\Windows\hh.exe" C:\Users\admin\AppData\Local\Temp\LOLbins.chm
Path: C:\Windows\hh.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Microsoft® HTML Help Executable
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Note: the root of the chain, started from explorer.exe when the CHM is opened. It launches a second hh.exe with -decompile (PID 2736) and then cmd.exe (PID 2408), and its registry and network activity (Internet Explorer zone map, the Baidu connections) comes from rendering the help content.
Loaded modules:
c:\windows\hh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\hhctrl.ocx
c:\windows\system32\user32.dll
PID: 3296
CMD: attrib +s +h c:\$RecycleBin$\Perflog.exe
Path: C:\Windows\system32\attrib.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Attribute Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Note: hides the extracted payload itself (system + hidden).
Loaded modules:
c:\windows\system32\attrib.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3304
CMD: attrib +s +h c:\$RecycleBin$\edudll.dll
Path: C:\Windows\system32\attrib.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Attribute Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Note: hides a DLL placed next to Perflog.exe. edudll.dll does not appear in the Dropped files list below, so this attrib call is the only record of it in this excerpt; when triaging, pull that file from the full report alongside Perflog.exe rather than treating the executable alone as the payload.
Loaded modules:
c:\windows\system32\attrib.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
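A detection pass over the process chain recorded above, as an added example that is not part of the ANY.RUN report. The sample events are constructed from the PIDs, command lines and parent images in the process records, plus two constructed benign control events; the record shape (pid, image, cmdline, parent_image), the rule names and the rule thresholds are assumptions loosely modelled on a Sysmon process-creation event, not anything the report shows. The rules generalise beyond this sample: they flag any hh.exe -decompile, any shell or script host spawned by hh.exe, any silent regedit import from outside system directories, any attrib +s +h, any image running from a recycle-bin-like directory, and any RAR-style extraction with an inline password from a binary not named like the archiver.

```python
"""Detection rules for the CHM / hh.exe LOLBin chain recorded in this report.

Added example, not code from the ANY.RUN report. SAMPLE_EVENTS is constructed
from the PIDs, command lines and parent images in the 'Process information'
records, plus two benign control events; the record shape (pid, image,
cmdline, parent_image) and the rule names are assumptions loosely modelled on
a Sysmon process-creation event, not a format the report shows.
"""
import re
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the created process
    cmdline: str        # command line as logged
    parent_image: str   # file name of the parent process


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
RAR_TOOLS = {"rar.exe", "unrar.exe", "winrar.exe"}
# The real recycle bin is <drive>:\$Recycle.Bin; this prefix also catches look-alikes
# such as C:\$RecycleBin$. Executables should not be running from either.
RECYCLE_LIKE = re.compile(r"^[a-z]:\\\$recycle", re.IGNORECASE)
SYSTEM_DIRS = re.compile(r"^[a-z]:\\(windows|program files)", re.IGNORECASE)


def silent_reg_import_from_user_path(e: ProcEvent) -> bool:
    """regedit /s imports a .reg file with no prompt; flag it when the file sits outside system dirs."""
    if basename(e.image) != "regedit.exe":
        return False
    m = re.search(r'/s\s+"?([^"]+\.reg)', e.cmdline, re.IGNORECASE)
    return bool(m) and not SYSTEM_DIRS.match(m.group(1).strip())


RULES: list[tuple[str, Callable[[ProcEvent], bool]]] = [
    ("hh.exe decompiling a CHM to disk",
     lambda e: basename(e.image) == "hh.exe" and bool(re.search(r"\s-decompile\b", e.cmdline, re.I))),
    ("hh.exe spawning a shell or script host",
     lambda e: e.parent_image.lower() == "hh.exe" and basename(e.image) in SHELLS),
    ("silent .reg import from a non-system path", silent_reg_import_from_user_path),
    ("attrib +s +h hiding a file or directory",
     lambda e: basename(e.image) == "attrib.exe" and bool(re.search(r"\+s\b.*\+h\b|\+h\b.*\+s\b", e.cmdline, re.I))),
    ("execution from a recycle-bin-like directory",
     lambda e: bool(RECYCLE_LIKE.match(e.image))),
    # Heuristic on command-line shape only: a RAR 'e'/'x' verb plus an inline -p<password>,
    # issued by a binary whose name is not the archiver's own.
    ("RAR-style extraction with inline password from a renamed binary",
     lambda e: basename(e.image) not in RAR_TOOLS and bool(re.search(r"\s[ex]\s.*\s-p\S+", e.cmdline, re.I))),
]


def detect(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map each PID to the rule names it triggers, in RULES order; PIDs with no hits are omitted."""
    hits: dict[int, list[str]] = {}
    for e in events:
        names = [name for name, pred in RULES if pred(e)]
        if names:
            hits[e.pid] = names
    return hits


def chm_chain_detected(events: list[ProcEvent]) -> bool:
    """Higher-confidence signal: both stages seen, a CHM decompiled to disk and hh.exe launching a shell."""
    fired = {name for names in detect(events).values() for name in names}
    return {"hh.exe decompiling a CHM to disk", "hh.exe spawning a shell or script host"} <= fired


# Constructed sample: the report's process records, then two benign control events.
SAMPLE_EVENTS = [
    ProcEvent(2964, r"C:\Windows\hh.exe",
              r'"C:\Windows\hh.exe" C:\Users\admin\AppData\Local\Temp\LOLbins.chm', "explorer.exe"),
    ProcEvent(2736, r"C:\Windows\hh.exe",
              r'"C:\Windows\hh.exe" -decompile C:\$RecycleBin$\ C:\Users\admin\AppData\Local\Temp\LOLbins.chm', "hh.exe"),
    ProcEvent(2408, r"C:\Windows\system32\cmd.exe", r'cmd /c ""C:\$RecycleBin$\1.bat" "', "hh.exe"),
    ProcEvent(2436, r"C:\Windows\system32\attrib.exe", r"attrib +s +h c:\$RecycleBin$", "cmd.exe"),
    ProcEvent(2284, r"C:\Windows\regedit.exe", r"regedit.exe /s c:\$recyclebin$\1.reg", "cmd.exe"),
    ProcEvent(2480, r"C:\Windows\regedit.exe", r'"C:\Windows\regedit.exe" /s c:\$recyclebin$\1.reg', "cmd.exe"),
    ProcEvent(2676, r"c:\$RecycleBin$\Un.exe",
              r"c:\$RecycleBin$\un.exe e -r -y -p996112 c:\$RecycleBin$\temp.txt c:\$RecycleBin$", "cmd.exe"),
    ProcEvent(2188, r"c:\$RecycleBin$\Perflog.exe", r"c:\$RecycleBin$\Perflog.exe", "cmd.exe"),
    ProcEvent(4100, r"C:\Windows\hh.exe", r'"C:\Windows\hh.exe" C:\Program Files\Tool\help.chm', "explorer.exe"),
    ProcEvent(4101, r"C:\Windows\system32\attrib.exe", r"attrib -r C:\Users\admin\notes.txt", "cmd.exe"),
]

if __name__ == "__main__":
    for pid, names in detect(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(names))
    print("CHM chain detected:", chm_chain_detected(SAMPLE_EVENTS))
```

The per-event rules are individually noisy (attrib +s +h and regedit /s both have legitimate administrative uses), which is why chm_chain_detected requires two distinct stages of the chain before it fires; the benign hh.exe launch and the attrib -r control events trigger nothing.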
Total events: 437
Read events: 291
Write events: 145
Delete events: 1

Modification events

Only the first ten of the 145 write events are included in this excerpt, all by hh.exe (PID 2964). They are Internet Explorer zone-map and RAS tracing values written while hh.exe renders the help content, not the persistence change; the autorun value changed by regedit.exe (PID 2480) is not among the events shown here.

PID 2964, hh.exe: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap, write UNCAsIntranet = 0
PID 2964, hh.exe: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap, write AutoDetect = 1
PID 2964, hh.exe: HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E, write LanguageList = en-US
PID 2964, hh.exe: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\hh_RASAPI32, write EnableFileTracing = 0
PID 2964, hh.exe: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\hh_RASAPI32, write EnableConsoleTracing = 0
PID 2964, hh.exe: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\hh_RASAPI32, write FileTracingMask = 4294901760
PID 2964, hh.exe: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\hh_RASAPI32, write ConsoleTracingMask = 4294901760
PID 2964, hh.exe: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\hh_RASAPI32, write MaxFileSize = 1048576
PID 2964, hh.exe: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\hh_RASAPI32, write FileDirectory = %windir%\tracing
PID 2964, hh.exe: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\hh_RASMANCS, write EnableFileTracing = 0
Executable files: 4
Suspicious files: 3
Text files: 9
Unknown types: 3

Dropped files (MD5 and SHA256 values are not included in this excerpt)

PID   Process   Filename                      Type
2736  hh.exe    C:\$RecycleBin$\1.lnk         lnk
2736  hh.exe    C:\$RecycleBin$\1.reg         text
2736  hh.exe    C:\$RecycleBin$\img.jpg       image
2736  hh.exe    C:\$RecycleBin$\end.jpg       binary
2736  hh.exe    C:\$RecycleBin$\system.txt    der
2736  hh.exe    C:\$RecycleBin$\1.bat         text
2408  cmd.exe   C:\$RecycleBin$\temp.txt      compressed
2736  hh.exe    C:\$RecycleBin$\Intro.htm     html
2736  hh.exe    C:\$RecycleBin$\Un.exe        executable
2676  Un.exe    C:\$RecycleBin$\Perflog.exe   executable

Everything written by hh.exe (PID 2736) is content unpacked from the CHM by -decompile. The extensions do not match the detected types: end.jpg is typed as binary rather than image, system.txt is DER-encoded, and temp.txt, created by the batch script (cmd.exe, PID 2408), is the compressed archive that Un.exe then extracts with password 996112 to produce Perflog.exe. edudll.dll, hidden by attrib (PID 3304), is not in this list.
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 3
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process      IP                   Domain            ASN                                                     CN              Reputation
2964  hh.exe       103.235.46.39:443    www.baidu.com     Beijing Baidu Netcom Science and Technology Co., Ltd.   HK              unknown
2188  Perflog.exe  58.221.55.158:8000   (none)            AS Number for CHINANET jiangsu province backbone        CN              unknown
2964  hh.exe       185.10.104.110:443   ss1.bdstatic.com  (not recorded)                                          (not recorded)  unknown

The two hh.exe connections go to Baidu (www.baidu.com and its static-content host). The Perflog.exe connection to 58.221.55.158:8000 has no domain and no matching entry under DNS requests, so the payload contacts that address directly; it is the only Perflog.exe connection listed here, and the one to treat as the network indicator for the dropped executable.

DNS requests

Domain            IP              Reputation
www.baidu.com     103.235.46.39   whitelisted
ss1.bdstatic.com  185.10.104.110  whitelisted
sp1.baidu.com     103.235.46.39   malicious

sp1.baidu.com resolves to the same address as www.baidu.com; the "malicious" label is the service's reputation tag for that name, and no threat was flagged on the corresponding traffic (Threats: 0).

Threats

No threats detected
No debug info