File name:

hh.dat

Full analysis: https://app.any.run/tasks/f1d9f0a4-b460-4c4b-aee9-a5382bf5fad9
Verdict: Malicious activity
Analysis date: March 06, 2024, 10:42:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/octet-stream
File info: MS Windows HtmlHelp Data
MD5:

1FB29BAC3E094E0057845BF93C0EDFFA

SHA1:

333F9BF0FE4D8DC4D5A38F56A2416148A6CA5B61

SHA256:

5364DA463BFB3076046C2DCD3020709EB3952B411A18F39B859075DA6524941C

SSDEEP:

48:Ow5sOP9e19eb9b9Q9I9K9A9W9kI9ky9k19ks9/9n9Bb9Bj9j9gU91939JB9J49Vu:OM3Pw4FuKoeIuIuyyNhJPHxWUzhlUjd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • hh.exe (PID: 3672)
      • hh.exe (PID: 2840)

    • Reads the Internet Settings

      • hh.exe (PID: 3672)
      • hh.exe (PID: 2840)

    • Reads Internet Explorer settings

      • hh.exe (PID: 3672)
      • hh.exe (PID: 2840)

  • INFO

    • Reads the machine GUID from the registry

      • hh.exe (PID: 3672)
      • hh.exe (PID: 2840)

    • Create files in a temporary directory

      • hh.exe (PID: 3672)
      • hh.exe (PID: 2840)

    • Reads security settings of Internet Explorer

      • hh.exe (PID: 3672)
      • hh.exe (PID: 2840)

    • Creates files or folders in the user directory

      • hh.exe (PID: 3672)
      • hh.exe (PID: 2840)

    • Checks proxy server information

      • hh.exe (PID: 3672)
      • hh.exe (PID: 2840)

    • Manual execution by a user

      • hh.exe (PID: 2840)
      • wmpnscfg.exe (PID: 2896)

    • Checks supported languages

      • wmpnscfg.exe (PID: 2896)

    • Reads the computer name

      • wmpnscfg.exe (PID: 2896)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.chm | Windows HELP File (100)

EXIF

EXE

CHMVersion: 3
LanguageCode: Russian
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start hh.exe no specs hh.exe no specs wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2840"C:\Windows\hh.exe" C:\Users\admin\Desktop\hh.dat.chmC:\Windows\hh.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® HTML Help Executable
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\hh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\hhctrl.ocx
c:\windows\system32\user32.dll
2896"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3672"C:\Windows\hh.exe" "C:\Users\admin\Desktop\hh.dat.chm"C:\Windows\hh.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® HTML Help Executable
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\hh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\hhctrl.ocx
c:\windows\system32\user32.dll
Total events
2 018
Read events
1 994
Write events
22
Delete events
2

Modification events

(PID) Process:(3672) hh.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3672) hh.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3672) hh.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3672) hh.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3672) hh.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3672) hh.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3672) hh.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(2840) hh.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2840) hh.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2840) hh.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
Executable files
0
Suspicious files
4
Text files
0
Unknown types
2

Dropped files

PID
Process
Filename
Type
3672hh.exeC:\Users\admin\AppData\Local\Temp\IMT8BB1.tmpbinary
MD5:5D0E5693027A0E5ADF1D49847779B65C
SHA256:AC0710AABAAEAAC65507050647FA9D97A82639DA0D1D6B436800B177478C6D6B
2840hh.exeC:\Users\admin\AppData\Local\Temp\~DFEBF23F4CE32A7002.TMPgmc
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
3672hh.exeC:\Users\admin\AppData\Local\Temp\~DF4E07B617C74A8E88.TMPgmc
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
3672hh.exeC:\Users\admin\AppData\Local\Temp\~DF84CB68E0987BB1C6.TMPbinary
MD5:72F5C05B7EA8DD6059BF59F50B22DF33
SHA256:1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164
2840hh.exeC:\Users\admin\AppData\Local\Temp\~DFFE295A4C62A14C40.TMPbinary
MD5:72F5C05B7EA8DD6059BF59F50B22DF33
SHA256:1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164
3672hh.exeC:\Users\admin\AppData\Roaming\Microsoft\HTML Help\hh.datbinary
MD5:E1A8A62F52D049B24B8C06CB9B4CA9C6
SHA256:8BEA459C66DCBFD7030CD3F3BC09D7CA3C3FD800F547D1D1F113EED2D8E6070C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
hh.dat