File name:

WinRAR.chm

Full analysis: https://app.any.run/tasks/638edced-ca3a-4d33-a531-aceff137b9b1
Verdict: Malicious activity
Analysis date: March 30, 2023, 10:49:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/octet-stream
File info: MS Windows HtmlHelp Data
MD5:

07694464C25BAC4ECDB365E928FFE1FF

SHA1:

EBE42DD5830AEA54A21639CEE011D0B67B93433E

SHA256:

D7E601BCE098797F3F76F6CDD6FB49A011B4FB86EA060196C7CF2EC21BB9B5AE

SSDEEP:

6144:baTCsuE38YFPSca2OM1XoFAI+IFQ2RvgG2QnwL/LoOnHU3LVfs5OQHi8H:1E3pScCFAMt2QwL8OnHqx8HtH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads the Internet Settings

      • hh.exe (PID: 1048)
    • Reads Microsoft Outlook installation path

      • hh.exe (PID: 1048)
    • Reads Internet Explorer settings

      • hh.exe (PID: 1048)
  • INFO

    • Reads the machine GUID from the registry

      • hh.exe (PID: 1048)
    • The process checks LSA protection

      • hh.exe (PID: 1048)
    • Checks proxy server information

      • hh.exe (PID: 1048)
    • Create files in a temporary directory

      • hh.exe (PID: 1048)
    • Creates files or folders in the user directory

      • hh.exe (PID: 1048)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.chm | Windows HELP File (100)

EXIF

EXE

LanguageCode: Russian
CHMVersion: 3
No data.
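The TRiD and EXIF lines above come from the fixed "ITSF" header at the start of every CHM file: the version field is what EXIF reports as CHMVersion, and the Windows language ID is what it reports as LanguageCode (0x0419 is Russian). The parser below is an added example and is not part of the ANY.RUN report or of any tool it uses; the offsets and the two header GUIDs follow the public, unofficial CHM format notes, and the sample header it parses when run without arguments is constructed here, not the WinRAR.chm sample (its hashes will therefore not match the ones at the top of the report).

```python
import hashlib
import struct

# Added example, not part of the ANY.RUN report. Parses the fixed "ITSF" header at the
# start of a CHM file, which is what TRiD/EXIF are summarising in the static section
# (CHMVersion: 3, LanguageCode: Russian). Offsets follow the public CHM format notes.
ITSF_SIGNATURE = b"ITSF"
# The two GUIDs the header carries at 0x18 and 0x28, in on-disk (mixed-endian) byte order:
# {7C01FD10-7BAA-11D0-9E0C-00A0C922E6EC} and {7C01FD11-7BAA-11D0-9E0C-00A0C922E6EC}.
ITSF_GUID_1 = bytes.fromhex("10FD017CAA7BD0119E0C00A0C922E6EC")
ITSF_GUID_2 = bytes.fromhex("11FD017CAA7BD0119E0C00A0C922E6EC")

# Small LCID table (assumption: only these are mapped; 0x0419 is Russian). Extend as needed.
LCID_NAMES = {
    0x0407: "German",
    0x0409: "English (United States)",
    0x0419: "Russian",
    0x0804: "Chinese (Simplified)",
}


def parse_itsf_header(data: bytes) -> dict:
    """Return the fields of the ITSF header, or raise ValueError if this is not a CHM.

    Layout (little-endian):
      0x00 char[4] "ITSF"        0x04 u32 version (2 or 3)   0x08 u32 header length
      0x0C u32 unknown (1)       0x10 u32 timestamp          0x14 u32 Windows LCID
      0x18 GUID                  0x28 GUID
      0x38 2 x {u64 offset, u64 length}  (file-size table, directory listing)
      0x58 u64 offset of content section 0 (version 3 only)
    """
    if len(data) < 0x58:
        raise ValueError("too short for an ITSF header")
    if data[:4] != ITSF_SIGNATURE:
        raise ValueError("not a CHM file: ITSF signature missing")
    version, header_len, _unknown, _timestamp, lcid = struct.unpack_from("<5I", data, 4)
    guids_match = data[0x18:0x28] == ITSF_GUID_1 and data[0x28:0x38] == ITSF_GUID_2
    sections = []
    for i in range(2):
        offset, length = struct.unpack_from("<QQ", data, 0x38 + 16 * i)
        sections.append({"offset": offset, "length": length})
    content0 = None
    if version >= 3:
        if len(data) < 0x60:
            raise ValueError("version 3 header truncated")
        (content0,) = struct.unpack_from("<Q", data, 0x58)
    return {
        "version": version,
        "header_length": header_len,
        "lcid": lcid,
        "language": LCID_NAMES.get(lcid, f"unknown (0x{lcid:04X})"),
        "guids_match": guids_match,
        "header_sections": sections,
        "content_section_offset": content0,
    }


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 in the upper-case form the report uses, for matching against it."""
    return {name: hashlib.new(name, data).hexdigest().upper()
            for name in ("md5", "sha1", "sha256")}


def build_demo_header(version: int = 3, lcid: int = 0x0419) -> bytes:
    """Constructed, synthetic 0x60-byte ITSF header for offline testing (not the sample)."""
    hdr = bytearray(0x60)
    hdr[:4] = ITSF_SIGNATURE
    struct.pack_into("<5I", hdr, 4, version, 0x60, 1, 0, lcid)
    hdr[0x18:0x28] = ITSF_GUID_1
    hdr[0x28:0x38] = ITSF_GUID_2
    struct.pack_into("<QQ", hdr, 0x38, 0x60, 0x18)    # section 0: file-size table
    struct.pack_into("<QQ", hdr, 0x48, 0x78, 0x1000)  # section 1: directory listing
    struct.pack_into("<Q", hdr, 0x58, 0x1078)         # content section 0
    return bytes(hdr)


if __name__ == "__main__":
    import sys
    # Pass a real .chm path to triage it; with no argument the synthetic header is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_header()
    print(file_hashes(blob))
    print(parse_itsf_header(blob))
```

Running it on a real sample gives the same three hashes the report lists plus the header fields; a file that TRiD calls a CHM but whose ITSF signature or GUIDs do not check out is worth a closer look, since the MIME sniffing above ("application/octet-stream") says nothing about the structure.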
All screenshots are available in the full report
Total processes: 36
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> hh.exe (PID 1048)

Process information

PID:
1048
CMD:
"C:\Windows\hh.exe" "C:\Users\admin\AppData\Local\Temp\WinRAR.chm"
Path:
C:\Windows\hh.exe
Indicators:
(none)
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® HTML Help Executable
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\hh.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\hhctrl.ocx
c:\windows\system32\user32.dll
Total events: 944
Read events: 924
Write events: 20
Delete events: 0

Modification events

(PID) Process: (1048) hh.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (1048) hh.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (1048) hh.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (1048) hh.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (1048) hh.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (1048) hh.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
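The process information block and the registry writes above are the two pieces of context a detection engineer would actually key on for a CHM sample: explorer.exe starting hh.exe on a .chm that sits in the user's Temp directory, and the process then populating the HKCU Internet Settings ZoneMap values (those ZoneMap and CachePrefix writes are what any process that initializes the WinINet/urlmon zone machinery in a fresh profile produces, so they are context, not an indicator on their own). The script below is an added example and is not ANY.RUN's signature logic or the report's raw telemetry; it assumes Sysmon-style event fields (EventID 1 process creation with Image/CommandLine/ParentImage, EventID 13 registry value set with TargetObject) and runs over constructed events that mirror what this report shows, plus two invented control processes (PIDs 2200 and 2300). The report records no network activity and no dropped executables for this run, so treat the scoring as launch-context triage, not as a verdict on the sample.

```python
import re
from collections import defaultdict

# Added example, not the report's own telemetry or ANY.RUN's signature logic. Events are
# constructed in a Sysmon-like shape (EventID 1 = process create, 13 = registry value set)
# and mirror what the report shows: explorer.exe starting hh.exe on a .chm in %TEMP%, and
# hh.exe writing HKCU ...\Internet Settings\ZoneMap values. PIDs 2200/2300 are invented
# controls: a vendor help file opened from Program Files, and a .chm opened from Downloads.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1048, "Image": r"C:\Windows\hh.exe",
     "CommandLine": r'"C:\Windows\hh.exe" "C:\Users\admin\AppData\Local\Temp\WinRAR.chm"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "ProcessId": 1048, "Image": r"C:\Windows\hh.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "ProcessId": 2200, "Image": r"C:\Windows\hh.exe",
     "CommandLine": r'"C:\Windows\hh.exe" "C:\Program Files\WinRAR\WinRAR.chm"',
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"EventID": 1, "ProcessId": 2300, "Image": r"C:\Windows\hh.exe",
     "CommandLine": r'"C:\Windows\hh.exe" "C:\Users\admin\Downloads\invoice.chm"',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Paths a user (or a mail client / browser) writes to; a vendor's help file lives elsewhere.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata\\local\\temp|appdata\\roaming|downloads|desktop)\\", re.I)
# Last argument on the command line ending in .chm, quoted or not.
CHM_ARG = re.compile(r'(?:"([^"]+\.chm)"|(\S+\.chm))\s*$', re.I)
ZONEMAP = re.compile(r"\\internet settings\\zonemap\\(\w+)$", re.I)
# Parents that mean "a person opened this file", as opposed to an application's Help menu.
INTERACTIVE_PARENTS = {"explorer.exe", "outlook.exe", "winword.exe", "excel.exe",
                       "chrome.exe", "msedge.exe", "firefox.exe"}


def chm_path_from_cmdline(cmdline: str):
    """Extract the .chm argument hh.exe was given, or None."""
    m = CHM_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def evaluate(events) -> dict:
    """Score every hh.exe process; returns {pid: {"score", "reasons", "verdict"}}."""
    findings = defaultdict(lambda: {"score": 0, "reasons": []})
    for ev in events:
        if not ev.get("Image", "").lower().endswith("\\hh.exe"):
            continue
        f = findings[ev["ProcessId"]]
        if ev["EventID"] == 1:
            chm = chm_path_from_cmdline(ev.get("CommandLine", ""))
            parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
            if chm and USER_WRITABLE.search(chm):
                f["score"] += 3
                f["reasons"].append(f"opens CHM from user-writable path: {chm}")
            if parent in INTERACTIVE_PARENTS:
                f["score"] += 1
                f["reasons"].append(f"started by {parent}, not by an application's Help menu")
        elif ev["EventID"] == 13:
            m = ZONEMAP.search(ev.get("TargetObject", ""))
            if m:
                # Low weight: WinINet/urlmon initialisation, seen from many benign processes.
                f["score"] += 1
                f["reasons"].append(f"writes Internet Settings ZoneMap\\{m.group(1)}")
    return {
        pid: dict(f, verdict="alert" if f["score"] >= 4 else "review" if f["score"] else "benign")
        for pid, f in findings.items()
    }


if __name__ == "__main__":
    for pid, f in evaluate(SAMPLE_EVENTS).items():
        print(pid, f["verdict"], f["score"], "; ".join(f["reasons"]))
```

The weights are deliberately uneven: the file location carries the signal, the parent process and the ZoneMap writes only corroborate it, so a help file opened from Program Files by the application that ships it scores nothing even though it loads the same hh.exe and hhctrl.ocx.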
Executable files: 0
Suspicious files: 14
Text files: 2
Unknown types: 2

Dropped files

PID: 1048 | Process: hh.exe
Filename: C:\Users\admin\AppData\Local\Temp\WinRAR.chw
Type: chm
MD5:
SHA256:

PID: 1048 | Process: hh.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\style[1].css
Type: text
MD5: D0E81A97B0BF393FACB2790C89A03D54
SHA256: 9F83FADD6AB0D45ACCAE671D0D13AAAAC730079F81D0539C374A251CD3FD0036

PID: 1048 | Process: hh.exe
Filename: C:\Users\admin\AppData\Local\Temp\iso9625.tmp
Type: binary
MD5: 9D8675AADDDCAB98F8D36F08A0910205
SHA256: 325D1E420FB458A070671BF5F29C0656C69238473C1C58F276900E42B03D0415

PID: 1048 | Process: hh.exe
Filename: C:\Users\admin\AppData\Local\Temp\IMT9676.tmp
Type: binary
MD5: A128074504A732E4F98C64E86FD64AF3
SHA256: 294FCD5306BB0EFFC8B25307515CF670BE2FC937319AF5306913AC9390BE4BB3

PID: 1048 | Process: hh.exe
Filename: C:\Users\admin\AppData\Local\Temp\WWU95E3.tmp
Type: binary
MD5: 8E4DD00295FF0E2901BC657B98808D05
SHA256: 38A775E3FDC4C4E98B765291E4DCAFDDFA0797813104D87FE27248EF8BF5AE3D

PID: 1048 | Process: hh.exe
Filename: C:\Users\admin\AppData\Local\Temp\IMT9636.tmp
Type: binary
MD5: 1FF017A0D5D60B395AAB848F1A74C753
SHA256: 54CAF42E6373D992EA5B78391225481B2A2F561DCB219F6704794A7DEBA46B40

PID: 1048 | Process: hh.exe
Filename: C:\Users\admin\AppData\Local\Temp\IMT9698.tmp
Type: binary
MD5: 4ACE2DE2A028E29B592FF662441AAF40
SHA256: ED5DA8F7E48AB5184712B3D0E99BF88FA6E833790B900B611AF82714E5A1D276

PID: 1048 | Process: hh.exe
Filename: C:\Users\admin\AppData\Local\Temp\IMT9675.tmp
Type: binary
MD5: EEA896B7533E6178258893A58505D73E
SHA256: 8C8FE85D632F58F554F84BC3D75385A9C52638B6E4653B736FA2A5D5DCCAAF3F

PID: 1048 | Process: hh.exe
Filename: C:\Users\admin\AppData\Local\Temp\IMT9687.tmp
Type: binary
MD5: 00AC9236043DC21FB6D3577230976488
SHA256: 3C8704526B171AC8ABB23C394D9B5168B35683BA9909B1959F0B20539CB8A355
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info