Windows Analysis Report
ProduKey.chm

Overview

General Information

Sample Name: ProduKey.chm
Analysis ID: 800706
MD5: 182a4559a321819cff2bc87283253d09
SHA1: 79615bb7a3ef42ca9783f0e9e58dcb21a1b180b8
SHA256: 1c47f8ade1b23861436f7e58971990d99c66fcbf9e85bdf2a2b7bdd1e8641d60

Detection

Score: 0
Range: 0 - 100
Whitelisted: true
Confidence: 100%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)
Queries the volume information (name, serial number etc) of a device

Classification

Source: hh.exe, 00000000.00000003.256038817.000002977F2AA000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.516565390.0000029703415000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000003.304733003.0000029707B74000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000003.256086124.000002977F2B3000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.517359915.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.517281294.000002977F212000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.516565390.00000297033E0000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000003.270025264.0000029707B75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://blog.nirsoft.net/2009/05/17/antivirus-companies-cause-a-big-headache-to-small-developers/
Source: hh.exe, 00000000.00000002.516565390.00000297033E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://blog.nirsoft.net/2009/05/17/antivirus-companies-cause-a-big-headache-to-small-developers/v
Source: hh.exe, 00000000.00000002.516565390.00000297033E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://blog.nirsoft.net/2009/05/17/antivirus-companies-cause-a-big-headache-to-small-developers/z
Source: hh.exe, 00000000.00000003.270025264.0000029707B75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://blog.nirsoft.net/2009/10/22/how-to-connect-a-remote-windows-7vistaxp-computer-with-nirsoft-ut
Source: hh.exe, 00000000.00000003.256073687.000002977F2A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/utils/product_cd_key_viewer.html
Source: hh.exe, 00000000.00000003.342372315.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.517359915.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/utils/product_cd_key_viewer.html.
Source: hh.exe, 00000000.00000002.517359915.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/utils/product_cd_key_viewer.html6
Source: hh.exe, 00000000.00000003.342372315.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.517359915.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/utils/product_cd_key_viewer.htmlF
Source: hh.exe, 00000000.00000002.517359915.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/utils/product_cd_key_viewer.htmlche
Source: hh.exe, 00000000.00000002.517359915.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/utils/product_cd_key_viewer.htmlf
Source: hh.exe, 00000000.00000003.342372315.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000003.256038817.000002977F2AA000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000003.256086124.000002977F2B3000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.517359915.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000003.256123169.000002977F2B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/utils/product_cd_key_viewer.htmlheD
Source: hh.exe, 00000000.00000002.517359915.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.516565390.00000297033CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/utils/product_cd_key_viewer.htmll
Source: hh.exe, 00000000.00000003.342372315.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.517359915.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/utils/product_cd_key_viewer.htmlrodukey.html9
Source: hh.exe, 00000000.00000003.342372315.000002977F24C000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.517359915.000002977F24C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/utils/product_cd_key_viewer.htmlrodukey.htmlDAT
Source: hh.exe, 00000000.00000003.309121391.0000029707218000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/utils/product_cd_key_viewer.htmls
Source: hh.exe, 00000000.00000003.342372315.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.517359915.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/utils/product_cd_key_viewer.htmlv
Source: C:\Windows\hh.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52A2AAAE-085D-4187-97EA-8C30DB990436}\InprocServer32
Source: C:\Windows\hh.exe File created: C:\Users\user\AppData\Local\Temp\IMT4D03.tmp
Source: C:\Windows\hh.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine Classification label: clean1.winCHM@1/6@0/0
Source: C:\Windows\hh.exe File created: C:\Users\user\AppData\Roaming\Microsoft\HTML Help
Source: C:\Windows\hh.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\Outlook\Capabilities\UrlAssociations
Source: C:\Windows\hh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\hh.exe Memory allocated: 29703270000 memory reserve | memory write watch
Source: C:\Windows\hh.exe Memory allocated: 29707200000 memory reserve | memory write watch
Source: C:\Windows\hh.exe Memory allocated: page read and write | page guard
Source: C:\Windows\hh.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\hh.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Windows\hh.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Windows\hh.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Windows\hh.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Windows\hh.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Windows\hh.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Windows\hh.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Windows\hh.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Windows\hh.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Windows\hh.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Windows\hh.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Windows\hh.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\hh.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Windows\hh.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
No contacted IP infos