
Windows Analysis Report
ProduKey.chm

Overview

General Information

Sample Name:ProduKey.chm
Analysis ID:800706
MD5:182a4559a321819cff2bc87283253d09
SHA1:79615bb7a3ef42ca9783f0e9e58dcb21a1b180b8
SHA256:1c47f8ade1b23861436f7e58971990d99c66fcbf9e85bdf2a2b7bdd1e8641d60

Detection

Score:0
Range:0 - 100
Whitelisted:true
Confidence:100%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)
Queries the volume information (name, serial number etc) of a device

Classification

  • System is w10x64
  • hh.exe (PID: 5168 cmdline: "C:\Windows\hh.exe" C:\Users\user\Desktop\ProduKey.chm MD5: A50C9DF7603E2F1AEA6B54053794A326)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


Source: hh.exe, 00000000.00000003.256038817.000002977F2AA000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.516565390.0000029703415000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000003.304733003.0000029707B74000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000003.256086124.000002977F2B3000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.517359915.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.517281294.000002977F212000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.516565390.00000297033E0000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000003.270025264.0000029707B75000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://blog.nirsoft.net/2009/05/17/antivirus-companies-cause-a-big-headache-to-small-developers/
Source: hh.exe, 00000000.00000002.516565390.00000297033E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://blog.nirsoft.net/2009/05/17/antivirus-companies-cause-a-big-headache-to-small-developers/v
Source: hh.exe, 00000000.00000002.516565390.00000297033E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://blog.nirsoft.net/2009/05/17/antivirus-companies-cause-a-big-headache-to-small-developers/z
Source: hh.exe, 00000000.00000003.270025264.0000029707B75000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://blog.nirsoft.net/2009/10/22/how-to-connect-a-remote-windows-7vistaxp-computer-with-nirsoft-ut
Source: hh.exe, 00000000.00000003.256073687.000002977F2A5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/utils/product_cd_key_viewer.html
Source: hh.exe, 00000000.00000003.342372315.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.517359915.000002977F2AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/utils/product_cd_key_viewer.html.
Source: hh.exe, 00000000.00000002.517359915.000002977F2AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/utils/product_cd_key_viewer.html6
Source: hh.exe, 00000000.00000003.342372315.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.517359915.000002977F2AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/utils/product_cd_key_viewer.htmlF
Source: hh.exe, 00000000.00000002.517359915.000002977F2AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/utils/product_cd_key_viewer.htmlche
Source: hh.exe, 00000000.00000002.517359915.000002977F2AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/utils/product_cd_key_viewer.htmlf
Source: hh.exe, 00000000.00000003.342372315.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000003.256038817.000002977F2AA000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000003.256086124.000002977F2B3000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.517359915.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000003.256123169.000002977F2B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/utils/product_cd_key_viewer.htmlheD
Source: hh.exe, 00000000.00000002.517359915.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.516565390.00000297033CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/utils/product_cd_key_viewer.htmll
Source: hh.exe, 00000000.00000003.342372315.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.517359915.000002977F2AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/utils/product_cd_key_viewer.htmlrodukey.html9
Source: hh.exe, 00000000.00000003.342372315.000002977F24C000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.517359915.000002977F24C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/utils/product_cd_key_viewer.htmlrodukey.htmlDAT
Source: hh.exe, 00000000.00000003.309121391.0000029707218000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/utils/product_cd_key_viewer.htmls
Source: hh.exe, 00000000.00000003.342372315.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.517359915.000002977F2AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/utils/product_cd_key_viewer.htmlv
Source: C:\Windows\hh.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52A2AAAE-085D-4187-97EA-8C30DB990436}\InprocServer32
Source: C:\Windows\hh.exe | File created: C:\Users\user\AppData\Local\Temp\IMT4D03.tmp
Source: C:\Windows\hh.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine | Classification label: clean1.winCHM@1/6@0/0
Source: C:\Windows\hh.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\HTML Help
Source: C:\Windows\hh.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\Outlook\Capabilities\UrlAssociations
Source: C:\Windows\hh.exe | Process information set: NOOPENFILEERRORBOX (10 identical entries)
Source: C:\Windows\hh.exe | Memory allocated: 29703270000 memory reserve | memory write watch
Source: C:\Windows\hh.exe | Memory allocated: 29707200000 memory reserve | memory write watch
Source: C:\Windows\hh.exe | Memory allocated: page read and write | page guard
Source: C:\Windows\hh.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\hh.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Windows\hh.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Windows\hh.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Windows\hh.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Windows\hh.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Windows\hh.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Windows\hh.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Windows\hh.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Windows\hh.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Windows\hh.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Windows\hh.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Windows\hh.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Windows\hh.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\hh.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation (2 identical entries)
Source: C:\Windows\hh.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation (2 identical entries)
Source: C:\Windows\hh.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
MITRE ATT&CK matrix (a number in front of a technique is the count of matched signatures for that cell):

  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts
  • Execution: Windows Management Instrumentation, Scheduled Task/Job, At (Linux)
  • Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows)
  • Privilege Escalation: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows)
  • Defense Evasion: 1 Masquerading, 1 Virtualization/Sandbox Evasion, 1 Disable or Modify Tools
  • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager
  • Discovery: 1 Virtualization/Sandbox Evasion, 12 System Information Discovery, Query Registry
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares
  • Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration
  • Command and Control: Data Obfuscation, Junk Data, Steganography
  • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location
  • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
  • Impact: Modify System Partition, Device Lockout, Delete Device Data

Source | Detection | Scanner | Label
ProduKey.chm | 0% | ReversingLabs |
ProduKey.chm | 0% | Virustotal |
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.nirsoft.net/utils/product_cd_key_viewer.htmlheD | hh.exe, 00000000.00000003.342372315.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000003.256038817.000002977F2AA000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000003.256086124.000002977F2B3000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.517359915.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000003.256123169.000002977F2B9000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.nirsoft.net/utils/product_cd_key_viewer.htmlF | hh.exe, 00000000.00000003.342372315.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.517359915.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.nirsoft.net/utils/product_cd_key_viewer.htmlf | hh.exe, 00000000.00000002.517359915.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.nirsoft.net/utils/product_cd_key_viewer.htmlche | hh.exe, 00000000.00000002.517359915.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://blog.nirsoft.net/2009/05/17/antivirus-companies-cause-a-big-headache-to-small-developers/z | hh.exe, 00000000.00000002.516565390.00000297033E0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.nirsoft.net/utils/product_cd_key_viewer.html | hh.exe, 00000000.00000003.256073687.000002977F2A5000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.nirsoft.net/utils/product_cd_key_viewer.htmlrodukey.html9 | hh.exe, 00000000.00000003.342372315.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.517359915.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://blog.nirsoft.net/2009/05/17/antivirus-companies-cause-a-big-headache-to-small-developers/ | hh.exe, 00000000.00000003.256038817.000002977F2AA000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.516565390.0000029703415000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000003.304733003.0000029707B74000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000003.256086124.000002977F2B3000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.517359915.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.517281294.000002977F212000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.516565390.00000297033E0000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000003.270025264.0000029707B75000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.nirsoft.net/utils/product_cd_key_viewer.html. | hh.exe, 00000000.00000003.342372315.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.517359915.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://blog.nirsoft.net/2009/05/17/antivirus-companies-cause-a-big-headache-to-small-developers/v | hh.exe, 00000000.00000002.516565390.00000297033E0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.nirsoft.net/utils/product_cd_key_viewer.htmll | hh.exe, 00000000.00000002.517359915.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.516565390.00000297033CA000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.nirsoft.net/utils/product_cd_key_viewer.htmlrodukey.htmlDAT | hh.exe, 00000000.00000003.342372315.000002977F24C000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.517359915.000002977F24C000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.nirsoft.net/utils/product_cd_key_viewer.html6 | hh.exe, 00000000.00000002.517359915.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.nirsoft.net/utils/product_cd_key_viewer.htmlv | hh.exe, 00000000.00000003.342372315.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000000.00000002.517359915.000002977F2AF000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.nirsoft.net/utils/product_cd_key_viewer.htmls | hh.exe, 00000000.00000003.309121391.0000029707218000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                No contacted IP infos
                                Joe Sandbox Version:36.0.0 Rainbow Opal
                                Analysis ID:800706
                                Start date and time:2023-02-07 18:27:23 +01:00
                                Joe Sandbox Product:CloudBasic
                                Overall analysis duration:0h 5m 22s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                Number of analysed new started processes analysed:10
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • HDC enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample file name:ProduKey.chm
                                Detection:CLEAN
                                Classification:clean1.winCHM@1/6@0/0
                                EGA Information:Failed
                                HDC Information:Failed
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 0
                                • Number of non-executed functions: 0
                                Cookbook Comments:
                                • Found application associated with file extension: .chm
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com
                                • Not all processes where analyzed, report is missing behavior information
                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
18:28:22 | API Interceptor | 2x Sleep call for process: hh.exe modified
No context
                                Process:C:\Windows\hh.exe
                                File Type:GIF image data, version 89a, 32 x 32
                                Category:dropped
                                Size (bytes):1040
                                Entropy (8bit):2.880106848979278
                                Encrypted:false
                                SSDEEP:6:NlGq9K5tqwnEIPa8lqdNQ9DPAPdYa7+xRgrXscvMS2iQ5zy+r:3GQKzqwnEQa8lqdNQ9YfYgQ3S2t5p
                                MD5:AA06955654EEF849A51DF89FDC9208BC
                                SHA1:23D978B8078DB5A3EE0649A6422C09A2D1B41B20
                                SHA-256:AB80BF76AC30775829501AD88F1A378C08BD4B6E4CBEBA3BC2A4629E575C25AD
                                SHA-512:100C2EE2E5CEE36046DE6362292A72E02C975265BC15CE7F0F7F44638673C01B7A88DC8D72F89089924362F405CD00A30097F781BAEDCF16FA2941C53D2F1E28
                                Malicious:false
                                Reputation:low
                                Process:C:\Windows\hh.exe
                                File Type:assembler source, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4325
                                Entropy (8bit):5.131781973149786
                                Encrypted:false
                                SSDEEP:96:89g7yv0e+6zNDoBMq558yw3KiTAT/q0yHF:8iyv0MDoBz55xw6iTAbq0yl
                                MD5:EA2F0A6152B6C2EF85D08F9A4411069A
                                SHA1:84C0440CB77D6B7B78A71EA1DD6651C7C73AF07E
                                SHA-256:9345F60F069E163F4EE0518529A0260C0715AD93C35E808E3BC39D6890E19101
                                SHA-512:75A1925F36FD7A1651A3C0FE0373D0BC4A64B83F4BDFD689D8E74348078F0466484C978CD9BD681F45F36A51FB035CBBC1D8D14614586AE7E93B720786AFAD5F
                                Malicious:false
                                Reputation:low
                                Preview:BODY {background-color: #F8F8F8; color: #000000;scrollbar-face-color: #DEE3E7;scrollbar-highlight-color: #FFFFFF;scrollbar-shadow-color: #DEE3E7;scrollbar-3dlight-color: #D1D8DD;scrollbar-arrow-color: #006090;scrollbar-track-color: #EFEFEF;scrollbar-darkshadow-color: #98AAB0;}..A:LINK {color: #8040FF }..A:VISITED {color: #C020F0 }..A:HOVER {color: #FF0099 }...title1 {border-width: 2;border-style: outset ; background-color: #0000E0; color: #FFFFFF; width: 100%;font-weight:700;font-family: Arial, Helvetica, sans-serif;font-size: 13pt;}...title2 {border-width: 1;border-style: outset; background-color: #C8C8C8;color: #000080; width: 100%; font-weight:700;font-family: Arial, Helvetica, sans-serif;font-size: 13pt;}...filestable {border-width: 0; background-color: #ECECEC; color: #000000; width: 100%}...filesrow {background-color: #E6E6E6; color: #000000;}...filetitle {font-size:medium; font-weight:700; font-weight:700;font-family: Arial, Helvetica, sans-serif;font-size: 12pt;}...faquestion
                                Process:C:\Windows\hh.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):8276
                                Entropy (8bit):0.6274991512679713
                                Encrypted:false
                                SSDEEP:12:m0l6eohI+KKe+KjK9zh+KlE/KlEvt+KlEvdX:SQ1V2FlEClEvt1lEvdX
                                MD5:943D3CE711A5EBA4A01A9B4E8EDF1388
                                SHA1:E8DFD5502B1413F4996CA43E2E76E45F2A32A1D7
                                SHA-256:BBB45CCB31607F92D62EE94204B0E2E4CA802EA6AE6A7B8B6AEBFE99655FA920
                                SHA-512:C969D0EF61FFAC73436EC7F094F9C737AD0F26D05EAA8AA506A919F31ACF22E237CBB088F7291C1883C8BF3ABE764F9895F921B4B37EE87A0353F8E4229E68E3
                                Malicious:false
                                Reputation:moderate, very likely benign file
                                Process:C:\Windows\hh.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):512
                                Entropy (8bit):0.0
                                Encrypted:false
                                SSDEEP:3::
                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                Malicious:false
                                Process:C:\Windows\hh.exe
                                File Type:Composite Document File V2 Document, Cannot read section info
                                Category:dropped
                                Size (bytes):16384
                                Entropy (8bit):0.3613836054883338
                                Encrypted:false
                                SSDEEP:3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//:rl912N0xs+CFQXCB9Xh9Xh9X
                                MD5:679672A5004E0AF50529F33DB5469699
                                SHA1:427A4EC3281C9C4FAEB47A22FFBE7CA3E928AFB0
                                SHA-256:205D000AA762F3A96AC3AD4B25D791B5F7FC8EFB9056B78F299F671A02B9FD21
                                SHA-512:F8615C5E5CF768A94E06961C7C8BEF99BEB43E004A882A4E384F5DD56E047CA59B963A59971F78DCF4C35D1BB92D3A9BC7055BFA3A0D597635DE1A9CE06A3476
                                Malicious:false
                                Process:C:\Windows\hh.exe
                                File Type:MS Windows HtmlHelp Data
                                Category:dropped
                                Size (bytes):8590
                                Entropy (8bit):0.7897229186550494
                                Encrypted:false
                                SSDEEP:12:1om6ysNMqiNMvyc0Ke0l6eohI+KKe+KjK9zh+KlE/KlEvt+KlEvdX:12x5yc0JQ1V2FlEClEvt1lEvdX
                                MD5:9741E5E3988CBCF1C7A1F4F02FC789C0
                                SHA1:C41598C950E0D47591194DF4BAAB06B4B435619E
                                SHA-256:9C8FCA6A0D5767F7C889FB51F0020580DEB34A251FCE8EF72E4A877540601309
                                SHA-512:0BC09FFBD6A180B1150C08739670E28B405A9AAF48763B16B8768FE9BC850E3291F6D3AFF1249E5C2685AB952C00FF0B00FB743DFA86030B5A2308924228914E
                                Malicious:false
                                File type:MS Windows HtmlHelp Data
                                Entropy (8bit):5.4586329774402795
                                TrID:
                                • Windows HELP File (4004/1) 100.00%
                                File name:ProduKey.chm
                                File size:17708
                                MD5:182a4559a321819cff2bc87283253d09
                                SHA1:79615bb7a3ef42ca9783f0e9e58dcb21a1b180b8
                                SHA256:1c47f8ade1b23861436f7e58971990d99c66fcbf9e85bdf2a2b7bdd1e8641d60
                                SHA512:9859d4e00192f1d13b9f882a26ce9a5543973c8ee49c7ca5db83818e1f29dcf1ad5332497e1ea4d872aed318440a8ad457c955ba47367c819e51a6a387a42fc1
                                SSDEEP:192:6tgcLqluN9rRwaLe8ofxzmxQdMCNlE0GoxH+0XyMw70PF:69L2A9rRGxzrdQzWe6yM
                                TLSH:FF828DF0A7258611C864473273E0314EFA483A2789E3496565DFF39F2549D02BEB2BBD
                                Icon Hash:60d0c86c7c7c9c20
                                Name:$WWKeywordLinks
                                Type:directory

                                Name:#URLSTR
                                Type:data
                                Preview:.........produkey.html.

                                Name:#ITBITS
                                Type:empty

                                Name:#IDXHDR
                                Type:data
                                Preview:T#SM

                                Name:$OBJINST
                                Type:X11 SNF font data, MSB first

                                Name:produkey.html
                                Type:HTML document, ASCII text, with CRLF line terminators
                                Preview:<html>..<head>..<title>ProduKey</title>..<link rel="stylesheet" href="main.css">....</head>..<body>....<table border="0" class="utilcaption">..<tr><td><img src="produkey_icon.gif">..<td>ProduKey v1.90..<br>..Copyright (c) 2005 - 2017 Nir Sofer..<br>.

                                Name:#STRINGS
                                Type:data
                                Preview:.main.ProduKey.ProduKey.

                                Name:$WWAssociativeLinks
                                Type:directory

                                Name:$FIftiMain
                                Type:empty

                                Name:#URLTBL
                                Type:data

                                Name:produkey_icon.gif
                                Type:GIF image data, version 89a, 32 x 32
                                Preview:GIF89a

                                Name:#SYSTEM
                                Type:data
                                Preview:........OX....HHA Version 4.74.8702...$....................................produkey.html.....produkey.....main.............T#SM

                                Name:#TOPICS
                                Type:data

                                Name:main.css
                                Type:assembler source, ASCII text, with CRLF line terminators
                                Preview:BODY {background-color: #F8F8F8; color: #000000;scrollbar-face-color: #DEE3E7;scrollbar-highlight-color: #FFFFFF;scrollbar-shadow-color: #DEE3E7;scrollbar-3dlight-color: #D1D8DD;scrollbar-arrow-color: #006090;scrollbar-track-color: #EFEFEF;scrollbar

                                Name:#WINDOWS
                                Type:data
                                Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.

                                Target ID:0
                                Start time:18:28:20
                                Start date:07/02/2023
                                Path:C:\Windows\hh.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\hh.exe" C:\Users\user\Desktop\ProduKey.chm
                                Imagebase:0x7ff665f20000
                                File size:17920 bytes
                                MD5 hash:A50C9DF7603E2F1AEA6B54053794A326
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:moderate

                                No disassembly