Cuckoo Sandbox

File 46814408d1951069_winhelp59.exe

Summary
Download Resubmit sample

Size	51.8KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`021109ebe1e4fd960188cc6b40a217a9`
SHA1	`f84bbf60db9c77e8d1b0deaa4f342753a2120e87`
SHA256	`46814408d1951069b28a6b6ba934118d117b295031f513ade47721c832a051ea`
SHA512	`d18e7d0b777e37838b18b2acefc961fa0183c9643f775c78acd456ce68a9f356283d3e4442fc4a3029da50531c6d869ea5919c01761be71139faeef2bc83b87e`
CRC32	`39F0BB97`
ssdeep	`None`
Yara	RSharedStrings - identifiers for remote and gmremote

Score

This file is very suspicious, with a score of 10 out of 10!

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Autosubmit

Parent_Task_ID:6770258

Feedback

Expecting different results? Send us this analysis and we will inspect it. Click here

Information on Execution

Analysis

Category	Started	Completed	Duration	Routing	Logs
FILE	July 30, 2025, 4:40 p.m.	July 30, 2025, 4:47 p.m.	453 seconds	internet	Show Analyzer Log Show Cuckoo Log

Analyzer Log

2025-07-27 06:13:32,015 [analyzer] DEBUG: Starting analyzer from: C:\tmpk4d6bl
2025-07-27 06:13:32,030 [analyzer] DEBUG: Pipe server name: \??\PIPE\UcmdWEzCgUaNOLXYe
2025-07-27 06:13:32,030 [analyzer] DEBUG: Log pipe server name: \??\PIPE\XAHzdXpPBLtukVfx
2025-07-27 06:13:32,030 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2025-07-27 06:13:32,046 [analyzer] INFO: Automatically selected analysis package "exe"
2025-07-27 06:13:32,312 [analyzer] DEBUG: Started auxiliary module Curtain
2025-07-27 06:13:32,312 [analyzer] DEBUG: Started auxiliary module DbgView
2025-07-27 06:13:32,765 [analyzer] DEBUG: Started auxiliary module Disguise
2025-07-27 06:13:32,983 [analyzer] DEBUG: Loaded monitor into process with pid 512
2025-07-27 06:13:33,000 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-07-27 06:13:33,000 [analyzer] DEBUG: Started auxiliary module Human
2025-07-27 06:13:33,000 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-07-27 06:13:33,000 [analyzer] DEBUG: Started auxiliary module Reboot
2025-07-27 06:13:33,125 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-07-27 06:13:33,125 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-07-27 06:13:33,125 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-07-27 06:13:33,125 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-07-27 06:13:33,358 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\46814408d1951069_winhelp59.exe' with arguments '' and pid 1776
2025-07-27 06:13:33,546 [analyzer] DEBUG: Loaded monitor into process with pid 1776
2025-07-27 06:13:33,578 [analyzer] INFO: Added new file to list with pid 1776 and path C:\Users\Administrator\AppData\Local\Temp\20397593.reg
2025-07-27 06:13:33,687 [analyzer] INFO: Injected into process with pid 788 and name u'regedit.exe'
2025-07-27 06:13:33,687 [analyzer] INFO: Added new file to list with pid 1776 and path C:\Windows\SysWOW64\WinHelp93.exe
2025-07-27 06:13:33,905 [analyzer] DEBUG: Loaded monitor into process with pid 788
2025-07-27 06:13:34,375 [analyzer] INFO: Process with pid 788 has terminated
2025-07-27 06:13:38,592 [analyzer] INFO: Injected into process with pid 1896 and name u'WinHelp93.exe'
2025-07-27 06:13:38,750 [analyzer] DEBUG: Loaded monitor into process with pid 1896
2025-07-27 06:13:38,858 [analyzer] INFO: Injected into process with pid 1308 and name u'svchost.exe'
2025-07-27 06:13:39,375 [analyzer] INFO: Process with pid 1776 has terminated
2025-07-27 06:13:40,375 [analyzer] INFO: Process with pid 1896 has terminated
2025-07-27 06:13:41,375 [analyzer] INFO: Process with pid 1308 has terminated
2025-07-27 06:13:41,375 [analyzer] INFO: Process list is empty, terminating analysis.
2025-07-27 06:13:42,608 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-07-27 06:13:42,625 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-07-30 16:40:16,187 [cuckoo.core.scheduler] INFO: Task #6790810: acquired machine win7x6422 (label=win7x6422)
2025-07-30 16:40:16,188 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.222 for task #6790810
2025-07-30 16:40:16,803 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 1671012 (interface=vboxnet0, host=192.168.168.222)
2025-07-30 16:40:16,886 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6422
2025-07-30 16:40:17,945 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6422 to vmcloak
2025-07-30 16:44:03,844 [cuckoo.core.guest] INFO: Starting analysis #6790810 on guest (id=win7x6422, ip=192.168.168.222)
2025-07-30 16:44:04,882 [cuckoo.core.guest] DEBUG: win7x6422: not ready yet
2025-07-30 16:44:09,913 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6422, ip=192.168.168.222)
2025-07-30 16:44:10,361 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6422, ip=192.168.168.222, monitor=latest, size=6660546)
2025-07-30 16:44:12,265 [cuckoo.core.resultserver] DEBUG: Task #6790810: live log analysis.log initialized.
2025-07-30 16:44:13,232 [cuckoo.core.resultserver] DEBUG: Task #6790810 is sending a BSON stream
2025-07-30 16:44:14,002 [cuckoo.core.resultserver] DEBUG: Task #6790810 is sending a BSON stream
2025-07-30 16:44:14,043 [cuckoo.core.resultserver] DEBUG: Task #6790810 is sending a BSON stream
2025-07-30 16:44:15,009 [cuckoo.core.resultserver] DEBUG: Task #6790810: File upload for 'shots/0001.jpg'
2025-07-30 16:44:15,033 [cuckoo.core.resultserver] DEBUG: Task #6790810 uploaded file length: 133449
2025-07-30 16:44:19,013 [cuckoo.core.resultserver] DEBUG: Task #6790810 is sending a BSON stream
2025-07-30 16:44:19,019 [cuckoo.core.resultserver] DEBUG: Task #6790810: File upload for 'files/46814408d1951069_46814408d1951069_winhelp59.exe'
2025-07-30 16:44:19,028 [cuckoo.core.resultserver] DEBUG: Task #6790810 uploaded file length: 53091
2025-07-30 16:44:22,595 [cuckoo.core.resultserver] DEBUG: Task #6790810: File upload for 'curtain/1753589622.47.curtain.log'
2025-07-30 16:44:22,599 [cuckoo.core.resultserver] DEBUG: Task #6790810 uploaded file length: 36
2025-07-30 16:44:22,730 [cuckoo.core.resultserver] DEBUG: Task #6790810: File upload for 'sysmon/1753589622.61.sysmon.xml'
2025-07-30 16:44:22,737 [cuckoo.core.resultserver] DEBUG: Task #6790810: File upload for 'files/4def8e574347fe3b_20397593.reg'
2025-07-30 16:44:22,739 [cuckoo.core.resultserver] DEBUG: Task #6790810 uploaded file length: 384
2025-07-30 16:44:22,741 [cuckoo.core.resultserver] DEBUG: Task #6790810 uploaded file length: 456996
2025-07-30 16:44:22,744 [cuckoo.core.resultserver] DEBUG: Task #6790810: File upload for 'files/17733aef2c7f1985_winhelp93.exe'
2025-07-30 16:44:22,746 [cuckoo.core.resultserver] DEBUG: Task #6790810 uploaded file length: 57552
2025-07-30 16:44:23,300 [cuckoo.core.resultserver] DEBUG: Task #6790810 had connection reset for <Context for LOG>
2025-07-30 16:44:24,056 [cuckoo.core.guest] INFO: win7x6422: analysis completed successfully
2025-07-30 16:44:24,068 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-07-30 16:44:24,096 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-07-30 16:44:25,636 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6422 to path /srv/cuckoo/cwd/storage/analyses/6790810/memory.dmp
2025-07-30 16:44:25,645 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6422
2025-07-30 16:47:48,980 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.222 for task #6790810
2025-07-30 16:47:49,310 [cuckoo.core.scheduler] DEBUG: Released database task #6790810
2025-07-30 16:47:49,330 [cuckoo.core.scheduler] INFO: Task #6790810: analysis procedure completed

Signatures

Yara rule detected for file (1 event)

description

identifiers for remote and gmremote

rule

RSharedStrings

Allocates read-write-execute memory (usually to unpack itself) (50 out of 172 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 53248 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13152000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13151000 process_handle: 0xffffffff	1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	.ex_cod
section	.ex_rsc
section	.nwroh

The executable uses a known packer (1 event)

packer

eXPressor v1.3 -> CGSoftLabs

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Foreign language identified in PE resource (3 events)

name

RT_ICON

language

LANG_CHINESE

filetype

Device independent bitmap graphic, 48 x 96 x 32, image size 9216

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000140f0

size

0x000025a8

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00016698

size

0x00000014

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000166ac

size

0x00000348

Creates executable files on the filesystem (2 events)

file	C:\Users\Administrator\AppData\Local\Temp\20397593.reg
file	C:\Windows\System32\WinHelp93.exe

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\svchost.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\Administrator\AppData\Local\Temp\46814408d1951069_winhelp59.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00004dcf', u'virtual_address': u'0x00001000', u'entropy': 7.992448818985285, u'name': u'.data', u'virtual_size': u'0x00011000'}

entropy

7.99244881899

description

A section with a high entropy has been found

entropy

0.534494324738

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 27, 2025, 7:13 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1	0

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 6124418c6dac205e4d1cfd3b9ae52faff45fe65c

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1308 region_size: 98304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13150000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFF8FD86-05DB-4990-92A9-0EE5FDFB7BFE}\stubpath

reg_value

C:\Windows\system32\WinHelp93.exe

Deletes executed files from disk (1 event)

file	C:\Users\Administrator\AppData\Local\Temp\46814408d1951069_winhelp59.exe

Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (2 events)

Process injection

Process 1896 created a remote thread in non-child process 1308

Time & API	Arguments	Status	Return	Repeated
CreateRemoteThread July 27, 2025, 7:13 a.m.	thread_identifier: 0 process_identifier: 1308 function_address: 0x13157d20 flags: 0 stack_size: 0 parameter: 0x13150000 process_handle: 0x000000f0	1	236	0

Manipulates memory of a non-child process indicative of process injection (2 events)

Process injection

Process 1896 manipulating memory of non-child process 1308

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 27, 2025, 7:13 a.m.	process_identifier: 1308 region_size: 98304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13150000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000f0	1	0	0

File has been identified by 13 AntiVirus engine on IRMA as malicious (13 events)

G Data Antivirus (Windows)	Virus: Gen:Variant.Barys.494697 (Engine A)
Avast Core Security (Linux)	Win32:MalwareX-gen [Trj]
C4S ClamAV (Linux)	Win.Dropper.Gh0stRAT-7645027-0
Trellix (Linux)	Generic Malware.dq trojan
WithSecure (Linux)	Trojan.TR/Crypt.XPACK.Gen
eScan Antivirus (Linux)	Gen:Variant.Barys.494697(DB)
ESET Security (Windows)	Win32/Farfli.AAG trojan
Sophos Anti-Virus (Linux)	Troj/Farfli-DL
DrWeb Antivirus (Linux)	Trojan.DownLoad3.17387
ClamAV (Linux)	Win.Dropper.Gh0stRAT-7645027-0
Bitdefender Antivirus (Linux)	Gen:Variant.Barys.494697
Kaspersky Standard (Windows)	HEUR:Trojan-Dropper.Win32.Injector.gen
Emsisoft Commandline Scanner (Windows)	Gen:Variant.Barys.494697 (B)

Screenshots

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action	VT	Location
No hosts contacted.

Browser recommendation

File 46814408d1951069_winhelp59.exe

Summary Download Resubmit sample

Score

Autosubmit

Feedback

Information on Execution

Analyzer Log

Cuckoo Log

Signatures

Feedback

Summary
Download Resubmit sample