» winhlp32.exe
Overview
Analysis
File Details
Behaviors (1)
Network (1)

winhlp32.exe

Malwarebytes Anti-Malware

ManySign Inc.

The executable winhlp32.exe has been detected as malware by 10 anti-virus scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘winhlp32.exe’. While running, it connects to the Internet address parkingpage.namecheap.com on port 80 using the HTTP protocol.

File name:

winhlp32.exe

Publisher:

Malwarebytes (signed by ManySign Inc.)

Product:

Malwarebytes Anti-Malware

Version:

2.2.0

MD5:

9e511d841078d1480fc1a8bb34c1b89f

SHA-1:

4a69e9f79a27ea8683a4f2a589744d7642513d5e

SHA-256:

ddfbe0c335f09ff43ca87e15087492e7e6be51f2031a15c6dd9e84b073746821

Scanner detections:

10 / 68

Status:

Malware

Analysis date:

11/15/2024 4:38:16 PM UTC (today)

Scan engine

Detection

Engine version

AegisLab AV Signature

Uds.Dangerousobject.Multi!c

2.1.4+

AVG

MSIL9

2017.0.2811

ESET NOD32

MSIL/Injector.OJL (variant)

10.13138

G Data

Trojan.GenericKD.3086259

16.3.25

IKARUS anti.virus

Trojan.MSIL.Injector

t3scan.2.0.8.0

Kaspersky

UDS:DangerousObject.Multi.Generic

14.0.0.552

MicroWorld eScan

Trojan.GenericKD.3086259

17.0.0.201

Qihoo 360 Security

HEUR/QVM03.0.Malware.Gen

1.0.0.1120

Rising Antivirus

PE:Malware.Generic/QRS!1.9E2D [F]

23.00.65.16305

Sophos

Mal/Generic-S

4.98

File size:

257.3 KB (263,488 bytes)

Product version:

2.2.0

Original file name:

rawrrawrrawr.exe

File type:

Executable application (Win32 EXE)

Common path:

C:\users\{user}\appdata\roaming\owzcen323f\winhlp32.exe

Digital Signature

Signed by:

ManySign Inc.

Authority:

ManySign Inc.

Valid from:

2/27/2016 10:36:13 AM

Valid to:

2/26/2017 10:36:13 AM

Subject:

E=contact@manysign.com, OU=ManySign Authority, O=ManySign Inc., L=Lansing, S=Michigan, C=US, CN=ManySign

Issuer:

E=contact@manysign.com, OU=ManySign Authority, O=ManySign Inc., L=Lansing, S=Michigan, C=US, CN=ManySign

Serial number:

00A9CE1EFF3DF92E00

File PE Metadata

Compilation timestamp:

3/6/2016 7:00:23 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

8.0

.NET CLR dependent:

Yes

CTPH (ssdeep):

3072:QLQNFjF73kgQewLSRr5j1bKi6/N7d8TDLgREwAz+u11gH6wjCx5V2eGCjnlpgefy:WC39wer5RbKi617jEhzq61VjGCtu

Entry address:

0x3A10E

Entry point:

FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00... 
[+]

Developed / compiled with:

Microsoft Visual C# / Basic .NET

Code size:

228 KB (233,472 bytes)

Startup File (All Users Run)

Registry location:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:

winhlp32.exe

Command:

C:\users\{user}\appdata\roaming\owzcen323f\winhlp32.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):

Connects to parkingpage.namecheap.com (198.54.117.212:80)

Remove winhlp32.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.