Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe |
Avira: detection malicious, Label: HEUR/AGEN.1313480 |
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe |
ReversingLabs: Detection: 91% |
Source: 2k632W2O.exe |
ReversingLabs: Detection: 91% |
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe |
Joe Sandbox ML: detected |
Source: 2k632W2O.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: unknown |
HTTPS traffic detected: 23.46.214.6:443 -> 192.168.2.7:49712 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 23.46.214.6:443 -> 192.168.2.7:49713 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.7:49715 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.7:49719 version: TLS 1.2 |
Source: 2k632W2O.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: Joe Sandbox View |
IP Address: 239.255.255.250 (SSDP multicast address; local discovery traffic from the VM, not a remote host) |
Source: Joe Sandbox View |
JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 204.79.197.203 (7 connections) |
Source: unknown |
TCP traffic detected without corresponding DNS query: 104.98.116.138 (7 connections) |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.50.201.200 (6 connections) |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.46.214.6 (18 connections) |
Source: unknown |
TCP traffic detected without corresponding DNS query: 13.85.23.86 (12 connections) |
Note: the 50 identical rows the report emits for these five addresses are collapsed above. The only DNS query recorded in this analysis is www.google.com, so the BITS and Windows Update requests listed further down (fs.microsoft.com, slscr.update.microsoft.com) must have resolved outside the capture as well. None of these connections is attributed to 2k632W2O.exe or PerfWatson2.exe (source "unknown" means no process association), and 23.46.214.6 and 13.85.23.86 are the peers of the TLS 1.2 sessions listed above; treat them as VM background traffic unless a process-level capture ties them to the sample.
Source: global traffic |
HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1
  Host: www.google.com
  Connection: keep-alive
  X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlaHLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc=
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9 |
Source: global traffic |
HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1
  Host: www.google.com
  Connection: keep-alive
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9 |
Source: global traffic |
HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1
  Host: www.google.com
  Connection: keep-alive
  X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlaHLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc=
  Sec-Fetch-Site: cross-site
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9 |
Source: global traffic |
HTTP traffic detected: GET /async/newtab_promos HTTP/1.1
  Host: www.google.com
  Connection: keep-alive
  Sec-Fetch-Site: cross-site
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9 |
Source: global traffic |
HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGOe2sLEGIjCRQXKD8hfxz0ViO1eijFkmmx_OTjfe4iTZ5wTUpUMhz8i_7ZLVRoSzurhTqh7cwPUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
  Host: www.google.com
  Connection: keep-alive
  Sec-Fetch-Site: cross-site
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
  Cookie: 1P_JAR=2024-04-26-21; NID=513=EPfNuXZZxunDCKtzaK5PA5YL2FhHt0ddP7D7URAgMaMPI9qJ-01Pj449ZfVvqh-5PANFxE8gntsRssIIuSLP7o8IfEfP4pBWKjkrYhuwoNDQwfYxFJ4bw8BAhb9yJFQFJXdDkmbkOu3k_gP9PdrTXnGRBpIpwnOFqobfvnLxRQ0 |
Source: global traffic |
HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGOe2sLEGIjBr0MdO0BYOJHvE4c3r_MeYQPdjstJTWuR7MYyn8Z4PVcXCDLAhkZk0gANbn-kD57oyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
  Host: www.google.com
  Connection: keep-alive
  X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlaHLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc=
  Sec-Fetch-Site: cross-site
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
  Cookie: 1P_JAR=2024-04-26-21; NID=513=EPfNuXZZxunDCKtzaK5PA5YL2FhHt0ddP7D7URAgMaMPI9qJ-01Pj449ZfVvqh-5PANFxE8gntsRssIIuSLP7o8IfEfP4pBWKjkrYhuwoNDQwfYxFJ4bw8BAhb9yJFQFJXdDkmbkOu3k_gP9PdrTXnGRBpIpwnOFqobfvnLxRQ0 |
Source: global traffic |
HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  Accept-Encoding: identity
  If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
  Range: bytes=0-2147483646
  User-Agent: Microsoft BITS/7.8
  Host: fs.microsoft.com |
Source: global traffic |
HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=2FRsBOyrzU3y1Y1&MD=Eun64ssZ HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
  Host: slscr.update.microsoft.com |
Source: global traffic |
HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=2FRsBOyrzU3y1Y1&MD=Eun64ssZ HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
  Host: slscr.update.microsoft.com |
Note: every request above comes from Chrome (Chrome/117 new-tab and omnibox calls; the two /sorry/index redirects are Google's automated-traffic interstitial), from BITS (fs.microsoft.com) or from the Windows Update agent (slscr.update.microsoft.com). The report attributes no HTTP request to 2k632W2O.exe or PerfWatson2.exe, and the chrome.exe launch in the process list has no recorded parent, so nothing here is sample C2. The 1P_JAR cookie dates the run to 2024-04-26.
Source: global traffic |
DNS traffic detected: DNS query: www.google.com |
Source: unknown |
Network traffic detected: HTTP traffic on port 49708 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49700 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49674 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49710 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49672 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49712 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49702 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49725 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49719 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49701 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49719 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49713 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49715 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49715 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49713 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49712 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49698 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49675 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49710 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49698 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49677 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49703 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49671 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49723 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49700 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49708 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49703 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49725 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49702 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49701 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49723 |
Source: 2k632W2O.exe |
Static PE information: section name: ."V/ |
Source: PerfWatson2.exe.0.dr |
Static PE information: section name: ."V/ |
Source: 2k632W2O.exe, 00000000.00000002.1233255330.0000000000FEF000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenamePerfWatson2.exeT vs 2k632W2O.exe |
Source: 2k632W2O.exe |
Binary or memory string: OriginalFilenamePerfWatson2.exeT vs 2k632W2O.exe |
Note: the version resource claims OriginalFilename=PerfWatson2.exe, the name of a legitimate Visual Studio helper, while the submitted file is 2k632W2O.exe; the dropped copy is then written under that borrowed name in %APPDATA%\Microsoft\PerfMon, a path chosen to look like a Microsoft component. Match on hash or signature, not on file name.
Source: 5.2.PerfWatson2.exe.650000.0.unpack, type: UNPACKEDPE |
Source: 0.2.2k632W2O.exe.5c0000.0.unpack, type: UNPACKEDPE |
Source: 00000005.00000002.3665226219.0000000000651000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY |
Source: 00000000.00000002.1232588140.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule (identical for all four sources): Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09 |
Note: all four matches are on unpacked process images and memory dumps; the report lists no match on the file as it sits on disk.
Source: classification engine |
Classification label: mal100.spyw.evad.winEXE@29/5@2/4 |
Source: C:\Users\user\Desktop\2k632W2O.exe |
File created: C:\Users\user\AppData\Roaming\Microsoft\PerfMon |
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe |
Mutant created: \Sessions\1\BaseNamedObjects\3113225624820686 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7396:120:WilError_03 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2268:120:WilError_03 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2620:120:WilError_03 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4816:120:WilError_03 |
Note: the numeric mutex 3113225624820686 is created by the dropped payload and is a usable host-based indicator; the four SM0:<pid>:120:WilError_03 mutants are created by conhost.exe for each console it hosts (one per schtasks.exe run) and are normal Windows behaviour.
Source: C:\Users\user\Desktop\2k632W2O.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Note: this is the Software Restriction Policies key; CreateProcess consults it when a child (here schtasks.exe) is started, so the read is not by itself an indicator.
Source: C:\Users\user\Desktop\2k632W2O.exe |
File read: C:\Users\user\Desktop\2k632W2O.exe |
Source: unknown |
Process created: C:\Users\user\Desktop\2k632W2O.exe "C:\Users\user\Desktop\2k632W2O.exe" |
|
Source: C:\Users\user\Desktop\2k632W2O.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 5 /tn "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}" /tr "C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe" |
|
Source: C:\Windows\SysWOW64\schtasks.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\2k632W2O.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe /C /Query /XML /TN "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}" |
|
Source: unknown |
Process created: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe |
|
Source: C:\Windows\SysWOW64\schtasks.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\2k632W2O.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /tn "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}" /XML "C:\Users\user\AppData\Roaming\Microsoft\PerfMon\1201824912038.xml" |
|
Source: C:\Windows\SysWOW64\schtasks.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:/// |
|
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 5 /tn "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}" /tr "C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe" |
|
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 --field-trial-handle=2320,i,9069043476438568243,10755491246426050170,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 |
|
Source: C:\Windows\SysWOW64\schtasks.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
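The process tree above is the whole persistence story: schtasks.exe registers a 5-minute task pointing at the dropped copy, exports it as XML, re-registers it from that XML, and the dropped copy registers it yet again on its own first run. The following is an added example, not code from the report or from the sample's author: a small detection rule run over process-creation records. The records are constructed; the first four command lines are copied from the page and the fifth is a benign control that is not on the page. The field names (parent, image, cmd), the list of user-writable directories, the switch table and the score threshold are all assumptions to be adapted to your own telemetry (for Sysmon Event ID 1 the fields are ParentImage, Image and CommandLine).

```python
"""Flag schtasks.exe persistence of the kind this report shows (added example)."""
import re

# Locations an unprivileged user can write to (assumed list). A task whose action
# or XML definition lives here deserves more suspicion than one under Program Files.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Windows\\Temp)\\", re.IGNORECASE)

ACTIONS = {"/create", "/query", "/delete", "/change", "/run", "/end"}
# schtasks switches that take a value; any other '/x' token is treated as a flag.
VALUE_SWITCHES = {"/tn", "/tr", "/sc", "/mo", "/xml", "/st", "/ru", "/rp",
                  "/rl", "/du", "/ri", "/s", "/u", "/p"}

# Constructed records. Command lines 1-4 are copied from the report; 5 is a benign control.
EVENTS = [
    {"parent": r"C:\Users\user\Desktop\2k632W2O.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 5 '
            r'/tn "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}" '
            r'/tr "C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe"'},
    {"parent": r"C:\Users\user\Desktop\2k632W2O.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'C:\Windows\SysWOW64\schtasks.exe /C /Query /XML /TN "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}"'},
    {"parent": r"C:\Users\user\Desktop\2k632W2O.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'C:\Windows\SysWOW64\schtasks.exe /C /create /F /tn "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}" '
            r'/XML "C:\Users\user\AppData\Roaming\Microsoft\PerfMon\1201824912038.xml"'},
    {"parent": r"C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 5 '
            r'/tn "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}" '
            r'/tr "C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe"'},
    # Benign control (constructed, not from the page): an installer registering a daily updater.
    {"parent": r"C:\Program Files\ExampleVendor\setup.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'C:\Windows\System32\schtasks.exe /create /tn "ExampleVendor Update" '
            r'/tr "C:\Program Files\ExampleVendor\update.exe" /sc daily /st 03:00'},
]


def tokenize(cmd):
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def parse_schtasks(cmd):
    """Return {'action': ..., 'flags': {...}, '<switch>': value} for a schtasks line."""
    toks = tokenize(cmd)
    parsed = {"action": None, "flags": set()}
    i = 0
    while i < len(toks):
        t = toks[i].lower()
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if t in ACTIONS:
            parsed["action"] = t[1:]
        elif t in VALUE_SWITCHES and nxt and not nxt.startswith("/"):
            parsed[t[1:]] = nxt          # e.g. /tr <path>; '/XML' with no value is a flag
            i += 1
        elif t.startswith("/"):
            parsed["flags"].add(t[1:])
        i += 1
    return parsed


def assess(event):
    """Score one process-creation event; None unless it is a schtasks /create."""
    if not event["image"].lower().endswith("\\schtasks.exe"):
        return None
    p = parse_schtasks(event["cmd"])
    if p["action"] != "create":
        return None
    reasons = []
    if USER_WRITABLE.search(p.get("tr", "")):
        reasons.append("task action runs from a user-writable directory")
    if p.get("sc", "").lower() == "minute":
        try:
            every = int(p.get("mo", "1"))
        except ValueError:
            every = 1
        if every <= 10:
            reasons.append(f"re-runs every {every} minute(s)")
    if USER_WRITABLE.search(p.get("xml", "")):
        reasons.append("task definition imported from an XML file in a user-writable directory")
    if "f" in p["flags"]:
        reasons.append("/F overwrites any existing task of that name without prompting")
    if USER_WRITABLE.search(event["parent"]):
        reasons.append("creating process itself runs from a user-writable path")
    return {"task": p.get("tn"), "score": len(reasons), "reasons": reasons}


def hunt(events, threshold=2):
    """Return the assessments that reach the alert threshold (assumed: 2 reasons)."""
    hits = []
    for e in events:
        a = assess(e)
        if a and a["score"] >= threshold:
            hits.append(a)
    return hits


if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(f"{hit['task']}: score {hit['score']}")
        for r in hit["reasons"]:
            print("  -", r)
```

Run against the five records, the three /create lines from the report score 4, 3 and 4 while the /Query line is ignored and the control scores 0. The scoring is deliberately additive so that a legitimate per-user task under AppData (score 1 or 2) does not page anyone on its own; the combination of a user-writable target, a minute-level trigger and a parent that is itself outside Program Files is what makes this sample stand out.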
Source: C:\Users\user\Desktop\2k632W2O.exe |
Section loaded: apphelp.dll, windows.storage.dll, wldp.dll, ntmarta.dll |
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe |
Section loaded: apphelp.dll, windows.storage.dll, wldp.dll |
Source: C:\Windows\SysWOW64\schtasks.exe (each of the four invocations) |
Section loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll; xmllite.dll in two of the four |
Source: 2k632W2O.exe |
Static file information: File size 6861312 > 1048576 |
Source: 2k632W2O.exe |
Static PE information: Raw size of .VGF is bigger than: 0x100000 < 0x689e00 |
Source: initial sample |
Static PE information: section where entry point is pointing to: .VGF |
Source: 2k632W2O.exe |
Static PE information: section names: .WVa, ."V/, .VGF |
Source: PerfWatson2.exe.0.dr |
Static PE information: section names: .WVa, ."V/, .VGF |
Note: none of the three section names is one a common linker emits, the entry point lies in .VGF, and that section's raw size (0x689e00 = 6,856,192 bytes) accounts for 99.9% of the 6,861,312-byte file. Together with the Clipbanker Yara rule matching only the unpacked images (0.2.2k632W2O.exe.5c0000.0.unpack, 5.2.PerfWatson2.exe.650000.0.unpack) and process memory, this is the profile of a packed or protected binary: write static signatures against the unpacked image, not the file on disk. The dropped PerfWatson2.exe.0.dr has the same section names, consistent with a straight copy of the original rather than a distinct second stage.
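The static findings above (unusual section names, entry point in an oversized section, DYNAMIC_BASE/NX_COMPAT/TERMINAL_SERVER_AWARE set) are the checks a triage script applies to every new sample. The block below is an added example and not code from the report: it builds a header-only PE32 fixture carrying exactly the facts the page states (section names .WVa, ."V/ and .VGF, entry point inside .VGF, .VGF raw size 0x689e00, file size 6861312, the three DllCharacteristics flags) and then parses and scores it the way such a script would. Everything else in the fixture (image base, virtual addresses and sizes, the raw sizes of the first two sections, the exact entry RVA, the linker version) is made up and marked as assumed in the comments, and no section bodies are present.

```python
"""Rebuild the PE layout this report flags and run triage heuristics on it (added example)."""
import struct

FILE_SIZE = 6861312          # from the report
VGF_RAW_SIZE = 0x689E00      # from the report
DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE = 0x0040, 0x0100, 0x8000

# Names a normal toolchain emits (assumed list); anything else is flagged.
KNOWN_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata", ".rsrc",
                  ".reloc", ".bss", ".tls", ".CRT", ".gfids", ".00cfg", ".didat",
                  ".xdata", ".textbss", ".debug"}


def build_fixture():
    """Header-only PE32 carrying the report's section table (constructed)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    # COFF header: i386, 3 sections, 224-byte optional header,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE (as the report lists).
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<HBB", opt, 0, 0x10B, 14, 0)        # PE32 magic; linker version assumed
    struct.pack_into("<I", opt, 16, 0x3010)               # AddressOfEntryPoint, inside .VGF (RVA assumed)
    struct.pack_into("<I", opt, 28, 0x00400000)           # ImageBase (assumed)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)       # Section/FileAlignment (assumed)
    struct.pack_into("<H", opt, 70, DYNAMIC_BASE | NX_COMPAT | TERMINAL_SERVER_AWARE)
    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
    # Only the names and the .VGF raw size come from the report; the rest is assumed.
    sections = [
        (b".WVa", 0x1000, 0x1000, 0x200, 0x400, 0x60000020),
        (b'."V/', 0x1000, 0x2000, 0x200, 0x600, 0xC0000040),
        (b".VGF", 0x68A000, 0x3000, VGF_RAW_SIZE, 0x800, 0xE0000020),
    ]
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(data):
    """Minimal PE32 header parser: COFF flags, entry RVA, DllCharacteristics, section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, _, _, _, opt_size, coff_chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    sections = []
    for i in range(nsect):
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "raw_size": rsize, "raw_ptr": rptr, "chars": chars})
    return {"machine": machine, "coff_chars": coff_chars, "entry": entry,
            "dll_chars": dll_chars, "sections": sections}


def entry_section(pe):
    """Section whose virtual range contains AddressOfEntryPoint, or None."""
    for s in pe["sections"]:
        if s["va"] <= pe["entry"] < s["va"] + max(s["vsize"], s["raw_size"]):
            return s
    return None


def triage(pe, file_size):
    """Heuristics mirroring the report's static findings; returns human-readable strings."""
    findings = []
    for s in pe["sections"]:
        if s["name"] not in KNOWN_SECTIONS:
            findings.append(f"unrecognised section name {s['name']!r}")
        if not all(c.isalnum() or c in "._$" for c in s["name"]):
            findings.append(f"section name {s['name']!r} contains characters no linker emits")
    ep = entry_section(pe)
    if ep is None:
        findings.append("entry point is outside every section")
    else:
        if ep["raw_size"] > 0x100000:
            findings.append(f"entry point in {ep['name']!r}, raw size 0x{ep['raw_size']:x} (> 1 MiB)")
        share = ep["raw_size"] / file_size
        if share > 0.9:
            findings.append(f"{ep['name']!r} holds {share:.1%} of the file: packed/protected layout")
    want = DYNAMIC_BASE | NX_COMPAT
    if pe["dll_chars"] & want != want:
        findings.append("ASLR or DEP opt-in missing")
    return findings


if __name__ == "__main__":
    for line in triage(parse_pe(build_fixture()), FILE_SIZE):
        print("-", line)
```

On the fixture the script reports three unrecognised section names, the non-printable characters in ."V/, an entry point in a 6.5 MiB section and a 99.9% size share, while ASLR and DEP are correctly seen as enabled; the same parser works unchanged on a real file read from disk, where the share is computed against `os.path.getsize`.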
Source: C:\Users\user\Desktop\2k632W2O.exe |
File created: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe |
Source: C:\Users\user\Desktop\2k632W2O.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 5 /tn "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}" /tr "C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe" |
Note: persistence is a per-user scheduled task (no elevation required) that re-launches the dropped copy every 5 minutes; /F overwrites any existing task of that name. The sample then exports the task (/Query /XML), writes 1201824912038.xml next to the payload and re-registers the task from that file (/create /F /XML); the report does not show what the XML version changed. The dropped copy creates the same 5-minute task again when it runs, and its own launch is recorded with no parent, consistent with a Task Scheduler start. Remove the task "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}" and the PerfMon directory together: deleting only the file leaves a task that fires every 5 minutes, deleting only the task leaves the binary.
Source: C:\Users\user\Desktop\2k632W2O.exe |
Memory written: PID: 7092 base: 1580005 value: E9 8B 2F 1E 76 |
Source: C:\Users\user\Desktop\2k632W2O.exe |
Memory written: PID: 7092 base: 77762F90 value: E9 7A D0 E1 89 |
Source: C:\Users\user\Desktop\2k632W2O.exe |
Memory written: PID: 7092 base: 1590007 value: E9 EB DF 20 76 |
Source: C:\Users\user\Desktop\2k632W2O.exe |
Memory written: PID: 7092 base: 7779DFF0 value: E9 1E 20 DF 89 |
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe |
Memory written: PID: 2440 base: 11D0005 value: E9 8B 2F 59 76 |
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe |
Memory written: PID: 2440 base: 77762F90 value: E9 7A D0 A6 89 |
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe |
Memory written: PID: 2440 base: 11E0007 value: E9 EB DF 5B 76 |
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe |
Memory written: PID: 2440 base: 7779DFF0 value: E9 1E 20 A4 89 |
Note: every value is a 5-byte jmp rel32 (opcode E9). The two high addresses, 77762F90 and 7779DFF0, are identical in both processes, so they lie in a system module mapped at the same base in every process (the report does not say which function); the low addresses differ per process and are private memory. Decoding the displacements (target = base + 5 + rel32, mod 2^32) shows each pair is an inline hook plus trampoline: the jmp at 77762F90 lands at 158000F (11D000F in PID 2440) and the jmp at 1580005 returns to 77762F95, five bytes into the hooked function; likewise 7779DFF0 -> 1590013 and 1590007 -> 7779DFF7, seven bytes in. This is API hooking inside the writing process, and the report records no write into another process.
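The eight "Memory written" rows above decode mechanically into two hook/trampoline pairs per process. The block below is an added example, not code from the report: it parses the rows as copied from the page, computes each jmp rel32 destination, and pairs hooks with trampolines. Which module holds 77762F90 and 7779DFF0 is not stated on the page and is not assumed here; the pairing relies only on the displacement arithmetic and on those two addresses being the same in both PIDs.

```python
"""Decode the 'Memory written' rows of this report as x86 jmp rel32 patches (added example)."""
import re
import struct

# The eight rows, copied from the report.
ROWS = """
Memory written: PID: 7092 base: 1580005 value: E9 8B 2F 1E 76
Memory written: PID: 7092 base: 77762F90 value: E9 7A D0 E1 89
Memory written: PID: 7092 base: 1590007 value: E9 EB DF 20 76
Memory written: PID: 7092 base: 7779DFF0 value: E9 1E 20 DF 89
Memory written: PID: 2440 base: 11D0005 value: E9 8B 2F 59 76
Memory written: PID: 2440 base: 77762F90 value: E9 7A D0 A6 89
Memory written: PID: 2440 base: 11E0007 value: E9 EB DF 5B 76
Memory written: PID: 2440 base: 7779DFF0 value: E9 1E 20 A4 89
"""

ROW_RE = re.compile(r"PID:\s*(\d+)\s+base:\s*([0-9A-Fa-f]+)\s+value:\s*((?:[0-9A-Fa-f]{2}\s*)+)")


def parse_rows(text):
    """Return [(pid, base, patch_bytes), ...] for every 'Memory written' row."""
    rows = []
    for m in ROW_RE.finditer(text):
        pid, base, hexbytes = m.groups()
        rows.append((int(pid), int(base, 16), bytes.fromhex("".join(hexbytes.split()))))
    return rows


def jmp_target(base, code):
    """Destination of a 5-byte 'E9 rel32'.written at base (32-bit address space)."""
    if len(code) != 5 or code[0] != 0xE9:
        raise ValueError("not a jmp rel32")
    rel = struct.unpack("<i", code[1:])[0]          # signed, little-endian displacement
    return (base + 5 + rel) & 0xFFFFFFFF            # relative to the next instruction


def shared_bases(rows):
    """Addresses patched in more than one process. They sit in a module every
    process maps at the same base, i.e. they are the hooked system functions."""
    seen = {}
    for pid, base, _ in rows:
        seen.setdefault(base, set()).add(pid)
    return {b for b, pids in seen.items() if len(pids) > 1}


def pair_hooks(rows):
    """Per PID, match each hooked function with the trampoline that jumps back into it."""
    shared = shared_bases(rows)
    by_pid = {}
    for pid, base, code in rows:
        by_pid.setdefault(pid, []).append((base, jmp_target(base, code)))
    result = {}
    for pid, patches in by_pid.items():
        hooks = [p for p in patches if p[0] in shared]
        trampolines = [p for p in patches if p[0] not in shared]
        pairs = []
        for hooked, detour in hooks:
            for tramp, resume in trampolines:
                # A trampoline resumes just past the bytes the hook overwrote.
                if hooked < resume <= hooked + 16:
                    pairs.append({"hooked": hooked, "detour": detour,
                                  "trampoline": tramp, "resume": resume,
                                  "bytes_replaced": resume - hooked,
                                  # the detour body should sit right beside its trampoline stub
                                  "detour_near_trampoline": 0 <= detour - tramp < 64})
        result[pid] = sorted(pairs, key=lambda p: p["hooked"])
    return result


if __name__ == "__main__":
    for pid, pairs in pair_hooks(parse_rows(ROWS)).items():
        for p in pairs:
            print(f"PID {pid}: hook {p['hooked']:08X} -> {p['detour']:08X}; "
                  f"trampoline {p['trampoline']:08X} -> {p['resume']:08X} "
                  f"({p['bytes_replaced']} bytes replaced)")
```

For PID 7092 this yields hook 77762F90 -> 0158000F with trampoline 01580005 -> 77762F95 (5 bytes replaced) and hook 7779DFF0 -> 01590013 with trampoline 01590007 -> 7779DFF7 (7 bytes replaced); PID 2440 is the same layout relocated to 011Dxxxx/011Exxxx. The detour entry points land 10 and 12 bytes after their trampoline stubs, which is why the pairing check also confirms the detour is adjacent to the stub. To identify the hooked functions, resolve the two shared addresses against the module list of the same VM snapshot; the report does not provide that mapping.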
Source: C:\Users\user\Desktop\2k632W2O.exe |
System information queried: FirmwareTableInformation (twice) |
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe |
System information queried: FirmwareTableInformation (twice) |
Source: 2k632W2O.exe, 00000000.00000002.1233362169.000000000165E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: SBIEDLL.DLL?V |
Note: SystemFirmwareTableInformation returns the raw SMBIOS/ACPI tables, which is where hypervisor vendor strings appear; two queries per process (typically one for the size, one for the data) is the usual shape of a firmware-based VM check. SbieDll.dll is the Sandboxie user-mode DLL, so the string is a sandbox check by module name. Both checks also fire in the dropped copy, so the evasion repeats on every 5-minute task launch.
Source: C:\Users\user\Desktop\2k632W2O.exe |
RDTSC instruction interceptor: First address: 7550FE second address: 755C22 instructions: 0x00000000 rdtsc 0x00000002 cmp cx, ax 0x00000005 cmc 0x00000006 sub ebp, 00000008h 0x0000000c jmp 00007FB084E2BF7Bh 0x00000011 mov dword ptr [ebp+00h], edx 0x00000015 mov dword ptr [ebp+04h], eax 0x00000018 rol dl, 00000074h 0x0000001b mov edx, dword ptr [edi] 0x0000001d test edi, 2BEE051Bh 0x00000023 clc 0x00000024 lea edi, dword ptr [edi+00000004h] 0x0000002a test di, cx 0x0000002d test di, 6F02h 0x00000032 xor edx, ebx 0x00000034 stc 0x00000035 xor edx, 59512E5Eh 0x0000003b bswap edx 0x0000003d cmc 0x0000003e rol edx, 03h 0x00000041 sub edx, 20631BC0h 0x00000047 xor ebx, edx 0x00000049 add esi, edx 0x0000004b jmp 00007FB084A14BD4h 0x00000050 jmp 00007FB084CD4BB6h 0x00000055 lea ecx, dword ptr [esp+60h] 0x00000059 cmp ebp, ecx 0x0000005b jmp 00007FB084BB6B64h 0x00000060 ja 00007FB084F68E25h 0x00000066 jmp esi 0x00000068 mov ecx, dword ptr [ebp+00h] 0x0000006c rdtsc |
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe |
RDTSC instruction interceptor: First address: 7E50FE second address: 7E5C22 instructions: 0x00000000 rdtsc 0x00000002 cmp cx, ax 0x00000005 cmc 0x00000006 sub ebp, 00000008h 0x0000000c jmp 00007FB0849E30EBh 0x00000011 mov dword ptr [ebp+00h], edx 0x00000015 mov dword ptr [ebp+04h], eax 0x00000018 rol dl, 00000074h 0x0000001b mov edx, dword ptr [edi] 0x0000001d test edi, 2BEE051Bh 0x00000023 clc 0x00000024 lea edi, dword ptr [edi+00000004h] 0x0000002a test di, cx 0x0000002d test di, 6F02h 0x00000032 xor edx, ebx 0x00000034 stc 0x00000035 xor edx, 59512E5Eh 0x0000003b bswap edx 0x0000003d cmc 0x0000003e rol edx, 03h 0x00000041 sub edx, 20631BC0h 0x00000047 xor ebx, edx 0x00000049 add esi, edx 0x0000004b jmp 00007FB0845CBD44h 0x00000050 jmp 00007FB08488BD26h 0x00000055 lea ecx, dword ptr [esp+60h] 0x00000059 cmp ebp, ecx 0x0000005b jmp 00007FB08476DCD4h 0x00000060 ja 00007FB084B1FF95h 0x00000066 jmp esi 0x00000068 mov ecx, dword ptr [ebp+00h] 0x0000006c rdtsc |
Source: C:\Users\user\Desktop\2k632W2O.exe |
Special instruction interceptor: First address: F2F857 instructions rdtsc caused by: RDTSC with Trap Flag (TF) |
Source: C:\Users\user\Desktop\2k632W2O.exe |
Special instruction interceptor: First address: EA78A2 instructions rdtsc caused by: RDTSC with Trap Flag (TF) |
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe |
Special instruction interceptor: First address: FBF857 instructions rdtsc caused by: RDTSC with Trap Flag (TF) |
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe |
Special instruction interceptor: First address: F378A2 instructions rdtsc caused by: RDTSC with Trap Flag (TF) |
Note: the listing above brackets a block of obfuscation (cmc/clc/stc and test instructions with immediates that affect nothing) between two rdtsc reads, a timing check for single-stepping or instrumentation. Every address in the dropped copy is exactly 0x90000 higher than its counterpart in the original (7E50FE vs 7550FE, FBF857 vs F2F857, F378A2 vs EA78A2), which again shows the two are the same image at a different load address.
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe |
Window / User API: threadDelayed 1190 |
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe |
Window / User API: threadDelayed 8805 |
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe TID: 2696 |
Thread sleep count: 1190 > 30 |
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe TID: 2696 |
Thread sleep time: -267750s >= -30000s |
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe TID: 2696 |
Thread sleep count: 8805 > 30 |
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe TID: 2696 |
Thread sleep time: -1981125s >= -30000s |
Note: both totals divide exactly by their call counts (267750 / 1190 = 225 and 1981125 / 8805 = 225, in the report's units), so thread 2696 sits in a loop of short, identical sleeps rather than one long sleep; many small delays defeat sandboxes that only fast-forward sleeps above a threshold. The sleep signatures fire only in the dropped copy.
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe (two threads) |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe (three instances) |
Last function: Thread delayed |
Source: C:\Users\user\Desktop\2k632W2O.exe |
System information queried: ModuleInformation |
Source: C:\Users\user\Desktop\2k632W2O.exe |
Process information queried: ProcessInformation |
Source: C:\Users\user\Desktop\2k632W2O.exe |
Thread information set: HideFromDebugger (twice) |
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe |
Thread information set: HideFromDebugger (twice) |
Source: C:\Users\user\Desktop\2k632W2O.exe |
System information queried: KernelDebuggerInformation |
Source: C:\Users\user\Desktop\2k632W2O.exe |
Process queried: DebugPort (twice), DebugObjectHandle (twice) |
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe |
Process queried: DebugPort (twice), DebugObjectHandle (twice) |
Note: this is the standard native anti-debug set. NtSetInformationThread(ThreadHideFromDebugger) detaches the calling thread from any attached debugger, NtQueryInformationProcess(ProcessDebugPort / ProcessDebugObjectHandle) detects a user-mode debugger, and NtQuerySystemInformation(SystemKernelDebuggerInformation) detects a kernel debugger; SystemModuleInformation returns the loaded driver list and is commonly used to look for analysis or hypervisor drivers. When debugging this sample, neutralise the checks at the Nt* stubs; patching IsDebuggerPresent alone does nothing here.
Source: Yara match |
File source: 5.2.PerfWatson2.exe.650000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.2k632W2O.exe.5c0000.0.unpack, type: UNPACKEDPE |