Create Interactive Tour

Windows Analysis Report
adobe.exe

Overview

General Information

Sample Name:	adobe.exe
Analysis ID:	681602
MD5:	5fc257144dd021e780cd0b216f92ae9f
SHA1:	d30127e641f56974143c12ce7ab6fad4fc1f96ee
SHA256:	aea0c2122e071934cd24add72b1102166d3db6a0ce2a13346fdbf075caf1d408
Tags:	exe
Infos:

Detection

Clipboard Hijacker

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Antivirus detection for dropped file

Yara detected Clipboard Hijacker

Hides threads from debuggers

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to evade analysis by execution special instruction (VM detection)

Tries to detect virtualization through RDTSC time measurements

Machine Learning detection for dropped file

Query firmware table information (likely to detect VMs)

Machine Learning detection for sample

Uses schtasks.exe or at.exe to add and modify task schedules

PE file contains section with special chars

Uses 32bit PE files

Yara signature match

Sample file is different than original file name gathered from version info

One or more processes crash

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

PE file contains an invalid checksum

Drops PE files

Checks if the current process is being debugged

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Creates a process in suspended mode (likely to inject code)

Entry point lies outside standard sections

Classification

Process Tree

System is w10x64

adobe.exe (PID: 5804 cmdline: "C:\Users\user\Desktop\adobe.exe" MD5: 5FC257144DD021E780CD0B216F92AE9F)

schtasks.exe (PID: 1656 cmdline: /C /create /F /sc minute /mo 5 /tn "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}" /tr "C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe" MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6140 cmdline: /C /Query /XML /TN "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}" MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5336 cmdline: /C /create /F /tn "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}" /XML "C:\Users\user\AppData\Roaming\Microsoft\PerfMon\1201824912038.xml" MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WerFault.exe (PID: 68 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5804 -s 256 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

PerfWatson2.exe (PID: 4264 cmdline: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe MD5: 5FC257144DD021E780CD0B216F92AE9F)

cleanup

Malware Configuration

Threatname: Clipboard Hijacker

{
  "Crypto Addresses": [
    "bnb1zh48nf24wpcarq8clwfmxg5uggwwa9cqtpz6xk",
    "cosmos1ljx6qdfud54mhquec20nncrsp9zn0pmvlhjfuy",
    "AaK9Z1EG6sZLfeVM3SkqUXFuamkDvBRfMy",
    "ltc1qt4fcag0vqjuujuc39gqa22kagq0az8drknguqm",
    "15Fmv94XicaqA7UeaJ4wMzx7fYmKF4KQgp",
    "Xb2miQJ1JjBJA6CTh1GYfDnzduSfRacTVg",
    "RPHzCWgKCM51Yzn3zCpASWdwyLb4izgSix",
    "TCMGJNpge4zw8iT9jvMS5a6UqTBMBEieZE",
    "DDw5pbCEQamTaASmMqyQ3NnHt7cjL33PGQ",
    "bc1q5l98ufxnknwrtnrwf6h7e9kevmggsa22yp9als",
    "88KRHRk5N3s2YmcREbzrUWBxrY7yt1bPUjZMFvp2xPpuQwNKbVdCBN41mCggHtQH9NLt2aRwDdBWLgVC2Pz6uErqTJwzprf",
    "rhvuzJbAdQ5kxzQqqCNGddoR1SQ7qztj4D",
    "3KWYojB3s5QjWr212NSvSyaKYacWbqgYjS",
    "ronin:f99068a66aE783dCe4f7a811b09fe1CF071E4414",
    "LggmPWTNgTPpY6evKrED2dy72wN9EDzgBQ",
    "Ae2tdPwUPEZEAgnvyWXvbopoiiamxVYigjqeateW1mBjk2pCNddeS62oQEp",
    "t1T8AFPn2G9oXE5ZPgAQSiipGwYyvgxavyX",
    "MGNAjHC6L1vBT5LMxCdmc2C9pZjfFbRMLK",
    "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}",
    "44goBid5BbgGkkDU9yK5hDNfR8gYn8b3q4uvqrT8SZE8ES1Mx72NXMVZ2eCurQKFwx3noTNXJR13bHCTdTbSqv6MMJpZfos",
    "4RV2KFCD2RY4CLCHWVJOUUMOSPZWNI6EWK3NFPAZWJ5W6ENA3OVAUPWDPA",
    "2Xf2E6aEU7n685eHEbXGYHrmWn2y7a62UWBrtZzodVdD",
    "0xf99068a66aE783dCe4f7a811b09fe1CF071E4414",
    "addr1q95y8wltcak778c8jvsch4j69te4er4almzxwfl0rcvvf6ntd7skfyvy37enm6fa5446a2tchdc9e8waaayjvvp78wws3m5vtg"
  ]
}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.270650568.0000000000371000.00000020.00000001.01000000.00000004.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x8e4:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
00000001.00000002.332032654.0000000001171000.00000020.00000001.01000000.00000003.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x8e4:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
00000001.00000000.269918618.0000000001171000.00000020.00000001.01000000.00000003.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x8e4:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
00000001.00000000.266754109.0000000001171000.00000020.00000001.01000000.00000003.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x8e4:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.adobe.exe.1170000.0.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0xce4:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
1.0.adobe.exe.1170000.2.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0xce4:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
7.2.PerfWatson2.exe.370000.0.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
7.2.PerfWatson2.exe.370000.0.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0xce4:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
1.0.adobe.exe.1170000.0.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0xce4:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
1.0.adobe.exe.1170000.1.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0xce4:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
Click to see the 1 entries

Joe Sandbox Signatures

• AV Detection
• Compliance
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Stealing of Sensitive Information

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: adobe.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe

Avira: detection malicious, Label: TR/Kryptik.tvtay

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: adobe.exe

Joe Sandbox ML: detected

Source: 7.2.PerfWatson2.exe.370000.0.unpack

Malware Configuration Extractor: Clipboard Hijacker {"Crypto Addresses": ["bnb1zh48nf24wpcarq8clwfmxg5uggwwa9cqtpz6xk", "cosmos1ljx6qdfud54mhquec20nncrsp9zn0pmvlhjfuy", "AaK9Z1EG6sZLfeVM3SkqUXFuamkDvBRfMy", "ltc1qt4fcag0vqjuujuc39gqa22kagq0az8drknguqm", "15Fmv94XicaqA7UeaJ4wMzx7fYmKF4KQgp", "Xb2miQJ1JjBJA6CTh1GYfDnzduSfRacTVg", "RPHzCWgKCM51Yzn3zCpASWdwyLb4izgSix", "TCMGJNpge4zw8iT9jvMS5a6UqTBMBEieZE", "DDw5pbCEQamTaASmMqyQ3NnHt7cjL33PGQ", "bc1q5l98ufxnknwrtnrwf6h7e9kevmggsa22yp9als", "88KRHRk5N3s2YmcREbzrUWBxrY7yt1bPUjZMFvp2xPpuQwNKbVdCBN41mCggHtQH9NLt2aRwDdBWLgVC2Pz6uErqTJwzprf", "rhvuzJbAdQ5kxzQqqCNGddoR1SQ7qztj4D", "3KWYojB3s5QjWr212NSvSyaKYacWbqgYjS", "ronin:f99068a66aE783dCe4f7a811b09fe1CF071E4414", "LggmPWTNgTPpY6evKrED2dy72wN9EDzgBQ", "Ae2tdPwUPEZEAgnvyWXvbopoiiamxVYigjqeateW1mBjk2pCNddeS62oQEp", "t1T8AFPn2G9oXE5ZPgAQSiipGwYyvgxavyX", "MGNAjHC6L1vBT5LMxCdmc2C9pZjfFbRMLK", "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}", "44goBid5BbgGkkDU9yK5hDNfR8gYn8b3q4uvqrT8SZE8ES1Mx72NXMVZ2eCurQKFwx3noTNXJR13bHCTdTbSqv6MMJpZfos", "4RV2KFCD2RY4CLCHWVJOUUMOSPZWNI6EWK3NFPAZWJ5W6ENA3OVAUPWDPA", "2Xf2E6aEU7n685eHEbXGYHrmWn2y7a62UWBrtZzodVdD", "0xf99068a66aE783dCe4f7a811b09fe1CF071E4414", "addr1q95y8wltcak778c8jvsch4j69te4er4almzxwfl0rcvvf6ntd7skfyvy37enm6fa5446a2tchdc9e8waaayjvvp78wws3m5vtg"]}

Source: adobe.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: adobe.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.adobe.exe.1170000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 1.0.adobe.exe.1170000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 7.2.PerfWatson2.exe.370000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 1.0.adobe.exe.1170000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 1.0.adobe.exe.1170000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000007.00000002.270650568.0000000000371000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000001.00000002.332032654.0000000001171000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000001.00000000.269918618.0000000001171000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000001.00000000.266754109.0000000001171000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown

PE file contains section with special chars

Source: adobe.exe	Static PE information: section name: .?8V
Source: adobe.exe	Static PE information: section name: .4n#
Source: PerfWatson2.exe.1.dr	Static PE information: section name: .?8V
Source: PerfWatson2.exe.1.dr	Static PE information: section name: .4n#

Source: adobe.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1.2.adobe.exe.1170000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 1.0.adobe.exe.1170000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 7.2.PerfWatson2.exe.370000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 1.0.adobe.exe.1170000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 1.0.adobe.exe.1170000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000007.00000002.270650568.0000000000371000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000001.00000002.332032654.0000000001171000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000001.00000000.269918618.0000000001171000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000001.00000000.266754109.0000000001171000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09

Source: adobe.exe, 00000001.00000000.268747043.0000000001BA0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAdobeXMPScript.dllj% vs adobe.exe
Source: adobe.exe	Binary or memory string: OriginalFilenameAdobeXMPScript.dllj% vs adobe.exe

Source: C:\Users\user\Desktop\adobe.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5804 -s 256

Source: C:\Users\user\Desktop\adobe.exe

File read: C:\Users\user\Desktop\adobe.exe

Jump to behavior

Source: C:\Users\user\Desktop\adobe.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\adobe.exe "C:\Users\user\Desktop\adobe.exe"
Source: C:\Users\user\Desktop\adobe.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 5 /tn "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}" /tr "C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\adobe.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /Query /XML /TN "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\adobe.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /tn "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}" /XML "C:\Users\user\AppData\Roaming\Microsoft\PerfMon\1201824912038.xml"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\adobe.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5804 -s 256
Source: C:\Users\user\Desktop\adobe.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 5 /tn "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}" /tr "C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe"	Jump to behavior
Source: C:\Users\user\Desktop\adobe.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /Query /XML /TN "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}"	Jump to behavior
Source: C:\Users\user\Desktop\adobe.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /tn "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}" /XML "C:\Users\user\AppData\Roaming\Microsoft\PerfMon\1201824912038.xml"	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5240:120:WilError_01
Source: C:\Users\user\Desktop\adobe.exe	Mutant created: \Sessions\1\BaseNamedObjects\3113225624820686
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5804
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4012:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5400:120:WilError_01

Source: C:\Users\user\Desktop\adobe.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\PerfMon

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER671F.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.spyw.evad.winEXE@12/7@0/0

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: adobe.exe

Static file information: File size 6862862 > 1048576

Source: adobe.exe

Static PE information: Raw size of .g2v is bigger than: 0x100000 < 0x68a200

Source: adobe.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: adobe.exe	Static PE information: real checksum: 0x6920f6 should be: 0x6922d7
Source: PerfWatson2.exe.1.dr	Static PE information: real checksum: 0x6920f6 should be: 0x6922d7

Source: adobe.exe	Static PE information: section name: .?8V
Source: adobe.exe	Static PE information: section name: .4n#
Source: adobe.exe	Static PE information: section name: .g2v
Source: PerfWatson2.exe.1.dr	Static PE information: section name: .?8V
Source: PerfWatson2.exe.1.dr	Static PE information: section name: .4n#
Source: PerfWatson2.exe.1.dr	Static PE information: section name: .g2v

Source: initial sample

Static PE information: section where entry point is pointing to: .g2v

Source: C:\Users\user\Desktop\adobe.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\adobe.exe

Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 5 /tn "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}" /tr "C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe"

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Desktop\adobe.exe	Memory written: PID: 5804 base: 10E0005 value: E9 FB 99 3E 76	Jump to behavior
Source: C:\Users\user\Desktop\adobe.exe	Memory written: PID: 5804 base: 774C9A00 value: E9 0A 66 C1 89	Jump to behavior
Source: C:\Users\user\Desktop\adobe.exe	Memory written: PID: 5804 base: 10F0007 value: E9 7B 4C 41 76	Jump to behavior
Source: C:\Users\user\Desktop\adobe.exe	Memory written: PID: 5804 base: 77504C80 value: E9 8E B3 BE 89	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe	Memory written: PID: 4264 base: 12A0005 value: E9 FB 99 22 76	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe	Memory written: PID: 4264 base: 774C9A00 value: E9 0A 66 DD 89	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe	Memory written: PID: 4264 base: 12B0007 value: E9 7B 4C 25 76	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe	Memory written: PID: 4264 base: 77504C80 value: E9 8E B3 DA 89	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to evade analysis by execution special instruction (VM detection)

Source: C:\Users\user\Desktop\adobe.exe	Special instruction interceptor: First address: 00000000017845F3 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\adobe.exe	Special instruction interceptor: First address: 0000000001B62298 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe	Special instruction interceptor: First address: 00000000009845F3 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe	Special instruction interceptor: First address: 0000000000D62298 instructions rdtsc caused by: RDTSC with Trap Flag (TF)

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\adobe.exe	RDTSC instruction interceptor: First address: 00000000015675CA second address: 0000000001567607 instructions: 0x00000000 rdtsc 0x00000002 inc sp 0x00000004 xadd edi, edx 0x00000007 inc ecx 0x00000008 pop edi 0x00000009 inc bp 0x0000000b cmovnle edx, esp 0x0000000e inc ebp 0x0000000f test ah, cl 0x00000011 pop edi 0x00000012 cwde 0x00000013 dec eax 0x00000014 sub ebx, 4BF925DCh 0x0000001a inc ecx 0x0000001b pop ebp 0x0000001c dec eax 0x0000001d neg eax 0x0000001f sal cx, 0073h 0x00000023 inc sp 0x00000025 shld ebx, esp, 00000022h 0x00000029 popfd 0x0000002a inc cx 0x0000002c xchg edx, ecx 0x0000002e dec eax 0x0000002f cwde 0x00000030 inc esp 0x00000031 mov dl, al 0x00000033 pop ecx 0x00000034 inc ecx 0x00000035 pop esp 0x00000036 pop ebx 0x00000037 dec ecx 0x00000038 arpl di, ax 0x0000003a lahf 0x0000003b inc ecx 0x0000003c pop esi 0x0000003d rdtsc
Source: C:\Users\user\Desktop\adobe.exe	RDTSC instruction interceptor: First address: 0000000001B1D5C6 second address: 0000000001B1D5DD instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 movsx eax, dx 0x00000006 inc ecx 0x00000007 pop esp 0x00000008 not si 0x0000000b dec ebp 0x0000000c arpl di, si 0x0000000e pop ebx 0x0000000f dec ebp 0x00000010 movsx esi, si 0x00000013 dec eax 0x00000014 cwde 0x00000015 inc ecx 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\adobe.exe	RDTSC instruction interceptor: First address: 000000000134AA0D second address: 00000000013A9550 instructions: 0x00000000 rdtsc 0x00000002 cmc 0x00000003 test bh, 00000001h 0x00000006 sub esi, 00000008h 0x0000000c cmp ch, 00000000h 0x0000000f mov dword ptr [esi], edx 0x00000011 jmp 00007F35E0F7CA42h 0x00000016 mov dword ptr [esi+04h], eax 0x00000019 mov eax, dword ptr [ebp+00h] 0x0000001d cmp ebx, 1B3B7F0Bh 0x00000023 test ah, bl 0x00000025 clc 0x00000026 add ebp, 00000004h 0x0000002c xor eax, ebx 0x0000002e jmp 00007F35E11C807Ah 0x00000033 inc eax 0x00000034 clc 0x00000035 ror eax, 1 0x00000037 jmp 00007F35E11C5B7Ah 0x0000003c inc eax 0x0000003d cmc 0x0000003e rol eax, 1 0x00000040 cmc 0x00000041 stc 0x00000042 lea eax, dword ptr [eax-039B53DBh] 0x00000048 cmp ax, bx 0x0000004b test sp, cx 0x0000004e xor ebx, eax 0x00000050 cmp esi, ebp 0x00000052 test si, 28D4h 0x00000057 add edi, eax 0x00000059 jmp 00007F35E10F723Fh 0x0000005e jmp 00007F35E1019EECh 0x00000063 lea edx, dword ptr [esp+60h] 0x00000067 stc 0x00000068 cmp esi, edx 0x0000006a jmp 00007F35E0E6EE94h 0x0000006f ja 00007F35E10CE394h 0x00000075 push edi 0x00000076 ret 0x00000077 mov ecx, dword ptr [esi] 0x00000079 cwde 0x0000007a rdtsc
Source: C:\Users\user\Desktop\adobe.exe	RDTSC instruction interceptor: First address: 00000000014ED9EE second address: 00000000013A9550 instructions: 0x00000000 rdtsc 0x00000002 cmp cl, bh 0x00000004 lea esi, dword ptr [esi-00000008h] 0x0000000a test esi, 1CBD071Ch 0x00000010 clc 0x00000011 mov dword ptr [esi], edx 0x00000013 test bh, FFFFFF88h 0x00000016 cmp ax, 0000134Fh 0x0000001a jmp 00007F35E0AC14E2h 0x0000001f mov dword ptr [esi+04h], eax 0x00000022 bts ax, dx 0x00000026 test di, dx 0x00000029 mov eax, dword ptr [ebp+00h] 0x0000002d test sp, 3C25h 0x00000032 cmc 0x00000033 add ebp, 00000004h 0x00000039 xor eax, ebx 0x0000003b jmp 00007F35E0AC8E05h 0x00000040 inc eax 0x00000041 clc 0x00000042 ror eax, 1 0x00000044 jmp 00007F35E0B5B7D4h 0x00000049 inc eax 0x0000004a stc 0x0000004b rol eax, 1 0x0000004d stc 0x0000004e lea eax, dword ptr [eax-039B53DBh] 0x00000054 xor ebx, eax 0x00000056 add edi, eax 0x00000058 jmp 00007F35E0E7B476h 0x0000005d lea edx, dword ptr [esp+60h] 0x00000061 stc 0x00000062 cmp esi, edx 0x00000064 jmp 00007F35E09D18D4h 0x00000069 ja 00007F35E0C30DD4h 0x0000006f push edi 0x00000070 ret 0x00000071 mov ecx, dword ptr [esi] 0x00000073 cwde 0x00000074 rdtsc
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe	RDTSC instruction interceptor: First address: 00000000007675CA second address: 0000000000767607 instructions: 0x00000000 rdtsc 0x00000002 inc sp 0x00000004 xadd edi, edx 0x00000007 inc ecx 0x00000008 pop edi 0x00000009 inc bp 0x0000000b cmovnle edx, esp 0x0000000e inc ebp 0x0000000f test ah, cl 0x00000011 pop edi 0x00000012 cwde 0x00000013 dec eax 0x00000014 sub ebx, 4BF925DCh 0x0000001a inc ecx 0x0000001b pop ebp 0x0000001c dec eax 0x0000001d neg eax 0x0000001f sal cx, 0073h 0x00000023 inc sp 0x00000025 shld ebx, esp, 00000022h 0x00000029 popfd 0x0000002a inc cx 0x0000002c xchg edx, ecx 0x0000002e dec eax 0x0000002f cwde 0x00000030 inc esp 0x00000031 mov dl, al 0x00000033 pop ecx 0x00000034 inc ecx 0x00000035 pop esp 0x00000036 pop ebx 0x00000037 dec ecx 0x00000038 arpl di, ax 0x0000003a lahf 0x0000003b inc ecx 0x0000003c pop esi 0x0000003d rdtsc
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe	RDTSC instruction interceptor: First address: 0000000000D1D5C6 second address: 0000000000D1D5DD instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 movsx eax, dx 0x00000006 inc ecx 0x00000007 pop esp 0x00000008 not si 0x0000000b dec ebp 0x0000000c arpl di, si 0x0000000e pop ebx 0x0000000f dec ebp 0x00000010 movsx esi, si 0x00000013 dec eax 0x00000014 cwde 0x00000015 inc ecx 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe	RDTSC instruction interceptor: First address: 000000000054AA0D second address: 00000000005A9550 instructions: 0x00000000 rdtsc 0x00000002 cmc 0x00000003 test bh, 00000001h 0x00000006 sub esi, 00000008h 0x0000000c cmp ch, 00000000h 0x0000000f mov dword ptr [esi], edx 0x00000011 jmp 00007F35E0F7CA42h 0x00000016 mov dword ptr [esi+04h], eax 0x00000019 mov eax, dword ptr [ebp+00h] 0x0000001d cmp ebx, 1B3B7F0Bh 0x00000023 test ah, bl 0x00000025 clc 0x00000026 add ebp, 00000004h 0x0000002c xor eax, ebx 0x0000002e jmp 00007F35E11C807Ah 0x00000033 inc eax 0x00000034 clc 0x00000035 ror eax, 1 0x00000037 jmp 00007F35E11C5B7Ah 0x0000003c inc eax 0x0000003d cmc 0x0000003e rol eax, 1 0x00000040 cmc 0x00000041 stc 0x00000042 lea eax, dword ptr [eax-039B53DBh] 0x00000048 cmp ax, bx 0x0000004b test sp, cx 0x0000004e xor ebx, eax 0x00000050 cmp esi, ebp 0x00000052 test si, 28D4h 0x00000057 add edi, eax 0x00000059 jmp 00007F35E10F723Fh 0x0000005e jmp 00007F35E1019EECh 0x00000063 lea edx, dword ptr [esp+60h] 0x00000067 stc 0x00000068 cmp esi, edx 0x0000006a jmp 00007F35E0E6EE94h 0x0000006f ja 00007F35E10CE394h 0x00000075 push edi 0x00000076 ret 0x00000077 mov ecx, dword ptr [esi] 0x00000079 cwde 0x0000007a rdtsc
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe	RDTSC instruction interceptor: First address: 00000000006ED9EE second address: 00000000005A9550 instructions: 0x00000000 rdtsc 0x00000002 cmp cl, bh 0x00000004 lea esi, dword ptr [esi-00000008h] 0x0000000a test esi, 1CBD071Ch 0x00000010 clc 0x00000011 mov dword ptr [esi], edx 0x00000013 test bh, FFFFFF88h 0x00000016 cmp ax, 0000134Fh 0x0000001a jmp 00007F35E0AC14E2h 0x0000001f mov dword ptr [esi+04h], eax 0x00000022 bts ax, dx 0x00000026 test di, dx 0x00000029 mov eax, dword ptr [ebp+00h] 0x0000002d test sp, 3C25h 0x00000032 cmc 0x00000033 add ebp, 00000004h 0x00000039 xor eax, ebx 0x0000003b jmp 00007F35E0AC8E05h 0x00000040 inc eax 0x00000041 clc 0x00000042 ror eax, 1 0x00000044 jmp 00007F35E0B5B7D4h 0x00000049 inc eax 0x0000004a stc 0x0000004b rol eax, 1 0x0000004d stc 0x0000004e lea eax, dword ptr [eax-039B53DBh] 0x00000054 xor ebx, eax 0x00000056 add edi, eax 0x00000058 jmp 00007F35E0E7B476h 0x0000005d lea edx, dword ptr [esp+60h] 0x00000061 stc 0x00000062 cmp esi, edx 0x00000064 jmp 00007F35E09D18D4h 0x00000069 ja 00007F35E0C30DD4h 0x0000006f push edi 0x00000070 ret 0x00000071 mov ecx, dword ptr [esi] 0x00000073 cwde 0x00000074 rdtsc

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\adobe.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\Desktop\adobe.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe	System information queried: FirmwareTableInformation	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\adobe.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\adobe.exe

System information queried: ModuleInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\adobe.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\adobe.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\adobe.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Source: C:\Users\user\Desktop\adobe.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\adobe.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\adobe.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\adobe.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\adobe.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\adobe.exe

Process created: C:\Windows\SysWOW64\schtasks.exe /C /Query /XML /TN "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}"

Jump to behavior

Stealing of Sensitive Information

Yara detected Clipboard Hijacker

Source: Yara match

File source: 7.2.PerfWatson2.exe.370000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	1 Credential API Hooking	42 Security Software Discovery	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	22 Virtualization/Sandbox Evasion	LSASS Memory	22 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	22 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
adobe.exe	100%	Avira	TR/Kryptik.tvtay
adobe.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe	100%	Avira	TR/Kryptik.tvtay
C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.0.adobe.exe.1170000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.adobe.exe.1170000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
7.0.PerfWatson2.exe.370000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.2.adobe.exe.1170000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.adobe.exe.1170000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
7.2.PerfWatson2.exe.370000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	681602
Start date and time:	2022-08-10 12:12:07 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	adobe.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.spyw.evad.winEXE@12/7@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.189.173.21
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, onedsblobprdwus16.westus.cloudapp.azure.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
12:13:17	Task Scheduler	Run new task: PerformanceMonitor_{Y6F7A6L1Q3V2W4S7} path: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe
12:13:50	API Interceptor	1x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_adobe.exe_dd7d15bb85c383a52286d041f55c1399c0f3_3a60e45f_0009cb87\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8247719636418728
Encrypted:	false
SSDEEP:	192:xzAzrOlyi/Gm6HBUZMXIjgG/u7sBS274Ite:1CWylmSBUZMXIj7/u7sBX4Ite
MD5:	6AF6E7AB2D21659EAE703935DD08CD96
SHA1:	1CFB1FCA54B4F50B7D7941B2F41B00E62C3AEAA3
SHA-256:	AB9E4E36E65300727CA9CFF88833F7CFB2E6B1E6E466E149D4E69B23DA05CEBA
SHA-512:	A50809733BA99624DE7FAAE342D6EE9483ABAB89509AA0E9C03B8E6574B074E80B7D68EB5A847A8A3D17A2EE389A858ED8146B4532EC46CF7317511958B9305D
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.4.6.3.2.4.0.4.8.3.5.7.6.1.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.0.4.6.3.2.4.0.6.1.4.8.2.4.0.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.4.7.3.0.0.9.6.-.e.8.e.3.-.4.4.1.f.-.9.f.a.a.-.1.2.2.0.5.a.c.b.0.a.6.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.5.6.7.c.6.e.0.-.a.2.9.3.-.4.1.6.e.-.9.c.f.b.-.8.3.4.e.d.3.a.e.d.0.7.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.a.d.o.b.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.A.d.o.b.e.X.M.P.S.c.r.i.p.t...d.l.l.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.a.c.-.0.0.0.1.-.0.0.1.d.-.c.2.a.2.-.2.f.3.c.e.d.a.c.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.f.c.2.c.3.1.f.3.a.d.8.d.e.1.4.a.e.d.8.3.8.4.c.3.d.6.9.0.6.9.f.0.0.0.0.0.0.0.8.!.0.0.0.0.d.3.0.1.2.7.e.6.4.1.f.5.6.9.7.4.1.4.3.c.1.2.c.e.7.a.b.6.f.a.d.4.f.c.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER671F.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Aug 10 19:13:25 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	28486
Entropy (8bit):	2.5847862288169683
Encrypted:	false
SSDEEP:	192:LHz6eqBGnO/knkyveDBzm8mV5/pklAU53:aVMkyB8mV5/pkq
MD5:	80A3B6C53DA51B2CC967651B44158BB6
SHA1:	35A3B6C7F6470023218490DA28F4EF57BEE0392C
SHA-256:	AE184F6BF288B844BDB354C4DE94B79D7E2417D4C42CE4A2AAE1CEF249C7E9DD
SHA-512:	B883CFD411413BE7CFC6658071C534052BC2790A0DD138A6A3AAB5094CB790F1DF0CB12F9ACF337F4AE89654CF7B0BF1484D482355CF7FE6D2E6E9AAF2926E49
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......U..b............4...............<.......d...V ..........T.......8...........T................a..........T...........@....................................................................U...........B..............GenuineIntelW...........T...........H..b.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6982.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8286
Entropy (8bit):	3.6924930747003146
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNifNT66t46YWMSUF9WgmfQFSxCpra89bEdsfKMm:RrlsNiR6+46Y9SUF9WgmfQFSqEWfg
MD5:	BAF44526149D571DFE0E587914043952
SHA1:	95D3689A83B8E37DCA6FB5A2F13FBC6804960B5C
SHA-256:	4E881FA6465FD6253E923618418D3B5BEA1F8E82C0C95FD8FB3D00318293547C
SHA-512:	6264269A7EE47039634372DB32E013386680C1903BAB0FE0DA493E9C839DC29645A569D3A1627A42380543D15FBDB9AA1BB3E5C6CC7C72705A6913F5A6E3C354
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.8.0.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6AAC.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4624
Entropy (8bit):	4.441611647686767
Encrypted:	false
SSDEEP:	48:cvIwSD8zsKrJgtWI9L7Wgc8sqYjn8fm8M4JcNbEFE+q8ug+LVqwV2d:uITfCEKgrsqYoJ2ZwwV2d
MD5:	3DE3D77750D58FE58517E4B827853E80
SHA1:	9B455B39C55465967AFC40274FD945304199B489
SHA-256:	50A35D5615027394740F1ADF35DC02FD863D6C5CDC9E8858C8C9C14F10C239CB
SHA-512:	4D8A40C2FA9904D58A5582B895D16048D68CFDDBCD95699555B729A8159DBCE02B6A40A585C39EED5554C28D7C81861B4C19E77E15DFBC7499FDFED4B7913D87
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1641864" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\Roaming\Microsoft\PerfMon\1201824912038.xml

Download File

Process:	C:\Users\user\Desktop\adobe.exe
File Type:	XML 1.0 document, ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	1336
Entropy (8bit):	5.25315149842725
Encrypted:	false
SSDEEP:	24:2dcd4+ScOb/QsNZXeKtMhEMO5pwHYeGaDt0fORYcb0qv9TuVln:cmtOb4sN1eK6dOQHuaDnNuH
MD5:	AA38B4D5403E8685C16108218A178581
SHA1:	427C6D90786567031DA9163D399B959565AA8722
SHA-256:	2F8DD622C4D74A4EDA15069616D6AE6247F8D8FD5927A8426B80843ECD3B8EEA
SHA-512:	04FF1169FAFFBDA19A2182E0732B5E9DF1C0B9F12E61ABC88BA720C622C6817235632D7EB3F0CD9A7624F5175E42E8CEEFBEB5232BE1AC312EAA1AB4BA4B5C03
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>...<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">... <RegistrationInfo>... <Date>2022-08-10T12:13:17</Date>... <Author>computer\user</Author>... <URI>\PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}</URI>... </RegistrationInfo>... <Principals>... <Principal id="Author">... <UserId>S-1-5-21-3853321935-2125563209-4053062332-1002</UserId>... <LogonType>InteractiveToken</LogonType>... </Principal>... </Principals>... <Settings>... <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>... <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>... <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>... <IdleSettings>... <Duration>PT10M</Duration>... <WaitTimeout>PT1H</WaitTimeout>... <StopOnIdleEnd>false</StopOnIdleEnd>... <RestartOnIdle>false</RestartOnIdle>... </IdleSettings>... </Settings>... <Triggers>... <TimeTrigger>... <Star

C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe

Download File

Process:	C:\Users\user\Desktop\adobe.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6862862
Entropy (8bit):	7.970624139952025
Encrypted:	false
SSDEEP:	98304:J0CaQ8TyhHrc/gtSgtuarNHO51D/OowHVCwub6pLVcp52geDczAaS+rGbl:OLQ8TiHY/J9SH71fumpfge5axGh
MD5:	5FC257144DD021E780CD0B216F92AE9F
SHA1:	D30127E641F56974143C12CE7AB6FAD4FC1F96EE
SHA-256:	AEA0C2122E071934CD24ADD72B1102166D3DB6A0CE2A13346FDBF075CAF1D408
SHA-512:	CFDA7FFF630510F6F78037DB7015A510CC9F7EF8AA2F90F032407EF56005AA5C28429FAE0A959A8DC0A39D516256942C36E3C98AB656940CE2FFFD71A38261D7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L.b..................... ......ne?......0....@.......................... ....... i...@...................................;.x.......!............................................................................@:.@............................text............................... ..`.rdata.......0......................@..@.data...d....P......................@....?8V....=.9..`...................... ..`.4n#.........@:.....................@....g2v.... .h..P:...h................. ..`.reloc................h.............@..@.rsrc...!.............h.............@..@................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\adobe.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.970624139952025
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	adobe.exe
File size:	6862862
MD5:	5fc257144dd021e780cd0b216f92ae9f
SHA1:	d30127e641f56974143c12ce7ab6fad4fc1f96ee
SHA256:	aea0c2122e071934cd24add72b1102166d3db6a0ce2a13346fdbf075caf1d408
SHA512:	cfda7fff630510f6f78037db7015a510cc9f7ef8aa2f90f032407ef56005aa5c28429fae0a959a8dc0a39d516256942c36e3c98ab656940ce2fffd71a38261d7
SSDEEP:	98304:J0CaQ8TyhHrc/gtSgtuarNHO51D/OowHVCwub6pLVcp52geDczAaS+rGbl:OLQ8TiHY/J9SH71fumpfge5axGh
TLSH:	0D6633B7056911C5D5D6C83AC923FEA531F2132F1A81ACF8A9DD78C32601AF9E712E47
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L.b..................... ......ne?......0....@.......................... ....... i...@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x7f656e
Entrypoint Section:	.g2v
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x62CD4C8D [Tue Jul 12 10:27:25 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	d812527b5988192695ea156eae610de1

Entrypoint Preview

Instruction
call 00007F35E0C5336Ah
dec eax
ror eax, 1
neg eax
stc
jmp 00007F35E0C8B8E7h
not ecx
jmp 00007F35E122DBE0h
dec ecx
bswap ecx
cmc
stc
rol ecx, 03h
stc
sub ecx, 089E0121h
stc
jmp 00007F35E124C0B4h
dec edx
test eax, eax
cmp cl, FFFFFFEBh
not edx
cmc
clc
neg edx
clc
cmp esp, ebp
test cl, 00000047h
xor edx, 74021856h
jmp 00007F35E1249E6Eh
cmp dl, byte ptr [esi-408198E6h]
scasd
inc ebx
iretd
xchg eax, edx
mov bl, 00h
jne 00007F35E0C2C9BBh
wait
mov al, E5h
jns 00007F35E0C2C8E0h
add ecx, edi
rcr dword ptr [ecx-65CDDFDCh], cl

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3bfb08	0x78	.g2v
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa31000	0x721	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa30000	0x5e0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3a4000	0x40	.4n#
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1b1f	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3000	0x1108	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5000	0x64	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.?8V	0x6000	0x39d93d	0x0	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.4n#	0x3a4000	0x398	0x400	False	0.0615234375	data	0.35491919931271465	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.g2v	0x3a5000	0x68a120	0x68a200	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0xa30000	0x5e0	0x600	False	0.5305989583333334	data	4.33498953129231	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xa31000	0x721	0x800	False	0.380859375	data	3.7884710321489434	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xa310a0	0x504	data	English	United States
RT_MANIFEST	0xa315a4	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	LoadLibraryW
SHELL32.dll	SHGetFolderPathW
KERNEL32.dll	GetSystemTimeAsFileTime
USER32.dll	CharUpperBuffW
KERNEL32.dll	LocalAlloc, LocalFree, GetModuleFileNameW, ExitProcess, LoadLibraryA, GetModuleHandleA, GetProcAddress

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

• adobe.exe
• schtasks.exe
• conhost.exe
• schtasks.exe
• PerfWatson2.exe
• conhost.exe
• schtasks.exe
• conhost.exe
• WerFault.exe

Click to jump to process

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• adobe.exe
• schtasks.exe
• conhost.exe
• schtasks.exe
• PerfWatson2.exe
• conhost.exe
• schtasks.exe
• conhost.exe
• WerFault.exe

Click to jump to process

Target ID:	1
Start time:	12:13:12
Start date:	10/08/2022
Path:	C:\Users\user\Desktop\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\adobe.exe"
Imagebase:	0x1170000
File size:	6862862 bytes
MD5 hash:	5FC257144DD021E780CD0B216F92AE9F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Clipbanker_f9f9e79d, Description: unknown, Source: 00000001.00000002.332032654.0000000001171000.00000020.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Trojan_Clipbanker_f9f9e79d, Description: unknown, Source: 00000001.00000000.269918618.0000000001171000.00000020.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Trojan_Clipbanker_f9f9e79d, Description: unknown, Source: 00000001.00000000.266754109.0000000001171000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	4
Start time:	12:13:16
Start date:	10/08/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	/C /create /F /sc minute /mo 5 /tn "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}" /tr "C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe"
Imagebase:	0xf40000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	5
Start time:	12:13:17
Start date:	10/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	12:13:17
Start date:	10/08/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	/C /Query /XML /TN "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}"
Imagebase:	0xf40000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	7
Start time:	12:13:17
Start date:	10/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe
Imagebase:	0x370000
File size:	6862862 bytes
MD5 hash:	5FC257144DD021E780CD0B216F92AE9F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Clipbanker_f9f9e79d, Description: unknown, Source: 00000007.00000002.270650568.0000000000371000.00000020.00000001.01000000.00000004.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Show Windows behavior

Target ID:	8
Start time:	12:13:17
Start date:	10/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	9
Start time:	12:13:18
Start date:	10/08/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	/C /create /F /tn "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}" /XML "C:\Users\user\AppData\Roaming\Microsoft\PerfMon\1201824912038.xml"
Imagebase:	0xf40000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	10
Start time:	12:13:19
Start date:	10/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	12
Start time:	12:13:23
Start date:	10/08/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5804 -s 256
Imagebase:	0xcf0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report adobe.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Clipboard Hijacker

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_adobe.exe_dd7d15bb85c383a52286d041f55c1399c0f3_3a60e45f_0009cb87\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER671F.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6982.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6AAC.tmp.xml

C:\Users\user\AppData\Roaming\Microsoft\PerfMon\1201824912038.xml

C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe

C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
adobe.exe