Windows Analysis Report
mSLEwIfTGL.exe

Overview

General Information

Sample name: mSLEwIfTGL.exe
renamed because original name is a hash value
Original sample name: bce5589932044903237879f0e9e4840e.exe
Analysis ID: 1520463
MD5: bce5589932044903237879f0e9e4840e
SHA1: 2df044c89198fde64eb0b5a7c8182addf3486a2b
SHA256: 1c123f8cd194d826aaa48e97fa67b9db9faa1a5a1ada139f367d56904f6e0c04
Tags: exe, user-abuse_ch

Detection

CredGrabber, Meduza Stealer
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected CredGrabber
Yara detected Meduza Stealer
AI detected suspicious sample
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found evasive API chain (date check)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Terminates after testing mutex exists (may check infected machine status)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: mSLEwIfTGL.exe ReversingLabs: Detection: 31%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: mSLEwIfTGL.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: 0_2_00007FF76D661CF0 CryptUnprotectData,LocalFree, 0_2_00007FF76D661CF0
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: 0_2_00007FF76D627C80 CryptUnprotectData,LocalFree,_invalid_parameter_noinfo_noreturn, 0_2_00007FF76D627C80
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: mSLEwIfTGL.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: 0_2_00007FF76D6AC088 FindClose,FindFirstFileExW,GetLastError, 0_2_00007FF76D6AC088
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: 0_2_00007FF76D6AC138 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle, 0_2_00007FF76D6AC138
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: 0_2_00007FF76D67AB00 GetLogicalDriveStringsW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF76D67AB00
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe File opened: D:\sources\migration\
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe File opened: D:\sources\replacementmanifests\
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe File opened: D:\sources\migration\wtr\
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe File opened: D:\sources\replacementmanifests\hwvid-migration-2\

Networking

Source: Network traffic Suricata IDS: 2049441 - Severity 1 - ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt : 192.168.2.4:49730 -> 176.124.204.206:15666
Source: Network traffic Suricata IDS: 2050806 - Severity 1 - ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2 : 192.168.2.4:49730 -> 176.124.204.206:15666
Source: Network traffic Suricata IDS: 2050807 - Severity 1 - ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP) : 192.168.2.4:49730 -> 176.124.204.206:15666
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 176.124.204.206:15666
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | Accept: text/html; text/plain; */* | Host: api.ipify.org | Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View ASN Name: GULFSTREAMUA GULFSTREAMUA
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS query: name: api.ipify.org
Source: unknown TCP traffic detected without corresponding DNS query: 176.124.204.206
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: 0_2_00007FF76D678A50 InternetOpenA,InternetOpenUrlA,HttpQueryInfoW,HttpQueryInfoW,InternetQueryDataAvailable,InternetReadFile,InternetQueryDataAvailable,InternetCloseHandle,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task, 0_2_00007FF76D678A50
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: 0_2_00007FF76D679310 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SHCreateMemStream,SelectObject,DeleteDC,ReleaseDC,DeleteObject,EnterCriticalSection,LeaveCriticalSection,GetObjectW,IStream_Size,IStream_Reset,IStream_Read,SelectObject,DeleteDC,ReleaseDC,DeleteObject,DeleteObject,EnterCriticalSection,EnterCriticalSection,GdiplusShutdown,LeaveCriticalSection,LeaveCriticalSection,_invalid_parameter_noinfo_noreturn, 0_2_00007FF76D679310
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: 0_2_00007FF76D67DD50 RtlAcquirePebLock,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,_invalid_parameter_noinfo_noreturn,CoInitializeEx,lstrcpyW,lstrcatW,CoGetObject,lstrcpyW,lstrcatW,CoGetObject,CoUninitialize, 0_2_00007FF76D67DD50
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: 0_2_00007FF76D67D610 GetModuleHandleA,GetProcAddress,OpenProcess,NtQuerySystemInformation,NtQuerySystemInformation,GetCurrentProcess,NtQueryObject,GetFinalPathNameByHandleA,CloseHandle,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF76D67D610
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: String function: 00007FF76D61D510 appears 63 times
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: String function: 00007FF76D621D20 appears 54 times
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: String function: 00007FF76D626990 appears 41 times
Source: classification engine Classification label: mal96.troj.spyw.winEXE@1/0@1/2
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: 0_2_00007FF76D62E5A0 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF76D62E5A0
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: 0_2_00007FF76D65F820 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,SysAllocStringByteLen,SysFreeString,SysAllocStringByteLen,SysFreeString,SysStringByteLen,SysFreeString,SysFreeString,SysStringByteLen,SysFreeString,SysFreeString,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF76D65F820
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Mutant created: \Sessions\1\BaseNamedObjects\Mmm-A33C734061CA11EE8C18806E6F6E69633C615BB6
Source: mSLEwIfTGL.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: mSLEwIfTGL.exe ReversingLabs: Detection: 31%
Source: mSLEwIfTGL.exe String found in binary or memory: --help
Source: mSLEwIfTGL.exe String found in binary or memory: ipportgrabber_max_sizeextensionslinksbuild_nameself_destructtype must be boolean, but is type must be number, but is 0123456789ABCDEFntdll.dllFile DownloaderabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+=-&^%$#@!(){}[},.;'runasopen bad variant accessfalsetrueBad any_cast[VAR... , [default: [required][nargs: or more] ..[nargs= to or more provided. argument(s) expected. : required.: no value provided.-=--help-hshows help message and exits--version-vprints version information and exitsNo such argument:
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: mSLEwIfTGL.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: mSLEwIfTGL.exe Static file information: File size 1117696 > 1048576
Source: mSLEwIfTGL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: mSLEwIfTGL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: mSLEwIfTGL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: mSLEwIfTGL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: mSLEwIfTGL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: mSLEwIfTGL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: mSLEwIfTGL.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: mSLEwIfTGL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: mSLEwIfTGL.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: mSLEwIfTGL.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: mSLEwIfTGL.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: mSLEwIfTGL.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: mSLEwIfTGL.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: 0_2_00007FF76D62D510 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF76D62D510
Source: mSLEwIfTGL.exe Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: 0_2_00007FF76D65CB00 push rsp; retf 0_2_00007FF76D65CBA1
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: 0_2_00007FF76D65CBBC push rsp; retf 0_2_00007FF76D65CBBD
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: 0_2_00007FF76D65CBB8 push rsp; retf 0_2_00007FF76D65CBB9
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: 0_2_00007FF76D65CBC4 push rsp; retf 0_2_00007FF76D65CBC5
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: 0_2_00007FF76D65CBC0 push rsp; retf 0_2_00007FF76D65CBC1
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: 0_2_00007FF76D65CBAC push rsp; retf 0_2_00007FF76D65CBAD
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: 0_2_00007FF76D65CBB4 push rsp; retf 0_2_00007FF76D65CBB5
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: 0_2_00007FF76D65CBB0 push rsp; retf 0_2_00007FF76D65CBB1
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: 0_2_00007FF76D6677F0 _invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,ExitProcess,ExitProcess,OpenMutexA,ExitProcess,CreateMutexExA,ExitProcess,ReleaseMutex,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF76D6677F0
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: 0_2_00007FF76D6AC088 FindClose,FindFirstFileExW,GetLastError, 0_2_00007FF76D6AC088
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: 0_2_00007FF76D6AC138 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle, 0_2_00007FF76D6AC138
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: 0_2_00007FF76D67AB00 GetLogicalDriveStringsW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF76D67AB00
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: 0_2_00007FF76D690220 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect, 0_2_00007FF76D690220
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe File opened: D:\sources\migration\
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe File opened: D:\sources\replacementmanifests\
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe File opened: D:\sources\migration\wtr\
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe File opened: D:\sources\replacementmanifests\hwvid-migration-2\
Source: mSLEwIfTGL.exe, 00000000.00000002.2032359148.000001582EFCE000.00000004.00000020.00020000.00000000.sdmp, mSLEwIfTGL.exe, 00000000.00000002.2032359148.000001582EF89000.00000004.00000020.00020000.00000000.sdmp, mSLEwIfTGL.exe, 00000000.00000003.1853410663.000001582EFE8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: 0_2_00007FF76D67DD50 RtlAcquirePebLock,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,_invalid_parameter_noinfo_noreturn,CoInitializeEx,lstrcpyW,lstrcatW,CoGetObject,lstrcpyW,lstrcatW,CoGetObject,CoUninitialize, 0_2_00007FF76D67DD50
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: 0_2_00007FF76D688A38 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF76D688A38
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: 0_2_00007FF76D6AE2B0 GetLastError,IsDebuggerPresent,OutputDebugStringW, 0_2_00007FF76D6AE2B0
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: 0_2_00007FF76D62D510 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF76D62D510
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: 0_2_00007FF76D688A38 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF76D688A38
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: 0_2_00007FF76D6A5870 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF76D6A5870
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: GetLocaleInfoW, 0_2_00007FF76D6950AC
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00007FF76D69FFF0
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: EnumSystemLocalesW, 0_2_00007FF76D69FAE4
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: GetLocaleInfoEx,FormatMessageA, 0_2_00007FF76D6ABC84
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: EnumSystemLocalesW, 0_2_00007FF76D694B68
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: EnumSystemLocalesW, 0_2_00007FF76D69FBB4
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_00007FF76D69F798
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00007FF76D6A01CC
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation TimeZoneKeyName
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: 0_2_00007FF76D68F67C GetSystemTimeAsFileTime, 0_2_00007FF76D68F67C
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: 0_2_00007FF76D679A60 GetUserNameW, 0_2_00007FF76D679A60
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Code function: 0_2_00007FF76D67ADB0 GetTimeZoneInformation, 0_2_00007FF76D67ADB0

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: mSLEwIfTGL.exe PID: 2916, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mSLEwIfTGL.exe PID: 2916, type: MEMORYSTR
Source: mSLEwIfTGL.exe, 00000000.00000002.2032359148.000001582EF89000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Electrum-LTC\config
Source: mSLEwIfTGL.exe, 00000000.00000002.2032359148.000001582EF89000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ElectronCash\config
Source: mSLEwIfTGL.exe, 00000000.00000002.2032359148.000001582EFCE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 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
Source: mSLEwIfTGL.exe, 00000000.00000002.2032359148.000001582EF89000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Exodus\exodus.wallet
Source: mSLEwIfTGL.exe, 00000000.00000002.2032359148.000001582EF89000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ethereum\keystore
Source: mSLEwIfTGL.exe, 00000000.00000002.2032359148.000001582EF89000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ethereum\keystore
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCK
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
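
Added example, not part of the Joe Sandbox report or of the sample: a small Python IOC extractor for the evidence lines listed above (mutex, registry keys, browser and wallet file paths), with a matcher that applies those indicators to endpoint file/registry/mutex telemetry. The evidence lines embedded in the block are copied from this report; the telemetry records, the process names and PIDs in them, and the browser allowlist are constructed assumptions. The extractor drops the session-specific \Sessions\N\BaseNamedObjects\ prefix from the mutex and wildcards the per-user directory and the random Firefox profile directory, because those components differ on every victim host while the rest of the path does not.

```python
"""IOC extraction from Joe Sandbox-style evidence lines, plus a matcher that
applies the extracted indicators to endpoint telemetry.

Added example, not part of the sandbox report. EVIDENCE_LINES are copied from
the report; SAMPLE_EVENTS, the process names, PIDs and ALLOWED_IMAGES are
constructed for illustration.
"""
import fnmatch
import re
from collections import defaultdict

# Verbatim evidence lines from the report (one still carries the page's
# "Jump to behavior" link text, which the parser tolerates).
EVIDENCE_LINES = [
    r"Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Mutant created: \Sessions\1\BaseNamedObjects\Mmm-A33C734061CA11EE8C18806E6F6E69633C615BB6",
    r"Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core",
    r"Source: C:\Users\user\Desktop\mSLEwIfTGL.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db",
    r"Source: C:\Users\user\Desktop\mSLEwIfTGL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Users\user\Desktop\mSLEwIfTGL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies",
    r"Source: C:\Users\user\Desktop\mSLEwIfTGL.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior",
]

LINE_RE = re.compile(
    r"^Source: (?P<src>\S+) (?P<kind>Mutant created|Key opened|Key value queried|"
    r"File opened|Section loaded): (?P<value>.+?)(?: Jump to behavior)?$"
)
USER_DIR_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.IGNORECASE)
FF_PROFILE_RE = re.compile(r"(Firefox\\Profiles\\)[^\\]+\\", re.IGNORECASE)


def normalize_user(path):
    """Replace the per-user prefix so paths compare across machines."""
    return USER_DIR_RE.sub(r"%USERPROFILE%\\", path)


def to_pattern(path):
    """Turn a sandbox-observed path into an fnmatch pattern: user prefix
    generalized, Firefox's random profile directory replaced by '*'."""
    return FF_PROFILE_RE.sub(r"\g<1>*\\", normalize_user(path))


def extract_iocs(lines):
    """Group evidence values by kind; mutex names lose their session prefix,
    file paths become patterns, registry keys are kept verbatim."""
    iocs = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, value = m["kind"], m["value"]
        if kind == "Mutant created":
            value = value.rsplit("\\", 1)[-1]
        elif kind == "File opened":
            value = to_pattern(value)
        iocs[kind].add(value)
    return iocs


# Images expected to open their own credential stores (assumption).
ALLOWED_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}


def match_events(iocs, events):
    """Return (pid, reason, target) for telemetry records that hit an IOC.
    Each event is a dict with keys pid, image, op, target; op is one of
    'file_open', 'reg_open', 'mutex_create'."""
    hits = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        target = ev["target"]
        if ev["op"] == "mutex_create":
            if target.rsplit("\\", 1)[-1] in iocs["Mutant created"]:
                hits.append((ev["pid"], "known stealer mutex", target))
        elif ev["op"] == "reg_open":
            if target in iocs["Key opened"]:
                hits.append((ev["pid"], "wallet/mail profile key opened", target))
        elif ev["op"] == "file_open" and image not in ALLOWED_IMAGES:
            norm = normalize_user(target)
            if any(fnmatch.fnmatchcase(norm, pat) for pat in iocs["File opened"]):
                hits.append((ev["pid"], "credential store read by non-browser process", target))
    return hits


# Constructed telemetry: the process, PIDs and profile directory are made up.
SAMPLE_EVENTS = [
    {"pid": 4412, "image": r"C:\Users\alice\Downloads\invoice.exe", "op": "mutex_create",
     "target": r"\Sessions\2\BaseNamedObjects\Mmm-A33C734061CA11EE8C18806E6F6E69633C615BB6"},
    {"pid": 4412, "image": r"C:\Users\alice\Downloads\invoice.exe", "op": "file_open",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4412, "image": r"C:\Users\alice\Downloads\invoice.exe", "op": "file_open",
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default-release\key4.db"},
    {"pid": 4412, "image": r"C:\Users\alice\Downloads\invoice.exe", "op": "reg_open",
     "target": r"HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core"},
    {"pid": 4412, "image": r"C:\Users\alice\Downloads\invoice.exe", "op": "file_open",
     "target": r"C:\Users\alice\Documents\notes.txt"},
    {"pid": 1180, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "op": "file_open",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]


def run_demo():
    return match_events(extract_iocs(EVIDENCE_LINES), SAMPLE_EVENTS)


if __name__ == "__main__":
    for pid, reason, target in run_demo():
        print(f"pid {pid}: {reason}: {target}")
```

Run stand-alone, the demo flags four of the six constructed events, all from the non-browser process: the mutex (despite being created in session 2 rather than the sandbox's session 1), the Chrome Login Data read, the Firefox key4.db read under a different profile directory, and the monero-core key. Chrome reading its own Login Data and the unrelated notes.txt read are not flagged. The allowlist is deliberately coarse; in production, pair the image name with a signature or hash check, since a stealer can be renamed chrome.exe.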

Remote Access Functionality

Source: Yara match File source: Process Memory Space: mSLEwIfTGL.exe PID: 2916, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mSLEwIfTGL.exe PID: 2916, type: MEMORYSTR