Edit tour

Windows Analysis Report
mluxGOTw1e.exe

Overview

General Information

Sample name:	mluxGOTw1e.exe renamed because original name is a hash value
Original sample name:	26e5c31684960235c5ca7963770edc5488533b3fd58de9ffc46f3d297228ec3b.exe
Analysis ID:	1542727
MD5:	e516d0f273821697860cb7e606aa531e
SHA1:	28eda2de9a7acaad4fe4abc5ee927948e94d07de
SHA256:	26e5c31684960235c5ca7963770edc5488533b3fd58de9ffc46f3d297228ec3b
Tags:	CloudflareTunnelsRATexeuser-JAMESWT_MHT
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Early bird code injection technique detected

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected XWorm

Yara detected generic Shellcode Injector

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Found direct / indirect Syscall (likely to bypass EDR)

Hijacks the control flow in another process

Machine Learning detection for sample

Queues an APC in another process (thread injection)

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Yara signature match

Classification

Process Tree

System is w10x64

mluxGOTw1e.exe (PID: 2140 cmdline: "C:\Users\user\Desktop\mluxGOTw1e.exe" MD5: E516D0F273821697860CB7E606AA531E)

conhost.exe (PID: 2724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

notepad.exe (PID: 6544 cmdline: C:\Windows\System32\notepad.exe MD5: 27F71B12CB585541885A31BE22F61C83)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["https://pastebin.com/raw/zcGavZvr"], "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.1"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
mluxGOTw1e.exe	JoeSecurity_Shellcode_Injector	Yara detected generic Shellcode Injector	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
\Device\ConDrv	JoeSecurity_Shellcode_Injector	Yara detected generic Shellcode Injector	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1874303894.00007FF74951D000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Shellcode_Injector	Yara detected generic Shellcode Injector	Joe Security
00000000.00000000.1259736705.00007FF74951D000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Shellcode_Injector	Yara detected generic Shellcode Injector	Joe Security
00000003.00000002.1912189653.000002DE31470000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000003.00000002.1912189653.000002DE31470000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7995:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7a32:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7b47:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7643:$cnc4: POST / HTTP/1.1
00000003.00000002.1912343597.000002DE317A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000003.00000002.1912343597.000002DE317A1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1380d:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1c7dc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x138aa:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1c894:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x139bf:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1c9c4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x134bb:$cnc4: POST / HTTP/1.1
00000003.00000002.1911703858.000002DE2F9C0000.00000020.00000001.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xa4af:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0xcf17:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000003.00000002.1911703858.000002DE2F9C0000.00000020.00000001.00020000.00000000.sdmp	Windows_Trojan_Donutloader_5c38878d	unknown	unknown	0xac06:$a: 24 48 03 C2 48 89 44 24 28 41 8A 00 84 C0 74 14 33 D2 FF C1
Process Memory Space: mluxGOTw1e.exe PID: 2140	JoeSecurity_Shellcode_Injector	Yara detected generic Shellcode Injector	Joe Security
Process Memory Space: notepad.exe PID: 6544	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.notepad.exe.2de31470000.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
3.2.notepad.exe.2de31470000.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7995:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7a32:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7b47:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7643:$cnc4: POST / HTTP/1.1
3.2.notepad.exe.2de31470000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
3.2.notepad.exe.2de31470000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x5b95:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5c32:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5d47:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x5843:$cnc4: POST / HTTP/1.1
3.2.notepad.exe.2de317ace78.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
3.2.notepad.exe.2de317ace78.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x5b95:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5c32:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5d47:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x5843:$cnc4: POST / HTTP/1.1
3.2.notepad.exe.2de317ace78.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
3.2.notepad.exe.2de317ace78.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.notepad.exe.2de317ace78.1.raw.unpack	Unknown_Malware_Sample_Jul17_2	Detects unknown malware sample with pastebin RAW URL	Florian Roth	0x7fe6:$s1: 4System.Web.Services.Protocols.SoapHttpClientProtocol 0x108a4:$s2: https://pastebin.com/raw/ 0x7fa1:$s3: My.Computer 0x7f1e:$s4: MyTemplate
3.2.notepad.exe.2de317ace78.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7995:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10964:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7a32:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x10a1c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7b47:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x10b4c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7643:$cnc4: POST / HTTP/1.1
0.2.mluxGOTw1e.exe.7ff7494f0000.0.unpack	JoeSecurity_Shellcode_Injector	Yara detected generic Shellcode Injector	Joe Security
0.0.mluxGOTw1e.exe.7ff7494f0000.0.unpack	JoeSecurity_Shellcode_Injector	Yara detected generic Shellcode Injector	Joe Security
Click to see the 7 entries

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: mluxGOTw1e.exe

Avira: detected

Found malware configuration

Source: 00000003.00000002.1912343597.000002DE317A1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["https://pastebin.com/raw/zcGavZvr"], "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.1"}

Multi AV Scanner detection for submitted file

Source: mluxGOTw1e.exe	ReversingLabs: Detection: 63%
Source: mluxGOTw1e.exe	Virustotal: Detection: 68%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: mluxGOTw1e.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 3.2.notepad.exe.2de317ace78.1.raw.unpack	String decryptor: https://pastebin.com/raw/zcGavZvr
Source: 3.2.notepad.exe.2de317ace78.1.raw.unpack	String decryptor: <123456789>
Source: 3.2.notepad.exe.2de317ace78.1.raw.unpack	String decryptor: <Xwormmm>
Source: 3.2.notepad.exe.2de317ace78.1.raw.unpack	String decryptor: XWorm V5.1
Source: 3.2.notepad.exe.2de317ace78.1.raw.unpack	String decryptor: USB.exe

Source: mluxGOTw1e.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://pastebin.com/raw/zcGavZvr

Yara detected Generic Downloader

Source: Yara match

File source: 3.2.notepad.exe.2de317ace78.1.raw.unpack, type: UNPACKEDPE

Source: notepad.exe, 00000003.00000002.1912343597.000002DE317A1000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: https://pastebin.com/raw/zcGavZvr

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 3.2.notepad.exe.2de317ace78.1.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout
Source: 3.2.notepad.exe.2de31470000.0.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.notepad.exe.2de31470000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.notepad.exe.2de31470000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.notepad.exe.2de317ace78.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.notepad.exe.2de317ace78.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 3.2.notepad.exe.2de317ace78.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.1912189653.000002DE31470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.1912343597.000002DE317A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.1911703858.000002DE2F9C0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000003.00000002.1911703858.000002DE2F9C0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown

Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Code function: 0_2_00007FF7494F8490 NtProtectVirtualMemory,	0_2_00007FF7494F8490
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Code function: 0_2_00007FF7494F3A90 NtAllocateVirtualMemory,	0_2_00007FF7494F3A90
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Code function: 0_2_00007FF7494F3B90 NtQuerySystemInformation,	0_2_00007FF7494F3B90
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Code function: 0_2_00007FF7494F8580 NtResumeThread,	0_2_00007FF7494F8580
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Code function: 0_2_00007FF7494F3340 NtWriteVirtualMemory,	0_2_00007FF7494F3340
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Code function: 0_2_00007FF7494F8600 NtClose,	0_2_00007FF7494F8600
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Code function: 0_2_00007FF7494F34A0 NtDelayExecution,	0_2_00007FF7494F34A0

Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Code function: 0_2_00007FF7494F5350	0_2_00007FF7494F5350
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Code function: 0_2_00007FF7494F3D00	0_2_00007FF7494F3D00
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Code function: 0_2_00007FF7494F8670	0_2_00007FF7494F8670
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Code function: 0_2_00007FF749515590	0_2_00007FF749515590
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Code function: 0_2_00007FF74950AA70	0_2_00007FF74950AA70
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Code function: 0_2_00007FF749511C50	0_2_00007FF749511C50
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Code function: 0_2_00007FF7494F18B0	0_2_00007FF7494F18B0
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Code function: 0_2_00007FF7495013A0	0_2_00007FF7495013A0
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Code function: 0_2_00007FF74950EFD0	0_2_00007FF74950EFD0
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Code function: 0_2_00007FF7495061D0	0_2_00007FF7495061D0
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Code function: 0_2_00007FF7494FBBC0	0_2_00007FF7494FBBC0
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Code function: 0_2_00007FF74950D1B0	0_2_00007FF74950D1B0
Source: C:\Windows\System32\notepad.exe	Code function: 3_2_000002DE2F9CB503	3_2_000002DE2F9CB503
Source: C:\Windows\System32\notepad.exe	Code function: 3_2_000002DE2F9CB923	3_2_000002DE2F9CB923
Source: C:\Windows\System32\notepad.exe	Code function: 3_2_000002DE2F9CA8DB	3_2_000002DE2F9CA8DB
Source: C:\Windows\System32\notepad.exe	Code function: 3_2_000002DE2F9CC1E3	3_2_000002DE2F9CC1E3
Source: C:\Windows\System32\notepad.exe	Code function: 3_2_000002DE2F9CBD5B	3_2_000002DE2F9CBD5B

Source: mluxGOTw1e.exe, 00000000.00000002.1874364407.00007FF749533000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamemmc.exej% vs mluxGOTw1e.exe
Source: mluxGOTw1e.exe	Binary or memory string: OriginalFilenamemmc.exej% vs mluxGOTw1e.exe

Source: 3.2.notepad.exe.2de31470000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.notepad.exe.2de31470000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.notepad.exe.2de317ace78.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.notepad.exe.2de317ace78.1.raw.unpack, type: UNPACKEDPE	Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.notepad.exe.2de317ace78.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.1912189653.000002DE31470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.1912343597.000002DE317A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.1911703858.000002DE2F9C0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000003.00000002.1911703858.000002DE2F9C0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13

Source: mluxGOTw1e.exe

Static PE information: Section: .data ZLIB complexity 0.9976306352459017

Source: 3.2.notepad.exe.2de317ace78.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.notepad.exe.2de317ace78.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.notepad.exe.2de317ace78.1.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.notepad.exe.2de31470000.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.notepad.exe.2de31470000.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.notepad.exe.2de31470000.0.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 3.2.notepad.exe.2de317ace78.1.raw.unpack, Settings.cs	Base64 encoded string: 'xwoqsSmrUzNo5gXIWHk79SqXppaxaV51Jr6tg9sSxhqHJR0pvzkVEFZjcWn2KGIH'
Source: 3.2.notepad.exe.2de31470000.0.raw.unpack, Settings.cs	Base64 encoded string: 'xwoqsSmrUzNo5gXIWHk79SqXppaxaV51Jr6tg9sSxhqHJR0pvzkVEFZjcWn2KGIH'

Source: 3.2.notepad.exe.2de317ace78.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.2.notepad.exe.2de317ace78.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.notepad.exe.2de31470000.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.2.notepad.exe.2de31470000.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/2@0/0

Source: C:\Windows\System32\notepad.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\notepad.exe.log

Jump to behavior

Source: C:\Windows\System32\notepad.exe	Mutant created: \Sessions\1\BaseNamedObjects\re6wnw6XNd8YRfiR
Source: C:\Windows\System32\notepad.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2724:120:WilError_03

Source: mluxGOTw1e.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\mluxGOTw1e.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: mluxGOTw1e.exe	ReversingLabs: Detection: 63%
Source: mluxGOTw1e.exe	Virustotal: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\mluxGOTw1e.exe "C:\Users\user\Desktop\mluxGOTw1e.exe"
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Process created: C:\Windows\System32\notepad.exe C:\Windows\System32\notepad.exe
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Process created: C:\Windows\System32\notepad.exe C:\Windows\System32\notepad.exe	Jump to behavior

Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Windows\System32\notepad.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: mluxGOTw1e.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: mluxGOTw1e.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: mluxGOTw1e.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: mluxGOTw1e.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: mluxGOTw1e.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: mluxGOTw1e.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: mluxGOTw1e.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 3.2.notepad.exe.2de317ace78.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 3.2.notepad.exe.2de317ace78.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 3.2.notepad.exe.2de31470000.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 3.2.notepad.exe.2de31470000.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 3.2.notepad.exe.2de317ace78.1.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 3.2.notepad.exe.2de317ace78.1.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 3.2.notepad.exe.2de317ace78.1.raw.unpack, Messages.cs	.Net Code: Memory
Source: 3.2.notepad.exe.2de31470000.0.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 3.2.notepad.exe.2de31470000.0.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 3.2.notepad.exe.2de31470000.0.raw.unpack, Messages.cs	.Net Code: Memory

Source: mluxGOTw1e.exe	Static PE information: section name: .00cfg
Source: mluxGOTw1e.exe	Static PE information: section name: .retplne
Source: mluxGOTw1e.exe	Static PE information: section name: _sysc

Source: C:\Windows\System32\notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected generic Shellcode Injector

Source: Yara match	File source: mluxGOTw1e.exe, type: SAMPLE
Source: Yara match	File source: 0.2.mluxGOTw1e.exe.7ff7494f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.mluxGOTw1e.exe.7ff7494f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1874303894.00007FF74951D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1259736705.00007FF74951D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mluxGOTw1e.exe PID: 2140, type: MEMORYSTR
Source: Yara match	File source: \Device\ConDrv, type: DROPPED

Source: C:\Windows\System32\notepad.exe	Memory allocated: 2DE31450000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Windows\System32\notepad.exe	Memory allocated: 2DE497A0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Windows\System32\notepad.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\notepad.exe TID: 1988

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\System32\notepad.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Windows\System32\notepad.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\mluxGOTw1e.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\mluxGOTw1e.exe

Code function: 0_2_00007FF74951CEF8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00007FF74951CEF8

Source: C:\Windows\System32\notepad.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Users\user\Desktop\mluxGOTw1e.exe

Process created / APC Queued / Resumed: C:\Windows\System32\notepad.exe

Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\mluxGOTw1e.exe

Memory allocated: C:\Windows\System32\notepad.exe base: 2DE2F9C0000 protect: page read and write

Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\mluxGOTw1e.exe	NtQuerySystemInformation: Direct from: 0x7FF7494F3C15	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	NtAllocateVirtualMemory: Direct from: 0x7FF7494F3B59	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	NtDelayExecution: Direct from: 0x7FF7494F34E5	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	NtWriteVirtualMemory: Direct from: 0x7FF7494F33F2	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	NtProtectVirtualMemory: Direct from: 0x7FF7494F853F	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	NtClose: Direct from: 0x7FF7494F8636
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	NtResumeThread: Direct from: 0x7FF7494F85CA	Jump to behavior

Hijacks the control flow in another process

Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: PID: 6544 base: 2DE2F9C0052 value: E9			Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: PID: 6544 base: 2DE2F9C0189 value: E9			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\mluxGOTw1e.exe

Thread APC queued: target process: C:\Windows\System32\notepad.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0000	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0001	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0002	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0003	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0004	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0005	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0006	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0007	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0008	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0009	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C000A	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C000B	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C000C	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C000D	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C000E	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C000F	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0010	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0011	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0012	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0013	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0014	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0015	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0016	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0017	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0018	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0019	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C001A	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C001B	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C001C	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C001D	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C001E	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C001F	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0020	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0021	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0022	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0023	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0024	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0025	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0026	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0027	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0028	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0029	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C002A	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C002B	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C002C	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C002D	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C002E	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C002F	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0030	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0031	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0032	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0033	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0034	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0035	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0036	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0037	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0038	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0039	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C003A	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C003B	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C003C	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C003D	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C003E	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C003F	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0040	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0041	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0042	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0043	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0044	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0045	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0046	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0047	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0048	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0049	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C004A	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C004B	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C004C	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C004D	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C004E	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C004F	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0050	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0051	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0052	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0053	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0054	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0055	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0056	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0057	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0058	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0059	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C005A	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C005B	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C005C	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C005D	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C005E	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C005F	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0060	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0061	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0062	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0063	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0064	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0065	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0066	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0067	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0068	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0069	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C006A	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C006B	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C006C	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C006D	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C006E	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C006F	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0070	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0071	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0072	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0073	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0074	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0075	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0076	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0077	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0078	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0079	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C007A	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C007B	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C007C	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C007D	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C007E	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C007F	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0080	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0081	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0082	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0083	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0084	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0085	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0086	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0087	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0088	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0089	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C008A	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C008B	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C008C	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C008D	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C008E	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C008F	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0090	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0091	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0092	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0093	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0094	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0095	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0096	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0097	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0098	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0099	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C009A	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C009B	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C009C	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C009D	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C009E	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C009F	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00A0	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00A1	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00A2	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00A3	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00A4	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00A5	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00A6	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00A7	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00A8	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00A9	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00AA	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00AB	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00AC	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00AD	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00AE	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00AF	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00B0	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00B1	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00B2	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00B3	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00B4	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00B5	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00B6	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00B7	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00B8	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00B9	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00BA	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00BB	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00BC	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00BD	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00BE	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00BF	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00C0	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00C1	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00C2	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00C3	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00C4	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00C5	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00C6	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00C7	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00C8	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00C9	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00CA	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00CB	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00CC	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00CD	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00CE	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00CF	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00D0	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00D1	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00D2	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00D3	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00D4	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00D5	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00D6	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00D7	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00D8	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00D9	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00DA	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00DB	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00DC	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00DD	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00DE	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00DF	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00E0	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00E1	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00E2	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00E3	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00E4	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00E5	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00E6	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00E7	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00E8	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00E9	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00EA	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00EB	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00EC	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00ED	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00EE	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00EF	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00F0	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00F1	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00F2	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00F3	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00F4	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00F5	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00F6	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00F7	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00F8	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00F9	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00FA	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00FB	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00FC	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00FD	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00FE	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C00FF	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0100	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0101	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0102	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0103	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0104	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0105	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0106	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0107	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0108	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0109	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C010A	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C010B	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C010C	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C010D	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C010E	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C010F	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0110	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0111	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0112	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0113	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0114	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0115	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0116	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0117	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0118	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0119	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C011A	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C011B	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C011C	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C011D	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C011E	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C011F	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0120	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0121	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0122	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0123	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0124	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0125	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0126	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0127	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0128	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0129	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C012A	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C012B	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C012C	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C012D	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C012E	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C012F	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0130	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0131	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0132	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0133	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0134	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0135	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0136	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0137	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0138	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0139	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C013A	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C013B	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C013C	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C013D	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C013E	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C013F	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0140	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0141	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0142	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0143	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0144	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0145	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0146	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0147	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0148	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0149	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C014A	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C014B	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C014C	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C014D	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C014E	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C014F	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0150	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0151	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0152	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0153	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0154	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0155	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0156	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0157	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0158	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0159	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C015A	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C015B	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C015C	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C015D	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C015E	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C015F	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0160	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0161	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0162	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0163	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0164	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0165	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0166	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0167	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0168	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0169	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C016A	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C016B	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C016C	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C016D	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C016E	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C016F	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0170	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0171	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0172	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0173	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0174	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0175	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0176	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0177	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0178	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0179	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C017A	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C017B	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C017C	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C017D	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C017E	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C017F	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0180	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0181	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0182	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0183	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0184	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0185	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0186	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0187	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0188	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0189	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C018A	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C018B	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C018C	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C018D	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C018E	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C018F	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0190	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0191	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0192	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0193	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0194	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0195	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0196	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0197	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0198	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C0199	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C019A	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C019B	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C019C	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C019D	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C019E	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C019F	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01A0	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01A1	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01A2	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01A3	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01A4	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01A5	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01A6	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01A7	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01A8	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01A9	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01AA	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01AB	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01AC	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01AD	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01AE	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01AF	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01B0	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01B1	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01B2	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01B3	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01B4	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01B5	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01B6	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01B7	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01B8	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01B9	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01BA	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01BB	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01BC	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01BD	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01BE	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01BF	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01C0	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01C1	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01C2	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01C3	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01C4	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01C5	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01C6	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01C7	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01C8	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01C9	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01CA	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01CB	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01CC	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01CD	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01CE	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01CF	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01D0	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01D1	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01D2	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01D3	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01D4	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01D5	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01D6	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01D7	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01D8	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01D9	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01DA	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01DB	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01DC	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01DD	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01DE	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01DF	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01E0	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01E1	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01E2	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01E3	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01E4	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01E5	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01E6	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01E7	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01E8	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01E9	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01EA	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01EB	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01EC	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01ED	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01EE	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01EF	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01F0	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01F1	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01F2	Jump to behavior
Source: C:\Users\user\Desktop\mluxGOTw1e.exe	Memory written: C:\Windows\System32\notepad.exe base: 2DE2F9C01F3	Jump to behavior

Source: C:\Users\user\Desktop\mluxGOTw1e.exe

Process created: C:\Windows\System32\notepad.exe C:\Windows\System32\notepad.exe

Jump to behavior

Source: C:\Windows\System32\notepad.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 3.2.notepad.exe.2de31470000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.notepad.exe.2de31470000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.notepad.exe.2de317ace78.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.notepad.exe.2de317ace78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1912189653.000002DE31470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1912343597.000002DE317A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: notepad.exe PID: 6544, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 3.2.notepad.exe.2de31470000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.notepad.exe.2de31470000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.notepad.exe.2de317ace78.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.notepad.exe.2de317ace78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1912189653.000002DE31470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1912343597.000002DE317A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: notepad.exe PID: 6544, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	511 Process Injection	1 Masquerading	1 Input Capture	1 Process Discovery	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	11 Archive Collected Data	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	3 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	511 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
mluxGOTw1e.exe	63%	ReversingLabs	Win64.Trojan.ShellcodeRunner
mluxGOTw1e.exe	69%	Virustotal		Browse
mluxGOTw1e.exe	100%	Avira	TR/Swrort.umxpz
mluxGOTw1e.exe	100%	Joe Sandbox ML

Name	Malicious	Antivirus Detection	Reputation
https://pastebin.com/raw/zcGavZvr	true		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542727
Start date and time:	2024-10-26 08:48:23 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	mluxGOTw1e.exe renamed because original name is a hash value
Original Sample Name:	26e5c31684960235c5ca7963770edc5488533b3fd58de9ffc46f3d297228ec3b.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/2@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 17 Number of non-executed functions: 17
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtWriteVirtualMemory calls found.

Process:	C:\Windows\System32\notepad.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\mluxGOTw1e.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	754
Entropy (8bit):	4.933587194429315
Encrypted:	false
SSDEEP:	12:NF+lDB5G7hV1cTZDQN+GISEXQkg2nWxktjXYHAWXXQkqP2axoEbsgkvmr6aAedXc:NF+lD7G7NwZs+G7hkg2nXYTwkqP26Lba
MD5:	4E674CB4EB0CEF9AD95155EC5181E998
SHA1:	E7FDE4528AAF39F36996BECC3D14C34301108BD3
SHA-256:	9DA5603292203869E57547A72C29EAB419811B9C5CFC87B5AF29746D338C0B38
SHA-512:	C4166ACF08F5E62F5C93CCF1A53C641893E9F60C7ECE200CAC4D242FC52F780231D42B94C85E8D49C3A474CB6A758505A9C22DA94C4044544AC45EEBE933B23D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Shellcode_Injector, Description: Yara detected generic Shellcode Injector, Source: \Device\ConDrv, Author: Joe Security
Reputation:	low
Preview:	[+] Launching a sacrificial process. [] Spoofed parent process: explorer.exe (PID: 4056). [] Spawned process: .C:\Windows\System32\notepad.exe (PID: 6544)..[+] Injecting shellcode via Early Bird APC Queue. [] Memory allocated. [-] Size: ..65536 bytes. [-] Address: ..0x000002DE2F9C0000. [-] Protection: .PAGE_READWRITE. [] Payload decrypted and written. [-] Size: ..62208 bytes. [-] Address: ..0x000002DE2F9C0000. [] Memory protection changed. [-] Protection: .PAGE_EXECUTE_READ. [] APC queued. [-] Thread ID: ..5464. [] Thread resumed. [] Payload executed..[+] Closing opened handles. [] Process Handle: .0x00000000000000CC. [] Thread Handle: ..0x00000000000000C8.

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.464068278316323
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	mluxGOTw1e.exe
File size:	311'808 bytes
MD5:	e516d0f273821697860cb7e606aa531e
SHA1:	28eda2de9a7acaad4fe4abc5ee927948e94d07de
SHA256:	26e5c31684960235c5ca7963770edc5488533b3fd58de9ffc46f3d297228ec3b
SHA512:	eeaca4835bd55813971ac5bd08d808508be31587eb251e7ffcc341174cff41ee1c0c415a90c79e4fb4a686a9ca8b727d1c5321b1ec46b0f7b9e45416c20ff2ef
SSDEEP:	3072:FF3HAXuHm+WAEBDNNv+5M4qfY7naxiEHlN5WImrclZFmSlSu9huyqKo8wuIOvmlN:FtZudLhjhMzWCbh2Y+HbTWMH9O1BNI
TLSH:	156408032B76C160D05AC9BEB972C635E2353C1DD621B636EFF04E123F28750A6B6796
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...,..f.........."............................@.............................0............`........................................

File Icon


Icon Hash:	766a684f7db2e71f

Static PE Info

General

Entrypoint:	0x140029580
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6684D92C [Wed Jul 3 04:53:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	9d63601b75db6820cb6e18c76c455c6b

Entrypoint Preview

Instruction
dec eax
sub esp, 00000FB8h
dec eax
mov eax, dword ptr [00014DB2h]
dec eax
xor eax, esp
dec eax
mov dword ptr [esp+00000FB0h], eax
mov dword ptr [esp+0000011Ch], 00000000h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov eax, dword ptr [eax+60h]
dec eax
mov dword ptr [esp+00000230h], eax
dec eax
mov eax, dword ptr [esp+00000230h]
dec eax
mov eax, dword ptr [eax+18h]
dec eax
mov dword ptr [esp+00000228h], eax
dec eax
mov eax, dword ptr [esp+00000228h]
dec eax
mov eax, dword ptr [eax+10h]
dec eax
mov dword ptr [esp+00000220h], eax
dec eax
mov eax, dword ptr [esp+00000220h]
dec eax
mov eax, dword ptr [eax]
dec eax
mov eax, dword ptr [eax+30h]
dec eax
mov dword ptr [esp+00000240h], eax
dec eax
lea eax, dword ptr [esp+00000D00h]
dec eax
mov dword ptr [esp+00000238h], eax
dec eax
mov eax, dword ptr [esp+00000238h]
dec eax
mov ecx, dword ptr [esp+00000240h]
dec eax
mov dword ptr [eax], ecx
dec eax
mov ecx, dword ptr [esp+00000240h]
dec eax
mov dword ptr [esp+00000280h], ecx
dec eax
mov ecx, dword ptr [esp+00000280h]
dec eax
mov edx, dword ptr [esp+00000280h]
dec eax
arpl word ptr [edx+3Ch], dx
dec eax
mov ecx, dword ptr [ecx+edx+00000088h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2e448	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x43000	0xe4c0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x3f000	0x2ac	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x52000	0x30	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2d380	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2e4c8	0x58	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2bf76	0x2c000	01bf8c79f6f2d60325e228f1634cc21e	False	0.3069402521306818	data	5.12895487642941	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2d000	0x1774	0x1800	c4b55c9831f7acd3dbf33c8a6b3dede2	False	0.3590494791666667	data	4.494189395720392	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2f000	0xf900	0xf400	d11f03cff793430c8c81a3310aea7fb1	False	0.9976306352459017	Matlab v4 mat-file (little endian) \327\031\317\234\352 'S;\200\304j9\320\327\216\354, text, rows 0, columns 0	7.994461615277456	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x3f000	0x2ac	0x400	543ba09c5701d35b273bf167ef525f26	False	0.392578125	data	3.384165708202904	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg	0x40000	0x30	0x200	c12460e4de50bb5b8e8478aafd38bbb8	False	0.0546875	data	0.4096358800159221	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.retplne	0x41000	0x8c	0x200	8c950f651287cbc1296bcb4e8cd7e990	False	0.126953125	data	1.050583247971927
_sysc	0x42000	0x48	0x200	e6b950bf051a75bce2af0f8393433de3	False	0.173828125	data	1.3462487408995174	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x43000	0xe4c0	0xe600	b04d878cf7da98e3ee6d6b2523cabc1a	False	0.6816236413043478	data	6.979044009110158	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x52000	0x30	0x200	b0eab88cc9b0b1c5bda4123e618330f7	False	0.11328125	data	0.5811974582600534	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x43718	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.3719512195121951
RT_ICON	0x43d80	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.47446236559139787
RT_ICON	0x44068	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	English	United States	0.5122950819672131
RT_ICON	0x44250	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.5540540540540541
RT_ICON	0x44378	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.5229211087420043
RT_ICON	0x45220	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.6683212996389891
RT_ICON	0x45ac8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States	0.652073732718894
RT_ICON	0x46190	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.3186416184971098
RT_ICON	0x466f8	0x6779	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9990562120125335
RT_ICON	0x4ce78	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.3399377593360996
RT_ICON	0x4f420	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.4054878048780488
RT_ICON	0x504c8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.4491803278688525
RT_ICON	0x50e50	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.35726950354609927
RT_GROUP_ICON	0x512b8	0xbc	data	English	United States	0.6117021276595744
RT_VERSION	0x43380	0x394	OpenPGP Secret Key	English	United States	0.4606986899563319
RT_MANIFEST	0x51378	0x143	XML 1.0 document, ASCII text	English	United States	0.628482972136223

Imports

DLL	Import
KERNEL32.dll	GetCurrentProcess, InitializeProcThreadAttributeList, IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, TerminateProcess, UnhandledExceptionFilter, UpdateProcThreadAttribute

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2024 08:50:06.353483915 CEST	53	49963	162.159.36.2	192.168.2.7
Oct 26, 2024 08:50:07.229715109 CEST	53	63761	1.1.1.1	192.168.2.7

Target ID:	0
Start time:	02:49:19
Start date:	26/10/2024
Path:	C:\Users\user\Desktop\mluxGOTw1e.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\mluxGOTw1e.exe"
Imagebase:	0x7ff7494f0000
File size:	311'808 bytes
MD5 hash:	E516D0F273821697860CB7E606AA531E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Shellcode_Injector, Description: Yara detected generic Shellcode Injector, Source: 00000000.00000002.1874303894.00007FF74951D000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Shellcode_Injector, Description: Yara detected generic Shellcode Injector, Source: 00000000.00000000.1259736705.00007FF74951D000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:49:19
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:49:19
Start date:	26/10/2024
Path:	C:\Windows\System32\notepad.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\notepad.exe
Imagebase:	0x7ff711430000
File size:	201'216 bytes
MD5 hash:	27F71B12CB585541885A31BE22F61C83
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.1912189653.000002DE31470000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000002.1912189653.000002DE31470000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.1912343597.000002DE317A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000002.1912343597.000002DE317A1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000003.00000002.1911703858.000002DE2F9C0000.00000020.00000001.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_5c38878d, Description: unknown, Source: 00000003.00000002.1911703858.000002DE2F9C0000.00000020.00000001.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	47.9%
Total number of Nodes:	119
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FF7494F5350 Relevance: 47.6, APIs: 13, Strings: 13, Instructions: 2081COMMON

Download Yara Rule

APIs

wprintf.KERNELBASE ref: 00007FF7494F5789
wprintf.KERNELBASE ref: 00007FF7494F5B43
wprintf.KERNELBASE ref: 00007FF7494F5EFD
wprintf.KERNELBASE ref: 00007FF7494F629C
wprintf.KERNELBASE ref: 00007FF7494F66AC
wprintf.KERNELBASE ref: 00007FF7494F6A4B
wprintf.KERNELBASE ref: 00007FF7494F6E3C
wprintf.KERNELBASE ref: 00007FF7494F71EB
wprintf.KERNELBASE ref: 00007FF7494F75AE
wprintf.KERNELBASE ref: 00007FF7494F793E
wprintf.KERNELBASE ref: 00007FF7494F7CB7
wprintf.KERNELBASE ref: 00007FF7494F80BD
wprintf.KERNELBASE ref: 00007FF7494F846C

Strings

%4s[*] Payload executed, xrefs: 00007FF7494F75BF
%4s[*] APC queued, xrefs: 00007FF7494F6AAE
%8s[-] Protection: PAGE_EXECUTE_READ, xrefs: 00007FF7494F66BD
[+] Closing opened handles, xrefs: 00007FF7494F7940
%8s[-] Protection: PAGE_READWRITE, xrefs: 00007FF7494F5F0E
%4s[*] Memory allocated, xrefs: 00007FF7494F53FB
%8s[-] Thread ID: %lu, xrefs: 00007FF7494F6E61
%4s[*] Thread Handle: 0x%p, xrefs: 00007FF7494F80E2
%8s[-] Size: %zu bytes, xrefs: 00007FF7494F57AA
%8s[-] Address: 0x%p, xrefs: 00007FF7494F5B64
%4s[*] Thread resumed, xrefs: 00007FF7494F722F
%4s[*] Memory protection changed, xrefs: 00007FF7494F631E
%4s[*] Process Handle: 0x%p, xrefs: 00007FF7494F7D33

Memory Dump Source

Source File: 00000000.00000002.1874222245.00007FF7494F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7494F0000, based on PE: true

Associated: 00000000.00000002.1874206613.00007FF7494F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874303894.00007FF74951D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874349952.00007FF74952F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874364407.00007FF749533000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7494f0000_mluxGOTw1e.jbxd

Yara matches

Similarity

API ID: wprintf
String ID: [+] Closing opened handles$%4s[*] APC queued$%4s[*] Memory allocated$%4s[*] Memory protection changed$%4s[*] Payload executed$%4s[*] Process Handle: 0x%p$%4s[*] Thread Handle: 0x%p$%4s[*] Thread resumed$%8s[-] Address: 0x%p$%8s[-] Protection: PAGE_EXECUTE_READ$%8s[-] Protection: PAGE_READWRITE$%8s[-] Size: %zu bytes$%8s[-] Thread ID: %lu
API String ID: 3614878089-4130125124
Opcode ID: b03e8184085685c0b15f89fc2bf5aaae87c080e51106d0f201fa5de4e0a45616
Instruction ID: 8a6da9ef004d00ec8276cff23eb9824d23cf9c4221d94ab58b7937c4887eb345
Opcode Fuzzy Hash: b03e8184085685c0b15f89fc2bf5aaae87c080e51106d0f201fa5de4e0a45616
Instruction Fuzzy Hash: 5543AE7A60DBC58ADB70DB09E4902AAB7A5F7C9B90F508126DA8D83B58DF3CD554CF00

Function 00007FF7494F3D00 Relevance: 14.9, APIs: 4, Strings: 4, Instructions: 926
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wprintf.KERNELBASE ref: 00007FF7494F49FE
UpdateProcThreadAttribute.KERNEL32 ref: 00007FF7494F4A47
CreateProcessW.KERNELBASE ref: 00007FF7494F4F54
wprintf.KERNELBASE ref: 00007FF7494F531E

Strings

p, xrefs: 00007FF7494F3D89
%4s[*] Spoofed parent process: %ws (PID: %lu), xrefs: 00007FF7494F4669
%4s[*] Spawned process: %ws (PID: %lu), xrefs: 00007FF7494F4F89
0, xrefs: 00007FF7494F4538

Memory Dump Source

Source File: 00000000.00000002.1874222245.00007FF7494F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7494F0000, based on PE: true

Associated: 00000000.00000002.1874206613.00007FF7494F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874303894.00007FF74951D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874349952.00007FF74952F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874364407.00007FF749533000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7494f0000_mluxGOTw1e.jbxd

Yara matches

Similarity

API ID: wprintf$AttributeCreateProcProcessThreadUpdate
String ID: %4s[*] Spawned process: %ws (PID: %lu)$%4s[*] Spoofed parent process: %ws (PID: %lu)$0$p
API String ID: 799590655-4137158221
Opcode ID: 5c1a084f20434502c13e98adcf44d70e34134fdd123f2756eeaeba9661446e3a
Instruction ID: a1bdd9271b3bc03f0ee98e85492d9d705676c28b3f841be24a01b71b87dc2871
Opcode Fuzzy Hash: 5c1a084f20434502c13e98adcf44d70e34134fdd123f2756eeaeba9661446e3a
Instruction Fuzzy Hash: 2AC2AD7A60DBC18ADB71CB19E4903AEB7A5F7C8B80F504126DA8D83B58EF39D554CB40

Function 00007FF7494F2710 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 520
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wprintf.KERNELBASE ref: 00007FF7494F2BAC
wprintf.KERNELBASE ref: 00007FF7494F2F5A
wprintf.KERNELBASE ref: 00007FF7494F3305

Strings

%8s[-] Size: %zu bytes, xrefs: 00007FF7494F2BD9
%8s[-] Address: 0x%p, xrefs: 00007FF7494F2F7B
%4s[*] Payload decrypted and written, xrefs: 00007FF7494F2823

Memory Dump Source

Source File: 00000000.00000002.1874222245.00007FF7494F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7494F0000, based on PE: true

Associated: 00000000.00000002.1874206613.00007FF7494F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874303894.00007FF74951D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874349952.00007FF74952F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874364407.00007FF749533000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7494f0000_mluxGOTw1e.jbxd

Yara matches

Similarity

API ID: wprintf
String ID: %4s[*] Payload decrypted and written$%8s[-] Address: 0x%p$%8s[-] Size: %zu bytes
API String ID: 3614878089-776308857
Opcode ID: d8a2e21752ae5db15ecfcab90fadc6382f2ba7b260ab4f50f809d3571b2b034b
Instruction ID: 9ea4ce1aeb2f046d5dfc1c8a66cee46c117bf9fc98cbb37fcbe7d71b4dad0262
Opcode Fuzzy Hash: d8a2e21752ae5db15ecfcab90fadc6382f2ba7b260ab4f50f809d3571b2b034b
Instruction Fuzzy Hash: 7162AE7660DBC5CADB71DB19E4903AAB7A4F7C9B80F508126DA8D83B68DF38D550CB10

Function 00007FF749519C53 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 324
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wprintf.KERNELBASE ref: 00007FF749519FD9
wprintf.KERNELBASE ref: 00007FF74951A3A6

Strings

[+] Launching a sacrificial process, xrefs: 00007FF749519C53
[+] Injecting shellcode via Early Bird APC Queue, xrefs: 00007FF74951A020

Memory Dump Source

Source File: 00000000.00000002.1874222245.00007FF7494F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7494F0000, based on PE: true

Associated: 00000000.00000002.1874206613.00007FF7494F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874303894.00007FF74951D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874349952.00007FF74952F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874364407.00007FF749533000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7494f0000_mluxGOTw1e.jbxd

Yara matches

Similarity

API ID: wprintf
String ID: [+] Injecting shellcode via Early Bird APC Queue$[+] Launching a sacrificial process
API String ID: 3614878089-2372117104
Opcode ID: e54332d536c09d8b949f145737fdff91a6533a667f409690d1330770030bf511
Instruction ID: f72668a347d025375b4105f460cdb0046f8716ae69d59f913f33e74abc34e237
Opcode Fuzzy Hash: e54332d536c09d8b949f145737fdff91a6533a667f409690d1330770030bf511
Instruction Fuzzy Hash: 94129F7660DBC4CADB75DB05E4902AAB7A8F7C8B80F504126DA9D83B58DF38D650CB10

Function 00007FF7494F3510 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpW.KERNELBASE ref: 00007FF7494F3977

Strings

0, xrefs: 00007FF7494F399A

Memory Dump Source

Source File: 00000000.00000002.1874222245.00007FF7494F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7494F0000, based on PE: true

Associated: 00000000.00000002.1874206613.00007FF7494F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874303894.00007FF74951D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874349952.00007FF74952F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874364407.00007FF749533000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7494f0000_mluxGOTw1e.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 4ace3f2ca766bdd23ffec80a05455e2f3abee82fe787fd454f2bcbdd8ca6bb26
Instruction ID: 0279dc613dd60ec18f34299b6e954d33d10df79f9234b8aa1ea616ea89d9d06e
Opcode Fuzzy Hash: 4ace3f2ca766bdd23ffec80a05455e2f3abee82fe787fd454f2bcbdd8ca6bb26
Instruction Fuzzy Hash: 50D1AE7660CBC5CADA70DB19E4903EAB7A4F789B94F504126DA8D83B98EF3CD454CB10

Non-executed Functions

Function 00007FF7495061D0 Relevance: 28.0, Strings: 20, Instructions: 3037COMMON

Download Yara Rule

Strings

%8s[-] Handle: 0x%p, xrefs: 00007FF749506DF7, 00007FF749509409
%4s[*] Payload executed, xrefs: 00007FF749509B87
s-0^WhY@, xrefs: 00007FF749506560
%8s[-] Protection: PAGE_EXECUTE_READ, xrefs: 00007FF7495084CD
%8s[-] TID: %lu, xrefs: 00007FF74950904F
[+] Closing opened handles, xrefs: 00007FF749509F17
%8s[-] Protection: PAGE_READWRITE, xrefs: 00007FF749507D24
%4s[*] Memory allocated, xrefs: 00007FF749507211
%4s[*] Thread Handle: 0x%p, xrefs: 00007FF74950A6C3
%4s[*] Thread created, xrefs: 00007FF749508CA0
%8s[-] Name: %ws, xrefs: 00007FF749506683
%4s[*] Target process, xrefs: 00007FF7495062D4
s-0^WhY@, xrefs: 00007FF749506411
%8s[-] Size: %zu bytes, xrefs: 00007FF7495075C0
%8s[-] Address: 0x%p, xrefs: 00007FF74950797A
%4s[*] Thread resumed, xrefs: 00007FF7495097E8
0, xrefs: 00007FF749506217
%8s[-] PID: %lu, xrefs: 00007FF749506A3D
%4s[*] Memory protection changed, xrefs: 00007FF74950812E
%4s[*] Process Handle: 0x%p, xrefs: 00007FF74950A318

Memory Dump Source

Source File: 00000000.00000002.1874222245.00007FF7494F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7494F0000, based on PE: true

Associated: 00000000.00000002.1874206613.00007FF7494F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874303894.00007FF74951D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874349952.00007FF74952F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874364407.00007FF749533000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7494f0000_mluxGOTw1e.jbxd

Yara matches

Similarity

API ID:
String ID: [+] Closing opened handles$%4s[*] Memory allocated$%4s[*] Memory protection changed$%4s[*] Payload executed$%4s[*] Process Handle: 0x%p$%4s[*] Target process$%4s[*] Thread Handle: 0x%p$%4s[*] Thread created$%4s[*] Thread resumed$%8s[-] Address: 0x%p$%8s[-] Handle: 0x%p$%8s[-] Name: %ws$%8s[-] PID: %lu$%8s[-] Protection: PAGE_EXECUTE_READ$%8s[-] Protection: PAGE_READWRITE$%8s[-] Size: %zu bytes$%8s[-] TID: %lu$0$s-0^WhY@$s-0^WhY@
API String ID: 0-440890281
Opcode ID: 9d161d0a500dea7931e0a661714e546086f279a0f836e623e0b89debef6fbfb9
Instruction ID: ff69feae511fbd5cbda0c0d96d30428cc1f973c6a83dfbe06a0aff0481b5344d
Opcode Fuzzy Hash: 9d161d0a500dea7931e0a661714e546086f279a0f836e623e0b89debef6fbfb9
Instruction Fuzzy Hash: 7583BE7A60DBC5CADBB0DB05E4902AAB7A5F7C9B80F508126DADD83B58DF38D550CB00

Function 00007FF7494FBBC0 Relevance: 27.4, Strings: 19, Instructions: 3639COMMON

Download Yara Rule

Strings

%8s[-] Handle: 0x%p, xrefs: 00007FF7494FF803
%4s[*] User32.dll loaded, xrefs: 00007FF7494FE498
%8s[-] PEB: 0x%p, xrefs: 00007FF7494FC055
%4s[*] Payload executed, xrefs: 00007FF7495003B4
%4s[*] Message sent, xrefs: 00007FF749500024
%8s[-] __fnCOPYDATA: 0x%016IX, xrefs: 00007FF7494FDC46
%4s[*] Window Handle: 0x%p, xrefs: 00007FF749500ECF
[+] Closing opened handles, xrefs: 00007FF749500735
%8s[-] Protection: PAGE_READWRITE, xrefs: 00007FF7494FD3A5
%8s[-] KCT: 0x%p, xrefs: 00007FF7494FC475
%4s[*] Memory allocated, xrefs: 00007FF7494FC892
J, xrefs: 00007FF7494FFBDF
%4s[*] Target window found, xrefs: 00007FF7494FF096
%8s[-] Size: %zu bytes, xrefs: 00007FF7494FCC41
%4s[*] Location of addresses, xrefs: 00007FF7494FBCA6
%8s[-] Address: 0x%p, xrefs: 00007FF7494FCFFB
%4s[*] Target process PEB updated, xrefs: 00007FF7494FD897
%8s[-] PID: %lu, xrefs: 00007FF7494FF449
%4s[*] Process Handle: 0x%p, xrefs: 00007FF749500B24

Memory Dump Source

Source File: 00000000.00000002.1874222245.00007FF7494F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7494F0000, based on PE: true

Associated: 00000000.00000002.1874206613.00007FF7494F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874303894.00007FF74951D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874349952.00007FF74952F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874364407.00007FF749533000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7494f0000_mluxGOTw1e.jbxd

Yara matches

Similarity

API ID:
String ID: [+] Closing opened handles$%4s[*] Location of addresses$%4s[*] Memory allocated$%4s[*] Message sent$%4s[*] Payload executed$%4s[*] Process Handle: 0x%p$%4s[*] Target process PEB updated$%4s[*] Target window found$%4s[*] User32.dll loaded$%4s[*] Window Handle: 0x%p$%8s[-] Address: 0x%p$%8s[-] Handle: 0x%p$%8s[-] KCT: 0x%p$%8s[-] PEB: 0x%p$%8s[-] PID: %lu$%8s[-] Protection: PAGE_READWRITE$%8s[-] Size: %zu bytes$%8s[-] __fnCOPYDATA: 0x%016IX$J
API String ID: 0-1583158047
Opcode ID: ca71be6298e9c2b01a4887ecdb09152adad67bbcc08df45b1fee3eda0e002fd6
Instruction ID: 9970afaa5049bf3af7763c9e40ddd8c7d09058d110eafcac28a3e8723c9ef355
Opcode Fuzzy Hash: ca71be6298e9c2b01a4887ecdb09152adad67bbcc08df45b1fee3eda0e002fd6
Instruction Fuzzy Hash: EAA3CF7A60DBC5CADB70DB19E4902EAB7A4F7C9B80F508126DA8D83B58DF38D550CB50

Function 00007FF7495013A0 Relevance: 24.3, Strings: 17, Instructions: 3077COMMON

Download Yara Rule

Strings

%8s[-] Handle: 0x%p, xrefs: 00007FF749501815, 00007FF749502FF0, 00007FF7495046E4
%4s[*] Memory section created, xrefs: 00007FF749501466
%8s[-] Remote address: 0x%p, xrefs: 00007FF7495033AA
%4s[*] Payload executed, xrefs: 00007FF749504A8E
%8s[-] Local address: 0x%p, xrefs: 00007FF749501FE1
%8s[-] TID: %lu, xrefs: 00007FF74950432A
%4s[*] Local section view unmapped, xrefs: 00007FF7495037A8
[+] Closing opened handles, xrefs: 00007FF749504E1E
%8s[-] Process: %ws, xrefs: 00007FF74950287C
%4s[*] Local section view created, xrefs: 00007FF749501C32
%4s[*] Thread Handle: 0x%p, xrefs: 00007FF7495059AB
%4s[*] Thread created, xrefs: 00007FF749503F7B
%4s[*] Remote section view created, xrefs: 00007FF7495024CD
%4s[*] Section Handle: 0x%p, xrefs: 00007FF749505255
%8s[-] PID: %lu, xrefs: 00007FF749502C36
0, xrefs: 00007FF74950239C
%4s[*] Process Handle: 0x%p, xrefs: 00007FF749505600

Memory Dump Source

Source File: 00000000.00000002.1874222245.00007FF7494F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7494F0000, based on PE: true

Associated: 00000000.00000002.1874206613.00007FF7494F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874303894.00007FF74951D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874349952.00007FF74952F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874364407.00007FF749533000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7494f0000_mluxGOTw1e.jbxd

Yara matches

Similarity

API ID:
String ID: [+] Closing opened handles$%4s[*] Local section view created$%4s[*] Local section view unmapped$%4s[*] Memory section created$%4s[*] Payload executed$%4s[*] Process Handle: 0x%p$%4s[*] Remote section view created$%4s[*] Section Handle: 0x%p$%4s[*] Thread Handle: 0x%p$%4s[*] Thread created$%8s[-] Handle: 0x%p$%8s[-] Local address: 0x%p$%8s[-] PID: %lu$%8s[-] Process: %ws$%8s[-] Remote address: 0x%p$%8s[-] TID: %lu$0
API String ID: 0-2414229728
Opcode ID: 572a3649a2d220702e2960c0249359f98fa7b43c7cb24d3299fbffc664405152
Instruction ID: 6c65b696aefb9de399207c932372d08e044957f01d6c126c85ed26f327a7d3aa
Opcode Fuzzy Hash: 572a3649a2d220702e2960c0249359f98fa7b43c7cb24d3299fbffc664405152
Instruction Fuzzy Hash: C483BD7A60DBC1CADB70DB05E4902EAB7A5F7C9B80F508126DA9D83B58EF38D550CB40

Function 00007FF7494F8670 Relevance: 19.7, Strings: 14, Instructions: 2248COMMON

Download Yara Rule

Strings

%4s[*] Payload executed, xrefs: 00007FF7494FACF7
%8s[-] Protection: PAGE_EXECUTE_READ, xrefs: 00007FF7494F99E3
[+] Closing opened handles, xrefs: 00007FF7494FB078
%8s[-] Protection: PAGE_READWRITE, xrefs: 00007FF7494F9234
%4s[*] Memory allocated, xrefs: 00007FF7494F8721
%4s[*] Thread context changed, xrefs: 00007FF7494F9E1D
%8s[-] Thread ID: %lu, xrefs: 00007FF7494FA1D0
%4s[*] Thread Handle: 0x%p, xrefs: 00007FF7494FB81A
%8s[-] RIP: 0x%p, xrefs: 00007FF7494FA58A
%8s[-] Size: %zu bytes, xrefs: 00007FF7494F8AD0
%8s[-] Address: 0x%p, xrefs: 00007FF7494F8E8A
%4s[*] Thread resumed, xrefs: 00007FF7494FA967
%4s[*] Memory protection changed, xrefs: 00007FF7494F9644
%4s[*] Process Handle: 0x%p, xrefs: 00007FF7494FB46B

Memory Dump Source

Source File: 00000000.00000002.1874222245.00007FF7494F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7494F0000, based on PE: true

Associated: 00000000.00000002.1874206613.00007FF7494F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874303894.00007FF74951D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874349952.00007FF74952F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874364407.00007FF749533000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7494f0000_mluxGOTw1e.jbxd

Yara matches

Similarity

API ID:
String ID: [+] Closing opened handles$%4s[*] Memory allocated$%4s[*] Memory protection changed$%4s[*] Payload executed$%4s[*] Process Handle: 0x%p$%4s[*] Thread Handle: 0x%p$%4s[*] Thread context changed$%4s[*] Thread resumed$%8s[-] Address: 0x%p$%8s[-] Protection: PAGE_EXECUTE_READ$%8s[-] Protection: PAGE_READWRITE$%8s[-] RIP: 0x%p$%8s[-] Size: %zu bytes$%8s[-] Thread ID: %lu
API String ID: 0-1476257755
Opcode ID: 0d895623343bd3d8f742f601a954fde131aa08d6659a65a59def300db6d48974
Instruction ID: 808cc0ee283fe28173bbcbfbc0c1bcc1f2eb9e6898d781017578c2d6034dee95
Opcode Fuzzy Hash: 0d895623343bd3d8f742f601a954fde131aa08d6659a65a59def300db6d48974
Instruction Fuzzy Hash: 9153C07660DBC58ADB70DB09E4906AAB7A5F7C9B80F508126DACD83B58EF38D450CF50

Function 00007FF749515590 Relevance: 16.4, Strings: 11, Instructions: 2688COMMON

Download Yara Rule

Strings

%4s[*] User32.dll loaded, xrefs: 00007FF749515A66
%8s[-] Size: %zu bytes, xrefs: 00007FF74951783A
%4s[*] Payload executed, xrefs: 00007FF74951917D
%4s[*] Clipboard opened, xrefs: 00007FF7495161BF
%8s[-] Address: 0x%p, xrefs: 00007FF749517BE5
%4s[*] Clipboard closed, xrefs: 00007FF749518DED
%8s[-] Protection: PAGE_EXECUTE_READ, xrefs: 00007FF7495186FB
%4s[*] Payload decrypted, xrefs: 00007FF7495165F0
%4s[*] Payload injected into clipboard, xrefs: 00007FF74951747F
%8s[-] Protection: PAGE_READWRITE, xrefs: 00007FF749517F80
%4s[*] Clipboard memory protection changed, xrefs: 00007FF74951836B

Memory Dump Source

Source File: 00000000.00000002.1874222245.00007FF7494F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7494F0000, based on PE: true

Associated: 00000000.00000002.1874206613.00007FF7494F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874303894.00007FF74951D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874349952.00007FF74952F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874364407.00007FF749533000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7494f0000_mluxGOTw1e.jbxd

Yara matches

Similarity

API ID:
String ID: %4s[*] Clipboard closed$%4s[*] Clipboard memory protection changed$%4s[*] Clipboard opened$%4s[*] Payload decrypted$%4s[*] Payload executed$%4s[*] Payload injected into clipboard$%4s[*] User32.dll loaded$%8s[-] Address: 0x%p$%8s[-] Protection: PAGE_EXECUTE_READ$%8s[-] Protection: PAGE_READWRITE$%8s[-] Size: %zu bytes
API String ID: 0-1766638431
Opcode ID: 6e2b1a02b822ab0fa5b92efd4c8e4bfc746f90ab21d7d489da7bd466fc1cac34
Instruction ID: aebdee8c1cf8f1d35afd1842698549b03992c3b37391cd61c90ac4625e4dae9b
Opcode Fuzzy Hash: 6e2b1a02b822ab0fa5b92efd4c8e4bfc746f90ab21d7d489da7bd466fc1cac34
Instruction Fuzzy Hash: AE73BF7A60DBC5CADB70DB09E4902AAB7A5F7C9B90F508126DADD83B58DF38D450CB10

Function 00007FF749511C50 Relevance: 16.2, Strings: 11, Instructions: 2402COMMON

Download Yara Rule

Strings

%4s[*] User32.dll loaded, xrefs: 00007FF7495137F1
%8s[-] Size: %zu bytes, xrefs: 00007FF74951209C
%4s[*] Payload executed, xrefs: 00007FF749514E1F
%8s[-] Address: 0x%p, xrefs: 00007FF749512456
%4s[*] Message dispatched, xrefs: 00007FF749514A8F
%8s[-] Protection: PAGE_EXECUTE_READ, xrefs: 00007FF749512FB0
%4s[*] Message retrieved, xrefs: 00007FF7495146FF
%4s[*] Timer created, xrefs: 00007FF749513F78
%8s[-] Protection: PAGE_READWRITE, xrefs: 00007FF749512800
%4s[*] Memory allocated, xrefs: 00007FF749511CED
%4s[*] Memory protection changed, xrefs: 00007FF749512C11

Memory Dump Source

Source File: 00000000.00000002.1874222245.00007FF7494F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7494F0000, based on PE: true

Associated: 00000000.00000002.1874206613.00007FF7494F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874303894.00007FF74951D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874349952.00007FF74952F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874364407.00007FF749533000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7494f0000_mluxGOTw1e.jbxd

Yara matches

Similarity

API ID:
String ID: %4s[*] Memory allocated$%4s[*] Memory protection changed$%4s[*] Message dispatched$%4s[*] Message retrieved$%4s[*] Payload executed$%4s[*] Timer created$%4s[*] User32.dll loaded$%8s[-] Address: 0x%p$%8s[-] Protection: PAGE_EXECUTE_READ$%8s[-] Protection: PAGE_READWRITE$%8s[-] Size: %zu bytes
API String ID: 0-1289263311
Opcode ID: 90a1dde79060cd40cbf84ae0d522775219b46c12289c633cf5490a3c8645b942
Instruction ID: 4a57aad661debc715619b276f7e9d2be453028155e192de5d2c24bfe5f761a36
Opcode Fuzzy Hash: 90a1dde79060cd40cbf84ae0d522775219b46c12289c633cf5490a3c8645b942
Instruction Fuzzy Hash: E363BC7A60DBC5CADB70DB09E4902AAB7A5F7C9B90F508126DADD83B58DF38D450CB10

Function 00007FF74950EFD0 Relevance: 13.1, Strings: 9, Instructions: 1884COMMON

Download Yara Rule

Strings

%8s[-] Size: %zu bytes, xrefs: 00007FF74950F416
%4s[*] Payload executed, xrefs: 00007FF74951152F
%8s[-] Address: 0x%p, xrefs: 00007FF74950F7D0
%8s[-] Protection: PAGE_EXECUTE_READ, xrefs: 00007FF749510315
%4s[*] Shellcode stored in FLS slot, xrefs: 00007FF74951119F
%8s[-] Protection: PAGE_READWRITE, xrefs: 00007FF74950FB7A
%4s[*] FLS index allocated, xrefs: 00007FF749510A68
%4s[*] Memory allocated, xrefs: 00007FF74950F067
%4s[*] Memory protection changed, xrefs: 00007FF74950FF85

Memory Dump Source

Source File: 00000000.00000002.1874222245.00007FF7494F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7494F0000, based on PE: true

Associated: 00000000.00000002.1874206613.00007FF7494F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874303894.00007FF74951D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874349952.00007FF74952F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874364407.00007FF749533000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7494f0000_mluxGOTw1e.jbxd

Yara matches

Similarity

API ID:
String ID: %4s[*] FLS index allocated$%4s[*] Memory allocated$%4s[*] Memory protection changed$%4s[*] Payload executed$%4s[*] Shellcode stored in FLS slot$%8s[-] Address: 0x%p$%8s[-] Protection: PAGE_EXECUTE_READ$%8s[-] Protection: PAGE_READWRITE$%8s[-] Size: %zu bytes
API String ID: 0-280168778
Opcode ID: 3bade9590d96bfb7e03720b931682198270ee2bcc1a4ab098b582348648098e0
Instruction ID: d92b95e4a3ee73381d11d6cb3221e1c199c6912538512fa4d3d7569505230169
Opcode Fuzzy Hash: 3bade9590d96bfb7e03720b931682198270ee2bcc1a4ab098b582348648098e0
Instruction Fuzzy Hash: 1733BD7A60DBC4CADBB0DB15E4902AAB7A4F7C9B90F508126DA9D83B58DF38D550CF40

Function 00007FF74950AA70 Relevance: 11.6, Strings: 8, Instructions: 1639COMMON

Download Yara Rule

Strings

%8s[-] Size: %zu bytes, xrefs: 00007FF74950AEB6
%4s[*] Payload executed, xrefs: 00007FF74950C974
%8s[-] Address: 0x%p, xrefs: 00007FF74950B270
%8s[-] Protection: PAGE_EXECUTE_READ, xrefs: 00007FF74950BDCA
%4s[*] Gdi32.dll loaded, xrefs: 00007FF74950C5E4
%8s[-] Protection: PAGE_READWRITE, xrefs: 00007FF74950B61A
%4s[*] Memory allocated, xrefs: 00007FF74950AB07
%4s[*] Memory protection changed, xrefs: 00007FF74950BA2B

Memory Dump Source

Source File: 00000000.00000002.1874222245.00007FF7494F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7494F0000, based on PE: true

Associated: 00000000.00000002.1874206613.00007FF7494F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874303894.00007FF74951D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874349952.00007FF74952F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874364407.00007FF749533000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7494f0000_mluxGOTw1e.jbxd

Yara matches

Similarity

API ID:
String ID: %4s[*] Gdi32.dll loaded$%4s[*] Memory allocated$%4s[*] Memory protection changed$%4s[*] Payload executed$%8s[-] Address: 0x%p$%8s[-] Protection: PAGE_EXECUTE_READ$%8s[-] Protection: PAGE_READWRITE$%8s[-] Size: %zu bytes
API String ID: 0-3498503626
Opcode ID: 13b2b00723fbc1c2e7a3b7450de5691ba2eb5fd80a1f8d7ed5297f75b2f02a14
Instruction ID: be1f967ab962d445bdbe88b565fa3197f7f31758a16c1c80779bc86e4a95b5e3
Opcode Fuzzy Hash: 13b2b00723fbc1c2e7a3b7450de5691ba2eb5fd80a1f8d7ed5297f75b2f02a14
Instruction Fuzzy Hash: D023BC7A60DBC5CADAB0DB05E4903AAB7A5F7C9B80F508126DA9D83B58DF38D550CF40

Function 00007FF74950D1B0 Relevance: 10.0, Strings: 7, Instructions: 1277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

%8s[-] Size: %zu bytes, xrefs: 00007FF74950D5F6
%4s[*] Payload executed, xrefs: 00007FF74950E852
%8s[-] Address: 0x%p, xrefs: 00007FF74950D9A1
%8s[-] Protection: PAGE_EXECUTE_READ, xrefs: 00007FF74950E4C2
%8s[-] Protection: PAGE_READWRITE, xrefs: 00007FF74950DD3C
%4s[*] Memory allocated, xrefs: 00007FF74950D247
%4s[*] Memory protection changed, xrefs: 00007FF74950E132

Memory Dump Source

Source File: 00000000.00000002.1874222245.00007FF7494F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7494F0000, based on PE: true

Associated: 00000000.00000002.1874206613.00007FF7494F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874303894.00007FF74951D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874349952.00007FF74952F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874364407.00007FF749533000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7494f0000_mluxGOTw1e.jbxd

Yara matches

Similarity

API ID:
String ID: %4s[*] Memory allocated$%4s[*] Memory protection changed$%4s[*] Payload executed$%8s[-] Address: 0x%p$%8s[-] Protection: PAGE_EXECUTE_READ$%8s[-] Protection: PAGE_READWRITE$%8s[-] Size: %zu bytes
API String ID: 0-3131770449
Opcode ID: 18f9cb85743786c61a39080b6ef7327d99e65372cdba8b5a428fd7e85d451cfd
Instruction ID: f7750777374e6295aebbb2972ac21387151ca19db60529901ce93e5042dcc71d
Opcode Fuzzy Hash: 18f9cb85743786c61a39080b6ef7327d99e65372cdba8b5a428fd7e85d451cfd
Instruction Fuzzy Hash: 2CF2BC7A60DBC4CADBB0CB15E4902AAB7A5F7C9B80F508126DA9D83B58DF38D554CF40

Function 00007FF7494F18B0 Relevance: .8, Instructions: 815COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874222245.00007FF7494F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7494F0000, based on PE: true

Associated: 00000000.00000002.1874206613.00007FF7494F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874303894.00007FF74951D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874349952.00007FF74952F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874364407.00007FF749533000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7494f0000_mluxGOTw1e.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0910feb2bd3accc9b12f1934a90acd675b801db0ed7c54d7b38a6d4e77391d58
Instruction ID: 369f3d5f331c784be5a3319fd14b11bb3a88d09d7f20968b9a6cfe9b2d46e5ed
Opcode Fuzzy Hash: 0910feb2bd3accc9b12f1934a90acd675b801db0ed7c54d7b38a6d4e77391d58
Instruction Fuzzy Hash: DD72243651C1E28BD364BF28D4657EBA7E1DB85391F509035E2C98BB4FDA2DE008CB94

Function 00007FF7494F3A90 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874222245.00007FF7494F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7494F0000, based on PE: true

Associated: 00000000.00000002.1874206613.00007FF7494F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874303894.00007FF74951D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874349952.00007FF74952F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874364407.00007FF749533000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7494f0000_mluxGOTw1e.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 870a1ac81651bcf616d2ca802c6813c8bcd0282d20c1896726e554a2bfef10b0
Instruction ID: d671c911efd05003e60b29d132108e9321a9192541d4fd817a6659fc00101d8b
Opcode Fuzzy Hash: 870a1ac81651bcf616d2ca802c6813c8bcd0282d20c1896726e554a2bfef10b0
Instruction Fuzzy Hash: E0211D76618B848AC750CF59F48051ABBB4F799790F109519FBD943B28CB78D860CF41

Function 00007FF7494F8490 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874222245.00007FF7494F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7494F0000, based on PE: true

Associated: 00000000.00000002.1874206613.00007FF7494F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874303894.00007FF74951D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874349952.00007FF74952F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874364407.00007FF749533000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7494f0000_mluxGOTw1e.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8f4144c5147297be8b514fd852880c905b46946e5a1a914d165f7030dbde74
Instruction ID: 0571f8ba91cb4c5143925ccba606c362ed1e6517000641a3a6dde65f8cb03fee
Opcode Fuzzy Hash: bd8f4144c5147297be8b514fd852880c905b46946e5a1a914d165f7030dbde74
Instruction Fuzzy Hash: F2211076618B84CAD760CF5AF48165AFBB4F399794F204519FBD883B28CB78D4648F40

Function 00007FF7494F3340 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874222245.00007FF7494F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7494F0000, based on PE: true

Associated: 00000000.00000002.1874206613.00007FF7494F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874303894.00007FF74951D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874349952.00007FF74952F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874364407.00007FF749533000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7494f0000_mluxGOTw1e.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 428942144d20e317912586e1895582977c83087f4c3f2f8570400dc8a6695d10
Instruction ID: de1afcfa71c95517a2c53291a0c8d7cae602f52d031a9ffc20cad27941bde515
Opcode Fuzzy Hash: 428942144d20e317912586e1895582977c83087f4c3f2f8570400dc8a6695d10
Instruction Fuzzy Hash: DF211E76518B84C6D760CB59F48065ABBB4F399790F20451AFBCD43B28CB38D4658F40

Function 00007FF7494F3B90 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874222245.00007FF7494F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7494F0000, based on PE: true

Associated: 00000000.00000002.1874206613.00007FF7494F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874303894.00007FF74951D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874349952.00007FF74952F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874364407.00007FF749533000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7494f0000_mluxGOTw1e.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c175d4684706b4923c56a342592a24e2af9eeb54bc12c52110be9d99ce899999
Instruction ID: a1b2e5aaaf8ff2357ad561f64c833df36648d0cb5f220074c86e64d2755db2f6
Opcode Fuzzy Hash: c175d4684706b4923c56a342592a24e2af9eeb54bc12c52110be9d99ce899999
Instruction Fuzzy Hash: 2F111B76518B848AC390CF4AF48050AFBB4F399790F50951AFBD983B28DB7DD5648F40

Function 00007FF7494F8580 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874222245.00007FF7494F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7494F0000, based on PE: true

Associated: 00000000.00000002.1874206613.00007FF7494F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874303894.00007FF74951D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874349952.00007FF74952F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874364407.00007FF749533000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7494f0000_mluxGOTw1e.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ea0a778c47e77690bc83893cd6193b696fe2b6385a07ccd0e38434e80f9e500
Instruction ID: b2f76210029c775544297d21ed8ab994b44bab1ecf6e7951153123e2e3b88672
Opcode Fuzzy Hash: 4ea0a778c47e77690bc83893cd6193b696fe2b6385a07ccd0e38434e80f9e500
Instruction Fuzzy Hash: 8F010876618B84CA8750CF49F48041AFBB8F799790F608519FBD983B28DB79C5608F44

Function 00007FF7494F34A0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874222245.00007FF7494F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7494F0000, based on PE: true

Associated: 00000000.00000002.1874206613.00007FF7494F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874303894.00007FF74951D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874349952.00007FF74952F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874364407.00007FF749533000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7494f0000_mluxGOTw1e.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5fb9820941b1dfea3d156d30f323bff62a4207294f672d97d38c313b6049c66
Instruction ID: 72350d3c9c630336b4d9860eb5388993cc4c722a03b974a56e3603d4e5b87f6d
Opcode Fuzzy Hash: c5fb9820941b1dfea3d156d30f323bff62a4207294f672d97d38c313b6049c66
Instruction Fuzzy Hash: CBF08C7750DBC0CA8211CB58B48000EBBB4F7AA780F249558FBC843B19CBB9C160CF11

Function 00007FF7494F8600 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1874222245.00007FF7494F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7494F0000, based on PE: true

Associated: 00000000.00000002.1874206613.00007FF7494F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874303894.00007FF74951D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874349952.00007FF74952F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874364407.00007FF749533000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7494f0000_mluxGOTw1e.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efc2843e255115043e264305a9aa14329f6b28bdf2921512b4c44745ede48273
Instruction ID: 4770bda0e1c7fb628cfe2a3822b33ffacbbc92718066a12748439a1d5a741796
Opcode Fuzzy Hash: efc2843e255115043e264305a9aa14329f6b28bdf2921512b4c44745ede48273
Instruction Fuzzy Hash: 2EF03A36518B84CA8750DF49F88041ABBB8F399790F608519FBCD83B28DB79C5608F44

Analysis Process: notepad.exePID: 6544, Parent PID: 4056COMMON

Execution Graph

Execution Coverage:	14.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	48
Total number of Limit Nodes:	7

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000002DE2F9CB503 Relevance: 4.9, APIs: 3, Instructions: 406
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000002DE2F9CB578
LoadLibraryA.KERNELBASE ref: 000002DE2F9CB67D
VirtualFree.KERNELBASE ref: 000002DE2F9CB90E

Memory Dump Source

Source File: 00000003.00000002.1911703858.000002DE2F9C0000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002DE2F9C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2de2f9c0000_notepad.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFreeLibraryLoad
String ID:
API String ID: 2147011437-0
Opcode ID: fe28ec89fccc7c30a97a41b99cb39f37780980cf65fc522e14c47b80859a8ba4
Instruction ID: 7c4b3e94d28f7f5fed41ce1913a52fed7bd1ead6914b12cae562f1fbe56b5d84
Opcode Fuzzy Hash: fe28ec89fccc7c30a97a41b99cb39f37780980cf65fc522e14c47b80859a8ba4
Instruction Fuzzy Hash: 18D17630614A484BEF68FE6AC49D7AA73D5FB5C304F15052ED88ECB1D6DB20ED468B42

Function 000002DE2F9CA7C3 Relevance: 7.6, APIs: 5, Instructions: 125
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000002DE2F9CA7DD
VirtualProtect.KERNELBASE ref: 000002DE2F9CA835
VirtualProtect.KERNELBASE ref: 000002DE2F9CA85E
VirtualProtect.KERNELBASE ref: 000002DE2F9CA89B
VirtualProtect.KERNELBASE ref: 000002DE2F9CA8BF

Memory Dump Source

Source File: 00000003.00000002.1911703858.000002DE2F9C0000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002DE2F9C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2de2f9c0000_notepad.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 1e619bdf4bf7d8a1f72fe11a15149652bafd81afc1c25810297ea3c6b5571fd2
Instruction ID: de27de525ed4714cd90345e73e9646cfca9ab076d134457dcdd06fb366d434cd
Opcode Fuzzy Hash: 1e619bdf4bf7d8a1f72fe11a15149652bafd81afc1c25810297ea3c6b5571fd2
Instruction Fuzzy Hash: 3031A13170CA094FEF48BA99A85D26A77D9EB98310F05016AEC4FC72C9DF64DD4287C2

Function 000002DE2F9CA6B8 Relevance: 7.6, APIs: 5, Instructions: 115
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000002DE2F9CA6C5
VirtualProtect.KERNELBASE ref: 000002DE2F9CA71D
VirtualProtect.KERNELBASE ref: 000002DE2F9CA746
VirtualProtect.KERNELBASE ref: 000002DE2F9CA783
VirtualProtect.KERNELBASE ref: 000002DE2F9CA7A7

Memory Dump Source

Source File: 00000003.00000002.1911703858.000002DE2F9C0000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002DE2F9C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2de2f9c0000_notepad.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: cb0b48a04ba6d100bcb83f194f8859affeb3638fd54d705697e528f09cea4154
Instruction ID: 3cc1c5fc6fa5e061e8196f6acc9850bdc37ff38097379407abf6dbf0ab7f9504
Opcode Fuzzy Hash: cb0b48a04ba6d100bcb83f194f8859affeb3638fd54d705697e528f09cea4154
Instruction Fuzzy Hash: AD318131708A084BEF58BA59985D35A73D5FB98320F01125ADC4FC72C9EE64DD058782

Function 00007FFAAC610589 Relevance: 6.6, Strings: 5, Instructions: 321
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0DM, xrefs: 00007FFAAC610832
0DM, xrefs: 00007FFAAC6107DB
0DM, xrefs: 00007FFAAC61077C
/C, xrefs: 00007FFAAC610724
/C, xrefs: 00007FFAAC6106CF

Memory Dump Source

Source File: 00000003.00000002.1912863873.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffaac610000_notepad.jbxd

Similarity

API ID:
String ID: 0DM$0DM$0DM$/C$/C
API String ID: 0-4221975977
Opcode ID: 6941b766da309648852b16563b322bd136d25f240bafe98e7a50f1f0de9bae3a
Instruction ID: b56070f4a10b3f29e25bebc0b668096c94ee40aba000a23c07b03a2c99e4da6f
Opcode Fuzzy Hash: 6941b766da309648852b16563b322bd136d25f240bafe98e7a50f1f0de9bae3a
Instruction Fuzzy Hash: F8A13C61A0DA498FEB89EB3CC4156A87FE1FF5A344B0485FAD44ECB1D3DD28A8448781

Function 00007FFAAC610D62 Relevance: 4.0, Strings: 3, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

6zA, xrefs: 00007FFAAC610E3A
x6zA, xrefs: 00007FFAAC610DF2
8eM, xrefs: 00007FFAAC610EED

Memory Dump Source

Source File: 00000003.00000002.1912863873.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffaac610000_notepad.jbxd

Similarity

API ID:
String ID: 8eM$x6zA$6zA
API String ID: 0-1008100713
Opcode ID: 41b5edf30d09a86aab23ddbdb1dfc8582cee3c09fdeb72735be00af70cc71394
Instruction ID: cc9692394ab3b6cd4e46a61cc4c6ba7c39bfbcf9bca80291e626bd0792667685
Opcode Fuzzy Hash: 41b5edf30d09a86aab23ddbdb1dfc8582cee3c09fdeb72735be00af70cc71394
Instruction Fuzzy Hash: 33613661A0DB8A4FF796E73CC4166B57BD1EF86210B0885FBE48DC71A3DD189C468391

Function 000002DE2F9CB2BB Relevance: 3.2, APIs: 2, Instructions: 236
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CLRCreateInstance.MSCOREE ref: 000002DE2F9CB30A
SysAllocString.OLEAUT32 ref: 000002DE2F9CB3FA

Memory Dump Source

Source File: 00000003.00000002.1911703858.000002DE2F9C0000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002DE2F9C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2de2f9c0000_notepad.jbxd

Yara matches

Similarity

API ID: AllocCreateInstanceString
String ID:
API String ID: 218245030-0
Opcode ID: 5cd5b7eee56912e5f7479b10a49db03511dafd728bb5732e75b1c7ea787b1245
Instruction ID: 4d40b31a93db528e54dab9570c0709120a602ae202661cf84a317b09533e86b5
Opcode Fuzzy Hash: 5cd5b7eee56912e5f7479b10a49db03511dafd728bb5732e75b1c7ea787b1245
Instruction Fuzzy Hash: BE814231608A088FDB68EF25C88CBA6B7E5FF99301F01466ED89FC7195DB31E9458B41

Function 000002DE2F9CA6AB Relevance: 1.5, APIs: 1, Instructions: 35
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000002DE2F9CA6C5
VirtualProtect.KERNELBASE ref: 000002DE2F9CA71D
VirtualProtect.KERNELBASE ref: 000002DE2F9CA746
VirtualProtect.KERNELBASE ref: 000002DE2F9CA783
VirtualProtect.KERNELBASE ref: 000002DE2F9CA7A7

Memory Dump Source

Source File: 00000003.00000002.1911703858.000002DE2F9C0000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002DE2F9C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2de2f9c0000_notepad.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 18f38e2fc847854b46ad59a886f9863d7abffa86fceba1a0e453a632ae2104e0
Instruction ID: deba075d2c71cf6a28034e6364cd8385ec3922b467b6c8945bcb83e8568ee9e3
Opcode Fuzzy Hash: 18f38e2fc847854b46ad59a886f9863d7abffa86fceba1a0e453a632ae2104e0
Instruction Fuzzy Hash: 35E0D83160CA0D0FFB58AA9ED85E7B666DCE7993B1F00002FE949C2141E145DC920391

Function 00007FFAAC610A69 Relevance: 1.4, Strings: 1, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HBM, xrefs: 00007FFAAC610AB0

Memory Dump Source

Source File: 00000003.00000002.1912863873.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffaac610000_notepad.jbxd

Similarity

API ID:
String ID: HBM
API String ID: 0-2851614262
Opcode ID: 3cd40a90b9adce568bbfdb7245c3048244fb29f09b1054cf977f73425d76698d
Instruction ID: d7c3e30180e751efe97b0d7454858a7f36c79499053d59271cd1c98f773bfae6
Opcode Fuzzy Hash: 3cd40a90b9adce568bbfdb7245c3048244fb29f09b1054cf977f73425d76698d
Instruction Fuzzy Hash: 9551A465A0CB4A9FEB45EB7CC4116A8BBB1FF8A344B0486F6D44DDB293CD286844C350

Function 00007FFAAC610965 Relevance: 1.4, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6C, xrefs: 00007FFAAC610972

Memory Dump Source

Source File: 00000003.00000002.1912863873.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffaac610000_notepad.jbxd

Similarity

API ID:
String ID: r6C
API String ID: 0-4212513777
Opcode ID: 614da1c2149b08e5b24c15752e179a64fd7e25528eb46f2cb0ca65cc3250f5dd
Instruction ID: f8c9bf9a83474427393cb20cc3e11f7b1bcb124e6596fa2746c2ba7f7f320852
Opcode Fuzzy Hash: 614da1c2149b08e5b24c15752e179a64fd7e25528eb46f2cb0ca65cc3250f5dd
Instruction Fuzzy Hash: 5C317E61B1CA494FE788EB7CD45A778B6C2EF9D311F0445BEA04EC32A3DE289C458341

Function 00007FFAAC610C48 Relevance: .1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1912863873.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffaac610000_notepad.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed14128f18620f79b3a7546fb026a44c3a4bd6bd24b731cc6c5f6ba98fdb234f
Instruction ID: acd77c5f74b41c4b5e723f1fb9bd0f03483e96f6596c01bd6bb18757b6e692d5
Opcode Fuzzy Hash: ed14128f18620f79b3a7546fb026a44c3a4bd6bd24b731cc6c5f6ba98fdb234f
Instruction Fuzzy Hash: 77215152B1890A8BFB84B7BC945A7BC62D2EF99711F50817AE50EC3293DD2CAC418391

Function 00007FFAAC6108FA Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1912863873.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffaac610000_notepad.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e1f570f4c4ace13b69c4a9b7c01c7722c39ad1e5c41285221ffb678eedebc61
Instruction ID: 31190430fef5f222406da1f26ee37037c97e57c94a12d610df27e3864fe051db
Opcode Fuzzy Hash: 2e1f570f4c4ace13b69c4a9b7c01c7722c39ad1e5c41285221ffb678eedebc61
Instruction Fuzzy Hash: 0D01D14244E7C61FF39343B948695A32FE9CD8706030A41EBE0C9CB1A3D80D4C0BC3A2

Function 00007FFAAC6100D0 Relevance: .0, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1912863873.00007FFAAC610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffaac610000_notepad.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 528e002ce6fb7eeb2b390b404f29b6396df1b2c06b654fd9185798d47a298eba
Instruction ID: dab6bb73df562b3939fd0e7eb824451a818f1b46c1557f65ab6545f202b438e8
Opcode Fuzzy Hash: 528e002ce6fb7eeb2b390b404f29b6396df1b2c06b654fd9185798d47a298eba
Instruction Fuzzy Hash: D9E07D679098091EF5A8D11E08BD8B34F8DEBC9291720313AF05FC32A7DC081C0741D0

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report mluxGOTw1e.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\notepad.exe.log

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

UDP Packets

Statistics

CPU Usage

Windows Analysis Report
mluxGOTw1e.exe

Function 00007FF7494F3D00 Relevance: 14.9, APIs: 4, Strings: 4, Instructions: 926
processthreadCOMMON

Function 00007FF7494F2710 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 520
COMMON

Function 00007FF749519C53 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 324
COMMON

Function 00007FF7494F3510 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 235
COMMON

Function 00007FF74950D1B0 Relevance: 10.0, Strings: 7, Instructions: 1277
COMMON

Function 000002DE2F9CB503 Relevance: 4.9, APIs: 3, Instructions: 406
memorylibraryCOMMON

Function 000002DE2F9CA7C3 Relevance: 7.6, APIs: 5, Instructions: 125
memorylibraryCOMMON

Function 000002DE2F9CA6B8 Relevance: 7.6, APIs: 5, Instructions: 115
memorylibraryCOMMON

Function 00007FFAAC610589 Relevance: 6.6, Strings: 5, Instructions: 321
COMMON

Function 00007FFAAC610D62 Relevance: 4.0, Strings: 3, Instructions: 227
COMMON

Function 000002DE2F9CB2BB Relevance: 3.2, APIs: 2, Instructions: 236
memoryCOMMON

Function 000002DE2F9CA6AB Relevance: 1.5, APIs: 1, Instructions: 35
memorylibraryCOMMON

Function 00007FFAAC610A69 Relevance: 1.4, Strings: 1, Instructions: 162
COMMON

Function 00007FFAAC610965 Relevance: 1.4, Strings: 1, Instructions: 111
COMMON