Edit tour

Windows Analysis Report
axltools.exe

Overview

General Information

Sample name:	axltools.exe
Analysis ID:	1560302
MD5:	f772bf8fb484871daef9d398619596e0
SHA1:	2bc0d339292693a0d3eca3904506f280d9219fd3
SHA256:	4fe92407730542c2e0520d0bd5fb7cef3accc761356af7a23703a5f7f78fb29e
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Drops PE files

Found dropped PE file which has not been started or loaded

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Process Tree

System is w10x64

axltools.exe (PID: 7260 cmdline: "C:\Users\user\Desktop\axltools.exe" MD5: F772BF8FB484871DAEF9D398619596E0)

conhost.exe (PID: 7268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: axltools.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:	Binary string: C:\cygwin\home\gecko\build-20130313T112414-ysnczhlqvy\Net-SSLeay\blib\arch\auto\Net\SSLeay\SSLeay.pdb source: axltools.exe, 00000000.00000003.1731053745.0000000006F0B000.00000004.00000020.00020000.00000000.sdmp, SSLeay.dll.0.dr
Source:	Binary string: re\re.pdb source: axltools.exe, 00000000.00000003.1729821079.0000000006931000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\cygwin\home\gecko\build-20130313T112414-ysnczhlqvy\perl\lib\auto\re\re.pdb source: re.dll.0.dr
Source:	Binary string: at.pdb source: axltools.exe, 00000000.00000003.1732692258.0000000006586000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1734508182.0000000006587000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1732299586.000000000657C000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1735649813.0000000006589000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1732589093.000000000657C000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1731722116.000000000657B000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1727023778.0000000006579000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\cygwin\home\gecko\build-20130313T112414-ysnczhlqvy\perl\lib\auto\PerlIO\encoding\encoding.pdb source: encoding.dll.0.dr
Source:	Binary string: ntl.pdb source: axltools.exe, 00000000.00000003.1735540252.0000000006064000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728057106.000000000604A000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1739024122.000000000606D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\cpanfly-5.16\var\cpan\build\Crypt-DES-2.05-YXMLJC\blib\arch\auto\Crypt\DES\DES.pdb source: DES.dll.0.dr
Source:	Binary string: C:\cygwin\home\gecko\build-20130313T112414-ysnczhlqvy\Data-Dumper\blib\arch\auto\Data\Dumper\Dumper.pdb source: Dumper.dll.0.dr
Source:	Binary string: C:\cygwin\home\gecko\build-20130313T112414-ysnczhlqvy\perl\lib\auto\MIME\Base64\Base64.pdb source: Base64.dll.0.dr
Source:	Binary string: C:\cygwin\home\gecko\build-20130313T112414-ysnczhlqvy\perl\lib\auto\Time\HiRes\HiRes.pdb source: HiRes.dll.0.dr
Source:	Binary string: C:\cygwin\home\gecko\build-20130313T112414-ysnczhlqvy\perl\lib\auto\Socket\Socket.pdb source: Socket.dll.0.dr
Source:	Binary string: C:\cygwin\home\gecko\build-20130313T112414-ysnczhlqvy\perl\lib\auto\IO\IO.pdb source: IO.dll.0.dr
Source:	Binary string: C:\cygwin\home\gecko\build-20130313T112414-ysnczhlqvy\perl\lib\auto\Fcntl\Fcntl.pdb source: Fcntl.dll.0.dr
Source:	Binary string: C:\cygwin\home\gecko\build-20130313T112414-ysnczhlqvy\HTML-Parser\blib\arch\auto\HTML\Parser\Parser.pdb source: Parser.dll.0.dr
Source:	Binary string: C:\cygwin\home\gecko\build-20130313T112414-ysnczhlqvy\Scalar-List-Utils\blib\arch\auto\List\Util\Util.pdb source: Util.dll.0.dr
Source:	Binary string: C:\cpanfly-5.16\var\cpan\build\XML-LibXML-2.0018-Sq01l4\blib\arch\auto\XML\LibXML\LibXML.pdb source: axltools.exe, 00000000.00000003.1706732597.0000000006C96000.00000004.00000020.00020000.00000000.sdmp, LibXML.dll.0.dr
Source:	Binary string: C:\data\buildbot-pdk-slave\pdk-perl-win2003\build\src\PerlApp\src\paperl516.pdb source: axltools.exe
Source:	Binary string: C:\cygwin\home\gecko\build-20130313T112414-ysnczhlqvy\perl\perl516.pdb source: axltools.exe, 00000000.00000003.1701840898.0000000003D43000.00000004.00000020.00020000.00000000.sdmp, perl516.dll.0.dr
Source:	Binary string: C:\cygwin\home\gecko\build-20130313T112414-ysnczhlqvy\XML-Parser\blib\arch\auto\XML\Parser\Expat\Expat.pdb source: Expat.dll.0.dr
Source:	Binary string: ntl.pdbnbits=' source: axltools.exe, 00000000.00000003.1735540252.0000000006064000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728057106.000000000604A000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1739024122.000000000606D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\cygwin\home\gecko\build-20130313T112414-ysnczhlqvy\Encode\blib\arch\auto\Encode\Encode.pdb source: Encode.dll.0.dr
Source:	Binary string: C:\cygwin\home\gecko\build-20130313T112414-ysnczhlqvy\Digest-MD5\blib\arch\auto\Digest\MD5\MD5.pdb source: MD5.dll.0.dr
Source:	Binary string: C:\cygwin\home\gecko\build-20130313T112414-ysnczhlqvy\perl\lib\auto\POSIX\POSIX.pdb source: POSIX.dll.0.dr
Source:	Binary string: C:\cygwin\home\gecko\build-20130313T112414-ysnczhlqvy\perl\lib\auto\Storable\Storable.pdb source: Storable.dll.0.dr

Source: axltools.exe, 00000000.00000003.1735501227.00000000061E4000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1733423746.0000000006195000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1735248154.0000000006198000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1727761175.0000000006195000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1736150564.00000000061E8000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1734430604.0000000006197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://github.com/madsen/HTML-Tree
Source: axltools.exe, 00000000.00000003.1729821079.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1731974437.00000000069B6000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1730575731.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1729033614.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1726693116.00000000069B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nils.toedtmann.net/pub/subjectAltName.txt
Source: axltools.exe, 00000000.00000003.1706732597.0000000006B94000.00000004.00000020.00020000.00000000.sdmp, LibXML.dll.0.dr	String found in binary or memory: http://relaxng.org/ns/structure/1.0
Source: axltools.exe, 00000000.00000003.1729821079.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1731974437.00000000069B6000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1730575731.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1729033614.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1726693116.00000000069B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://rt.cpan.org/Ticket/Display.html?id=39550
Source: axltools.exe, 00000000.00000003.1752312875.0000000005E12000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1733984978.000000000660B000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1733592471.00000000066A4000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000002.1756897489.000000000660B000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1726693116.00000000069B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.cisco.com/ast/soap/
Source: axltools.exe, 00000000.00000003.1724946676.0000000005E6F000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1725572559.00000000019FA000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728536452.0000000001A21000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1733018593.000000000610E000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1727578770.00000000060ED000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1742353998.0000000001A3C000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1731540697.000000000610D000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728440924.0000000001A0C000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1725070726.0000000005D91000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728596851.0000000001A34000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1732191963.000000000610D000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1730854023.0000000006109000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1733167452.000000000611D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.cisco.com/ast/soap/action/#RisPort#SelectCmDevice
Source: axltools.exe, 00000000.00000003.1735008504.0000000006616000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1724946676.0000000005E6F000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1725572559.00000000019FA000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728536452.0000000001A21000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1742353998.0000000001A3C000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1732229593.0000000006611000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1726924257.00000000065F3000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728440924.0000000001A0C000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1725070726.0000000005D91000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728596851.0000000001A34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.cisco.com/ast/soap/encodedTypes
Source: axltools.exe, 00000000.00000003.1726693116.00000000069B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: axltools.exe, 00000000.00000003.1726693116.00000000069B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: axltools.exe, 00000000.00000003.1701840898.0000000003BFC000.00000004.00000020.00020000.00000000.sdmp, perl516.dll.0.dr	String found in binary or memory: http://www.ActiveState.com
Source: axltools.exe, 00000000.00000003.1701840898.0000000003BFC000.00000004.00000020.00020000.00000000.sdmp, perl516.dll.0.dr	String found in binary or memory: http://www.ActiveState.com(
Source: axltools.exe, 00000000.00000003.1737388478.0000000006366000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000002.1756564485.000000000636A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apple.com
Source: axltools.exe, 00000000.00000003.1731496712.0000000006ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cisco.com/AXL/API/
Source: axltools.exe, 00000000.00000003.1728596851.0000000001A34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cisco.com/AXL/API/$axl_version
Source: axltools.exe, 00000000.00000003.1725572559.00000000019FA000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728536452.0000000001A21000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1745542145.0000000001A35000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728440924.0000000001A0C000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728596851.0000000001A34000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000002.1755761016.0000000005D90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/devguide/8_6_1/axlmatrix.html
Source: axltools.exe, 00000000.00000003.1729821079.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1731974437.00000000069B6000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1730575731.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1729033614.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1726693116.00000000069B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.modssl.org/docs/2.8/ssl_faq.html#ToC24
Source: axltools.exe, 00000000.00000003.1737224012.0000000006373000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.msftncsi.com/ncsi.txt
Source: axltools.exe, 00000000.00000003.1729821079.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1731974437.00000000069B6000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1730575731.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1729033614.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1726693116.00000000069B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS
Source: axltools.exe, 00000000.00000003.1731053745.0000000006DB8000.00000004.00000020.00020000.00000000.sdmp, SSLeay.dll.0.dr	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: axltools.exe, 00000000.00000003.1731053745.0000000006DB8000.00000004.00000020.00020000.00000000.sdmp, SSLeay.dll.0.dr	String found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: axltools.exe, 00000000.00000003.1735501227.00000000061E4000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1733423746.0000000006195000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1735248154.0000000006198000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1727761175.0000000006195000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1736150564.00000000061E8000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1734430604.0000000006197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.perl.com/
Source: axltools.exe, 00000000.00000003.1701840898.0000000003BFC000.00000004.00000020.00020000.00000000.sdmp, perl516.dll.0.dr	String found in binary or memory: http://www.perl.org/
Source: axltools.exe, 00000000.00000003.1735501227.00000000061E4000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1733423746.0000000006195000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1735248154.0000000006198000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1727761175.0000000006195000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1736150564.00000000061E8000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1734430604.0000000006197000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.suck.com/
Source: axltools.exe, 00000000.00000003.1729821079.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1731974437.00000000069B6000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1730575731.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1729033614.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1726693116.00000000069B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/
Source: axltools.exe, 00000000.00000003.1724946676.0000000005E6F000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1725572559.00000000019FA000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728536452.0000000001A21000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1724946676.0000000005EE9000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1727578770.00000000060ED000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1742353998.0000000001A3C000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728440924.0000000001A0C000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1725070726.0000000005D91000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728596851.0000000001A34000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1731219292.0000000005EE9000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1730854023.0000000006109000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x.x.x.x:8080/ccmpd/login.do
Source: axltools.exe, 00000000.00000003.1725572559.00000000019FA000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728536452.0000000001A21000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1742353998.0000000001A3C000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728440924.0000000001A0C000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1725070726.0000000005D91000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728596851.0000000001A34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://developer.cisco.com/site/axl/documents/axl-developer-guide-v11-5/#115changes
Source: axltools.exe, 00000000.00000003.1724946676.0000000005E6F000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1725572559.00000000019FA000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728536452.0000000001A21000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1742353998.0000000001A3C000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728440924.0000000001A0C000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1725070726.0000000005D91000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728596851.0000000001A34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://developer.cisco.com/web/sxml/forums/-//message_boards/view_message/1173717
Source: axltools.exe, 00000000.00000003.1724946676.0000000005E6F000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1725572559.00000000019FA000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728536452.0000000001A21000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1742353998.0000000001A3C000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728440924.0000000001A0C000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1725070726.0000000005D91000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728596851.0000000001A34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discdungeon.cdw.com/apps/dbtables/cucm_14.0.1/type_data/typeproduct.txt
Source: axltools.exe, 00000000.00000003.1734508182.0000000006522000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1727023778.0000000006521000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rt.cpan.org/Ticket/Display.html?id=58024

Source: axltools.exe, 00000000.00000003.1701840898.0000000003BFC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameperl514.dll6 vs axltools.exe

Source: axltools.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: clean2.winEXE@2/20@0/0

Source: C:\Users\user\Desktop\axltools.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7268:120:WilError_03

Source: C:\Users\user\Desktop\axltools.exe

File created: C:\Users\user\AppData\Local\Temp\pdk-user\

Jump to behavior

Source: axltools.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\axltools.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\axltools.exe "C:\Users\user\Desktop\axltools.exe"
Source: C:\Users\user\Desktop\axltools.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\axltools.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Section loaded: msasn1.dll	Jump to behavior

Source: axltools.exe

Static file information: File size 5468256 > 1048576

Source: axltools.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x527000

Source: axltools.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\cygwin\home\gecko\build-20130313T112414-ysnczhlqvy\Net-SSLeay\blib\arch\auto\Net\SSLeay\SSLeay.pdb source: axltools.exe, 00000000.00000003.1731053745.0000000006F0B000.00000004.00000020.00020000.00000000.sdmp, SSLeay.dll.0.dr
Source:	Binary string: re\re.pdb source: axltools.exe, 00000000.00000003.1729821079.0000000006931000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\cygwin\home\gecko\build-20130313T112414-ysnczhlqvy\perl\lib\auto\re\re.pdb source: re.dll.0.dr
Source:	Binary string: at.pdb source: axltools.exe, 00000000.00000003.1732692258.0000000006586000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1734508182.0000000006587000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1732299586.000000000657C000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1735649813.0000000006589000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1732589093.000000000657C000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1731722116.000000000657B000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1727023778.0000000006579000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\cygwin\home\gecko\build-20130313T112414-ysnczhlqvy\perl\lib\auto\PerlIO\encoding\encoding.pdb source: encoding.dll.0.dr
Source:	Binary string: ntl.pdb source: axltools.exe, 00000000.00000003.1735540252.0000000006064000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728057106.000000000604A000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1739024122.000000000606D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\cpanfly-5.16\var\cpan\build\Crypt-DES-2.05-YXMLJC\blib\arch\auto\Crypt\DES\DES.pdb source: DES.dll.0.dr
Source:	Binary string: C:\cygwin\home\gecko\build-20130313T112414-ysnczhlqvy\Data-Dumper\blib\arch\auto\Data\Dumper\Dumper.pdb source: Dumper.dll.0.dr
Source:	Binary string: C:\cygwin\home\gecko\build-20130313T112414-ysnczhlqvy\perl\lib\auto\MIME\Base64\Base64.pdb source: Base64.dll.0.dr
Source:	Binary string: C:\cygwin\home\gecko\build-20130313T112414-ysnczhlqvy\perl\lib\auto\Time\HiRes\HiRes.pdb source: HiRes.dll.0.dr
Source:	Binary string: C:\cygwin\home\gecko\build-20130313T112414-ysnczhlqvy\perl\lib\auto\Socket\Socket.pdb source: Socket.dll.0.dr
Source:	Binary string: C:\cygwin\home\gecko\build-20130313T112414-ysnczhlqvy\perl\lib\auto\IO\IO.pdb source: IO.dll.0.dr
Source:	Binary string: C:\cygwin\home\gecko\build-20130313T112414-ysnczhlqvy\perl\lib\auto\Fcntl\Fcntl.pdb source: Fcntl.dll.0.dr
Source:	Binary string: C:\cygwin\home\gecko\build-20130313T112414-ysnczhlqvy\HTML-Parser\blib\arch\auto\HTML\Parser\Parser.pdb source: Parser.dll.0.dr
Source:	Binary string: C:\cygwin\home\gecko\build-20130313T112414-ysnczhlqvy\Scalar-List-Utils\blib\arch\auto\List\Util\Util.pdb source: Util.dll.0.dr
Source:	Binary string: C:\cpanfly-5.16\var\cpan\build\XML-LibXML-2.0018-Sq01l4\blib\arch\auto\XML\LibXML\LibXML.pdb source: axltools.exe, 00000000.00000003.1706732597.0000000006C96000.00000004.00000020.00020000.00000000.sdmp, LibXML.dll.0.dr
Source:	Binary string: C:\data\buildbot-pdk-slave\pdk-perl-win2003\build\src\PerlApp\src\paperl516.pdb source: axltools.exe
Source:	Binary string: C:\cygwin\home\gecko\build-20130313T112414-ysnczhlqvy\perl\perl516.pdb source: axltools.exe, 00000000.00000003.1701840898.0000000003D43000.00000004.00000020.00020000.00000000.sdmp, perl516.dll.0.dr
Source:	Binary string: C:\cygwin\home\gecko\build-20130313T112414-ysnczhlqvy\XML-Parser\blib\arch\auto\XML\Parser\Expat\Expat.pdb source: Expat.dll.0.dr
Source:	Binary string: ntl.pdbnbits=' source: axltools.exe, 00000000.00000003.1735540252.0000000006064000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728057106.000000000604A000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1739024122.000000000606D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\cygwin\home\gecko\build-20130313T112414-ysnczhlqvy\Encode\blib\arch\auto\Encode\Encode.pdb source: Encode.dll.0.dr
Source:	Binary string: C:\cygwin\home\gecko\build-20130313T112414-ysnczhlqvy\Digest-MD5\blib\arch\auto\Digest\MD5\MD5.pdb source: MD5.dll.0.dr
Source:	Binary string: C:\cygwin\home\gecko\build-20130313T112414-ysnczhlqvy\perl\lib\auto\POSIX\POSIX.pdb source: POSIX.dll.0.dr
Source:	Binary string: C:\cygwin\home\gecko\build-20130313T112414-ysnczhlqvy\perl\lib\auto\Storable\Storable.pdb source: Storable.dll.0.dr

Source: C:\Users\user\Desktop\axltools.exe	File created: C:\Users\user\AppData\Local\Temp\pdk-user\500883b23a63199dc2829fdbc8348f21\POSIX.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	File created: C:\Users\user\AppData\Local\Temp\pdk-user\06d5b1ac5da862cdbb0b3ac695f3453c\LibXML.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	File created: C:\Users\user\AppData\Local\Temp\pdk-user\53072790dde17440c4012890afb43815\Storable.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	File created: C:\Users\user\AppData\Local\Temp\pdk-user\f16e1f679da123c81245279f1a139748\Parser.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	File created: C:\Users\user\AppData\Local\Temp\pdk-user\596571347931e8153c5521d6812d9e81\HiRes.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	File created: C:\Users\user\AppData\Local\Temp\pdk-user\1abd50a1c2ab4a3ff0345cde2d55afba\Socket.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	File created: C:\Users\user\AppData\Local\Temp\pdk-user\d2bcc46d29a882b1323ba2455a4cf8f1\perl516.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	File created: C:\Users\user\AppData\Local\Temp\pdk-user\f522a0e96a8361deca2c563f29dc9a24\Base64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	File created: C:\Users\user\AppData\Local\Temp\pdk-user\c81ac6c36772666ca1e702e01dde5e9b\SSLeay.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	File created: C:\Users\user\AppData\Local\Temp\pdk-user\ba85e8995e0035a5652e7d02ad624f50\re.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	File created: C:\Users\user\AppData\Local\Temp\pdk-user\acbada12c63ba66ffc285eb2359b75e8\encoding.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	File created: C:\Users\user\AppData\Local\Temp\pdk-user\d39c15784bafcd23e55c5a0271f988ac\MD5.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	File created: C:\Users\user\AppData\Local\Temp\pdk-user\de07dcca160c9bd3b1faa05ac3c78ea8\Dumper.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	File created: C:\Users\user\AppData\Local\Temp\pdk-user\72c787717c09ab77d76b10d4ff014126\Encode.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	File created: C:\Users\user\AppData\Local\Temp\pdk-user\79e6d4a9f909690faec53f6e463896e8\IO.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	File created: C:\Users\user\AppData\Local\Temp\pdk-user\5ffaccc40de6d509ec33dff1fea9026c\Expat.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	File created: C:\Users\user\AppData\Local\Temp\pdk-user\27ea229280968204d59354ee0a6341a7\DES.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	File created: C:\Users\user\AppData\Local\Temp\pdk-user\a9f68920f6ea43580143946a0633ee0a\Util.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	File created: C:\Users\user\AppData\Local\Temp\pdk-user\b3ae4e9cf03fb0d5a98dfc18ef69a34b\Fcntl.dll	Jump to dropped file

Source: C:\Users\user\Desktop\axltools.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\axltools.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pdk-user\500883b23a63199dc2829fdbc8348f21\POSIX.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pdk-user\53072790dde17440c4012890afb43815\Storable.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pdk-user\06d5b1ac5da862cdbb0b3ac695f3453c\LibXML.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pdk-user\f16e1f679da123c81245279f1a139748\Parser.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pdk-user\596571347931e8153c5521d6812d9e81\HiRes.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pdk-user\d2bcc46d29a882b1323ba2455a4cf8f1\perl516.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pdk-user\1abd50a1c2ab4a3ff0345cde2d55afba\Socket.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pdk-user\f522a0e96a8361deca2c563f29dc9a24\Base64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pdk-user\c81ac6c36772666ca1e702e01dde5e9b\SSLeay.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pdk-user\ba85e8995e0035a5652e7d02ad624f50\re.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pdk-user\acbada12c63ba66ffc285eb2359b75e8\encoding.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pdk-user\d39c15784bafcd23e55c5a0271f988ac\MD5.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pdk-user\de07dcca160c9bd3b1faa05ac3c78ea8\Dumper.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pdk-user\72c787717c09ab77d76b10d4ff014126\Encode.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pdk-user\5ffaccc40de6d509ec33dff1fea9026c\Expat.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pdk-user\79e6d4a9f909690faec53f6e463896e8\IO.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pdk-user\27ea229280968204d59354ee0a6341a7\DES.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pdk-user\a9f68920f6ea43580143946a0633ee0a\Util.dll	Jump to dropped file
Source: C:\Users\user\Desktop\axltools.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pdk-user\b3ae4e9cf03fb0d5a98dfc18ef69a34b\Fcntl.dll	Jump to dropped file

Source: axltools.exe, 00000000.00000002.1755522734.0000000001AFE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\axltools.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\axltools.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pdk-user\b3ae4e9cf03fb0d5a98dfc18ef69a34b\Fcntl.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pdk-user\b3ae4e9cf03fb0d5a98dfc18ef69a34b\Fcntl.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pdk-user\53072790dde17440c4012890afb43815\Storable.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pdk-user\53072790dde17440c4012890afb43815\Storable.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pdk-user\f522a0e96a8361deca2c563f29dc9a24\Base64.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pdk-user\f522a0e96a8361deca2c563f29dc9a24\Base64.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pdk-user\f16e1f679da123c81245279f1a139748\Parser.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pdk-user\f16e1f679da123c81245279f1a139748\Parser.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pdk-user\a9f68920f6ea43580143946a0633ee0a\Util.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pdk-user\a9f68920f6ea43580143946a0633ee0a\Util.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pdk-user\5ffaccc40de6d509ec33dff1fea9026c\Expat.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pdk-user\5ffaccc40de6d509ec33dff1fea9026c\Expat.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pdk-user\d39c15784bafcd23e55c5a0271f988ac\MD5.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pdk-user\d39c15784bafcd23e55c5a0271f988ac\MD5.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pdk-user\27ea229280968204d59354ee0a6341a7\DES.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pdk-user\72c787717c09ab77d76b10d4ff014126\Encode.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pdk-user\72c787717c09ab77d76b10d4ff014126\Encode.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pdk-user\de07dcca160c9bd3b1faa05ac3c78ea8\Dumper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pdk-user\de07dcca160c9bd3b1faa05ac3c78ea8\Dumper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pdk-user\79e6d4a9f909690faec53f6e463896e8\IO.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pdk-user\79e6d4a9f909690faec53f6e463896e8\IO.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pdk-user\06d5b1ac5da862cdbb0b3ac695f3453c\LibXML.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pdk-user\06d5b1ac5da862cdbb0b3ac695f3453c\LibXML.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pdk-user\500883b23a63199dc2829fdbc8348f21\POSIX.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pdk-user\500883b23a63199dc2829fdbc8348f21\POSIX.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pdk-user\ba85e8995e0035a5652e7d02ad624f50\re.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pdk-user\ba85e8995e0035a5652e7d02ad624f50\re.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pdk-user\acbada12c63ba66ffc285eb2359b75e8\encoding.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pdk-user\acbada12c63ba66ffc285eb2359b75e8\encoding.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pdk-user\596571347931e8153c5521d6812d9e81\HiRes.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pdk-user\596571347931e8153c5521d6812d9e81\HiRes.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pdk-user\1abd50a1c2ab4a3ff0345cde2d55afba\Socket.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pdk-user\1abd50a1c2ab4a3ff0345cde2d55afba\Socket.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pdk-user\c81ac6c36772666ca1e702e01dde5e9b\SSLeay.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\axltools.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pdk-user\c81ac6c36772666ca1e702e01dde5e9b\SSLeay.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\axltools.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\pdk-user\06d5b1ac5da862cdbb0b3ac695f3453c\LibXML.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\pdk-user\1abd50a1c2ab4a3ff0345cde2d55afba\Socket.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\pdk-user\27ea229280968204d59354ee0a6341a7\DES.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\pdk-user\500883b23a63199dc2829fdbc8348f21\POSIX.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\pdk-user\53072790dde17440c4012890afb43815\Storable.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\pdk-user\596571347931e8153c5521d6812d9e81\HiRes.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\pdk-user\5ffaccc40de6d509ec33dff1fea9026c\Expat.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\pdk-user\72c787717c09ab77d76b10d4ff014126\Encode.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\pdk-user\79e6d4a9f909690faec53f6e463896e8\IO.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\pdk-user\a9f68920f6ea43580143946a0633ee0a\Util.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\pdk-user\acbada12c63ba66ffc285eb2359b75e8\encoding.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\pdk-user\b3ae4e9cf03fb0d5a98dfc18ef69a34b\Fcntl.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\pdk-user\ba85e8995e0035a5652e7d02ad624f50\re.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\pdk-user\c81ac6c36772666ca1e702e01dde5e9b\SSLeay.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\pdk-user\d2bcc46d29a882b1323ba2455a4cf8f1\perl516.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\pdk-user\d39c15784bafcd23e55c5a0271f988ac\MD5.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\pdk-user\de07dcca160c9bd3b1faa05ac3c78ea8\Dumper.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\pdk-user\f16e1f679da123c81245279f1a139748\Parser.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\pdk-user\f522a0e96a8361deca2c563f29dc9a24\Base64.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://x.x.x.x:8080/ccmpd/login.do	0%	Avira URL Cloud	safe
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC24	0%	Avira URL Cloud	safe
https://discdungeon.cdw.com/apps/dbtables/cucm_14.0.1/type_data/typeproduct.txt	0%	Avira URL Cloud	safe
http://www.suck.com/	0%	Avira URL Cloud	safe
http://www.ActiveState.com(	0%	Avira URL Cloud	safe
http://schemas.cisco.com/ast/soap/encodedTypes	0%	Avira URL Cloud	safe
http://nils.toedtmann.net/pub/subjectAltName.txt	0%	Avira URL Cloud	safe
http://schemas.cisco.com/ast/soap/	0%	Avira URL Cloud	safe
https://rt.cpan.org/Ticket/Display.html?id=58024	0%	Avira URL Cloud	safe
http://rt.cpan.org/Ticket/Display.html?id=39550	0%	Avira URL Cloud	safe
http://schemas.cisco.com/ast/soap/action/#RisPort#SelectCmDevice	0%	Avira URL Cloud	safe
http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/	0%	Avira URL Cloud	safe
http://www.perl.com/	0%	Avira URL Cloud	safe
http://www.ActiveState.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://x.x.x.x:8080/ccmpd/login.do	axltools.exe, 00000000.00000003.1724946676.0000000005E6F000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1725572559.00000000019FA000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728536452.0000000001A21000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1724946676.0000000005EE9000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1727578770.00000000060ED000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1742353998.0000000001A3C000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728440924.0000000001A0C000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1725070726.0000000005D91000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728596851.0000000001A34000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1731219292.0000000005EE9000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1730854023.0000000006109000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	axltools.exe, 00000000.00000003.1726693116.00000000069B5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nils.toedtmann.net/pub/subjectAltName.txt	axltools.exe, 00000000.00000003.1729821079.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1731974437.00000000069B6000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1730575731.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1729033614.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1726693116.00000000069B5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.cisco.com/ast/soap/	axltools.exe, 00000000.00000003.1752312875.0000000005E12000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1733984978.000000000660B000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1733592471.00000000066A4000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000002.1756897489.000000000660B000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1726693116.00000000069B5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://developer.cisco.com/web/sxml/forums/-//message_boards/view_message/1173717	axltools.exe, 00000000.00000003.1724946676.0000000005E6F000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1725572559.00000000019FA000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728536452.0000000001A21000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1742353998.0000000001A3C000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728440924.0000000001A0C000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1725070726.0000000005D91000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728596851.0000000001A34000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.cisco.com/AXL/API/$axl_version	axltools.exe, 00000000.00000003.1728596851.0000000001A34000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/	axltools.exe, 00000000.00000003.1726693116.00000000069B5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS	axltools.exe, 00000000.00000003.1729821079.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1731974437.00000000069B6000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1730575731.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1729033614.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1726693116.00000000069B5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.msftncsi.com/ncsi.txt	axltools.exe, 00000000.00000003.1737224012.0000000006373000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.openssl.org/support/faq.html	axltools.exe, 00000000.00000003.1731053745.0000000006DB8000.00000004.00000020.00020000.00000000.sdmp, SSLeay.dll.0.dr	false		high
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC24	axltools.exe, 00000000.00000003.1729821079.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1731974437.00000000069B6000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1730575731.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1729033614.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1726693116.00000000069B5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://developer.cisco.com/site/axl/documents/axl-developer-guide-v11-5/#115changes	axltools.exe, 00000000.00000003.1725572559.00000000019FA000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728536452.0000000001A21000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1742353998.0000000001A3C000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728440924.0000000001A0C000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1725070726.0000000005D91000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728596851.0000000001A34000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.cisco.com/ast/soap/encodedTypes	axltools.exe, 00000000.00000003.1735008504.0000000006616000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1724946676.0000000005E6F000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1725572559.00000000019FA000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728536452.0000000001A21000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1742353998.0000000001A3C000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1732229593.0000000006611000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1726924257.00000000065F3000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728440924.0000000001A0C000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1725070726.0000000005D91000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728596851.0000000001A34000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.openssl.org/support/faq.html....................	axltools.exe, 00000000.00000003.1731053745.0000000006DB8000.00000004.00000020.00020000.00000000.sdmp, SSLeay.dll.0.dr	false		high
http://rt.cpan.org/Ticket/Display.html?id=39550	axltools.exe, 00000000.00000003.1729821079.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1731974437.00000000069B6000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1730575731.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1729033614.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1726693116.00000000069B5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.suck.com/	axltools.exe, 00000000.00000003.1735501227.00000000061E4000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1733423746.0000000006195000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1735248154.0000000006198000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1727761175.0000000006195000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1736150564.00000000061E8000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1734430604.0000000006197000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discdungeon.cdw.com/apps/dbtables/cucm_14.0.1/type_data/typeproduct.txt	axltools.exe, 00000000.00000003.1724946676.0000000005E6F000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1725572559.00000000019FA000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728536452.0000000001A21000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1742353998.0000000001A3C000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728440924.0000000001A0C000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1725070726.0000000005D91000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728596851.0000000001A34000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ActiveState.com(	axltools.exe, 00000000.00000003.1701840898.0000000003BFC000.00000004.00000020.00020000.00000000.sdmp, perl516.dll.0.dr	false	Avira URL Cloud: safe	unknown
https://rt.cpan.org/Ticket/Display.html?id=58024	axltools.exe, 00000000.00000003.1734508182.0000000006522000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1727023778.0000000006521000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/	axltools.exe, 00000000.00000003.1729821079.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1731974437.00000000069B6000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1730575731.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1729033614.00000000069B5000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1726693116.00000000069B5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://github.com/madsen/HTML-Tree	axltools.exe, 00000000.00000003.1735501227.00000000061E4000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1733423746.0000000006195000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1735248154.0000000006198000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1727761175.0000000006195000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1736150564.00000000061E8000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1734430604.0000000006197000.00000004.00000020.00020000.00000000.sdmp	false		high
http://relaxng.org/ns/structure/1.0	axltools.exe, 00000000.00000003.1706732597.0000000006B94000.00000004.00000020.00020000.00000000.sdmp, LibXML.dll.0.dr	false		high
http://schemas.cisco.com/ast/soap/action/#RisPort#SelectCmDevice	axltools.exe, 00000000.00000003.1724946676.0000000005E6F000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1725572559.00000000019FA000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728536452.0000000001A21000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1733018593.000000000610E000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1727578770.00000000060ED000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1742353998.0000000001A3C000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1731540697.000000000610D000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728440924.0000000001A0C000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1725070726.0000000005D91000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728596851.0000000001A34000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1732191963.000000000610D000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1730854023.0000000006109000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1733167452.000000000611D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/devguide/8_6_1/axlmatrix.html	axltools.exe, 00000000.00000003.1725572559.00000000019FA000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728536452.0000000001A21000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1745542145.0000000001A35000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728440924.0000000001A0C000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1728596851.0000000001A34000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000002.1755761016.0000000005D90000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.ActiveState.com	axltools.exe, 00000000.00000003.1701840898.0000000003BFC000.00000004.00000020.00020000.00000000.sdmp, perl516.dll.0.dr	false	Avira URL Cloud: safe	unknown
http://www.cisco.com/AXL/API/	axltools.exe, 00000000.00000003.1731496712.0000000006ACD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.perl.com/	axltools.exe, 00000000.00000003.1735501227.00000000061E4000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1733423746.0000000006195000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1735248154.0000000006198000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1727761175.0000000006195000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1736150564.00000000061E8000.00000004.00000020.00020000.00000000.sdmp, axltools.exe, 00000000.00000003.1734430604.0000000006197000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.perl.org/	axltools.exe, 00000000.00000003.1701840898.0000000003BFC000.00000004.00000020.00020000.00000000.sdmp, perl516.dll.0.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1560302
Start date and time:	2024-11-21 16:39:21 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	axltools.exe
Detection:	CLEAN
Classification:	clean2.winEXE@2/20@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: axltools.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\pdk-user\06d5b1ac5da862cdbb0b3ac695f3453c\LibXML.dll

Download File

Process:	C:\Users\user\Desktop\axltools.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1056877
Entropy (8bit):	6.766320910327209
Encrypted:	false
SSDEEP:	24576:gTmse+6ImfeO4P6NI5+zHolS+96Ds/rBVTwr:oI4P6m5gIM+ZVTC
MD5:	06D5B1AC5DA862CDBB0B3AC695F3453C
SHA1:	1B3A5AFEBC5804B369D75207B78B70A1E0B35434
SHA-256:	20A5B8D2A63D839DF7785E88DCEFE7C20DA5BDB395EF8D782C31BED16238E723
SHA-512:	59C0A1B371BB17797B40355DEA34E25320B0CD7A820541D760EA1E8FD8E1F01631F97641630F1ABB12A18951D70B1BE896AEE7F99B0DE4E37793F8A697AE4B58
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k.e./.../.../.......-...@......@...-....V.+...T...'.../.......)..........+...Rich/...........................PE..L...~.Q...........!.....P...........-.......`...............................0......................................p...j.......d....................................b...............................................`...............................text....B.......P.................. ..`.rdata...i...`...p...`..............@..@.data...$...........................@....reloc...............p..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\pdk-user\1abd50a1c2ab4a3ff0345cde2d55afba\Socket.dll

Download File

Process:	C:\Users\user\Desktop\axltools.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28774
Entropy (8bit):	3.4936360116401497
Encrypted:	false
SSDEEP:	384:O7iAYpaGBbL4mE0DH7n4lgvpYGCT2cfdw7:LAY8GBn4dKlRYH2gw7
MD5:	1ABD50A1C2AB4A3FF0345CDE2D55AFBA
SHA1:	84E2DF0A37B9AC205D6170070C82E964D6A3545C
SHA-256:	3F319A65B89CAB85A3C0DE2823E72241EBD0BE09BB3ED65AB95F4E48BF1AAD5B
SHA-512:	DF4FA57E2CEF4B76B0393090A13DC99922EA212C9E98FC59AEC710ABCA97951412D22FF83E441F08508C5F94BA6C07748BC2D1EFBE25317FFE28B400ED5108CF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........=..S...S...S.n.....S...R...S.R.Y...S.R.W...S.Rich..S.........PE..L.....@Q...........!..... ...@.......!.......0...............................p.......................................M..`....H..P............................`..P....0...............................................0...............................text...Z........ .................. ..`.rdata..`....0... ...0..............@..@.data...$....P.......P..............@....reloc.......`.......`..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\pdk-user\27ea229280968204d59354ee0a6341a7\DES.dll

Download File

Process:	C:\Users\user\Desktop\axltools.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24678
Entropy (8bit):	2.4316353316806962
Encrypted:	false
SSDEEP:	192:V+JFGFNwelVPrE3aGIr5Zz26ZNeUTcwUbOj:0ClVTGUH26ZUUTcLy
MD5:	27EA229280968204D59354EE0A6341A7
SHA1:	3E07D92E78A1F32B2201431AE5913CB19667206C
SHA-256:	58DEF9EC5C73219930667011BE804ACA4F30F8B602BB61526589FA1F8045A822
SHA-512:	FFB3074BD0F293BA270DB9F6F25D9A0CFB42A93D71ACCDF8ED2533BBDA2B49DF494B23D04FBE078F44A38C2B2C1426BD9635753FE3981AFF7A90EF0B5E79EF04
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U....{...{...{..~d...{..~d...{...t..{...{...{...X...{...[...{..Rich.{..................PE..L...~..O...........!.........@......7........ ...............................`......................................p#..e... !..P............................P......` ............................................... ..\............................text............................... ..`.rdata....... ....... ..............@..@.data...<....0... ...0..............@....reloc..(....P.......P..............@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\pdk-user\500883b23a63199dc2829fdbc8348f21\POSIX.dll

Download File

Process:	C:\Users\user\Desktop\axltools.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	53348
Entropy (8bit):	5.372676663259465
Encrypted:	false
SSDEEP:	768:wt6As7VfN9zxYB0fe1UcjQq607tBw0kNNB7ULOlZVKX4zCEc9x:O6AQ9dfejQH8wVNNBXDCt/
MD5:	500883B23A63199DC2829FDBC8348F21
SHA1:	14B053220F089AF4A135423464B6EDF318EB081A
SHA-256:	8310A771224C247FF493A480886F639BE4D9874D37FFBB70E961CE984B248678
SHA-512:	ADF0B73D6B81FCDA31B54174BAFBE6F8731F5EE39B2AE0C66311D81C2503A5E9745603D7ABC0EB4D57D768331B3C45FA0DAB2909F4F77148F3B13FE4BFE869CD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........r................H..................t3....t3....Rich...................PE..L.....@Q...........!.....`...`.......g.......p.........................................................................].......P....................................q...............................................p...............................text....X.......`.................. ..`.rdata..-8...p...@...p..............@..@.data...(...........................@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\pdk-user\53072790dde17440c4012890afb43815\Storable.dll

Download File

Process:	C:\Users\user\Desktop\axltools.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	61546
Entropy (8bit):	5.608881954808601
Encrypted:	false
SSDEEP:	1536:uN7kKgAfG4W9V386dlYkrFL+DXno647r1OXiB3oVKt/Bueko0:lYiL+DXGBYVKTueko0
MD5:	53072790DDE17440C4012890AFB43815
SHA1:	EF7C14A7966897775EFE665C4F35FFAE147C164F
SHA-256:	0824432D6A9D559E8BC9F7594FCF7F5E5EEB90D14C125A21526C88F9B831D2DD
SHA-512:	DCC6BB17626C4EFE3B07B7569BF306579C0A364B54CC79E5A009645131D226F054209062C3F20BC74B14372D6FEC871DAFB3877813AA3E58653D03C98E25DFAC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........J..+...+...+..07...+..p$..+...+...+..L....+..L....+..Rich.+..................PE..L.....@Q...........!.........@......}...................................................................................f.......P...............................P....................................................................................text...@........................... ..`.rdata..6........ ..................@..@.data...$...........................@....reloc..4...........................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\pdk-user\596571347931e8153c5521d6812d9e81\HiRes.dll

Download File

Process:	C:\Users\user\Desktop\axltools.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24681
Entropy (8bit):	3.4456616313408204
Encrypted:	false
SSDEEP:	192:fhaVqRDp0qhHzz/OPsSVTYkxMJNVgMM92/2B+8bgnYyuDur+E/Xj3m:Z6q4qhTzGP/YkxMjUnEnLuDur+ELm
MD5:	596571347931E8153C5521D6812D9E81
SHA1:	45B6E9C8C69A12BBD561ADAF6CE7CC2970D463AC
SHA-256:	A8B2B765E6E3F3C59B2235B2F0FB5038C244D3223D76F93A032E1088A7A0BD4A
SHA-512:	76FC06707A7D782601C6E3D24AE54693D698F9ECCC633F176646BB0A04DA99B735E18DE44397234ECFD9E5798EEB72BBEB34C6C08DFBA09CCF54685EE641D790
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........[..5..5..5.^.;..5...h..5..4...5.".?..5.".1..5.Rich.5.................PE..L.....@Q...........!..... ...0.......&.......0...............................`.......................................;..i....7..P............................P.......0...............................................0...............................text............ .................. ..`.rdata.......0.......0..............@..@.data...4....@.......@..............@....reloc..j....P.......P..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\pdk-user\5ffaccc40de6d509ec33dff1fea9026c\Expat.dll

Download File

Process:	C:\Users\user\Desktop\axltools.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	131195
Entropy (8bit):	6.230094454728875
Encrypted:	false
SSDEEP:	3072:HNltlG+DS3ns6b0F9zkg2GpVoSX8InM4jiPW++0VGavy3ys27CEI73zg+zU2t6XA:PLB318CEI1vUQ
MD5:	5FFACCC40DE6D509EC33DFF1FEA9026C
SHA1:	B58C2E6F939A587A4C563730D235911A33A2A0E8
SHA-256:	D6BD9004D24F665858FF96356EF534B44A695834F62D7E15145BF520C91DF466
SHA-512:	DD60F2E0538E72530D305CEC6DE141C8F4B1436A82374E3FF3B672025760414DF7B72C24ECEB4B400E478E6755AC067DA0E4D2D2AE3A86743C4F96B973B2719B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........G...)...)...).p.'...).0.t...)...(...)...#...)...-...).Rich..).................PE..L.....@Q...........!.........p......................................................................................0...w.......P...............................L...0...................................................0............................text....{.......................... ..`.rdata...9.......@..................@..@.data...T...........................@....reloc........... ..................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\pdk-user\72c787717c09ab77d76b10d4ff014126\Encode.dll

Download File

Process:	C:\Users\user\Desktop\axltools.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32878
Entropy (8bit):	4.094112897396544
Encrypted:	false
SSDEEP:	384:2kp0TgWAueZ4H3xVgp4mbXshqKvZX6IHSp55P0w:2GWAueqBVgp4mbXEqSZXQ5PL
MD5:	72C787717C09AB77D76B10D4FF014126
SHA1:	84CD7D425A34C3ED8AB87B05E0DF858DE8DF5498
SHA-256:	E4DB7E987C670FEE47894CEB5EEA7CDFDB925512763BC9439ACB78913D3DE6AE
SHA-512:	09B2376CF0AA66AB40DE89F818C72878AE02B3BFC1B2BDB20DD195EAFDC0551EAA0032572017E4F44391A7E88FF2A79C67FC729FDFA41D7C28594FE300210E62
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........d.............p.......0.W.............................Rich....................PE..L.....@Q...........!.....0...@......g:.......@.......................................................................P..`....I..P............................p.......A...............................................@...............................text...*+.......0.................. ..`.rdata..`....@... ...@..............@..@.data...$....`.......`..............@....reloc..2....p.......p..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\pdk-user\79e6d4a9f909690faec53f6e463896e8\IO.dll

Download File

Process:	C:\Users\user\Desktop\axltools.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24670
Entropy (8bit):	2.7795278677990036
Encrypted:	false
SSDEEP:	192:fyXK+mw4MFYsYTqtOG5dVle2MkVkpIOoT06Qox:aXKetCtTqtOEjkproT06Qox
MD5:	79E6D4A9F909690FAEC53F6E463896E8
SHA1:	D656321D82F6D7530FDA91CB0EEEBEBDE0396F6C
SHA-256:	D388EE876FE6A6BA425AC9725B0FDA32DE300D038DE65DF784C04C6E5E7F3916
SHA-512:	8BA849CA68A99F522CC5419F823A20A80B4507410C121F5995C02838FCB16DA767AC354F33DC36E3799E1AFCF4C9EF67C61087A1380062305731D401E6EFF7DE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*S..n2.n2.n2..=..l2.n2.^2....i2....h2.Richn2.................PE..L.....@Q...........!..... ...0......u".......0...............................`.......................................8..T....4..P............................P.......0...............................................0...............................text...8........ .................. ..`.rdata.......0.......0..............@..@.data...$....@.......@..............@....reloc..,....P.......P..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\pdk-user\a9f68920f6ea43580143946a0633ee0a\Util.dll

Download File

Process:	C:\Users\user\Desktop\axltools.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24698
Entropy (8bit):	3.8276484830829167
Encrypted:	false
SSDEEP:	384:ZMFqAX3NQEjfTCWZpI1QF0Kjv5onEkj3P0tXEFA7:GqAX3NQEjfTCCvF0Kjv5onEU3PiXr
MD5:	A9F68920F6EA43580143946A0633EE0A
SHA1:	92E58C7F52F17F26E39C7C09B502C54ADFE58DB7
SHA-256:	CCC7C00B6DD16C95B515F7F8552B8E94B8AC44EF6DC134770080AD5005401864
SHA-512:	2532543AB2D3147DBAF9EB4E97590F6F0384450905F42E1A51DE950C090B0840EF327F6F4E871DFC5EE6779E21033DB03BDCB6EF9FD0B13F6414AF8CA17D3136
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*..Kp..Kp..Kp.0W~..Kp.pD-..Kp..Kq..Kp.Lkz..Kp.Lkt..Kp.Rich.Kp.................PE..L.....@Q...........!..... ...0......./.......0...............................`.......................................9..f....4..P............................P.......1...............................................0...............................text............ .................. ..`.rdata.......0.......0..............@..@.data...$....@.......@..............@....reloc.......P.......P..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\pdk-user\acbada12c63ba66ffc285eb2359b75e8\encoding.dll

Download File

Process:	C:\Users\user\Desktop\axltools.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24689
Entropy (8bit):	3.6066724051321697
Encrypted:	false
SSDEEP:	768:BVF83PHPjn2KTzL9M/agNdV4DgQ5BOQU8:BVCPT22qDVJI
MD5:	ACBADA12C63BA66FFC285EB2359B75E8
SHA1:	C0C66EE75626DD22A16556E628EC5878BF18DD3E
SHA-256:	376BED871F1B0EB83EB5A1AB2869EEAB96377B5FD76E8B1A5F90B3E45DE0FBBB
SHA-512:	31BD461C9DA7B8FBF211243437151F49EDEF9CC3737B2C8F74A1CF527ED865D650EC0E302DAC52C6E90666BF43498BD94701B36EA90E2A8A36F9F657F1C45A09
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........J.^.+p..+p..+p.07~..+p.p$-..+p..+q..+p.L.z..+p.L.t..+p.Rich.+p.........................PE..L.....@Q...........!..... ...0......k+.......0...............................`.......................................:..v....3..P............................P......@1...............................................0..@............................text............ .................. ..`.rdata..f....0.......0..............@..@.data........@.......@..............@....reloc.......P.......P..............@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\pdk-user\b3ae4e9cf03fb0d5a98dfc18ef69a34b\Fcntl.dll

Download File

Process:	C:\Users\user\Desktop\axltools.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24676
Entropy (8bit):	2.2560213579003925
Encrypted:	false
SSDEEP:	96:oORHad2677iAqzVGbgHVFk3XJvc5NGY8xvM/hzJ7rMG/1Ji1smnnndnnnb4/t:lW26v3qzVGM14Rm8dxs/rMe1k1/ndngt
MD5:	B3AE4E9CF03FB0D5A98DFC18EF69A34B
SHA1:	290DCA8A6764EA0C99198B5D0F9CD2210E367256
SHA-256:	4C8EBF90BB94E318C92827DC3DD30B087463439B22336410C787C056BD783099
SHA-512:	73CE74DDB9C61245923D606CECA5930C6EB30B2BD98BBA3200DA18E59AC175CF9B1DBEC2F2C78E697EE8BB702526777CA1441E426EAFC1DAD955B2DCB070D539
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........;..U...U...U.n.....U...T...U.R._...U.R.Q...U.Rich..U.........................PE..L.....@Q...........!.........@......g........ ...............................`......................................./..]...l,..P............................P....... ............................................... ...............................text...*........................... ..`.rdata....... ... ... ..............@..@.data...$....@.......@..............@....reloc.......P.......P..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\pdk-user\ba85e8995e0035a5652e7d02ad624f50\re.dll

Download File

Process:	C:\Users\user\Desktop\axltools.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	184414
Entropy (8bit):	6.444951517436326
Encrypted:	false
SSDEEP:	3072:iBQtYsSORAjhFSdEob4Y6rbqH/+fHZEfrVGyCZmPGutua0Mrzn:CQt7KA47rKWfHmTyu5rzn
MD5:	BA85E8995E0035A5652E7D02AD624F50
SHA1:	AF558D763B1E91AB8D9B751CBF13E718BF089922
SHA-256:	C64DBBB35EE3E4B52FA2F5929B923966A0C90B066C4F1ECD055388F72262B489
SHA-512:	F93D8D9365149D0BE03C85188B091A14E6FE2D0CED857AF1685D7A29180205A3D3638E43FF67127E00A352936C174C820EB47445BC505FA514FE54343B4414BA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........g..j...j...j..pv...j..0eT..j...j..Lj...J...j...J...j..Rich.j..................PE..L.....@Q...........!.....@..........S@.......P..........................................................................T.......P....................................S...............................................P...............................text....1.......@.................. ..`.rdata..TM...P...P...P..............@..@.data...$...........................@....reloc..4........ ..................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\pdk-user\c81ac6c36772666ca1e702e01dde5e9b\SSLeay.dll

Download File

Process:	C:\Users\user\Desktop\axltools.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1388662
Entropy (8bit):	6.7521465184614735
Encrypted:	false
SSDEEP:	24576:PY8YId55I6ORMFoTr7a9YB/5SalIind9umoYpqXe2ux+YsWLN:gkHJFGr7T3SoIU9aYpqXe2uwYsWLN
MD5:	C81AC6C36772666CA1E702E01DDE5E9B
SHA1:	8682E9730955CD47D0384C0F5298E2B8206F4EE2
SHA-256:	ECD62EF24D889F7E628C9633C59ED2CCE6C71C766CF49597250056EF9B5D27BE
SHA-512:	F866742BD42FBDC3BC9225E710B5DD4B376B989607BBBDADE19EC72A8D5166FFE44149993E29ACF908BAA43DB9BCD1DE3D9CD973E2F8F4770205614BBE4FF142
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......sZ.57;pf7;pf7;pf.'~f?;pf.4-f;;pf7;qf.;pf..zf.9pf..tf1;pfRich7;pf................PE..L.....@Q...........!.........p...............................................`......................................0...j...Lx...............................`...... ................................................................................text...`........................... ..`.rdata..............................@..@.data...0...........................@....reloc.......`.......0..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\pdk-user\d2bcc46d29a882b1323ba2455a4cf8f1\perl516.dll

Download File

Process:	C:\Users\user\Desktop\axltools.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1339479
Entropy (8bit):	6.695857872292821
Encrypted:	false
SSDEEP:	24576:s/XqZ0F/Vj+oOgoA3FP7u6eRrq3Dpp2dUMXyTXZhgYtc56MDSwaeH8wpZ1FGgmfa:s/6Z0FNOA397O0dEUMCTp1waeH8+Z1pt
MD5:	D2BCC46D29A882B1323BA2455A4CF8F1
SHA1:	E8426304E6F6E6538F7A7188780A0A94286ADF40
SHA-256:	12F680CB9B7436CF70FF81505C86305C86C22D48CB57F1EE46B0EF3FE1F6A1B4
SHA-512:	BB5E3E68D4B1C6FB30D322E7806D7EA97CDC82783E9F774F98DBCC3980C0378FF03A36554A41594589F26313233EE9E4D53F6E6A2A9E73EBFCAE3C0FB79A4A01
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........E...$...$...$..k8...$..++...$...$...%..8...$...;...$.......$.......$../"...$.......$..Rich.$..........................PE..L.....@Q...........!...............................(.........................p.......................................z..i....g..x....@..........................[.. ................................................... ....f..@....................text............................... ..`.rdata..............................@..@.data...0:.......@..................@....rsrc.......@.......@..............@..@.reloc..\c.......p..................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\pdk-user\d39c15784bafcd23e55c5a0271f988ac\MD5.dll

Download File

Process:	C:\Users\user\Desktop\axltools.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24691
Entropy (8bit):	3.089675155556787
Encrypted:	false
SSDEEP:	192:NRnpRQ33RTyC4lhUeVOuWq1UbilffU4woSFUZafsHo:NREHh54lhUeVOuWqUUfPwoUUZa0Ho
MD5:	D39C15784BAFCD23E55C5A0271F988AC
SHA1:	A4242E2376581EA4D6D30A2150A2025FB1556B6B
SHA-256:	E01A2009D156209CB714AB2A8633B2247E261F38EB06E2F6B5070F29BB94A3BF
SHA-512:	B9ECA783ED1C40727256F2C9D93A95130C9F6DAF644F52C9C2B35769993C57D25920F0322528F59759BC689E1C773582C6206AFC8C81F50BFAB595BE7A54C511
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........J..+t..+t..+t.07z..+t.p$)..+t..+u..+t.L.~..+t.L.p..+t.Rich.+t.........................PE..L...C.@Q...........!..... ...0.......&.......0...............................`...................................... 7..g....3..P............................P.......0...............................................0...............................text...Z........ .................. ..`.rdata.......0.......0..............@..@.data...D....@.......@..............@....reloc..R....P.......P..............@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\pdk-user\de07dcca160c9bd3b1faa05ac3c78ea8\Dumper.dll

Download File

Process:	C:\Users\user\Desktop\axltools.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28792
Entropy (8bit):	4.338349884877305
Encrypted:	false
SSDEEP:	768:Yfx7tZ8s6OVYqAasMi+aUVTmv3ckeQ2birK/zeldq:I3Zt6OV3LTmv3Q2Dzq
MD5:	DE07DCCA160C9BD3B1FAA05AC3C78EA8
SHA1:	875B8774E2265B881ED7A8C2EA8FA79651EA706A
SHA-256:	E5E7E81A3FE894DF574B708D098788C236CCFB67FACD2B31D2F3BC0807A67F08
SHA-512:	AB3F28C37B540C128278CE5DDE7C79F154F05BBC506D687035CCF6DF263970C1DAE49BA8C23D23E9714B608D9711EFDB00C916A9AF364226E816C87D80993092
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........J..+p..+p..+p.07~..+p.p$-..+p..+q..+p.L.z..+p.L.t..+p.Rich.+p.................PE..L...T.@Q...........!.....0...0.......=.......@...............................p......................................PK..l....D..P............................`..D...0A...............................................@..(............................text............0.................. ..`.rdata.......@.......@..............@..@.data...$....P.......P..............@....reloc.......`.......`..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\pdk-user\f16e1f679da123c81245279f1a139748\Parser.dll

Download File

Process:	C:\Users\user\Desktop\axltools.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	41080
Entropy (8bit):	4.801170974003849
Encrypted:	false
SSDEEP:	768:2+ghEEFDAJSozOufLjgU2HmHXaKU/s/s2RjeJeu5fsHVD:tEFDpozPjgU28CqZR6Jnx4D
MD5:	F16E1F679DA123C81245279F1A139748
SHA1:	CBBCDA576257A11E5A5A436141BEF9936367C7EA
SHA-256:	D74C9BCADA895C8BB06A52CC7B5E7D9C4DC5D64257B491A933C004F38107761F
SHA-512:	D92C58233220B6D0362CC783C8E2091B132AC7851E3A6B5267B09359F13EA3566081C0DECB2978B7E3312D5B9F4CFD4817740010FFDB26115AE75C243D4F4420
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........J...+p..+p..+p.P7~..+p..$-..+p..+q..+p.,.z..+p.,.t..+p.Rich.+p.................PE..L.....@Q...........!.....P...@.......W.......`.......................................................................r..l....j..P...............................t...`a...............................................`..X............................text...ZH.......P.................. ..`.rdata.......`... ...`..............@..@.data...$...........................@....reloc..,...........................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\pdk-user\f522a0e96a8361deca2c563f29dc9a24\Base64.dll

Download File

Process:	C:\Users\user\Desktop\axltools.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20587
Entropy (8bit):	2.577460607141574
Encrypted:	false
SSDEEP:	96:pOP1sMYGygTxxEo2BQJAtZ9YIVRWaB3IqHXf1aflNQzfm/l:s2MYGtTcQMYIAqHX9wNQrWl
MD5:	F522A0E96A8361DECA2C563F29DC9A24
SHA1:	71CE4EFE400F01853BE6F6B14684881C6EE9CCA8
SHA-256:	5097D988DB5D6604772146831F3408CD7A4711671CB269F7512FF8A3057048AE
SHA-512:	601F470C2C95F89F6857A3DFF40F1C1B99278DD193AF5A61D4DCBF8094797DBC2C26EED9BAAB169AEC1B6D24B9CFA3FA2920297B90D47EDAA98911D2AE9BE53A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Z..;p..;p..;p.0'~..;p.p4-..;p..;q..;p.L.z..;p.L.t..;p.Rich.;p.........................PE..L.....@Q...........!.........0............... ...............................P.......................................%..l...."..P............................@....... ............................................... ..t............................text............................... ..`.rdata..L.... ....... ..............@..@.data...$....0.......0..............@....reloc..,....@.......@..............@..B........................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\axltools.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1444
Entropy (8bit):	4.603876447931008
Encrypted:	false
SSDEEP:	24:k5/nZcaqciFxZXlIOWlUGXELfOocNSoMF9Wpphy0Bifhy5KwP2rpa2ivBmfSzbLa:k5/e/FPbUUGXuk8FophIZygvr9iZHzbe
MD5:	0006CDF7775409EB5D32F81CAFCFDF57
SHA1:	AAA927DEF503BF07789ED91E0FCF5AAF5CC336B7
SHA-256:	F39B31C94F56DA8A21AB0BA78F0AD291F1EBB2BE426C805EB63277CFFC3D70F5
SHA-512:	9F6C972463CCE55DC2C7257516DB1D69F8D52294250435AFE65E6781833E13FFA5D0C840025C27F013F4B6A6CAA6FE4BEEED6EEFCAA693792C7E803B4D97582D
Malicious:	false
Preview:	2024/11/21 10:40:17 axltools $Revision:$ ..2024/11/21 10:40:17 usage: C:\Users\user\Desktop\axltools.exe <toolname> args .. where toolname is one of the AXL tools.. and args are the arguments for that axltool..Supported AXL tools:..ImportDestroyer..addaar..addacg..addadvpattern..addann..addappdialrule..addappuser..addblf..addcfb..addcmgroup..addcommondeviceconfig..addcommonphoneprofile..addconfnow..addcss..adddatetimegroup..adddevicemobilitygroup..adddevicemobilityinfo..adddevicepool..adddirectedpark..adddn..addelin..addfac..addgeolocation..addhuntlist..addhuntpilot..addivr..addldap..addldapfilter..addlinegroup..addlinetodevice..addlocation..addmoh..addmrg..addmrgl..addmtp..addnode..addownerid..addpark..addpartition..addphonebuttontemplate..addphysicallocation..addpickupgroup..addpresencegroup..addregion..addroutefilter..addroutegroup..addroutelist..addroutepattern..addroutepoint..addserviceprofile..addsipprofile..addsiproutepattern..addsipsecprofile..addsiptrunk..addspeeddial

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.986469904036448
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	axltools.exe
File size:	5'468'256 bytes
MD5:	f772bf8fb484871daef9d398619596e0
SHA1:	2bc0d339292693a0d3eca3904506f280d9219fd3
SHA256:	4fe92407730542c2e0520d0bd5fb7cef3accc761356af7a23703a5f7f78fb29e
SHA512:	d78bdb01b36c3c60eed8ada3acf5bdbe992d470c207141aef83e0188f26c80650525ddf08f194b23fd8803b3e3740b222bd49ea1e2eb6d9ed9b2a6ddb0513e64
SSDEEP:	98304:8IpDv1IM0z3mUJqL8gZylTP5F6x3fyeCMcBI9F6t2had11:Fv70yEBFACMxF6U2L
TLSH:	A146021298A942F6D59DE3B3E0F13E7CE33073F46AC291DB6468127329D21964F897C9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Z.^.4.^.4.^.4...:.Z.4...0.\.4.%.8.R.4.^.5.1.4...i.W.4...>.D.4...2._.4.Rich^.4.........................PE..L......P...........

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x408cca
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x50A0C8EB [Mon Nov 12 10:01:15 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	8933a60a4995b88fd8d4706bd72b1a59

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0040D1D0h
push 00408E02h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 20h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
and dword ptr [ebp-04h], 00000000h
push 00000001h
call dword ptr [0040C1B8h]
pop ecx
or dword ptr [0040F858h], FFFFFFFFh
or dword ptr [0040F85Ch], FFFFFFFFh
call dword ptr [0040C1B4h]
mov ecx, dword ptr [0040F7B4h]
mov dword ptr [eax], ecx
call dword ptr [0040C1B0h]
mov ecx, dword ptr [0040F7B0h]
mov dword ptr [eax], ecx
mov eax, dword ptr [0040C1ACh]
mov eax, dword ptr [eax]
mov dword ptr [0040F854h], eax
call 00007F877C8B5FAEh
cmp dword ptr [0040E290h], 00000000h
jne 00007F877C8B5EEEh
push 00408DFEh
call dword ptr [0040C1A8h]
pop ecx
call 00007F877C8B5F7Fh
push 0040E00Ch
push 0040E008h
call 00007F877C8B5F6Ah
mov eax, dword ptr [0040F7ACh]
mov dword ptr [ebp-28h], eax
lea eax, dword ptr [ebp-28h]
push eax
push dword ptr [0040F7A8h]
lea eax, dword ptr [ebp-20h]
push eax
lea eax, dword ptr [ebp-2Ch]
push eax
lea eax, dword ptr [ebp-1Ch]
push eax
call dword ptr [0040C1A0h]
push 0040E004h
push 0040E000h
call 00007F877C8B5F37h

Rich Headers

Programming Language:

[LNK] VC++ 6.0 SP5 build 8804
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd444	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0x526b88	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc1d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc000	0x1d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa8d0	0xb000	7dc2658e26a62a3b851c08b4a2b65e1a	False	0.5611683238636364	data	6.464182778420549	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xc000	0x1c90	0x2000	b70a7caf63d961a53b2eafcb6017b6cf	False	0.4273681640625	data	4.934379739467498	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xe000	0x1860	0x2000	3a32787423bc430feec39ba8c5955c97	False	0.2110595703125	data	2.6005699579665693	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x10000	0x526b88	0x527000	0df348d16941b48d41b820c6f473c54d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
BFS	0x100f0	0x5264d4	data			0.9212160110473633
RT_VERSION	0x536910	0x272	data			0.44568690095846647
RT_MANIFEST	0x5365c8	0x345	XML 1.0 document, ASCII text	English	United States	0.46953405017921146

Imports

DLL	Import
COMCTL32.dll
KERNEL32.dll	LoadLibraryA, GetVersionExA, GetShortPathNameW, WideCharToMultiByte, FindClose, FindFirstFileA, GetComputerNameA, CloseHandle, GetFileInformationByHandle, CreateFileA, SystemTimeToFileTime, SetFileTime, GetLastError, FindNextFileA, GetModuleHandleA, GetModuleFileNameA, OutputDebugStringA, GetProcAddress, EnterCriticalSection, GetTempPathA, InitializeCriticalSection, SetEnvironmentVariableA, DeleteCriticalSection, LoadLibraryExA, LockResource, LoadResource, FindResourceA, SetLastError, VirtualProtect, VirtualFree, VirtualAlloc, MultiByteToWideChar, ExitThread, FreeLibrary, LeaveCriticalSection
USER32.dll	MessageBoxA
ADVAPI32.dll	GetUserNameA
MSVCRT.dll	_controlfp, free, malloc, strcmp, fprintf, _iob, fclose, strlen, fgets, fopen, sprintf, strcat, strcpy, getenv, wcslen, memcpy, memcmp, strchr, strstr, time, _ftol, localtime, atol, _pctype, _isctype, __mb_cur_max, atoi, fwrite, rand, srand, fread, _errno, strncpy, fflush, fputc, fputs, vsprintf, __p__environ, memset, perror, abort, _setjmp3, toupper, memmove, strrchr, wcscmp, _stat, _strdup, _mkdir, _getpid, _chmod, _strnicmp, _dup2, _fileno, _putenv, _rmdir, _unlink, _stricmp, __dllonexit, _onexit, _exit, _XcptFilter, exit, __p___initenv, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _except_handler3, calloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: axltools.exePID: 7260, Parent PID: 2580

General

Target ID:	0
Start time:	10:40:15
Start date:	21/11/2024
Path:	C:\Users\user\Desktop\axltools.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\axltools.exe"
Imagebase:	0x400000
File size:	5'468'256 bytes
MD5 hash:	F772BF8FB484871DAEF9D398619596E0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7268, Parent PID: 7260

General

Target ID:	1
Start time:	10:40:15
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: axltools.exePID: 7260, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	70.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	8
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408CCA Relevance: 10.6, APIs: 7, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00408CF6
__p__fmode.MSVCRT ref: 00408D0B
__p__commode.MSVCRT ref: 00408D19
_initterm.MSVCRT ref: 00408D5C
__getmainargs.MSVCRT ref: 00408D7F
_initterm.MSVCRT ref: 00408D8F
__p___initenv.MSVCRT ref: 00408D94

Memory Dump Source

Source File: 00000000.00000002.1754682763.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754643758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754713076.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754737702.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754763056.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754786953.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_axltools.jbxd

Similarity

API ID: _initterm$__getmainargs__p___initenv__p__commode__p__fmode__set_app_type
String ID:
API String ID: 4012487245-0
Opcode ID: c5551856ec9ae8727056590178bb98d2b15d41627281114a3a314327c3a73866
Instruction ID: 7a26e5eb9c39c8a785c559e4d27c82f15c99997eb47929ff4fcadba222367b7b
Opcode Fuzzy Hash: c5551856ec9ae8727056590178bb98d2b15d41627281114a3a314327c3a73866
Instruction Fuzzy Hash: CC213B71900204EFCB11AFA5DE8AB997BB8FB09724F10463AF511B66E1CB785444CF69

Non-executed Functions

Function 004071E3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,00401026,?,?,00000104), ref: 004071EF
memcmp.MSVCRT(?,\\?\,00000004,?,00401026,?,?,00000104), ref: 004071FD
strlen.MSVCRT ref: 0040720E
memmove.MSVCRT(?,00000000,00000001,00000000), ref: 00407217

Strings

\\?\, xrefs: 004071F7

Memory Dump Source

Source File: 00000000.00000002.1754682763.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1754643758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754713076.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754737702.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754763056.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754786953.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_axltools.jbxd

Similarity

API ID: FileModuleNamememcmpmemmovestrlen
String ID: \\?\
API String ID: 4240796413-4282027825
Opcode ID: 9910aaaeff88d54432022ac5f39c3a677c6d3a5f927986d0926621b153f4fb30
Instruction ID: a3c9994c89982ac05071b3bc70ff9db6a608bbf5c3c3dd0f09c3fb07b470a9f4
Opcode Fuzzy Hash: 9910aaaeff88d54432022ac5f39c3a677c6d3a5f927986d0926621b153f4fb30
Instruction Fuzzy Hash: D5E02672601210BBD61027996D05FAF776CEFC6B14F00082EFA55F2082C678A52287EE

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report axltools.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\pdk-user\06d5b1ac5da862cdbb0b3ac695f3453c\LibXML.dll

C:\Users\user\AppData\Local\Temp\pdk-user\1abd50a1c2ab4a3ff0345cde2d55afba\Socket.dll

C:\Users\user\AppData\Local\Temp\pdk-user\27ea229280968204d59354ee0a6341a7\DES.dll

C:\Users\user\AppData\Local\Temp\pdk-user\500883b23a63199dc2829fdbc8348f21\POSIX.dll

C:\Users\user\AppData\Local\Temp\pdk-user\53072790dde17440c4012890afb43815\Storable.dll

C:\Users\user\AppData\Local\Temp\pdk-user\596571347931e8153c5521d6812d9e81\HiRes.dll

C:\Users\user\AppData\Local\Temp\pdk-user\5ffaccc40de6d509ec33dff1fea9026c\Expat.dll

C:\Users\user\AppData\Local\Temp\pdk-user\72c787717c09ab77d76b10d4ff014126\Encode.dll

C:\Users\user\AppData\Local\Temp\pdk-user\79e6d4a9f909690faec53f6e463896e8\IO.dll

C:\Users\user\AppData\Local\Temp\pdk-user\a9f68920f6ea43580143946a0633ee0a\Util.dll

C:\Users\user\AppData\Local\Temp\pdk-user\acbada12c63ba66ffc285eb2359b75e8\encoding.dll

C:\Users\user\AppData\Local\Temp\pdk-user\b3ae4e9cf03fb0d5a98dfc18ef69a34b\Fcntl.dll

C:\Users\user\AppData\Local\Temp\pdk-user\ba85e8995e0035a5652e7d02ad624f50\re.dll

C:\Users\user\AppData\Local\Temp\pdk-user\c81ac6c36772666ca1e702e01dde5e9b\SSLeay.dll

C:\Users\user\AppData\Local\Temp\pdk-user\d2bcc46d29a882b1323ba2455a4cf8f1\perl516.dll

C:\Users\user\AppData\Local\Temp\pdk-user\d39c15784bafcd23e55c5a0271f988ac\MD5.dll

C:\Users\user\AppData\Local\Temp\pdk-user\de07dcca160c9bd3b1faa05ac3c78ea8\Dumper.dll

C:\Users\user\AppData\Local\Temp\pdk-user\f16e1f679da123c81245279f1a139748\Parser.dll

C:\Users\user\AppData\Local\Temp\pdk-user\f522a0e96a8361deca2c563f29dc9a24\Base64.dll

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
axltools.exe

Function 00408CCA Relevance: 10.6, APIs: 7, Instructions: 57
COMMON

Function 004071E3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27
stringCOMMON