Windows Analysis Report
Axion.exe

Overview

General Information

Sample name: Axion.exe
Analysis ID: 1589481
MD5: f028b560af9df754fc1814fc63a6d3a0
SHA1: 3b349685e2189aa4373ed477884c2b19ef3c438f
SHA256: 089ef8b915b0ecad53779bb0ee8040856134d5f0ce63cc6a8947cd6c4ff104de
Tags: exe, user-aachum

Detection

SheetRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected SheetRat
AI detected suspicious sample
Drops PE files to the user root directory
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sample file is different than original file name gathered from version info
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: Suspicious Schtasks From Env Var Folder
Too many similar processes found

Classification

  • System is w10x64
  • Axion.exe (PID: 4080 cmdline: "C:\Users\user\Desktop\Axion.exe" MD5: F028B560AF9DF754FC1814FC63A6D3A0)
    • SIHClient.exe (PID: 3620 cmdline: C:\Windows\System32\sihclient.exe /cv sTITtz1dt06w9i2AI61sbg.0.2 MD5: 8BE47315BF30475EEECE8E39599E9273)
    • cmd.exe (PID: 4404 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 6752 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 4160 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Dropbox" /tr "C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 6148 cmdline: SchTaSKs /create /f /sc minute /mo 5 /tn "Dropbox" /tr "C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe" /RL HIGHEST MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 5900 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 5860 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 3440 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 6688 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 6380 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 3452 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 3380 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 6640 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 5660 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 4028 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 6972 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 2520 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 3500 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 2924 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 3620 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 5544 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 6360 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 6672 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 4408 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 3384 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 2652 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 6752 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 2220 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 5596 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 1196 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 4288 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 5364 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 6484 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 1052 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 5404 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 3440 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 1900 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  • xdwdUnreal Engine.exe (PID: 2616 cmdline: "C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe" MD5: 3DDF6F0F81599FDDCD2CD05DB946A93F)
    • cmd.exe (PID: 2792 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 2076 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  • xdwdUnreal Engine.exe (PID: 5052 cmdline: "C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe" MD5: 3DDF6F0F81599FDDCD2CD05DB946A93F)
    • cmd.exe (PID: 2924 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 6696 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  • OpenWith.exe (PID: 5416 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • xdwdUnreal Engine.exe (PID: 2952 cmdline: "C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe" MD5: 3DDF6F0F81599FDDCD2CD05DB946A93F)
    • cmd.exe (PID: 5500 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 3936 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  • OpenWith.exe (PID: 3560 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.4513412827.0000000012A18000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SheetRat | Yara detected SheetRat | Joe Security |
Process Memory Space: Axion.exe PID: 4080 | JoeSecurity_SheetRat | Yara detected SheetRat | Joe Security |
0.2.Axion.exe.12aa2528.0.unpack | JoeSecurity_SheetRat | Yara detected SheetRat | Joe Security |
0.2.Axion.exe.12aa2528.0.raw.unpack | JoeSecurity_SheetRat | Yara detected SheetRat | Joe Security |
0.2.Axion.exe.12a196f0.1.raw.unpack | JoeSecurity_SheetRat | Yara detected SheetRat | Joe Security |

System Summary

Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit, CommandLine: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Axion.exe", ParentImage: C:\Users\user\Desktop\Axion.exe, ParentProcessId: 4080, ParentProcessName: Axion.exe, ProcessCommandLine: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit, ProcessId: 4404, ProcessName: cmd.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: SchTaSKs /create /f /sc minute /mo 5 /tn "Dropbox" /tr "C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe" /RL HIGHEST , CommandLine: SchTaSKs /create /f /sc minute /mo 5 /tn "Dropbox" /tr "C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe" /RL HIGHEST , CommandLine|base64offset|contains: ISi", Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Dropbox" /tr "C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe" /RL HIGHEST & exit, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4160, ParentProcessName: cmd.exe, ProcessCommandLine: SchTaSKs /create /f /sc minute /mo 5 /tn "Dropbox" /tr "C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe" /RL HIGHEST , ProcessId: 6148, ProcessName: schtasks.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-12T15:58:03.469519+0100 | 2058998 | 1 | A Network Trojan was detected | 192.168.2.5 | 49704 | 147.185.221.23 | 6381 | TCP


AV Detection

Source: C:\Users\user\Update | Avira: detection malicious, Label: TR/Crypt.OPACK.Gen
Source: Axion.exe | Virustotal: Detection: 59%
Source: Axion.exe | ReversingLabs: Detection: 57%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Axion.exe | Joe Sandbox ML: detected
Source: Axion.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Malware\Desktop\hack tool\Backdoor\SheetRat\SheetRat\bin\Release\Stub\UserMode.pdb source: Axion.exe, 00000000.00000002.4513412827.0000000012A18000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe | Directory queried: number of queries: 2665
Source: C:\Users\user\Desktop\Axion.exe | Directory queried: number of queries: 1001
Source: C:\Users\user\Desktop\Axion.exe | File opened: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\000003.log
Source: C:\Users\user\Desktop\Axion.exe | File opened: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\NULL
Source: C:\Users\user\Desktop\Axion.exe | File opened: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat
Source: C:\Users\user\Desktop\Axion.exe | File opened: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\NULL
Source: C:\Users\user\Desktop\Axion.exe | File opened: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache
Source: C:\Users\user\Desktop\Axion.exe | File opened: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\NULL

Networking

Source: Network traffic | Suricata IDS: 2058998 - Severity 1 - ET MALWARE Sheet RAT CnC Checkin : 192.168.2.5:49704 -> 147.185.221.23:6381
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 147.185.221.23:6381
Source: Joe Sandbox View | IP Address: 147.185.221.23 147.185.221.23
Source: Joe Sandbox View | ASN Name: SALSGIVERUS SALSGIVERUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: methods-significant.gl.at.ply.gg
Source: SIHClient.exe, 00000004.00000003.2622412674.000001ED66E53000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.2621486198.000001ED66E54000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.2622045754.000001ED66E53000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000002.2644375884.000001ED66E54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft.X
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD41570.4.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: SIHClient.exe, 00000004.00000003.2240379051.000001ED665E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9af680a
Source: Axion.exe, 00000000.00000002.4506937310.0000000002811000.00000004.00000800.00020000.00000000.sdmp, xdwdUnreal Engine.exe, 0000000B.00000002.2599314995.00000000023E1000.00000004.00000800.00020000.00000000.sdmp, xdwdUnreal Engine.exe, 00000010.00000002.2674872158.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, xdwdUnreal Engine.exe, 00000018.00000002.2740656572.0000000002891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Axion.exe, 00000000.00000002.4506937310.0000000002A57000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: GetRawInputDatamemstr_96ee1301-f
Source: schtasks.exe | Process created: 41
Source: C:\Users\user\Desktop\Axion.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\Axion.exe | Code function: 0_2_00007FF848F3F627 NtProtectVirtualMemory, 0_2_00007FF848F3F627
Source: C:\Windows\System32\SIHClient.exe | File created: C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMP70F9.tmp
Source: C:\Windows\System32\SIHClient.exe | File created: C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\TMP7A1D.tmp
            Source: Axion.exe, 00000000.00000002.4513412827.0000000012A18000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCorelDRAW.exe8 vs Axion.exe
            Source: Axion.exe, 00000000.00000002.4513412827.0000000012811000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCorelDRAW.exe8 vs Axion.exe
            Source: Axion.exe, 00000000.00000000.2058937121.000000000040C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameCorelDRAW.exe8 vs Axion.exe
            Source: Axion.exeBinary or memory string: OriginalFilenameCorelDRAW.exe8 vs Axion.exe
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@90/9@1/1
            Source: C:\Users\user\Desktop\Axion.exeFile created: C:\Users\user\UpdateJump to behavior
            Source: C:\Windows\System32\OpenWith.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5416:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4052:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6948:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2076:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6364:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4808:120:WilError_03
            Source: C:\Windows\System32\SIHClient.exe | Mutant created: {376155FF-95A0-46CA-8F57-ACB09EA70153}
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6688:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:892:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3592:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3440:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5044:120:WilError_03
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2436:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3724:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2656:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2300:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5712:120:WilError_03
            Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3560:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6752:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5228:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1968:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3568:120:WilError_03
            Source: C:\Users\user\Desktop\Axion.exe | Mutant created: \Sessions\1\BaseNamedObjects\Sheet_yqdwqhqquwnotn
            Source: Axion.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: Axion.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\Axion.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe | File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\Axion.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\System32\SIHClient.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\System32\SIHClient.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\System32\SIHClient.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: Axion.exe | Virustotal: Detection: 59%
            Source: Axion.exe | ReversingLabs: Detection: 57%
            Source: C:\Users\user\Desktop\Axion.exe | File read: C:\Users\user\Desktop\Axion.exe
            Source: unknown | Process created: C:\Users\user\Desktop\Axion.exe "C:\Users\user\Desktop\Axion.exe"
            Source: C:\Users\user\Desktop\Axion.exe | Process created: C:\Windows\System32\SIHClient.exe C:\Windows\System32\sihclient.exe /cv sTITtz1dt06w9i2AI61sbg.0.2
            Source: C:\Users\user\Desktop\Axion.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: C:\Users\user\Desktop\Axion.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Dropbox" /tr "C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo 5 /tn "Dropbox" /tr "C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe" /RL HIGHEST
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe "C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe"
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe "C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe"
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" & exit
            Source: C:\Users\user\Desktop\Axion.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update"
            Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe "C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe"
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" & exit
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update"
            Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
            Source: C:\Users\user\Desktop\Axion.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: C:\Users\user\Desktop\Axion.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: C:\Users\user\Desktop\Axion.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: C:\Users\user\Desktop\Axion.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: C:\Users\user\Desktop\Axion.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: C:\Users\user\Desktop\Axion.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: C:\Users\user\Desktop\Axion.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: C:\Users\user\Desktop\Axion.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: C:\Users\user\Desktop\Axion.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: C:\Users\user\Desktop\Axion.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Axion.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: C:\Users\user\Desktop\Axion.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: C:\Users\user\Desktop\Axion.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: C:\Users\user\Desktop\Axion.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo 5 /tn "Dropbox" /tr "C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe" /RL HIGHEST
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" & exit
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update"
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" & exit
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update"
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: sxs.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: devenum.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: devobj.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: msdmo.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: netfxperf.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: pdh.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: wtsapi32.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: bitsperf.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: bitsproxy.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: esentprf.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: secur32.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: perfts.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: winsta.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: utildll.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: tdh.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: samcli.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: msdtcuiu.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: atl.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: msdtcprx.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: mtxclu.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: clusapi.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: resutils.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: ktmw32.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: wkscli.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: cscapi.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: msscntrs.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: perfdisk.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: wmiclnt.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: perfnet.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: browcli.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: perfos.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: perfproc.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: sysmain.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: umpdc.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: powrprof.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: rasctrs.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: rasman.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: tapiperf.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: perfctrs.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: usbperf.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: tquery.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: cryptdll.dll
            Source: C:\Users\user\Desktop\Axion.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: mscoree.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: apphelp.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: version.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: wbemcomn.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: amsi.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: userenv.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: profapi.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: sxs.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: devenum.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: winmm.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: ntmarta.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: devobj.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: msasn1.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: msdmo.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: wldp.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: secur32.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: propsys.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: twext.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: cscui.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: appresolver.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: bcp47langs.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: slc.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: sppc.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: workfoldersshell.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: ntshrui.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: windows.fileexplorer.common.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: iertutil.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: srvcli.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: cscapi.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: netutils.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: twinapi.appcore.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: textshaping.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: wtsapi32.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: shacct.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: idstore.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: samlib.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: wlidprov.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: samcli.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: provsvc.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: mscoree.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: version.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe; Section loaded: wbemcomn.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe; Section loaded: amsi.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe; Section loaded: userenv.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe; Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe; Section loaded: sxs.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe; Section loaded: devenum.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe; Section loaded: winmm.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe; Section loaded: ntmarta.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe; Section loaded: devobj.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe; Section loaded: msasn1.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe; Section loaded: msdmo.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe; Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe; Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe; Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe; Section loaded: secur32.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe; Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe; Section loaded: propsys.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe; Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe; Section loaded: edputil.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe; Section loaded: urlmon.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe; Section loaded: iertutil.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe; Section loaded: srvcli.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe; Section loaded: netutils.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe; Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe; Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe; Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe; Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe; Section loaded: actxprxy.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: uxtheme.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: windows.storage.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: wldp.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: twinui.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: wintypes.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: powrprof.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: dwmapi.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: pdh.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: umpdc.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: onecorecommonproxystub.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: actxprxy.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: propsys.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: profapi.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: windows.ui.appdefaults.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: windows.ui.immersive.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: ntmarta.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: uiautomationcore.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: dui70.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: duser.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: dwrite.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: bcp47mrm.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: uianimation.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: d3d11.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: dxgi.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: d3d10warp.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: resourcepolicyclient.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: dxcore.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: dcomp.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: oleacc.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: edputil.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: windows.ui.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: windowmanagementapi.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: textinputframework.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: inputhost.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: twinapi.appcore.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: coremessaging.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: coreuicomponents.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: windows.staterepositoryps.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: windowscodecs.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: thumbcache.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: policymanager.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: msvcp110_win.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: apphelp.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: appresolver.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: bcp47langs.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: slc.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: userenv.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: sppc.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: tiledatarepository.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: staterepository.core.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: windows.staterepository.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: wtsapi32.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: windows.staterepositorycore.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: mrmcorer.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: appxdeploymentclient.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: sxs.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: directmanipulation.dll
            Source: C:\Windows\System32\OpenWith.exe; Section loaded: textshaping.dll
            Source: C:\Users\user\Desktop\Axion.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: Axion.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Axion.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: C:\Users\Malware\Desktop\hack tool\Backdoor\SheetRat\SheetRat\bin\Release\Stub\UserMode.pdb source: Axion.exe, 00000000.00000002.4513412827.0000000012A18000.00000004.00000800.00020000.00000000.sdmp
            Source: Axion.exe; Static PE information: 0xF5FE416F [Wed Oct 13 03:20:15 2100 UTC]
            Source: C:\Users\user\Desktop\Axion.exe; File created: C:\Users\user\Update

            Boot Survival

            Source: C:\Users\user\Desktop\Axion.exe; File created: C:\Users\user\Update
            Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: C:\Users\user\Desktop\Axion.exe; Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSDTC Bridge 3.0.0.0\Linkage
            Source: C:\Users\user\Desktop\Axion.exe; Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET Memory Cache 4.0\Linkage
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe; Registry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Users\user\Desktop\Axion.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Axion.exe; Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Axion.exe; Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
            Source: C:\Windows\System32\SIHClient.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\OpenWith.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\Axion.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
            Source: C:\Users\user\Desktop\Axion.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\Axion.exe -- Memory allocated: 870000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Axion.exe -- Memory allocated: 1A810000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe -- Memory allocated: 740000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe -- Memory allocated: 1A3E0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe -- Memory allocated: 930000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe -- Memory allocated: 1A6D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe -- Memory allocated: C10000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe -- Memory allocated: 1A890000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Axion.exe -- Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe -- Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\Axion.exe -- Window / User API: threadDelayed 764
            Source: C:\Users\user\Desktop\Axion.exe -- Window / User API: threadDelayed 9005
            Source: C:\Users\user\Desktop\Axion.exe -- Dropped PE file which has not been started: C:\Users\user\Update
            Source: C:\Users\user\Desktop\Axion.exe TID: 7056 -- Thread sleep time: -39660499758475511s >= -30000s
            Source: C:\Windows\System32\SIHClient.exe TID: 2412 -- Thread sleep time: -60000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe TID: 576 -- Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe TID: 4140 -- Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe TID: 6120 -- Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\SIHClient.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
            Source: C:\Windows\System32\cmd.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
            Source: C:\Users\user\Desktop\Axion.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
            Source: C:\Users\user\Desktop\Axion.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
            Source: C:\Windows\System32\SIHClient.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
            Source: C:\Windows\System32\cmd.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
            Source: C:\Users\user\Desktop\Axion.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\Axion.exe -- Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe -- Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\Axion.exe -- File opened: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\000003.log
            Source: C:\Users\user\Desktop\Axion.exe -- File opened: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\NULL
            Source: C:\Users\user\Desktop\Axion.exe -- File opened: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat
            Source: C:\Users\user\Desktop\Axion.exe -- File opened: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\NULL
            Source: C:\Users\user\Desktop\Axion.exe -- File opened: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache
            Source: C:\Users\user\Desktop\Axion.exe -- File opened: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\NULL
            Source: Axion.exe, 00000000.00000002.4506937310.0000000002811000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: $Hyper-V Hypervisor Logical Processor
            Source: Axion.exe, 00000000.00000002.4519715285.000000001C686000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V bhrkptkcjqucjet Bus Pipes
            Source: Axion.exe, 00000000.00000002.4505747612.0000000000939000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V bhrkptkcjqucjet Bus Pipes*
            Source: Axion.exe, 00000000.00000002.4519715285.000000001C6BB000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes
            Source: Axion.exe, 00000000.00000002.4516847627.000000001B400000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V bhrkptkcjqucjet Busy+
            Source: Axion.exe, 00000000.00000002.4519715285.000000001C6BB000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: JHyper-V Hypervisor Logical ProcessorKY
            Source: Axion.exe, 00000000.00000002.4519715285.000000001C6BB000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: THyper-V Hypervisor Root Virtual Processor
            Source: Axion.exe, 00000000.00000002.4506937310.0000000002811000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: !Hyper-V Virtual Machine Bus Pipes
            Source: xdwdUnreal Engine.exe, 00000010.00000002.2680933115.000000001B2A0000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: _VMware_
            Source: Axion.exe, 00000000.00000002.4519715285.000000001C6BB000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: sWDHyper-V Hypervisor Root Partition
            Source: Axion.exe, 00000000.00000002.4506937310.0000000002811000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: *Hyper-V Dynamic Memory Integration Service
            Source: SIHClient.exe, 00000004.00000003.2627803521.000001ED66576000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.2627135162.000001ED665C5000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.2241382325.000001ED665C5000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.2240379051.000001ED665C5000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.2242618433.000001ED665C5000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000002.2632557182.000001ED665C5000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000002.2632557182.000001ED66576000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW
            Source: Axion.exe, 00000000.00000002.4521153192.000000001CF46000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: &Hyper-V HypervisorM
            Source: Axion.exe, 00000000.00000002.4517285176.000000001B418000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW %SystemRoot%\system32\mswsock.dll <faultPropagationQuery faultSourceActivityName="*" faultHandlerActivityName="*"/>
            Source: Axion.exe, 00000000.00000002.4506937310.0000000002811000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Hyper-V Hypervisor
            Source: Axion.exe, 00000000.00000002.4506937310.0000000002811000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: !Hyper-V Hypervisor Root Partition
            Source: Axion.exe, 00000000.00000002.4506937310.0000000002811000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: )Hyper-V Hypervisor Root Virtual Processor
            Source: Axion.exe, 00000000.00000002.4506937310.0000000002811000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Hyper-V VM Vid Partition
            Source: Axion.exe, 00000000.00000002.4517285176.000000001B418000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V Dynamic Memory Integration Serviced50a9
            Source: SIHClient.exe, 00000004.00000003.2627135162.000001ED665C5000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.2241382325.000001ED665C5000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.2240379051.000001ED665C5000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000003.2242618433.000001ED665C5000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000004.00000002.2632557182.000001ED665C5000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW_
            Source: Axion.exe, 00000000.00000002.4519715285.000000001C6BB000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: VHyper-V Dynamic Memory Integration Service
            Source: Axion.exe, 00000000.00000002.4519715285.000000001C696000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: X2Hyper-V VM Vid PartitionSingle Address Emulation Intercepts/>
            Source: C:\Users\user\Desktop\Axion.exe -- Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\Axion.exe -- Process token adjusted: Debug
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe -- Process token adjusted: Debug
            Source: C:\Users\user\Desktop\Axion.exe -- Memory allocated: page read and write | page guard
            Source: C:\Windows\System32\cmd.exe -- Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
            Source: C:\Windows\System32\cmd.exe -- Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo 5 /tn "Dropbox" /tr "C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe" /RL HIGHEST
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe -- Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe -- Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" & exit
            Source: C:\Windows\System32\cmd.exe -- Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update"
            Source: Axion.exe, 00000000.00000002.4506937310.0000000002811000.00000004.00000800.00020000.00000000.sdmp, Axion.exe, 00000000.00000002.4506937310.0000000002A57000.00000004.00000800.00020000.00000000.sdmp, Axion.exe, 00000000.00000002.4519715285.000000001C6BB000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Program Manager
            Source: Axion.exe, 00000000.00000002.4506937310.0000000002A57000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: GetProgmanWindow
            Source: Axion.exe, 00000000.00000002.4506937310.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: RefreshStatus<@>Program Manager<@>/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/2wBDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAAyADIDASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9oADAMBAAIRAxEAPwCazkmm27fIQ+coAlGDkAgdDnHrWc6VqQxKwU/2eZcyKBgkA8H5fqev4GqRX2r7PDdX6f1uz8+xTs0ltd/1sjPkSqcqVrOuarSQg9K7Erk06ljElSqbitme2bnis6WEjPFVyM9KjUTKeKKdtopcp1XPQkc+Q26WZZBJ8q7jgjn5s/561ERV+YSiFkaWBlLIxCcnJUkc+2cEetU2WuSgko6HzeIk+ZJv+rlZxUDVadarunrXVEUGWEtIsKWZjmqOuQQQ2qNGoDFsE1oBodqDzFyB6+1ZevlRbRbSfvH+VOM3zXud1GN5KxzZ60U3vRVcx6lj0iRdsbH7IY+V+bcePl6fj1/Cq7GpHaIo22aVjlcB888c/keKgY1w0b8v9fqfN1l7/wDw3fyIpDVSVgKsSGqUxrdMulEqzzEZxxWXcSM3BYkemauzGs6Y1Vz1aEUV80UlFO53Hufw5JHw90nB/hl/9GNXS+IQP+EV1Xgf8eU3/oBoor4R7n0i+E+TbMkkg8jf/jWXdHF1MP8AbP8AOiitFuY9CAk+tXrTlFB5GDx+BooqykU2J3H60UUUFH//2Q==<@>28 %<@>99 %
            Source: C:\Users\user\Desktop\Axion.exe -- Queries volume information: C:\Users\user\Desktop\Axion.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe -- Queries volume information: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe -- Queries volume information: C:\Users\user\Update VolumeInformation
            Source: C:\Windows\System32\OpenWith.exe -- Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
            Source: C:\Windows\System32\OpenWith.exe -- Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
            Source: C:\Windows\System32\OpenWith.exe -- Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Axion.exe -- Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias
            Source: C:\Users\user\Desktop\Axion.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: xdwdUnreal Engine.exe, 00000010.00000002.2680933115.000000001B2A0000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: s Defender\MsMpeng.exe
            Source: xdwdUnreal Engine.exe, 0000000B.00000002.2598063722.0000000000852000.00000004.00000020.00020000.00000000.sdmp, xdwdUnreal Engine.exe, 00000010.00000002.2669044366.00000000009AC000.00000004.00000020.00020000.00000000.sdmp, xdwdUnreal Engine.exe, 00000018.00000002.2738097505.0000000000C99000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\Desktop\Axion.exe -- WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe -- WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

            Stealing of Sensitive Information

            Source: Yara match -- File source: 0.2.Axion.exe.12aa2528.0.unpack, type: UNPACKEDPE
            Source: Yara match -- File source: 0.2.Axion.exe.12aa2528.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match -- File source: 0.2.Axion.exe.12a196f0.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match -- File source: 00000000.00000002.4513412827.0000000012A18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match -- File source: Process Memory Space: Axion.exe PID: 4080, type: MEMORYSTR
            Source: C:\Users\user\Desktop\Axion.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History-journal
            Source: C:\Users\user\Desktop\Axion.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000003.log
            Source: C:\Users\user\Desktop\Axion.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
            Source: C:\Users\user\Desktop\Axion.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000001
            Source: C:\Users\user\Desktop\Axion.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
            Source: C:\Users\user\Desktop\Axion.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\MANIFEST-000001
            Source: C:\Users\user\Desktop\Axion.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\NULL
            Source: C:\Users\user\Desktop\Axion.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png
            Source: C:\Users\user\Desktop\Axion.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\NULL
            Source: C:\Users\user\Desktop\Axion.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\192.png
            Source: C:\Users\user\Desktop\Axion.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Monochrome\NULL
            Source: C:\Users\user\Desktop\Axion.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOCK
            Source: C:\Users\user\Desktop\Axion.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png
            Source: C:\Users\user\Desktop\Axion.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\NULL
            Source: C:\Users\user\Desktop\Axion.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe -- File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\search.json.mozlz4
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe -- File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting
            Source: C:\Users\user\Desktop\Axion.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Maskable\NULL
            Source: C:\Users\user\Desktop\Axion.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\NULL
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe -- File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default
            Source: C:\Users\user\Desktop\Axion.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe -- File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe -- File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\NULL
            Source: C:\Users\user\Desktop\Axion.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache
            Source: C:\Users\user\Desktop\Axion.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\NULL
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe -- File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\webappsstore.sqlite-wal
            Source: C:\Users\user\Desktop\Axion.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache
            Source: C:\Users\user\Desktop\Axion.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe -- File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\NULL
            Source: C:\Users\user\Desktop\Axion.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir
            Source: C:\Users\user\Desktop\Axion.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\NULL
            Source: C:\Users\user\Desktop\Axion.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\MANIFEST-000001Jump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\3c7034d6-bc52-43bb-9a23-5da34ee205e0
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\to-be-removed
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\IconsJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\FaviconsJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dirJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store\LOCKJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Monochrome\NULLJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOGJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\192.pngJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmiedaJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session StorageJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDBJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENTJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dirJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\NULL
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.pngJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\15702f96-fbc1-4934-99bf-a9a7406c1be7\global-entities_names_filterJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\32.pngJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\a83301c6-790b-49f3-adc7-55a855f7fe79
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsStateJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\NULLJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.logJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOCKJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOCKJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibagJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.pngJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\NULLJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\NULLJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCacheJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\MANIFEST-000001Jump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\6490c938-fe3f-48ae-bc5e-e1986298f7c1\NULLJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\temporary\NULL
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorageJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\128.pngJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\ls-archive.sqlite
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjfJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\a5f61848-f128-4a80-965b-a3000feed295\model.tfliteJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\MANIFEST-000001Jump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\NULL
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOGJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db-journalJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\containers.json
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\ShortcutsJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store\LOGJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local StorageJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.dbJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\15702f96-fbc1-4934-99bf-a9a7406c1be7\NULLJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\db\NULL
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOGJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001Jump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons MaskableJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\43bb9a55-74a2-452e-8233-6899a7f737b0
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\NULLJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\NULLJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\InterestGroupsJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\NULLJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\256.pngJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\NULLJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasmJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\events
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426840748.a8c1f564-c2e2-4ef8-a85f-52a56488f193.main.jsonlz4
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Visited LinksJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\minidumps
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\15702f96-fbc1-4934-99bf-a9a7406c1be7\global-entities_namesJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Affiliation Database-journalJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage\QuotaManager-journalJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journalJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\times.json
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Maskable\NULLJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426835643.9a3c31ca-35e4-421e-91e1-5f7b9bd27492.event.jsonlz4
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDBJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage\LOCKJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\NULL
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code CacheJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\NULLJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\events\NULL
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\ae04dde8-69a1-49f8-95f1-d533ed587ff6
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\IconsJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\IconsJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\xulstore.json
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\NetworkJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journalJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir\NULLJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PreferredAppsJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOGJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data\data_3Jump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data\data_2Jump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCacheJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDBJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\shield-preference-experiments.json
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\MANIFEST-000001Jump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data\data_1Jump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\NULL
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data\data_0Jump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension SettingsJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Maskable\NULLJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db-journalJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldbJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension SettingsJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\DefaultJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network\Reporting and NEL-journalJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\indexJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_DataJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\a5f61848-f128-4a80-965b-a3000feed295\model-info.pbJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir\NULLJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DIPS-journalJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\SiteSecurityServiceState.txt
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOGJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\CacheJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426835635.a669692a-f9c9-42c0-a803-7b87d3ff5834.new-profile.jsonlz4
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Trust TokensJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\NULL
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\SharedStorageJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation PlatformJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\6490c938-fe3f-48ae-bc5e-e1986298f7c1Jump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\NetworkJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-wal
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\NULL
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\96.pngJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOGJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426840727.01c0ecdb-8e59-4210-95f1-0fd0406e84ad.event.jsonlz4
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\NULLJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\LOGJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\NULLJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage\QuotaManagerJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\AlternateServices.txt
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426840708.3c7034d6-bc52-43bb-9a23-5da34ee205e0.health.jsonlz4
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_dbJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Google Profile.icoJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\FilesJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\previous.jsonlz4
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\security_state
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\bookmarkbackups\NULL
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\NULL
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\NULL
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\48.png
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\3e445a25-c088-46bb-968a-82532b92e486\NULL
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage\CURRENT
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\default
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426835647.a83301c6-790b-49f3-adc7-55a855f7fe79.main.jsonlz4
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store\LOCK
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\LOCK
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\default\NULL
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Monochrome
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\index
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store\LOG
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\6490c938-fe3f-48ae-bc5e-e1986298f7c1\VERSION.txt
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\CURRENT
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\192.png
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\NULL
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\events
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\NULL
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\.metadata-v2
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Reporting and NEL
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\LOCK
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\15702f96-fbc1-4934-99bf-a9a7406c1be7\global-entities_prefixes_filter
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\NULL
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network\NetworkDataMigrated
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\NULL
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Trust Tokens-journal
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Maskable
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\NULL
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Maskable\NULL
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extension-preferences.json
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\minidumps\NULL
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-wal
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\CURRENT
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\15702f96-fbc1-4934-99bf-a9a7406c1be7
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\compatibility.ini
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\NULL
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\NULL
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\temporary
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\NULL
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.files
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Shortcuts-journal
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_2
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_3
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\7755ad51-2370-4623-9d21-15c89f2143db
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data\NULL
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\state.json
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\192.png
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Monochrome\NULL
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB\LOG
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOCK
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\NULL
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\15702f96-fbc1-4934-99bf-a9a7406c1be7\model_metadata.pb
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\NULL
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_0
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\CURRENT
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\LOG
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB\LOCK
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_0
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB\LOG
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_2
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\CURRENT
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_3
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\58ef9818-5ea1-49a0-b5b0-9338401a7943\model-info.pb
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Maskable
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\NULL
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\NULL
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\the-real-index
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000001
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\58ef9818-5ea1-49a0-b5b0-9338401a7943\NULL
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOCK
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\a5f61848-f128-4a80-965b-a3000feed295\NULL
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage\000003.log
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\NULL
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\NULL
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage\MANIFEST-000001
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db\NULL
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\NULL
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\to-be-removed\NULL
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOCK
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOCK
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB\LOCK
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\tmp
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsSiteData-journal
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network Action Predictor-journal
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\upgrade.jsonlz4-20230927232528
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\15702f96-fbc1-4934-99bf-a9a7406c1be7\global-entities_metadata
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir\the-real-index
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\NULL
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Reporting and NEL-journal
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\NULL
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Favicons-journal
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\MANIFEST-000001
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\CURRENT
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\48.png
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore.jsonlz4
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOCK
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOCK
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\NULL
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCK
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\NULL
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\events\events
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PrivateAggregation
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir\the-real-index
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Monochrome\NULL
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\NULL
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\15702f96-fbc1-4934-99bf-a9a7406c1be7\word_embeddings
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Affiliation Database
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\NULL
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage\LOG
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsSiteData
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\index
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files\NULL
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000003.log
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\NULL
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\48.png
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\NULL
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\6490c938-fe3f-48ae-bc5e-e1986298f7c1\override_list.pb.gz
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\64.png
            Source: C:\Users\user\Desktop\Axion.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Monochrome\NULL
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDBJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\handlers.json
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\000003.logJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\NULLJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\InterestGroups-journalJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PrivateAggregation-journalJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\32.pngJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.pngJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\NULL
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-indexJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldbJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network\Trust Tokens-journalJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426835649.b06d08be-79e8-4bfe-b6aa-988ea3d35cbd.first-shutdown.jsonlz4
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network\Network Persistent StateJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons MonochromeJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\StorageJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOCKJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.pngJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Maskable\NULLJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\db
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-wal
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\NULLJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\webappsstore.sqlite
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\jsJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\trusted_vault.pbJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\NULL
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\15702f96-fbc1-4934-99bf-a9a7406c1be7\model.tfliteJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\6490c938-fe3f-48ae-bc5e-e1986298f7c1\model.tfliteJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOGJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\bookmarkbackups
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension StateJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\NULLJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\NULLJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local StorageJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\LOGJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement TrackerJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\64.pngJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\webappsstore.sqlite-shm
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\031db23f-f53a-4d6b-b429-cd0302ef56d3\model-info.pbJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\32.pngJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\events\NULL
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\6490c938-fe3f-48ae-bc5e-e1986298f7c1\model-info.pbJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons MaskableJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOCKJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOCKJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension CookiesJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\NULLJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.pngJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network\Reporting and NELJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.pngJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network Action PredictorJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journalJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\NULLJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\indexJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.pngJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.pngJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\NULLJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\MANIFEST-000001Jump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENTJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjbJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_storeJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\CURRENTJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\15702f96-fbc1-4934-99bf-a9a7406c1be7\model-info.pbJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\031db23f-f53a-4d6b-b429-cd0302ef56d3Jump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.pngJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\3e445a25-c088-46bb-968a-82532b92e486Jump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\NULL
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_1Jump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\b8f053a5-de16-4a2c-8120-1ab4aadd63e8
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_2Jump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_0Jump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_3Jump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites-journalJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001Jump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_0Jump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_2Jump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_1Jump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_3Jump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\LOGJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000001Jump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings\NULLJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOCKJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\96.pngJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\NULL
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\LOCKJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\NetworkDataMigratedJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOGJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons MonochromeJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\a5f61848-f128-4a80-965b-a3000feed295Jump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-wal
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DIPSJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\64.pngJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_dbJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\db\data.safe.bin
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldoomlJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Monochrome\NULLJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\NULLJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\NULLJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOGJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\NULLJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.logJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons MaskableJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENTJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000003.logJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.pngJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons MaskableJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\LOCKJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\tmp\NULL
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PreferencesJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOGJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\security_state\NULL
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.pngJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension RulesJump to behavior
            Source: C:\Users\user\Desktop\Axion.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download ServiceJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exeDirectory queried: number of queries: 2665
            Source: C:\Users\user\Desktop\Axion.exeDirectory queried: number of queries: 1001

            Remote Access Functionality

Source: Yara match | File source: 0.2.Axion.exe.12aa2528.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Axion.exe.12aa2528.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Axion.exe.12a196f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4513412827.0000000012A18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Axion.exe PID: 4080, type: MEMORYSTR
Mitre Att&ck Matrix (techniques listed per tactic column, in the order the matrix shows them; a number in parentheses is the figure shown beside that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation (241); Scheduled Task/Job (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: Windows Service (2); Scheduled Task/Job (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Windows Service (2); Process Injection (12); Scheduled Task/Job (1); DLL Side-Loading (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Masquerading (131); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (251); Process Injection (12); Timestomp (1); DLL Side-Loading (1); Compile After Delivery; Indicator Removal from Tools; HTML Smuggling
Credential Access: OS Credential Dumping (1); Input Capture (11); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (1); Query Registry (1); Security Software Discovery (241); Process Discovery (2); Virtualization/Sandbox Evasion (251); Application Window Discovery (1); Remote System Discovery (1); File and Directory Discovery (12); System Information Discovery (133)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Input Capture (11); Archive Collected Data (1); Data from Local System (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (1); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
            behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1589481 Sample: Axion.exe Startdate: 12/01/2025 Architecture: WINDOWS Score: 100 54 methods-significant.gl.at.ply.gg 2->54 56 bg.microsoft.map.fastly.net 2->56 60 Suricata IDS alerts for network traffic 2->60 62 Antivirus detection for dropped file 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 6 other signatures 2->66 8 Axion.exe 11 3 2->8         started        13 xdwdUnreal Engine.exe 2->13         started        15 xdwdUnreal Engine.exe 2->15         started        17 3 other processes 2->17 signatures3 process4 dnsIp5 58 methods-significant.gl.at.ply.gg 147.185.221.23, 49704, 49761, 49892 SALSGIVERUS United States 8->58 52 C:\Users\user\Update, PE32 8->52 dropped 70 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->70 72 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 8->72 74 Drops PE files to the user root directory 8->74 19 cmd.exe 1 8->19         started        22 cmd.exe 8->22         started        24 cmd.exe 8->24         started        32 16 other processes 8->32 76 Tries to harvest and steal browser information (history, passwords, etc) 13->76 26 cmd.exe 13->26         started        28 cmd.exe 15->28         started        30 cmd.exe 17->30         started        file6 signatures7 process8 signatures9 68 Uses schtasks.exe or at.exe to add and modify task schedules 19->68 34 conhost.exe 19->34         started        36 schtasks.exe 19->36         started        38 conhost.exe 22->38         started        40 schtasks.exe 22->40         started        42 2 other processes 24->42 44 2 other processes 26->44 46 2 other processes 28->46 48 2 other processes 30->48 50 30 other processes 32->50 process10
Antivirus detection

Source file:
Source | Detection | Scanner | Label
Axion.exe | 60% | Virustotal | -
Axion.exe | 58% | ReversingLabs | ByteCode-MSIL.Trojan.Jalapeno
Axion.exe | 100% | Joe Sandbox ML | -

Dropped files:
Source | Detection | Scanner | Label
C:\Users\user\Update | 100% | Avira | TR/Crypt.OPACK.Gen

Unpacked PE files: No Antivirus matches
Domains: No Antivirus matches

URLs:
Source | Detection | Scanner | Label
http://crl.microsoft.X | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
methods-significant.gl.at.ply.gg | 147.185.221.23 | true | true | - | unknown
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | - | high

URLs from analysis:
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.microsoft.X | SIHClient.exe, 00000004.00000003.2622412674.000001ED66E53000.00000004.00000020.00020000.00000000.sdmp; SIHClient.exe, 00000004.00000003.2621486198.000001ED66E54000.00000004.00000020.00020000.00000000.sdmp; SIHClient.exe, 00000004.00000003.2622045754.000001ED66E53000.00000004.00000020.00020000.00000000.sdmp; SIHClient.exe, 00000004.00000002.2644375884.000001ED66E54000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Axion.exe, 00000000.00000002.4506937310.0000000002811000.00000004.00000800.00020000.00000000.sdmp; xdwdUnreal Engine.exe, 0000000B.00000002.2599314995.00000000023E1000.00000004.00000800.00020000.00000000.sdmp; xdwdUnreal Engine.exe, 00000010.00000002.2674872158.00000000026D1000.00000004.00000800.00020000.00000000.sdmp; xdwdUnreal Engine.exe, 00000018.00000002.2740656572.0000000002891000.00000004.00000800.00020000.00000000.sdmp | false | - | high

Contacted IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
147.185.221.23 | methods-significant.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | true
                  Joe Sandbox version:42.0.0 Malachite
                  Analysis ID:1589481
                  Start date and time:2025-01-12 15:57:13 +01:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 11m 8s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:74
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:Axion.exe
                  Detection:MAL
                  Classification:mal100.troj.spyw.evad.winEXE@90/9@1/1
                  EGA Information:
                  • Successful, ratio: 25%
                  HCA Information:
                  • Successful, ratio: 92%
                  • Number of executed functions: 167
                  • Number of non-executed functions: 6
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Override analysis time to 240s for sample files taking high CPU consumption
                  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, WmiApSrv.exe, svchost.exe
                  • Excluded IPs from analysis (whitelisted): 172.202.163.200, 199.232.210.172, 20.242.39.171, 13.85.23.206, 13.107.246.45, 184.28.90.27
                  • Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                  • Execution Graph export aborted for target xdwdUnreal Engine.exe, PID 2616 because it is empty
                  • Execution Graph export aborted for target xdwdUnreal Engine.exe, PID 2952 because it is empty
                  • Execution Graph export aborted for target xdwdUnreal Engine.exe, PID 5052 because it is empty
• Not all processes were analyzed, report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size getting too big, too many NtCreateKey calls found.
                  • Report size getting too big, too many NtEnumerateKey calls found.
                  • Report size getting too big, too many NtOpenFile calls found.
                  • Report size getting too big, too many NtOpenKey calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryDirectoryFile calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
                  • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
09:58:06 | API Interceptor | 5675752x Sleep call for process: Axion.exe modified
09:58:24 | API Interceptor | 2x Sleep call for process: SIHClient.exe modified
09:58:49 | API Interceptor | 3x Sleep call for process: xdwdUnreal Engine.exe modified
09:59:04 | API Interceptor | 2x Sleep call for process: OpenWith.exe modified
15:58:45 | Task Scheduler | Run new task: Dropbox path: C:\Users\user\AppData\Roaming\xdwdUnreal s>Engine.exe
15:58:46 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe
15:58:55 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe
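The persistence recorded above is the part of this report a responder hunts for across a fleet: a Run value named MicrosoftEdgeAutoLaunch and a scheduled task named Dropbox, both pointing at an unquoted path under AppData\Roaming whose file name ("xdwdUnreal Engine.exe") borrows a product name, plus an extension-less PE32 written to the user profile root as C:\Users\user\Update. The script below is an added example, not Joe Sandbox output and not code from the sample or its author. It turns those observations into reusable checks and matches the report's hashes, C2 host and IP against constructed telemetry. The vendor word list, the directory regexes and all function names are my own assumptions; the scheduled-task entry uses the clean path from the Run values rather than the garbled one in the Task Scheduler line.

```python
"""Persistence/IOC triage built from the Axion.exe report.

Added example, not Joe Sandbox output: the entries at the bottom are
constructed from the report's Task Scheduler/Autostart timeline and
dropped-file list so the heuristics can be exercised offline.
"""
import re

# Indicators copied from the report: sample and dropped-PE SHA-256, C2 host and IP.
REPORT_IOCS = {
    "sha256": {
        "089ef8b915b0ecad53779bb0ee8040856134d5f0ce63cc6a8947cd6c4ff104de",  # Axion.exe
        "aa0215d8d1a733a345ddfb7035e0a29bade54c1e656df8e18e358f5c7cbc68f1",  # C:\Users\user\Update
    },
    "domain": {"methods-significant.gl.at.ply.gg"},
    "ip": {"147.185.221.23"},
}

# Assumed list of vendor/product words that malware likes to put in autostart names.
VENDOR_WORDS = re.compile(r"microsoft|edge|windows|dropbox|onedrive|google|adobe", re.I)
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)           # anything under a profile
PROFILE_ROOT = re.compile(r"^[a-z]:\\users\\[^\\]+\\[^\\]+$", re.I)     # direct child of a profile
VENDOR_DIRS = re.compile(r"^[a-z]:\\(windows|program files( \(x86\))?)\\", re.I)
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".cmd", ".bat", ".vbs", ".js", ".ps1")


def exe_path(command: str) -> str:
    """Executable portion of a Run-value or task command line.
    A quoted path is taken verbatim; an unquoted one is read up to the first '.exe'."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r".*?\.exe", command, re.I)
    return m.group(0) if m else command.split(" ", 1)[0]


def triage_autostart(name: str, command: str) -> list[str]:
    """Reasons an autostart entry (Run value or scheduled task) looks like
    user-mode persistence rather than the work of a vendor installer."""
    reasons = []
    path = exe_path(command)
    if USER_WRITABLE.match(path):
        reasons.append("runs from a user-writable directory")
    if VENDOR_WORDS.search(name) and not VENDOR_DIRS.match(path):
        reasons.append("name borrows a vendor/product name but target is outside vendor install dirs")
    if not command.strip().startswith('"') and " " in path:
        # Unquoted path with spaces: CreateProcess tries C:\...\xdwdUnreal.exe before the
        # full name, so a planted file there would hijack the entry; it is also a tell.
        reasons.append("unquoted command line with spaces in the path")
    if not path.lower().endswith(EXEC_EXT):
        reasons.append("target lacks an executable extension")
    return reasons


def triage_dropped(path: str, file_type: str) -> list[str]:
    """Reasons a dropped file is worth pulling, from its path and libmagic type."""
    reasons = []
    if file_type.startswith("PE32") and not path.lower().endswith(EXEC_EXT):
        reasons.append("PE content without an executable extension")
    if PROFILE_ROOT.match(path):
        reasons.append("written directly to the user profile root")
    return reasons


def match_iocs(events: list[dict]) -> list[dict]:
    """Return telemetry events whose value equals a report indicator.
    Events are dicts with 'type' in {'sha256', 'domain', 'ip'} and 'value'."""
    return [ev for ev in events
            if ev["value"].lower() in REPORT_IOCS.get(ev["type"], set())]


# Constructed telemetry mirroring the report (not taken from a live host).
AUTOSTARTS = [
    ("MicrosoftEdgeAutoLaunch", r"C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe"),    # Run value
    ("Dropbox", r"C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe"),                    # schtasks entry
    ("Acrobat Assistant 8.0", r'"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrotray.exe"'),  # benign control
]
EVENTS = [
    {"type": "domain", "value": "methods-significant.gl.at.ply.gg"},
    {"type": "ip", "value": "147.185.221.23"},
    {"type": "sha256", "value": "AA0215D8D1A733A345DDFB7035E0A29BADE54C1E656DF8E18E358F5C7CBC68F1"},
    {"type": "domain", "value": "bg.microsoft.map.fastly.net"},  # benign CDN seen in the same run
]

if __name__ == "__main__":
    for name, cmd in AUTOSTARTS:
        print(name, "->", triage_autostart(name, cmd) or "no findings")
    print(triage_dropped(r"C:\Users\user\Update",
                         "PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows"))
    print([e["value"] for e in match_iocs(EVENTS)])
```

The checks are deliberately independent of the specific file name, so the same function flags the next sample that registers itself as "MicrosoftEdgeAutoLaunch" from a different AppData path; the exact-match IOC set is the part that should be refreshed per report.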
Context (other samples sharing indicators with this one)

IP 147.185.221.23:
Associated Sample | Detection | Threat Name
_____.exe | malicious | DarkComet
WO.exe | malicious | Metasploit
reddit.exe | malicious | Metasploit
dr2YKJiGH9.exe | malicious | XWorm
jSm8N1jXbk.exe | malicious | S400 RAT
enigma_loader.exe | malicious | XWorm
exe006.exe | malicious | SheetRat
yF21ypxRB7.exe | malicious | XWorm
9GlCWW6bXc.exe | malicious | XWorm
fiPZoO6xvJ.exe | malicious | XWorm

Domain bg.microsoft.map.fastly.net:
Associated Sample / URL | Detection | Threat Name | Resolved IP
eufS6WOuOx.exe | malicious | DCRat | 199.232.214.172
hgTNnG8vjD.exe | malicious | DarkComet | 199.232.210.172
https://pub-ce1f93897bdf44e9b1cd99ad0325c570.r2.dev/index.html | malicious | HTMLPhisher | 199.232.210.172
281388015101323984.js | malicious | Strela Downloader | 199.232.210.172
305861283730376077.js | malicious | Strela Downloader | 199.232.214.172
14444181562539231561.js | malicious | Strela Downloader | 199.232.210.172
733422181158883785.js | malicious | Strela Downloader | 199.232.210.172
2836992752554325080.js | malicious | Strela Downloader | 199.232.210.172
1274320496157183071.js | malicious | Strela Downloader | 199.232.214.172
10323218772870612560.js | malicious | Strela Downloader | 199.232.210.172

ASN SALSGIVERUS (AS12087):
Associated Sample | Detection | Threat Name | IP in ASN
XClient.exe | malicious | XWorm | 147.185.221.25
DkvES47bkt.exe | malicious | Unknown | 147.185.221.24
startup_str_466.bat | malicious | XWorm | 147.185.221.24
Fixer.exe | malicious | RedLine, SheetRat | 147.185.221.24
Fixer.exe | malicious | RedLine | 147.185.221.24
spreadmalware.exe | malicious | XWorm | 147.185.221.24
7fqul5Zr8Y.exe | malicious | Unknown | 147.185.221.24
miori.arm.elf | malicious | Unknown | 147.168.252.34
miori.m68k.elf | malicious | Unknown | 147.184.86.253
loader.exe | malicious | Unknown | 147.185.221.24

JA3 fingerprints: No context
Dropped files: No context
                                      Process:C:\Windows\System32\SIHClient.exe
                                      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 4761 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
                                      Category:dropped
                                      Size (bytes):4761
                                      Entropy (8bit):7.945585251880973
                                      Encrypted:false
                                      SSDEEP:96:6ZUpZsm0HwZ8FLSeXs+aiL9qcZ7KtlAD1GlNHgdkVI5F11AcNmwkVFzGz6ENhZC7:62T0QOLl8vAqcZ7K3AUNAdx5FAx9VEOj
                                      MD5:77B20B5CD41BC6BB475CCA3F91AE6E3C
                                      SHA1:9E98ACE72BD2AB931341427A856EF4CEA6FAF806
                                      SHA-256:5511A9B9F9144ED7BDE4CCB074733B7C564D918D2A8B10D391AFC6BE5B3B1509
                                      SHA-512:3537DA5E7F3ABA3DAFE6A86E9511ABA20B7A3D34F30AEA6CC11FEEF7768BD63C0C85679C49E99C3291BD1B552DED2C6973B6C2F7F6D731BCFACECAB218E72FD4
                                      Malicious:false
                                      Preview:MSCF............,...................O..................YWP .disallowedcert.stl.lJ..B...CK.wTS.....{.&Uz.I."E".HS@. .P.!.....*E. .DQ..... EDA.H. E..""/.s<.s.9.....&#.{~k.VV..7@......b.R....MdT..B.L..%.C......" ....%.4%..%*.B..T.d...S.....pem..$....&.q.`.+...E..C.....$.|.A.!~d.H>w%S$...QC't..;..<..R@....2. .l..?..c..A....Ew...l..K$.. ~...'......Mt^c..s.Y%..}......h......m....h.......~d...,...=ge3.....2%..(...T..!].....!C~.X..MHU.o[.z].Y...&lXG;uW.:...2!..][\/.G..]6#.I...S..#F.X.k.j.....)Nc.].t^.-l.Y...4?.b...rY....A......7.D.H\.R...s.L,.6.*|.....VQ....<.*.......... [Z....].N0LU.X........6..C\....F.....KbZ..^=.@.B..MyH...%.2.>...]..E.....sZ.f..3z.].Y.t.d$.....P...,. .~..mNZ[PL.<....d..+...l.-...b.^....6F..z.&.;D.._..c."...d..... k9....60?&..Y.v.dgu...{.....{..d=..$......@^..qA..*uJ..@W.V..eC..AV.e+21...N.{.]..]..f]..`Z.....]2.....x..f..K...t. ...e.V.U.$PV..@6W\_nsm.n.........A<.......d....@f..Z... >R..k.....8..Y....E>..2o7..........c..K7n....
                                      Process:C:\Windows\System32\SIHClient.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):340
                                      Entropy (8bit):3.2304219303540798
                                      Encrypted:false
                                      SSDEEP:6:kKYsC5+7DNfUN+SkQlPlEGYRMY9z+s3Ql2DUeXJlOW1:pVLkPlE99SCQl2DUeXJlOA
                                      MD5:EA7F28BBBE5F2B55331C65E903A4A7AB
                                      SHA1:6E5324E6628390B4754436AA55FCE7881A402DC2
                                      SHA-256:AB78CD6E139BC0CC564D50C1B586495C07A3435CB9FC8C5DF1F0BEC3EF83A0A8
                                      SHA-512:EEBD8F26A1BE0F508223DC3D293169DCA83F8D63A32E0D5638546952FD2287F901B0E18525A6D57BF2EE41699C80BDD3C34D2A65F7EFA8DF8C550DB2CF0288D1
                                      Malicious:false
                                      Preview:p...... .........m.e..(....................................................... ........~..MG......&.....6.........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".0.6.c.f.c.c.5.4.d.4.7.d.b.1.:.0."...
                                      Process:C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe
                                      File Type:CSV text
                                      Category:dropped
                                      Size (bytes):871
                                      Entropy (8bit):5.364966852602839
                                      Encrypted:false
                                      SSDEEP:24:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclKsXE4Npv:MxHKQwYHKGSI6o6+vxp3/elZHNpv
                                      MD5:4497F313431E058A576389711F1DF381
                                      SHA1:0473CA364EC81B5B9B8C57300CFCA519E9A2C0F1
                                      SHA-256:1303B2AD8DA0AC95B854E06BD1B9B27A0B6D8D36688CDB47BB52EE0685AC6665
                                      SHA-512:19BF64890AFB2587D1CE919DC0F04BC9EC24FD65B464E7D90E9CD0AC7147D0898B5D7E91B3BE73A2A3349DF95362593C8291ACFDA8B0ECCD9D580936679F8454
                                      Malicious:false
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\8af759007c012da690062882e06694f1\System.Management.ni.dll",0..
                                      Process:C:\Users\user\Desktop\Axion.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:modified
                                      Size (bytes):767069696
                                      Entropy (8bit):0.009436520185433655
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:74B2EF3F8C955F9D28ADEED921FBD4AF
                                      SHA1:9D3FFBDB144A52E0582D251FBE28C49276E5764C
                                      SHA-256:AA0215D8D1A733A345DDFB7035E0A29BADE54C1E656DF8E18E358F5C7CBC68F1
                                      SHA-512:1290AA5CAB7BBDE550B9DC68026984682529C8A99684316DC63FBAA0A57F13EB3BCB516B9C8F8EFE8C1F7E4DE213ACCBCDCABE8F63021F50E473AD8065E8D3A6
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...oA............"...0.................. ........@.. ....................................@.................................H...S.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......4...................i............................................W......H3.......W......3.........(....*b.{.....oN...(O....oP...*.(....(q...sR........(....(q...sR........( ...(q...sR........*J.s....}.....(....*...$...*.s.....%...*.(|...*..o....*.(....*.s.... .:.. 0u..o....(....~=...(....&*.s.....*...*..*j(1...(q...~/...(i....-...*V(i....Y...(j....Z...*".(.....*..(....!.?......F.... .... .,. ai.G...!.A.......H...*.r.).p...........r.).p......#I.....A#......A(....X(..
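The dropped file above is 767,069,696 bytes with an 8-bit entropy of 0.0094 and no SSDEEP, while its preview shows an ordinary .NET PE header. Those numbers are what a small PE padded with hundreds of megabytes of zero bytes looks like, a trick used to push a file past antivirus and sandbox upload size limits; the report records the figures but does not say this, so the inference is mine. The following is an added example, not part of the Joe Sandbox report and not the sample's code: it measures entropy and the true payload extent chunk by chunk, so a file of this size is never read into memory at once, and applies a size-versus-entropy rule to the report's own figures. The thresholds, the constructed stand-in file and all names are my assumptions.

```python
"""Spotting a size-inflated (zero-padded) PE.

Added example, not part of the Joe Sandbox report. Thresholds are heuristics
chosen here; the stand-in file built by make_inflated_sample() is constructed
and is not a valid PE.
"""
import io
import math
import random

CHUNK = 1 << 20  # 1 MiB reads, so a multi-hundred-MB file is never fully loaded


def byte_histogram(stream):
    """Per-byte-value counts and total length of a binary stream, read in chunks."""
    counts = [0] * 256
    total = 0
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            break
        total += len(chunk)
        for value in range(256):
            counts[value] += chunk.count(value)
    return counts, total


def shannon_entropy(counts, total):
    """Entropy in bits per byte: 0 for an all-zero file, 8 for uniform random data."""
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def payload_end(stream):
    """Offset just past the last non-zero byte, scanning backwards in chunks."""
    stream.seek(0, io.SEEK_END)
    pos = stream.tell()
    while pos > 0:
        start = max(0, pos - CHUNK)
        stream.seek(start)
        kept = stream.read(pos - start).rstrip(b"\x00")
        if kept:
            return start + len(kept)
        pos = start
    return 0


def looks_inflated(size, entropy, end=None):
    """Heuristic verdict. A genuine PE of tens of MB carries code, strings and
    resources and sits well above 1 bit/byte; near-zero entropy at that size
    means padding. When the payload end is known, a >90% zero tail on a file
    of at least 1 MiB is flagged on its own."""
    flat_and_big = size >= 32 * 1024 * 1024 and entropy < 1.0
    if end is None:
        return flat_and_big
    padded = size >= 1024 * 1024 and (size - end) / size > 0.9
    return flat_and_big or padded


def analyze(stream):
    """Size, entropy, payload extent and verdict for a seekable binary stream."""
    stream.seek(0)
    is_pe = stream.read(2) == b"MZ"
    stream.seek(0)
    counts, size = byte_histogram(stream)
    end = payload_end(stream)
    entropy = shannon_entropy(counts, size)
    return {
        "is_pe": is_pe,
        "size": size,
        "entropy": round(entropy, 4),
        "payload_size": end,
        "zero_padding": size - end,
        "inflated": looks_inflated(size, entropy, end),
    }


def analyze_bytes(data):
    """Convenience wrapper for in-memory data (tests and small files)."""
    return analyze(io.BytesIO(data))


def make_inflated_sample(padding=3 * 1024 * 1024):
    """Constructed stand-in: 'MZ', 4 KiB of deterministic pseudo-random bytes in
    place of a real image, then `padding` zero bytes. Not a valid PE."""
    body = random.Random(1589481).randbytes(4096)  # seeded with the report's analysis ID
    return b"MZ" + body + b"\x00" * padding


if __name__ == "__main__":
    # The size/entropy rule applied to the report's figures for the dropped file
    # and for Axion.exe itself (560,640 bytes, entropy 5.6997).
    print("C:\\Users\\user\\Update inflated?", looks_inflated(767069696, 0.0094))
    print("Axion.exe inflated?", looks_inflated(560640, 5.6997))
    print(analyze_bytes(make_inflated_sample()))
    print(analyze_bytes(make_inflated_sample(padding=0)))
    # To run on a real file: with open(path, "rb") as f: print(analyze(f))
```

When a padded file turns up, `payload_size` tells you how much to keep: truncating the file at that offset yields the real image for hashing, YARA and static analysis, and the SSDEEP that the report could not compute.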
                                      Process:C:\Windows\System32\SIHClient.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):12288
                                      Entropy (8bit):3.1713035659167206
                                      Encrypted:false
                                      SSDEEP:192:FAwgM8bz2PIJmAPwKEPaDzC7b5HWEZCDNwx:Fabz2PIJmAPwKEPYzC7VHWEZCDNwx
                                      MD5:1F5DDD76E9A8F364250CE83666288F5B
                                      SHA1:BDF3C7CA11C7167FD5ADA26B97A3F302170F217C
                                      SHA-256:28E6E6251C99C405B60EC27999B1B21C6FB8F532D1346BC99F7378EBDA569BD6
                                      SHA-512:E897617BD443B673185986238C1F72AC7ECFA6B8541BF961B5D013A7982608AEFE151BADB107C3D581B2522498596FBCED2136F424E18DDC14E53D5778B2AE2B
                                      Malicious:false
                                      Preview:....P...P.......................................P...!...........................D...$.....F.....................eJ......h...e..Zb....... ......................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1............................................................W...............ixl.e..........S.I.H._.t.r.a.c.e._.l.o.g...C.:.\.W.i.n.d.o.w.s.\.L.o.g.s.\.S.I.H.\.S.I.H...2.0.2.5.0.1.1.2...0.9.5.8.2.2...1.5.4...1...e.t.l.......P.P.D...$.....F.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\SIHClient.exe
                                      File Type:Microsoft Cabinet archive data, single, 462 bytes, 1 file, at 0x44 +Utf "environment.xml", flags 0x4, ID 31944, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
                                      Category:dropped
                                      Size (bytes):17126
                                      Entropy (8bit):7.3117215578334935
                                      Encrypted:false
                                      SSDEEP:192:D5X8WyNHDHFzqDHt8AxL5TKG+tJSdqnajapCNjFZYECUqY7oX9qhnJSdqnaja2Sl:qDlsHq4ThPdlmY9CUiqOdlm2W
                                      MD5:1B6460EE0273E97C251F7A67F49ACDB4
                                      SHA1:4A3FDFBB1865C3DAED996BDB5C634AA5164ABBB8
                                      SHA-256:3158032BAC1A6D278CCC2B7D91E2FBC9F01BEABF9C75D500A7F161E69F2C5F4A
                                      SHA-512:3D256D8AC917C6733BAB7CC4537A17D37810EFD690BCA0FA361CF44583476121C9BCCCD9C53994AE05E9F9DFF94FFAD1BB30C0F7AFF6DF68F73411703E3DF88A
                                      Malicious:false
                                      Preview:MSCF............D................|...............A..........d.......................environment.xml.....b...CK..ao.0...J...&.q...-..;+.6+-i.......7.....=....g.P.RQ.#..#...QQ..p.kk..qX..)...T.....zL#<.4......\k..f..,.Q...`..K7.hP..".E.53.V.DW.X).z.=`.COO 8..8.......!$.P!`00....E.m..l .)".J.vC..J..&...5.5(.a..!..MIM...*......z.;......t.<.o..|CR.3>..n.;8dX....:....N.....U.......J.I(vT..3...N....$.._^.A<....&=._(N....m.u.1}.....Ax.b8....q~.i..0.A...*.H........A.0.@....1.0...`.H.e......0....+.....7......0..0V..+.....7....H.......$f.....`..41200..+.....7...1". ...,..gK.........(...._`Oa..;%.010...`.H.e....... K...,.%@.b./.a...Q.:..E.7....V~....0...0..........3....!.G~&.9......0...*.H........0~1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1(0&..U....Microsoft Update Signing CA 2.20...190502214449Z..200502214449Z0o1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1.0...U....Microsoft Update0.."0...*
                                      Process:C:\Windows\System32\SIHClient.exe
                                      File Type:Microsoft Cabinet archive data, single, 7826 bytes, 1 file, at 0x44 +Utf "environment.cab", flags 0x4, ID 53283, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
                                      Category:dropped
                                      Size (bytes):24490
                                      Entropy (8bit):7.629144636744632
                                      Encrypted:false
                                      SSDEEP:384:iarwQcY8StpA7IQ6GCq30XPSIleI7lzCuqvfiSIleIx:iartHA7PCFP66Tqvfi6c
                                      MD5:ACD24F781C0C8F48A0BD86A0E9F2A154
                                      SHA1:93B2F4FBF96D15BE0766181AFACDB9FD9DD1B323
                                      SHA-256:5C0A296B3574D170D69C90B092611646FE8991B8D103D412499DBE7BFDCCCC49
                                      SHA-512:7B1D821CF1210947344FCF0F9C4927B42271669015DEA1C179B2BEAD9025941138C139C22C068CBD7219B853C80FA01A04E26790D8D76A38FB8BEBE20E0A2A4A
                                      Malicious:false
                                      Preview:MSCF............D...............#................A..........d........B..............environment.cab.x.\&..BCK.\.T...N.....;LB.JW.. .w!....$*...U....."........ (.. E..........w...e.Jf.3gN.{...{V.M4.!.....hn. p(... .a...f..f..j.....Kh5..l.DB\}.=.0.>..X.....z..,'..LC/>....h.>.>.........,~mVI.....'EGD]^..\{....Q....f...4.F.....q..FF.1~...Q,.."g.qq.......}.....g%Zz.;m.9..z../2Jl.p8wGO......-V....FM......y*.....Hy.xy......N.r;.@uV........Xa...b].`..F...y.Wd.e.8.[Z.s7].....=B.$...'.|.-.sC....a_(..$..i.C.T.F}...]...m.R,y.1...'..j3.....ir..B..)sR.G.*..`-=.w....m..2y.....*o...\{..C.4.:ZM..wL-$.I.x:?.!.....:..W.%&.....J.%.....~....E..T.d.Q{..p..J..pY...P../.."rp....`...#w.....'.|n%Dy,.....i....."..x.....b._..\_.^.XOo..*:.&a.`..qA.?.@..t.R/...X3.nF.&........1Z.r.S...9x........?..aP..A...f..k:..\....L...t....Q...1..A..33A1.t..)...c....;......$.$..>._....A.!g`..t...b.H.L..&.....!......v~.n...uE.x...."5.h.4..B.R.d.4.%--.`.B..."..[....l......x(..5......@.zr....
                                      Process:C:\Windows\System32\SIHClient.exe
                                      File Type:Microsoft Cabinet archive data, single, 858 bytes, 1 file, at 0x44 +Utf "environment.xml", flags 0x4, ID 12183, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
                                      Category:modified
                                      Size (bytes):19826
                                      Entropy (8bit):7.454351722487538
                                      Encrypted:false
                                      SSDEEP:384:3j+naF6zsHqnltHNsAR9zCfsOCUPTNbZR9zOzD8K:z1F6JLts89zIdrFT9zwoK
                                      MD5:455385A0D5098033A4C17F7B85593E6A
                                      SHA1:E94CC93C84E9A3A99CAD3C2BD01BFD8829A3BCD6
                                      SHA-256:2798430E34DF443265228B6F510FC0CFAC333100194289ED0488D1D62C5367A7
                                      SHA-512:104FA2DAD10520D46EB537786868515683752665757824068383DC4B9C03121B79D9F519D8842878DB02C9630D1DFE2BBC6E4D7B08AFC820E813C250B735621A
                                      Malicious:false
                                      Preview:MSCF....Z.......D................/..........Z....J..........d.......................environment.xml........CK....8.....w..=.9%T`.eu:.jn.E.8......m_.o?...5.K.{.3X3....^.{i..b......{.+.....y:..KW;;\..n.K=.]k..{.=..3......D$.&IQH.$-..8.r.{..HP.........g....^..~......e.f2^..N.`.B..o.t....z..3..[#..{S.m..w....<M...j..6.k.K.....~.SP.mx..;N.5..~\.[.!gP...9r@"82"%.B%..<2.c....vO..hB.Fi....{...;.}..f|..g.7..6..].7B..O..#d..]Ls.k..Le...2.*..&I.Q.,....0.\.-.#..L%.Z.G..K.tU.n...J..TM....4....~...:..2.X..p.d....&.Bj.P(.."..).s.d....W.=n8...n...rr..O._.yu...R..$....[...=H"K<.`.e...d.1.3.gk....M..<R......%1BX.[......X.....q......:...3..w....QN7. .qF..A......Q.p...*G...JtL...8sr.s.eQ.zD.u...s.....tjj.G.....Fo...f`Bb<.]k..e.b..,.....*.1.:-....K.......M..;....(,.W.V(^_.....9.,`|...9...>..R...2|.|5.r....n.y>wwU..5...0.J...*.H........J.0.I....1.0...`.H.e......0....+.....7......0..0V..+.....7....H.......$f.....`..41200..+.....7...1". ...>^..~a..e.D.V.C...
                                      Process:C:\Windows\System32\SIHClient.exe
                                      File Type:Microsoft Cabinet archive data, single, 11149 bytes, 1 file, at 0x44 +Utf "environment.cab", flags 0x4, ID 18779, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
                                      Category:dropped
                                      Size (bytes):30005
                                      Entropy (8bit):7.7369400192915085
                                      Encrypted:false
                                      SSDEEP:768:ouCAyCeQ8fkZdfTGo/its89z8gjP69zA4:Aqf56z8HzT
                                      MD5:4D7FE667BCB647FE9F2DA6FC8B95BDAE
                                      SHA1:B4B20C75C9AC2AD00D131E387BCB839F6FAAABCA
                                      SHA-256:BE273EA75322249FBF58C9CAD3C8DA5A70811837EF9064733E4F5FF1969D4078
                                      SHA-512:DDB8569A5A5F9AD3CCB990B0A723B64CEE4D49FA6515A8E5C029C1B9E2801F59259A0FC401E27372C133952E4C4840521419EF75895260FA22DFF91E0BE09C02
                                      Malicious:false
                                      Preview:MSCF.....+......D...............[I...........+...I..........d.......rM..............environment.cab...Q.!+rMCK.|.XT....CI7.....AR..$..C$D....RA:....T..........o...g...>.....s....z...>..<...J.R.A......%}..... 0............\...e.z...@..{..,./.:9:X8.s^q...>.(]...I)....'..v@....!.(.i.n.!.g.8\/.+X3.E.~.pi...Q...B...."Oj..~.:....M....uB.}..v.WR........tDD......D7..j..`..5..E.2.z..C....4.s....r..Y.:.|.mtg...S..b._.....!.~Kn..E.=...x.N..e.)....xz...p..h.;..xR'...U.}........nK.+.Y........p..r _.;?.m}$..*%&...8. 7..T....,7..F...e...kI.y...q....".W.W..[..gZQ.....W.$k.T"...N.*...5.R...,+...u.~VO...R-......H7..9........].K....]....tS~*.LSi....T....3+........k......i.J.y...,.Y|.N.t.LX.....zu..8......S*7..{y.m.....Ob.....^.S8Kn.i.._.c~.x.ce.A...t........S.......i1......V..S]H....$..J....E..j...4...o.$..).....;.n<.b.}.(.J.]...Q..u,.-.Bm.[z.j..-i.."...._v.......N..+...g..v..../...;G.Yw....0..u...z....J..K.E..s&..u.h3.]J.G............Z....=.N.X..
                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):5.6996508482876465
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                      • Windows Screen Saver (13104/52) 0.07%
                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                      File name:Axion.exe
                                      File size:560'640 bytes
                                      MD5:f028b560af9df754fc1814fc63a6d3a0
                                      SHA1:3b349685e2189aa4373ed477884c2b19ef3c438f
                                      SHA256:089ef8b915b0ecad53779bb0ee8040856134d5f0ce63cc6a8947cd6c4ff104de
                                      SHA512:0123cda7d0b876064e0849360d1238168233d0f257c82c0c473f3b451d057e7ef14deec4c5ad1d8956e877308467120d85e346ea8dddeb103c30f59b59bcdfe0
                                      SSDEEP:6144:m3WXE8vut4+dPOrmwMccuAC1pxFe6VlWT8b9/9bgr4u30OuzYo0ZbqvAdktGJOKu:ZXBuneYuAKFPVle871u30OuYAvYnJO
                                      TLSH:54C4E50CFE91F805DD1A3CB7CFE921104B7165C1AE1596423109AFFE8BA63B259E267C
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...oA............"...0.................. ........@.. ....................................@................................
                                      Icon Hash:00928e8e8686b000
                                      Entrypoint:0x48a39e
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0xF5FE416F [Wed Oct 13 03:20:15 2100 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the previous line is repeated 97 times in the report: the bytes after the six-byte jmp stub are 00 00 zero bytes, which the disassembler decodes as add byte ptr [eax], al)
Name                                 Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT         0x8a348          0x53          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE       0x8c000          0x600         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY       0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC      0x8e000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS            0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT            0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED       0x0              0x0

Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x2000           0x883a4       0x88400   39408c3e74e2898f648bedffac2e906e  False     0.46422018348623856  data       5.706170430033822    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x8c000          0x600         0x600     59e310b342560f2a253e647ca270a3a0  False     0.470703125          data       4.392402852887116    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x8e000          0xc           0x200     0aa56414984739e04007f4d813b8596d  False     0.044921875          data       0.09800417566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name         RVA      Size   Type                                                                               Language  Country  ZLIB Complexity
RT_VERSION   0x8c0a0  0x374  data                                                                                                  0.47058823529411764
RT_MANIFEST  0x8c414  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                     0.5489795918367347

DLL          Import
mscoree.dll  _CorExeMain
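The header fields above (entrypoint, IAT directory, section table, import table, time stamp and import hash) can be cross-checked offline without the sample. The following Python is an added example and not part of the Joe Sandbox report: it takes those values as constants and verifies that the entrypoint is the standard six-byte CLR launcher stub jumping through the IAT, that the reported import hash is the MD5 pefile computes from the single mscoree.dll!_CorExeMain import, and that the time stamp decodes to the year-2100 date shown. It also carries the caveat a practitioner wants here: Roslyn deterministic builds write a content hash into TimeDateStamp, so an impossible build date on a managed binary is a weak indicator by itself. ANALYSIS_TIME (taken from the report's alert date) and ENTRY_BYTES (re-encoded from the disassembly line) are assumptions, not values printed by the report.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Header values copied from the report's PE summary, section table and import table.
IMAGE_BASE = 0x400000
ENTRYPOINT_VA = 0x48a39e
TIME_DATE_STAMP = 0xF5FE416F
IAT_RVA, IAT_SIZE = 0x2000, 0x8
SECTIONS = [  # (name, virtual address, virtual size)
    (".text", 0x2000, 0x883a4),
    (".rsrc", 0x8c000, 0x600),
    (".reloc", 0x8e000, 0xc),
]
IMPORTS = {"mscoree.dll": ["_CorExeMain"]}
REPORTED_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"
# Assumption: the six entrypoint bytes re-encoded from the report's disassembly
# "jmp dword ptr [00402000h]" (opcode FF 25 followed by a little-endian absolute address).
ENTRY_BYTES = bytes.fromhex("ff2500204000")
# Assumption: analysis date taken from the report's Suricata alert timestamp.
ANALYSIS_TIME = datetime(2025, 1, 12, tzinfo=timezone.utc)
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def pe_timestamp(stamp):
    """TimeDateStamp is an unsigned 32-bit count of seconds since the Unix epoch."""
    return EPOCH + timedelta(seconds=stamp & 0xFFFFFFFF)


def is_dotnet(imports):
    """A managed image imports exactly one symbol: the CLR launcher in mscoree.dll."""
    return any(f in ("_CorExeMain", "_CorDllMain") for f in imports.get("mscoree.dll", []))


def timestamp_verdict(stamp, now, managed):
    """Deterministic Roslyn builds store a content hash in TimeDateStamp, so an
    impossible date on a .NET binary is a weak signal; on native code it is not."""
    if pe_timestamp(stamp) <= now:
        return "plausible"
    return "future (weak signal on managed code)" if managed else "future (suspicious)"


def imphash(imports):
    """pefile's recipe for named imports: 'lib.func' lowercased with the DLL
    extension stripped, entries comma-joined, then MD5. Assumption: no ordinal imports."""
    parts = []
    for dll, funcs in imports.items():
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        parts.extend(f"{lib}.{f.lower()}" for f in funcs)
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def section_of(rva, sections):
    """Name of the section whose virtual range contains rva, or None if none does."""
    for name, va, size in sections:
        if va <= rva < va + size:
            return name
    return None


def is_clr_stub(entry_bytes, image_base, iat_rva, iat_size):
    """The native .NET launcher is exactly 'jmp dword ptr [slot]' with the slot
    inside the IAT directory; the loader fills that slot with _CorExeMain."""
    if len(entry_bytes) < 6 or entry_bytes[:2] != b"\xff\x25":
        return False
    target_rva = int.from_bytes(entry_bytes[2:6], "little") - image_base
    return iat_rva <= target_rva < iat_rva + iat_size


def triage():
    """Run every check against the report's values and return the findings."""
    entry_rva = ENTRYPOINT_VA - IMAGE_BASE
    managed = is_dotnet(IMPORTS)
    return {
        "entry_section": section_of(entry_rva, SECTIONS),
        "clr_stub": is_clr_stub(ENTRY_BYTES, IMAGE_BASE, IAT_RVA, IAT_SIZE),
        "imphash_matches": imphash(IMPORTS) == REPORTED_IMPHASH,
        "built": pe_timestamp(TIME_DATE_STAMP).isoformat(),
        "timestamp": timestamp_verdict(TIME_DATE_STAMP, ANALYSIS_TIME, managed),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The import hash is the one every 32-bit .NET executable shares, because the only native import is the CLR launcher; it identifies the runtime, not this family, so it is useless for pivoting on SheetRat specifically. Note also that the entrypoint RVA plus the six-byte stub lands exactly on the end of .text's virtual size, which is why the disassembly after the jmp is all zero bytes.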
Timestamp                        SID      Signature                         Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
2025-01-12T15:58:03.469519+0100  2058998  ET MALWARE Sheet RAT CnC Checkin  1         192.168.2.5  49704        147.185.221.23  6381       TCP
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Jan 12, 2025 15:58:08.987509966 CET  49704        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:58:08.992393970 CET  6381         49704      147.185.221.23   192.168.2.5
Jan 12, 2025 15:58:08.992527962 CET  49704        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:58:17.669100046 CET  49704        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:58:17.674011946 CET  6381         49704      147.185.221.23   192.168.2.5
Jan 12, 2025 15:58:17.674098969 CET  49704        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:58:17.678972960 CET  6381         49704      147.185.221.23   192.168.2.5
Jan 12, 2025 15:58:30.352036953 CET  6381         49704      147.185.221.23   192.168.2.5
Jan 12, 2025 15:58:30.352152109 CET  49704        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:58:30.368681908 CET  49704        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:58:30.373606920 CET  6381         49704      147.185.221.23   192.168.2.5
Jan 12, 2025 15:58:31.111711979 CET  49761        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:58:31.116559029 CET  6381         49761      147.185.221.23   192.168.2.5
Jan 12, 2025 15:58:31.116657019 CET  49761        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:58:31.188534021 CET  49761        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:58:31.193471909 CET  6381         49761      147.185.221.23   192.168.2.5
Jan 12, 2025 15:58:31.193536997 CET  49761        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:58:31.198384047 CET  6381         49761      147.185.221.23   192.168.2.5
Jan 12, 2025 15:58:47.095956087 CET  49761        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:58:47.100930929 CET  6381         49761      147.185.221.23   192.168.2.5
Jan 12, 2025 15:58:47.101011992 CET  49761        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:58:47.105870008 CET  6381         49761      147.185.221.23   192.168.2.5
Jan 12, 2025 15:58:52.477442980 CET  6381         49761      147.185.221.23   192.168.2.5
Jan 12, 2025 15:58:52.477499962 CET  49761        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:58:52.477869034 CET  49761        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:58:52.482634068 CET  6381         49761      147.185.221.23   192.168.2.5
Jan 12, 2025 15:58:52.898576975 CET  49892        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:58:52.903599977 CET  6381         49892      147.185.221.23   192.168.2.5
Jan 12, 2025 15:58:52.903691053 CET  49892        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:58:52.952718973 CET  49892        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:58:52.952764988 CET  49892        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:58:52.957818031 CET  6381         49892      147.185.221.23   192.168.2.5
Jan 12, 2025 15:58:52.957860947 CET  6381         49892      147.185.221.23   192.168.2.5
Jan 12, 2025 15:58:52.957941055 CET  6381         49892      147.185.221.23   192.168.2.5
Jan 12, 2025 15:59:08.276406050 CET  49892        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:59:08.281177998 CET  6381         49892      147.185.221.23   192.168.2.5
Jan 12, 2025 15:59:08.281239033 CET  49892        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:59:08.285969973 CET  6381         49892      147.185.221.23   192.168.2.5
Jan 12, 2025 15:59:14.295739889 CET  6381         49892      147.185.221.23   192.168.2.5
Jan 12, 2025 15:59:14.295841932 CET  49892        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:59:14.296027899 CET  49892        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:59:14.300858974 CET  6381         49892      147.185.221.23   192.168.2.5
Jan 12, 2025 15:59:14.450634956 CET  49984        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:59:14.455502033 CET  6381         49984      147.185.221.23   192.168.2.5
Jan 12, 2025 15:59:14.455586910 CET  49984        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:59:14.504764080 CET  49984        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:59:14.509582996 CET  6381         49984      147.185.221.23   192.168.2.5
Jan 12, 2025 15:59:14.509675026 CET  49984        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:59:14.514533043 CET  6381         49984      147.185.221.23   192.168.2.5
Jan 12, 2025 15:59:28.907349110 CET  49984        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:59:28.912224054 CET  6381         49984      147.185.221.23   192.168.2.5
Jan 12, 2025 15:59:28.914088011 CET  49984        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:59:28.918931961 CET  6381         49984      147.185.221.23   192.168.2.5
Jan 12, 2025 15:59:35.825958014 CET  6381         49984      147.185.221.23   192.168.2.5
Jan 12, 2025 15:59:35.828053951 CET  49984        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:59:35.828722954 CET  49984        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:59:35.830029011 CET  49985        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:59:35.833518028 CET  6381         49984      147.185.221.23   192.168.2.5
Jan 12, 2025 15:59:35.834955931 CET  6381         49985      147.185.221.23   192.168.2.5
Jan 12, 2025 15:59:35.835156918 CET  49985        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:59:36.010442019 CET  49985        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:59:36.015238047 CET  6381         49985      147.185.221.23   192.168.2.5
Jan 12, 2025 15:59:36.018692017 CET  49985        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:59:36.023545027 CET  6381         49985      147.185.221.23   192.168.2.5
Jan 12, 2025 15:59:50.630919933 CET  49985        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:59:50.635735989 CET  6381         49985      147.185.221.23   192.168.2.5
Jan 12, 2025 15:59:50.641379118 CET  49985        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:59:50.646199942 CET  6381         49985      147.185.221.23   192.168.2.5
Jan 12, 2025 15:59:57.216686010 CET  6381         49985      147.185.221.23   192.168.2.5
Jan 12, 2025 15:59:57.216945887 CET  49985        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:59:57.219048023 CET  49986        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:59:57.223906040 CET  6381         49986      147.185.221.23   192.168.2.5
Jan 12, 2025 15:59:57.223980904 CET  49986        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:59:57.247998953 CET  49985        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:59:57.459352970 CET  49986        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:59:57.464282036 CET  6381         49986      147.185.221.23   192.168.2.5
Jan 12, 2025 15:59:57.464766026 CET  49986        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 15:59:57.469578981 CET  6381         49986      147.185.221.23   192.168.2.5
Jan 12, 2025 16:00:05.376131058 CET  49986        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:00:05.381011963 CET  6381         49986      147.185.221.23   192.168.2.5
Jan 12, 2025 16:00:05.381072044 CET  49986        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:00:05.385919094 CET  6381         49986      147.185.221.23   192.168.2.5
Jan 12, 2025 16:00:05.621426105 CET  49986        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:00:05.626348972 CET  6381         49986      147.185.221.23   192.168.2.5
Jan 12, 2025 16:00:05.626420975 CET  49986        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:00:05.631247044 CET  6381         49986      147.185.221.23   192.168.2.5
Jan 12, 2025 16:00:18.454128027 CET  49986        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:00:18.458904028 CET  6381         49986      147.185.221.23   192.168.2.5
Jan 12, 2025 16:00:18.459074974 CET  49986        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:00:18.463879108 CET  6381         49986      147.185.221.23   192.168.2.5
Jan 12, 2025 16:00:18.573506117 CET  6381         49986      147.185.221.23   192.168.2.5
Jan 12, 2025 16:00:18.573751926 CET  49986        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:00:18.573930025 CET  49986        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:00:18.578665018 CET  6381         49986      147.185.221.23   192.168.2.5
Jan 12, 2025 16:00:18.592255116 CET  49987        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:00:18.597126961 CET  6381         49987      147.185.221.23   192.168.2.5
Jan 12, 2025 16:00:18.597213984 CET  49987        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:00:18.815995932 CET  49987        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:00:18.820943117 CET  6381         49987      147.185.221.23   192.168.2.5
Jan 12, 2025 16:00:18.820998907 CET  49987        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:00:18.825860023 CET  6381         49987      147.185.221.23   192.168.2.5
Jan 12, 2025 16:00:33.266669035 CET  49987        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:00:33.271480083 CET  6381         49987      147.185.221.23   192.168.2.5
Jan 12, 2025 16:00:33.271696091 CET  49987        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:00:33.276503086 CET  6381         49987      147.185.221.23   192.168.2.5
Jan 12, 2025 16:00:39.950124025 CET  6381         49987      147.185.221.23   192.168.2.5
Jan 12, 2025 16:00:39.950263023 CET  49987        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:00:39.950963020 CET  49987        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:00:39.954665899 CET  49988        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:00:39.955724955 CET  6381         49987      147.185.221.23   192.168.2.5
Jan 12, 2025 16:00:39.959497929 CET  6381         49988      147.185.221.23   192.168.2.5
Jan 12, 2025 16:00:39.959568024 CET  49988        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:00:40.253726006 CET  49988        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:00:40.258634090 CET  6381         49988      147.185.221.23   192.168.2.5
Jan 12, 2025 16:00:40.262134075 CET  49988        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:00:40.267062902 CET  6381         49988      147.185.221.23   192.168.2.5
Jan 12, 2025 16:00:47.188597918 CET  49988        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:00:47.193523884 CET  6381         49988      147.185.221.23   192.168.2.5
Jan 12, 2025 16:00:47.193591118 CET  49988        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:00:47.198482037 CET  6381         49988      147.185.221.23   192.168.2.5
Jan 12, 2025 16:00:47.402462006 CET  49988        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:00:47.407418966 CET  6381         49988      147.185.221.23   192.168.2.5
Jan 12, 2025 16:00:47.407489061 CET  49988        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:00:47.412291050 CET  6381         49988      147.185.221.23   192.168.2.5
Jan 12, 2025 16:00:55.407114029 CET  49988        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:00:55.411971092 CET  6381         49988      147.185.221.23   192.168.2.5
Jan 12, 2025 16:00:55.412039995 CET  49988        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:00:55.416791916 CET  6381         49988      147.185.221.23   192.168.2.5
Jan 12, 2025 16:00:55.704857111 CET  49988        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:00:55.709625959 CET  6381         49988      147.185.221.23   192.168.2.5
Jan 12, 2025 16:00:55.710247040 CET  49988        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:00:55.715027094 CET  6381         49988      147.185.221.23   192.168.2.5
Jan 12, 2025 16:01:01.329200983 CET  6381         49988      147.185.221.23   192.168.2.5
Jan 12, 2025 16:01:01.329298973 CET  49988        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:01.331007004 CET  49988        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:01.334176064 CET  49989        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:01.335845947 CET  6381         49988      147.185.221.23   192.168.2.5
Jan 12, 2025 16:01:01.339169025 CET  6381         49989      147.185.221.23   192.168.2.5
Jan 12, 2025 16:01:01.339255095 CET  49989        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:01.628760099 CET  49989        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:01.633734941 CET  6381         49989      147.185.221.23   192.168.2.5
Jan 12, 2025 16:01:01.634591103 CET  49989        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:01.639458895 CET  6381         49989      147.185.221.23   192.168.2.5
Jan 12, 2025 16:01:16.000783920 CET  49989        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:16.005625010 CET  6381         49989      147.185.221.23   192.168.2.5
Jan 12, 2025 16:01:16.008096933 CET  49989        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:16.012972116 CET  6381         49989      147.185.221.23   192.168.2.5
Jan 12, 2025 16:01:19.797853947 CET  49989        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:19.802627087 CET  6381         49989      147.185.221.23   192.168.2.5
Jan 12, 2025 16:01:19.802701950 CET  49989        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:19.807480097 CET  6381         49989      147.185.221.23   192.168.2.5
Jan 12, 2025 16:01:19.974344969 CET  49989        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:19.979207039 CET  6381         49989      147.185.221.23   192.168.2.5
Jan 12, 2025 16:01:19.979262114 CET  49989        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:19.984029055 CET  6381         49989      147.185.221.23   192.168.2.5
Jan 12, 2025 16:01:22.745758057 CET  6381         49989      147.185.221.23   192.168.2.5
Jan 12, 2025 16:01:22.745893955 CET  49989        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:22.747004032 CET  49989        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:22.747010946 CET  49990        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:22.751884937 CET  6381         49989      147.185.221.23   192.168.2.5
Jan 12, 2025 16:01:22.751916885 CET  6381         49990      147.185.221.23   192.168.2.5
Jan 12, 2025 16:01:22.752011061 CET  49990        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:22.892574072 CET  49990        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:22.897486925 CET  6381         49990      147.185.221.23   192.168.2.5
Jan 12, 2025 16:01:22.897685051 CET  49990        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:22.902539968 CET  6381         49990      147.185.221.23   192.168.2.5
Jan 12, 2025 16:01:32.220221996 CET  49990        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:32.225208044 CET  6381         49990      147.185.221.23   192.168.2.5
Jan 12, 2025 16:01:32.225313902 CET  49990        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:32.230155945 CET  6381         49990      147.185.221.23   192.168.2.5
Jan 12, 2025 16:01:32.385128975 CET  49990        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:32.390033960 CET  6381         49990      147.185.221.23   192.168.2.5
Jan 12, 2025 16:01:32.390116930 CET  49990        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:32.395015955 CET  6381         49990      147.185.221.23   192.168.2.5
Jan 12, 2025 16:01:33.672894955 CET  49990        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:33.677742004 CET  6381         49990      147.185.221.23   192.168.2.5
Jan 12, 2025 16:01:33.677809954 CET  49990        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:33.682588100 CET  6381         49990      147.185.221.23   192.168.2.5
Jan 12, 2025 16:01:33.857418060 CET  49990        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:33.862572908 CET  6381         49990      147.185.221.23   192.168.2.5
Jan 12, 2025 16:01:33.862667084 CET  49990        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:33.867554903 CET  6381         49990      147.185.221.23   192.168.2.5
Jan 12, 2025 16:01:44.152385950 CET  6381         49990      147.185.221.23   192.168.2.5
Jan 12, 2025 16:01:44.153625011 CET  49990        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:44.153888941 CET  49990        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:44.154911041 CET  49991        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:44.158668995 CET  6381         49990      147.185.221.23   192.168.2.5
Jan 12, 2025 16:01:44.159792900 CET  6381         49991      147.185.221.23   192.168.2.5
Jan 12, 2025 16:01:44.159873009 CET  49991        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:44.326910973 CET  49991        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:44.331945896 CET  6381         49991      147.185.221.23   192.168.2.5
Jan 12, 2025 16:01:44.332160950 CET  49991        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:44.337095022 CET  6381         49991      147.185.221.23   192.168.2.5
Jan 12, 2025 16:01:45.610234022 CET  49991        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:45.615310907 CET  6381         49991      147.185.221.23   192.168.2.5
Jan 12, 2025 16:01:45.615425110 CET  49991        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:45.620316029 CET  6381         49991      147.185.221.23   192.168.2.5
Jan 12, 2025 16:01:45.846796036 CET  49991        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:45.851702929 CET  6381         49991      147.185.221.23   192.168.2.5
Jan 12, 2025 16:01:45.851754904 CET  49991        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:45.856627941 CET  6381         49991      147.185.221.23   192.168.2.5
Jan 12, 2025 16:01:58.765019894 CET  49991        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:58.769870043 CET  6381         49991      147.185.221.23   192.168.2.5
Jan 12, 2025 16:01:58.769922018 CET  49991        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:01:58.774779081 CET  6381         49991      147.185.221.23   192.168.2.5
Jan 12, 2025 16:02:05.125751019 CET  49991        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:02:05.130690098 CET  6381         49991      147.185.221.23   192.168.2.5
Jan 12, 2025 16:02:05.130884886 CET  49991        6381       192.168.2.5      147.185.221.23
Jan 12, 2025 16:02:05.135709047 CET  6381         49991      147.185.221.23   192.168.2.5
                                      Jan 12, 2025 16:02:05.327779055 CET499916381192.168.2.5147.185.221.23
                                      Jan 12, 2025 16:02:05.332622051 CET638149991147.185.221.23192.168.2.5
                                      Jan 12, 2025 16:02:05.332685947 CET499916381192.168.2.5147.185.221.23
                                      Jan 12, 2025 16:02:05.337495089 CET638149991147.185.221.23192.168.2.5
                                      Jan 12, 2025 16:02:05.545458078 CET638149991147.185.221.23192.168.2.5
                                      Jan 12, 2025 16:02:05.545533895 CET499916381192.168.2.5147.185.221.23
                                      Jan 12, 2025 16:02:05.545766115 CET499916381192.168.2.5147.185.221.23
                                      Jan 12, 2025 16:02:05.546618938 CET499926381192.168.2.5147.185.221.23
                                      Jan 12, 2025 16:02:05.550534964 CET638149991147.185.221.23192.168.2.5
                                      Jan 12, 2025 16:02:05.551422119 CET638149992147.185.221.23192.168.2.5
                                      Jan 12, 2025 16:02:05.551496983 CET499926381192.168.2.5147.185.221.23
                                      Jan 12, 2025 16:02:05.671397924 CET499926381192.168.2.5147.185.221.23
                                      Jan 12, 2025 16:02:05.676563025 CET638149992147.185.221.23192.168.2.5
                                      Jan 12, 2025 16:02:05.680139065 CET499926381192.168.2.5147.185.221.23
                                      Jan 12, 2025 16:02:05.685102940 CET638149992147.185.221.23192.168.2.5
                                      Jan 12, 2025 16:02:05.860064983 CET499926381192.168.2.5147.185.221.23
                                      Jan 12, 2025 16:02:05.865098953 CET638149992147.185.221.23192.168.2.5
                                      Jan 12, 2025 16:02:05.865150928 CET499926381192.168.2.5147.185.221.23
                                      Jan 12, 2025 16:02:05.870052099 CET638149992147.185.221.23192.168.2.5
                                      Jan 12, 2025 16:02:06.038244963 CET499926381192.168.2.5147.185.221.23
                                      Jan 12, 2025 16:02:06.043064117 CET638149992147.185.221.23192.168.2.5
                                      Jan 12, 2025 16:02:06.043550968 CET499926381192.168.2.5147.185.221.23
                                      Jan 12, 2025 16:02:06.048394918 CET638149992147.185.221.23192.168.2.5
                                      Jan 12, 2025 16:02:09.955929995 CET499926381192.168.2.5147.185.221.23
                                      Jan 12, 2025 16:02:09.960818052 CET638149992147.185.221.23192.168.2.5
                                      Jan 12, 2025 16:02:09.960879087 CET499926381192.168.2.5147.185.221.23
                                      Jan 12, 2025 16:02:09.965800047 CET638149992147.185.221.23192.168.2.5
                                      Jan 12, 2025 16:02:11.166985035 CET499926381192.168.2.5147.185.221.23
                                      Jan 12, 2025 16:02:11.172008038 CET638149992147.185.221.23192.168.2.5
                                      Jan 12, 2025 16:02:11.172167063 CET499926381192.168.2.5147.185.221.23
                                      Jan 12, 2025 16:02:11.176987886 CET638149992147.185.221.23192.168.2.5
                                      Jan 12, 2025 16:02:11.266442060 CET499926381192.168.2.5147.185.221.23
                                      Jan 12, 2025 16:02:11.272197008 CET638149992147.185.221.23192.168.2.5
                                      Jan 12, 2025 16:02:11.274157047 CET499926381192.168.2.5147.185.221.23
                                      Jan 12, 2025 16:02:11.279078960 CET638149992147.185.221.23192.168.2.5
                                      Jan 12, 2025 16:02:11.411922932 CET499926381192.168.2.5147.185.221.23
                                      Jan 12, 2025 16:02:11.416764975 CET638149992147.185.221.23192.168.2.5
                                      Jan 12, 2025 16:02:11.420198917 CET499926381192.168.2.5147.185.221.23
                                      Jan 12, 2025 16:02:11.425017118 CET638149992147.185.221.23192.168.2.5
                                      Jan 12, 2025 16:02:13.996939898 CET499926381192.168.2.5147.185.221.23
                                      Jan 12, 2025 16:02:14.002238035 CET638149992147.185.221.23192.168.2.5
                                      Jan 12, 2025 16:02:14.002315044 CET499926381192.168.2.5147.185.221.23
                                      Jan 12, 2025 16:02:14.007117987 CET638149992147.185.221.23192.168.2.5
                                      Jan 12, 2025 16:02:14.085867882 CET499926381192.168.2.5147.185.221.23
                                      Jan 12, 2025 16:02:14.090873957 CET638149992147.185.221.23192.168.2.5
                                      Jan 12, 2025 16:02:14.091068029 CET499926381192.168.2.5147.185.221.23
                                      Jan 12, 2025 16:02:14.095977068 CET638149992147.185.221.23192.168.2.5
                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Jan 12, 2025 15:58:08.963326931 CET | 53644 | 53 | 192.168.2.5 | 1.1.1.1
                                      Jan 12, 2025 15:58:08.977029085 CET | 53 | 53644 | 1.1.1.1 | 192.168.2.5
                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                      Jan 12, 2025 15:58:08.963326931 CET | 192.168.2.5 | 1.1.1.1 | 0xbb7 | Standard query (0) | methods-significant.gl.at.ply.gg | A (IP address) | IN (0x0001) | false
                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                      Jan 12, 2025 15:58:08.977029085 CET | 1.1.1.1 | 192.168.2.5 | 0xbb7 | No error (0) | methods-significant.gl.at.ply.gg |  | 147.185.221.23 | A (IP address) | IN (0x0001) | false
                                      Jan 12, 2025 15:58:24.710835934 CET | 1.1.1.1 | 192.168.2.5 | 0x6574 | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                                      Jan 12, 2025 15:58:24.710835934 CET | 1.1.1.1 | 192.168.2.5 | 0x6574 | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.214.172 | A (IP address) | IN (0x0001) | false
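
The packet table above is the command-and-control traffic: the sandbox host (192.168.2.5) opens three successive client connections (local ports 49990, 49991, 49992) to 147.185.221.23 on TCP port 6381, the address that the DNS answer row returned for methods-significant.gl.at.ply.gg. Blocking should target the hostname and the port, not only the IP, since a tunnelled relay address like this can change. The script below is an added example and not part of the Joe Sandbox report: it re-parses rows in the run-together form the text export of the table produces (timestamp, source port, destination port, source IP, destination IP with no separators) and groups them into sessions. Two things in that format are genuinely ambiguous and a naive split gets them wrong: the fused IP field ("23192" can be read as 23|192 or 231|92) and the fused port field ("638149990" can be read as 6381|49990 or 63814|9990). The parser resolves both with two assumptions that are stated in the code: the local host is 192.168.2.5 (from the report) and the local side is a client using a Windows ephemeral port (49152 and above). The eight rows embedded in `TCP_ROWS` are copied from the table; the hostname mapping is copied from the DNS answer row.

```python
import re
from datetime import datetime

# Assumption: the analysis host from the report. One known endpoint is needed
# because the fused IP and port columns cannot be split without it.
LOCAL_HOSTS = {"192.168.2.5"}
# Copied from the report's DNS answer row.
RESOLVED = {"147.185.221.23": "methods-significant.gl.at.ply.gg"}
# A subset of the report's TCP packet rows in run-together form:
# timestamp, source port, dest port, source IP, dest IP, no separators.
TCP_ROWS = """\
Jan 12, 2025 16:01:32.390033960 CET638149990147.185.221.23192.168.2.5
Jan 12, 2025 16:01:32.390116930 CET499906381192.168.2.5147.185.221.23
Jan 12, 2025 16:01:44.153888941 CET499906381192.168.2.5147.185.221.23
Jan 12, 2025 16:01:44.154911041 CET499916381192.168.2.5147.185.221.23
Jan 12, 2025 16:01:44.159792900 CET638149991147.185.221.23192.168.2.5
Jan 12, 2025 16:02:05.545766115 CET499916381192.168.2.5147.185.221.23
Jan 12, 2025 16:02:05.546618938 CET499926381192.168.2.5147.185.221.23
Jan 12, 2025 16:02:14.095977068 CET638149992147.185.221.23192.168.2.5
"""
ROW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(?P<frac>\d+) CET"
    r"(?P<tail>[\d.]+)$"
)


def _octet_ok(s):
    return s.isdigit() and (s == "0" or s[0] != "0") and int(s) <= 255


def split_ips(fused, local_hosts=LOCAL_HOSTS):
    """Recover (src, dst) from two IPv4 addresses written back to back.
    The join always lands in the 4th dot-separated field, which can usually
    be cut more than one way, so a cut is accepted only when exactly one
    side is a known local host."""
    fields = fused.split(".")
    if len(fields) != 7 or not all(_octet_ok(f) for f in fields[:3] + fields[4:]):
        raise ValueError(f"not two IPv4 addresses: {fused!r}")
    found = []
    for k in range(1, len(fields[3])):
        a, b = fields[3][:k], fields[3][k:]
        if not (_octet_ok(a) and _octet_ok(b)):
            continue
        src, dst = ".".join(fields[:3] + [a]), ".".join([b] + fields[4:])
        if (src in local_hosts) != (dst in local_hosts):
            found.append((src, dst))
    if len(found) != 1:
        raise ValueError(f"ambiguous IP split {fused!r}: {found}")
    return found[0]


def split_ports(fused, local_is_src):
    """Recover (sport, dport). Both cuts of '638149990' are valid port pairs,
    so require the local side's port to be ephemeral (>= 49152): assumption
    that the sandbox host is the client, as it is in this capture."""
    found = []
    for k in range(1, len(fused)):
        a, b = fused[:k], fused[k:]
        if a[0] == "0" or b[0] == "0" or int(a) > 65535 or int(b) > 65535:
            continue
        sport, dport = int(a), int(b)
        if (sport if local_is_src else dport) >= 49152:
            found.append((sport, dport))
    if len(found) != 1:
        raise ValueError(f"ambiguous port split {fused!r}: {found}")
    return found[0]


def parse_row(row, local_hosts=LOCAL_HOSTS):
    """Parse one packet row. The port/IP boundary is unmarked too, so every
    cut of the digit run is tried and exactly one consistent reading must remain."""
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    ts = datetime.strptime(f"{m['ts']}.{m['frac'][:6]}", "%b %d, %Y %H:%M:%S.%f")
    tail, readings = m["tail"], []
    for p in range(2, min(11, len(tail))):  # two ports occupy 2..10 digits
        ports, ips = tail[:p], tail[p:]
        if not ports.isdigit():
            break
        try:
            src, dst = split_ips(ips, local_hosts)
            sport, dport = split_ports(ports, src in local_hosts)
        except ValueError:
            continue
        readings.append({"ts": ts, "src": src, "sport": sport, "dst": dst, "dport": dport})
    if len(readings) != 1:
        raise ValueError(f"ambiguous row {row!r}: {readings}")
    return readings[0]


def sessions(rows, local_hosts=LOCAL_HOSTS):
    """Group packets by client session: (local port, remote IP, remote port)."""
    out = {}
    for row in rows.splitlines():
        f = parse_row(row, local_hosts)
        if f["src"] in local_hosts:
            key = (f["sport"], f["dst"], f["dport"])
        else:
            key = (f["dport"], f["src"], f["sport"])
        s = out.setdefault(key, {"first": f["ts"], "last": f["ts"], "packets": 0})
        s["first"], s["last"] = min(s["first"], f["ts"]), max(s["last"], f["ts"])
        s["packets"] += 1
    return out


def report(rows, local_hosts=LOCAL_HOSTS, resolved=RESOLVED):
    lines = []
    for (lport, rip, rport), s in sorted(sessions(rows, local_hosts).items()):
        dur = (s["last"] - s["first"]).total_seconds()
        lines.append(f"{rip}:{rport} ({resolved.get(rip, '?')}) local port {lport}: "
                     f"{s['packets']} packets over {dur:.1f}s from {s['first'].time()}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(TCP_ROWS)))
```

Run on the full table rather than the embedded subset, the per-session summary is what goes into the incident record: one remote endpoint, one port, short-lived connections re-established every ten to twenty seconds, which is the beaconing profile to hunt for in proxy or NetFlow data. The parser refuses rather than guesses when a row still has more than one reading, which is the right failure mode for evidence handling.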

                                      Target ID:0
                                      Start time:09:58:06
                                      Start date:12/01/2025
                                      Path:C:\Users\user\Desktop\Axion.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\Desktop\Axion.exe"
                                      Imagebase:0x380000
                                      File size:560'640 bytes
                                      MD5 hash:F028B560AF9DF754FC1814FC63A6D3A0
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_SheetRat, Description: Yara detected SheetRat, Source: 00000000.00000002.4513412827.0000000012A18000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:false

                                      Target ID:4
                                      Start time:09:58:22
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\SIHClient.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\System32\sihclient.exe /cv sTITtz1dt06w9i2AI61sbg.0.2
                                      Imagebase:0x7ff6e99a0000
                                      File size:380'720 bytes
                                      MD5 hash:8BE47315BF30475EEECE8E39599E9273
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:5
                                      Start time:09:58:43
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
                                      Imagebase:0x7ff7eab00000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:6
                                      Start time:09:58:43
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:7
                                      Start time:09:58:43
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
                                      Imagebase:0x7ff74c460000
                                      File size:235'008 bytes
                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:8
                                      Start time:09:58:44
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Dropbox" /tr "C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe" /RL HIGHEST & exit
                                      Imagebase:0x7ff7eab00000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:9
                                      Start time:09:58:44
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:10
                                      Start time:09:58:44
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo 5 /tn "Dropbox" /tr "C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe" /RL HIGHEST
                                      Imagebase:0x7ff74c460000
                                      File size:235'008 bytes
                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true
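
The cmd.exe and schtasks.exe entries above (Target IDs 5, 7, 8 and 10, repeated later in the list by the dropped copy) are the sample's persistence: two scheduled tasks named after legitimate products, "Greenshot" and "Dropbox", whose actions point into the user profile, one of them at a file with no extension, both requested with /RL HIGHEST. Two details matter for the hunt. The "Dropbox" task re-launches the dropped executable every 5 minutes, a watchdog interval. The "Greenshot" task asks for /mo -1, which is outside the 1 to 1439 range schtasks accepts for /sc minute, so it is a creation attempt that schtasks rejects and will not appear in the Task Scheduler library; it is only visible in process-creation telemetry. The detector below is an added example, not code from the report or from Joe Sandbox. The event records are constructed; their command lines are copied from the process list, with one constructed benign control. The scoring threshold and the list of user-writable prefixes are assumptions chosen for illustration.

```python
import ntpath
import re

# Constructed process-creation events. Command lines are copied from the
# report's process list; pid 900 is a constructed benign control.
EVENTS = [
    {"pid": 7, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST'},
    {"pid": 10, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'SchTaSKs /create /f /sc minute /mo 5 /tn "Dropbox" /tr "C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe" /RL HIGHEST'},
    {"pid": 22, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update"'},
    {"pid": 8, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Dropbox" /tr "C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe" /RL HIGHEST & exit'},
    {"pid": 900, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /sc daily /st 03:00 /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'},
]

# schtasks switches of interest; values may be quoted or bare, case varies.
ARG_RE = re.compile(r'/(?P<key>sc|mo|tn|tr|rl)\s+(?:"(?P<q>[^"]*)"|(?P<u>\S+))', re.I)
CREATE_RE = re.compile(r'^\s*"?schtasks(\.exe)?"?\s+/create\b', re.I)
# Assumption: locations an unprivileged user can write to. A task whose action
# lives here is controlled by whoever controls the profile, not by an installer.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
MINUTE_MODIFIERS = range(1, 1440)  # the /mo range schtasks accepts for /sc minute


def parse_create(cmd):
    """Return the switches of a 'schtasks /create' command line as a dict, or None."""
    if not CREATE_RE.match(cmd):
        return None
    return {m["key"].lower(): m["q"] if m["q"] is not None else m["u"]
            for m in ARG_RE.finditer(cmd)}


def assess(event):
    """List the suspicious properties of one schtasks.exe process-creation event.
    cmd.exe wrappers ('"CMD" /c SchTaSKs ...') are skipped: the schtasks.exe
    child carries the same command line and would otherwise count twice."""
    if not event["image"].lower().endswith("\\schtasks.exe"):
        return []
    args = parse_create(event["cmd"])
    if args is None:
        return []
    findings = []
    action, name = args.get("tr", ""), args.get("tn", "")
    if action.lower().startswith(USER_WRITABLE):
        findings.append(f"action in user-writable path: {action}")
    if not ntpath.splitext(action)[1]:
        findings.append(f"action has no file extension: {action}")
    if name and name.lower() not in action.lower():
        findings.append(f"task name {name!r} does not match the action: lookalike name")
    if args.get("rl", "").upper() == "HIGHEST":
        findings.append("/RL HIGHEST: runs with the account's full token")
    if args.get("sc", "").lower() == "minute" and "mo" in args:
        period = int(args["mo"]) if re.fullmatch(r"-?\d+", args["mo"]) else None
        if period not in MINUTE_MODIFIERS:
            findings.append(f"/mo {args['mo']} is outside 1..1439; schtasks rejects it, "
                            "so this is a creation attempt rather than a live task")
        elif period <= 5:
            findings.append(f"re-launches every {period} minute(s): watchdog interval")
    return findings


def alerts(events, threshold=2):
    """Events with at least `threshold` findings, as (pid, findings) pairs."""
    out = []
    for event in events:
        findings = assess(event)
        if len(findings) >= threshold:
            out.append((event["pid"], findings))
    return out


if __name__ == "__main__":
    for pid, findings in alerts(EVENTS):
        print(f"pid {pid}:")
        for finding in findings:
            print("  -", finding)
```

Fed from Sysmon event 1 or Windows 4688 records with command-line logging, the same logic flags the sample's three schtasks.exe invocations and passes the benign daily task. Because the rejected "Greenshot" creation never becomes a task, a response playbook that only enumerates the Task Scheduler library would miss it and the dropped C:\Users\user\Update file it points at; the process telemetry is the only place that attempt is recorded.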

                                      Target ID:11
                                      Start time:09:58:48
                                      Start date:12/01/2025
                                      Path:C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe"
                                      Imagebase:0x190000
                                      File size:783'846'912 bytes
                                      MD5 hash:3DDF6F0F81599FDDCD2CD05DB946A93F
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:13
                                      Start time:09:58:50
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
                                      Imagebase:0x7ff7eab00000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:14
                                      Start time:09:58:51
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:15
                                      Start time:09:58:51
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
                                      Imagebase:0x7ff74c460000
                                      File size:235'008 bytes
                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:16
                                      Start time:09:58:57
                                      Start date:12/01/2025
                                      Path:C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe"
                                      Imagebase:0x380000
                                      File size:783'846'912 bytes
                                      MD5 hash:3DDF6F0F81599FDDCD2CD05DB946A93F
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:17
                                      Start time:09:58:58
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" & exit
                                      Imagebase:0x7ff7eab00000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:18
                                      Start time:09:58:58
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
                                      Imagebase:0x7ff7eab00000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:19
                                      Start time:09:58:58
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:20
                                      Start time:09:58:58
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:21
                                      Start time:09:58:58
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
                                      Imagebase:0x7ff74c460000
                                      File size:235'008 bytes
                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:22
                                      Start time:09:58:59
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update"
                                      Imagebase:0x7ff74c460000
                                      File size:235'008 bytes
                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:23
                                      Start time:09:59:04
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\OpenWith.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\OpenWith.exe -Embedding
                                      Imagebase:0x7ff652900000
                                      File size:123'984 bytes
                                      MD5 hash:E4A834784FA08C17D47A1E72429C5109
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:24
                                      Start time:09:59:06
                                      Start date:12/01/2025
                                      Path:C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Roaming\xdwdUnreal Engine.exe"
                                      Imagebase:0x660000
                                      File size:783'846'912 bytes
                                      MD5 hash:3DDF6F0F81599FDDCD2CD05DB946A93F
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:25
                                      Start time:09:59:08
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" & exit
                                      Imagebase:0x7ff7eab00000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:26
                                      Start time:09:59:08
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:27
                                      Start time:09:59:08
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update"
                                      Imagebase:0x7ff74c460000
                                      File size:235'008 bytes
                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:28
                                      Start time:09:59:13
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\OpenWith.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\OpenWith.exe -Embedding
                                      Imagebase:0x7ff652900000
                                      File size:123'984 bytes
                                      MD5 hash:E4A834784FA08C17D47A1E72429C5109
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:29
                                      Start time:09:59:15
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
                                      Imagebase:0x7ff7eab00000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:30
                                      Start time:09:59:15
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:31
                                      Start time:09:59:15
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
                                      Imagebase:0x7ff74c460000
                                      File size:235'008 bytes
                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:32
                                      Start time:09:59:29
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
                                      Imagebase:0x7ff7eab00000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:33
                                      Start time:09:59:29
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:34
                                      Start time:09:59:29
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
                                      Imagebase:0x7ff74c460000
                                      File size:235'008 bytes
                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:35
                                      Start time:09:59:42
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
                                      Imagebase:0x7ff7eab00000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:36
                                      Start time:09:59:42
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:37
                                      Start time:09:59:42
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
                                      Imagebase:0x7ff74c460000
                                      File size:235'008 bytes
                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:38
                                      Start time:09:59:55
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
                                      Imagebase:0x7ff7eab00000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:39
                                      Start time:09:59:55
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:40
                                      Start time:09:59:55
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
                                      Imagebase:0x7ff74c460000
                                      File size:235'008 bytes
                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:41
                                      Start time:10:00:08
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
                                      Imagebase:0x7ff7eab00000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:42
                                      Start time:10:00:08
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:43
                                      Start time:10:00:08
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
                                      Imagebase:0x7ff74c460000
                                      File size:235'008 bytes
                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:44
                                      Start time:10:00:19
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
                                      Imagebase:0x7ff7eab00000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:45
                                      Start time:10:00:19
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:46
                                      Start time:10:00:19
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
                                      Imagebase:0x7ff74c460000
                                      File size:235'008 bytes
                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:47
                                      Start time:10:00:31
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
                                      Imagebase:0x7ff7eab00000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:48
                                      Start time:10:00:31
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:49
                                      Start time:10:00:31
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
                                      Imagebase:0x7ff74c460000
                                      File size:235'008 bytes
                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:50
                                      Start time:10:00:43
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
                                      Imagebase:0x7ff7eab00000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:51
                                      Start time:10:00:43
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:52
                                      Start time:10:00:43
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
                                      Imagebase:0x7ff74c460000
                                      File size:235'008 bytes
                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:53
                                      Start time:10:00:54
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
                                      Imagebase:0x7ff7eab00000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:54
                                      Start time:10:00:55
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:55
                                      Start time:10:00:55
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
                                      Imagebase:0x7ff74c460000
                                      File size:235'008 bytes
                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:56
                                      Start time:10:01:06
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
                                      Imagebase:0x7ff7eab00000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:57
                                      Start time:10:01:06
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:58
                                      Start time:10:01:06
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
                                      Imagebase:0x7ff74c460000
                                      File size:235'008 bytes
                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:59
                                      Start time:10:01:18
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
                                      Imagebase:0x7ff7eab00000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:60
                                      Start time:10:01:18
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:61
                                      Start time:10:01:18
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
                                      Imagebase:0x7ff74c460000
                                      File size:235'008 bytes
                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:62
                                      Start time:10:01:30
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
                                      Imagebase:0x7ff7eab00000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:63
                                      Start time:10:01:30
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:64
                                      Start time:10:01:30
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
                                      Imagebase:0x7ff74c460000
                                      File size:235'008 bytes
                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:65
                                      Start time:10:01:41
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
                                      Imagebase:0x7ff7eab00000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:66
                                      Start time:10:01:41
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:67
                                      Start time:10:01:41
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
                                      Imagebase:0x7ff74c460000
                                      File size:235'008 bytes
                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:68
                                      Start time:10:01:52
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
                                      Imagebase:0x7ff7eab00000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:69
                                      Start time:10:01:52
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:70
                                      Start time:10:01:52
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
                                      Imagebase:0x7ff74c460000
                                      File size:235'008 bytes
                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:71
                                      Start time:10:02:03
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST & exit
                                      Imagebase:0x7ff7eab00000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:72
                                      Start time:10:02:03
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:73
                                      Start time:10:02:03
                                      Start date:12/01/2025
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "Greenshot" /tr "C:\Users\user\Update" /RL HIGHEST
                                      Imagebase:0x7ff74c460000
                                      File size:235'008 bytes
                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true


                                        Execution Graph

                                        Execution Coverage:15.2%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:100%
                                        Total number of Nodes:3
                                        Total number of Limit Nodes:0
                                        execution_graph 14319 7ff848f3f627 14320 7ff848f3f63f NtProtectVirtualMemory 14319->14320 14322 7ff848f3f715 14320->14322
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4523085572.00007FF848F36000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F36000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848f36000_Axion.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: a]A;$a]Hc$|L_^
                                        • API String ID: 0-3381870284
                                        • Opcode ID: 42d28e66939a4ab0ef9771bd8d476cf7f76adb47e73c9db67109c69d3c0c7bc2
                                        • Instruction ID: 8ea374fd16b9cfcc909b56aeac738c5d6f24cd82ecdb9314c2d27229af84856f
                                        • Opcode Fuzzy Hash: 42d28e66939a4ab0ef9771bd8d476cf7f76adb47e73c9db67109c69d3c0c7bc2
                                        • Instruction Fuzzy Hash: 05621272D0E6864FE71AA7689C161F57BA0DF52390F1901BBD089C75D3EE1C680B83A6

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 206 7ff848f3db95-7ff848f3db98 207 7ff848f3db9a-7ff848f3dbb0 206->207 208 7ff848f3dc17-7ff848f3dc2e 206->208 207->208 212 7ff848f3dc8d-7ff848f3dca0 208->212 213 7ff848f3dc30-7ff848f3dc7b 208->213 216 7ff848f3dca2 212->216 217 7ff848f3dc66-7ff848f3dc6a 212->217 219 7ff848f3dd1c-7ff848f3dd1f 216->219 220 7ff848f3dca4-7ff848f3dcd5 216->220 217->212 222 7ff848f3dd31 219->222 223 7ff848f3dd21 219->223 224 7ff848f3dce7 220->224 225 7ff848f3dcd7 220->225 229 7ff848f3dd3c-7ff848f3dd3e 222->229 230 7ff848f3dd33-7ff848f3dd35 222->230 228 7ff848f3dd26-7ff848f3dd28 223->228 226 7ff848f3dce9-7ff848f3dcfd 224->226 227 7ff848f3dd04-7ff848f3dd06 224->227 231 7ff848f3dcdc-7ff848f3dcde 225->231 246 7ff848f3dd0f 226->246 247 7ff848f3dcff 226->247 239 7ff848f3dd08-7ff848f3dd0d 227->239 240 7ff848f3dd36-7ff848f3dd37 227->240 241 7ff848f3dd2a-7ff848f3dd2f 228->241 242 7ff848f3dd58-7ff848f3dd65 228->242 236 7ff848f3dd6e-7ff848f3dd6f 229->236 237 7ff848f3dd40-7ff848f3dd45 229->237 232 7ff848f3dd47 230->232 233 7ff848f3dd37 230->233 234 7ff848f3dd0e 231->234 235 7ff848f3dce0-7ff848f3dce5 231->235 232->231 245 7ff848f3dd49-7ff848f3dd57 232->245 233->229 234->246 235->224 235->227 243 7ff848f3ddcd-7ff848f3dddd 236->243 244 7ff848f3dd71-7ff848f3dd76 call 7ff848f394b0 236->244 237->231 237->232 239->228 239->246 240->229 241->222 241->229 242->244 253 7ff848f3ddde-7ff848f3ddf1 call 7ff848f3c7b8 243->253 254 7ff848f3dd7b-7ff848f3dd8f 244->254 245->242 246->228 250 7ff848f3dd11-7ff848f3dd1f 246->250 247->227 250->222 250->223 259 7ff848f3ddf6-7ff848f3de0f 253->259 254->253 260 7ff848f3dd91-7ff848f3ddb3 254->260 262 7ff848f3de21-7ff848f3de25 259->262 263 7ff848f3de11-7ff848f3de1d 259->263 264 7ff848f3de9a-7ff848f3dea8 262->264 265 7ff848f3de26 262->265 272 7ff848f3de2f-7ff848f3de4a call 7ff848f39520 263->272 273 7ff848f3de1f 263->273 268 7ff848f3deaa 264->268 269 7ff848f3ded2-7ff848f3defe 264->269 270 7ff848f3de27-7ff848f3de2c 265->270 271 
7ff848f3de84-7ff848f3de89 265->271 275 7ff848f3deac-7ff848f3debb 268->275 276 7ff848f3ded0 268->276 277 7ff848f3df03-7ff848f3df43 269->277 270->272 271->277 279 7ff848f3de8b 271->279 285 7ff848f3de4f-7ff848f3de63 272->285 273->262 275->276 276->269 281 7ff848f3df4c-7ff848f3df98 277->281 282 7ff848f3df45 277->282 283 7ff848f3de8d-7ff848f3de99 279->283 292 7ff848f3df99 281->292 282->281 283->264 285->283 288 7ff848f3de65 285->288 288->279 290 7ff848f3de67-7ff848f3de82 288->290 290->271 292->292
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4523085572.00007FF848F36000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F36000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848f36000_Axion.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: @$@$@
                                        • API String ID: 0-1177533131
                                        • Opcode ID: 89ab38306e060098382489312092ab9cb1480599e3f97d6ad20d5a5ae08f1a3e
                                        • Instruction ID: e9632194056ec2aa3a43234316039bd374a023db8845dd8e8261eefc41e22082
                                        • Opcode Fuzzy Hash: 89ab38306e060098382489312092ab9cb1480599e3f97d6ad20d5a5ae08f1a3e
                                        • Instruction Fuzzy Hash: A1C10772D1D6C64FF76AB33898151B97FA0EF52790F0801BBD489C71D3EE18680A8396
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4523085572.00007FF848F36000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F36000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848f36000_Axion.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: @$@
                                        • API String ID: 0-149943524
                                        • Opcode ID: 53f97a10ab9c0e5b0c690b1b3a6f095ce315ebfed043212abd1c0f4bf3d3432b
                                        • Instruction ID: 8390e1cde2604d46158bb653c8a83af36fe3f7f81e829b17c1805cd8e5af91dd
                                        • Opcode Fuzzy Hash: 53f97a10ab9c0e5b0c690b1b3a6f095ce315ebfed043212abd1c0f4bf3d3432b
                                        • Instruction Fuzzy Hash: 63620F31E0DA5A4FEB95F76888516B977E1EF45780F0400BAD44DD32D3EF2CA8168399
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4523085572.00007FF848F36000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F36000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848f36000_Axion.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: @$@
                                        • API String ID: 0-149943524
                                        • Opcode ID: 4b60b813a5ceb38789d2ef3c87d18d4bfd52e60f480986f3ff9359f116904a53
                                        • Instruction ID: c6fbdbd2a1511c8a38136d1b798b3f37d74dc72acbdc3c733c9158ae18b40188
                                        • Opcode Fuzzy Hash: 4b60b813a5ceb38789d2ef3c87d18d4bfd52e60f480986f3ff9359f116904a53
                                        • Instruction Fuzzy Hash: 01E1AF31E1DA5A4FEBA5FB6894506BD77A1FF99780F04017AD40ED31C2EF2CA8518398

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 818 7ff848f3f749-7ff848f3f755 819 7ff848f3f760-7ff848f3f778 818->819 820 7ff848f3f757-7ff848f3f75f 818->820 822 7ff848f3f77a 819->822 823 7ff848f3f73e-7ff848f3f746 819->823 820->819 824 7ff848f3f77c-7ff848f3f785 822->824 825 7ff848f3f7f4 822->825 826 7ff848f3f797 824->826 827 7ff848f3f787-7ff848f3f78c 824->827 828 7ff848f3f81e-7ff848f3f825 825->828 829 7ff848f3f7f6 825->829 830 7ff848f3f7cf-7ff848f3f7d1 826->830 832 7ff848f3f799 826->832 827->830 831 7ff848f3f7e6-7ff848f3f7e7 828->831 833 7ff848f3f7f8-7ff848f3f7ff 829->833 834 7ff848f3f81c-7ff848f3f81d 829->834 838 7ff848f3f7d3-7ff848f3f7d8 830->838 839 7ff848f3f801-7ff848f3f815 830->839 842 7ff848f3f7e8-7ff848f3f7ee 831->842 843 7ff848f3f817-7ff848f3f81b 831->843 832->830 836 7ff848f3f79b-7ff848f3f7bf 832->836 834->828 850 7ff848f3f7c0-7ff848f3f7c1 call 7ff848f3dc90 836->850 840 7ff848f3f7da 838->840 841 7ff848f3f7e5 838->841 839->843 840->841 844 7ff848f3f7dc-7ff848f3f7de 840->844 841->831 845 7ff848f3f78e-7ff848f3f790 842->845 846 7ff848f3f7f0 842->846 843->834 844->846 848 7ff848f3f7e0 844->848 849 7ff848f3f792 845->849 845->850 846->845 851 7ff848f3f7f2 846->851 848->841 849->826 854 7ff848f3f7c6-7ff848f3f7c8 850->854 851->825 854->840 855 7ff848f3f7ca 854->855 855->830
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4523085572.00007FF848F36000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F36000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848f36000_Axion.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: H
                                        • API String ID: 0-2852464175
                                        • Opcode ID: 8391c509a0c754e64bab5598c138824bea914f80f2012b102601b2f551c508c8
                                        • Instruction ID: 821c72a779a7b1a2ddfc2eee6979db418ae599a793b95afdbd6b674508862b8c
                                        • Opcode Fuzzy Hash: 8391c509a0c754e64bab5598c138824bea914f80f2012b102601b2f551c508c8
                                        • Instruction Fuzzy Hash: 55B22531E1D9464FEB59F72898162B937D1EFA5790F1401BAE80DC72C3EF1CA8068396

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1378 7ff848f3f627-7ff848f3f713 NtProtectVirtualMemory 1383 7ff848f3f71b-7ff848f3f746 1378->1383 1384 7ff848f3f715 1378->1384 1384->1383
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4523085572.00007FF848F36000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F36000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848f36000_Axion.jbxd
                                        Similarity
                                        • API ID: MemoryProtectVirtual
                                        • String ID:
                                        • API String ID: 2706961497-0
                                        • Opcode ID: 3a5049158d29290e727f6cdbc0f4195f1f25a12928ee4d08d12009c685fc83d6
                                        • Instruction ID: 6c6bf16e083b7b47d52e27786bc3b2d093903b797e00418b2cf7cdbbb9d58840
                                        • Opcode Fuzzy Hash: 3a5049158d29290e727f6cdbc0f4195f1f25a12928ee4d08d12009c685fc83d6
                                        • Instruction Fuzzy Hash: 4041C83191CB484FDB18DB5C98066ED7BF1FB99320F00426FE449D3292DB7468498BD6

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1628 7ff848f3c7ed-7ff848f3c810 1630 7ff848f3e210-7ff848f3e222 1628->1630 1631 7ff848f3e1e8-7ff848f3e20e 1630->1631 1632 7ff848f3e224 1630->1632 1631->1630 1633 7ff848f3e29e 1632->1633 1634 7ff848f3e226-7ff848f3e242 1632->1634 1635 7ff848f3e318-7ff848f3e321 1633->1635 1636 7ff848f3e2a0 1633->1636 1637 7ff848f3e247-7ff848f3e24e 1634->1637 1638 7ff848f3e333-7ff848f3e350 1635->1638 1639 7ff848f3e323-7ff848f3e331 1635->1639 1644 7ff848f3e2a3-7ff848f3e2b0 1636->1644 1640 7ff848f3e535-7ff848f3e53c 1637->1640 1641 7ff848f3e254-7ff848f3e256 1637->1641 1668 7ff848f3e362-7ff848f3e36c 1638->1668 1669 7ff848f3e352-7ff848f3e359 1638->1669 1639->1638 1642 7ff848f3e53e-7ff848f3e541 1640->1642 1643 7ff848f3e546-7ff848f3e54d 1640->1643 1645 7ff848f3e268-7ff848f3e291 1641->1645 1646 7ff848f3e258-7ff848f3e266 1641->1646 1642->1643 1648 7ff848f3e54f-7ff848f3e556 1643->1648 1649 7ff848f3e586-7ff848f3e596 1643->1649 1650 7ff848f3e2b7-7ff848f3e2cb 1644->1650 1645->1644 1690 7ff848f3e293-7ff848f3e29a 1645->1690 1646->1645 1656 7ff848f3e558-7ff848f3e559 1648->1656 1657 7ff848f3e55e-7ff848f3e565 1648->1657 1659 7ff848f3e598-7ff848f3e599 1649->1659 1666 7ff848f3e2dd-7ff848f3e2e4 1650->1666 1667 7ff848f3e2cd-7ff848f3e2d4 1650->1667 1656->1657 1657->1637 1660 7ff848f3e56b-7ff848f3e570 1657->1660 1664 7ff848f3e59a-7ff848f3e5ac 1659->1664 1660->1664 1665 7ff848f3e572 1660->1665 1692 7ff848f3e5b5-7ff848f3e5ef 1664->1692 1665->1659 1671 7ff848f3e574-7ff848f3e585 1665->1671 1675 7ff848f3e2ec-7ff848f3e2ee 1666->1675 1676 7ff848f3e2e6-7ff848f3e2ea 1666->1676 1673 7ff848f3e332 1667->1673 1674 7ff848f3e2d6-7ff848f3e2e4 1667->1674 1672 7ff848f3e373-7ff848f3e378 1668->1672 1677 7ff848f3e35b-7ff848f3e36c 1669->1677 1678 7ff848f3e3b7-7ff848f3e3c9 1669->1678 1684 7ff848f3e38a-7ff848f3e399 1672->1684 1685 7ff848f3e37a-7ff848f3e388 1672->1685 1673->1638 1674->1675 1674->1676 1680 7ff848f3e300-7ff848f3e30c 1675->1680 1681 7ff848f3e2f0 1675->1681 1682 
7ff848f3e30e-7ff848f3e316 1676->1682 1677->1672 1695 7ff848f3e3db-7ff848f3e3e8 1678->1695 1696 7ff848f3e3cb-7ff848f3e3e8 1678->1696 1680->1682 1693 7ff848f3e2f8-7ff848f3e2fe 1681->1693 1682->1635 1700 7ff848f3e3ab-7ff848f3e3b6 1684->1700 1701 7ff848f3e39b-7ff848f3e3a7 1684->1701 1685->1684 1690->1693 1697 7ff848f3e29c-7ff848f3e2b0 1690->1697 1708 7ff848f3e5f1 1692->1708 1693->1680 1709 7ff848f3e3fa-7ff848f3e400 1695->1709 1710 7ff848f3e3ea-7ff848f3e3f1 1695->1710 1696->1709 1696->1710 1697->1650 1700->1678 1714 7ff848f3e3a9-7ff848f3e3b6 1701->1714 1715 7ff848f3e401-7ff848f3e403 1701->1715 1716 7ff848f3e66b-7ff848f3e696 1708->1716 1717 7ff848f3e5f3-7ff848f3e656 1708->1717 1709->1715 1718 7ff848f3e412-7ff848f3e42a 1709->1718 1712 7ff848f3e3f3-7ff848f3e400 1710->1712 1713 7ff848f3e404-7ff848f3e408 1710->1713 1712->1718 1728 7ff848f3e402-7ff848f3e403 1712->1728 1713->1718 1714->1678 1715->1713 1721 7ff848f3e698-7ff848f3e6e7 1716->1721 1717->1721 1741 7ff848f3e658-7ff848f3e669 1717->1741 1732 7ff848f3e52a-7ff848f3e52d 1718->1732 1733 7ff848f3e430-7ff848f3e44d 1718->1733 1725 7ff848f3e6e9-7ff848f3e6f1 1721->1725 1726 7ff848f3e6f2-7ff848f3e707 1721->1726 1725->1726 1730 7ff848f3e709-7ff848f3e711 1726->1730 1731 7ff848f3e712-7ff848f3e730 1726->1731 1728->1713 1730->1731 1738 7ff848f3e732-7ff848f3e752 1731->1738 1739 7ff848f3e765-7ff848f3e76d 1731->1739 1732->1660 1734 7ff848f3e52f-7ff848f3e530 1732->1734 1745 7ff848f3e45f-7ff848f3e476 1733->1745 1746 7ff848f3e44f-7ff848f3e456 1733->1746 1734->1640 1740 7ff848f3e76e-7ff848f3e775 1738->1740 1739->1740 1743 7ff848f3e7ee-7ff848f3e7f5 1740->1743 1744 7ff848f3e777-7ff848f3e7a0 1740->1744 1741->1716 1748 7ff848f3e802-7ff848f3e809 1743->1748 1749 7ff848f3e7f7-7ff848f3e7fd 1743->1749 1781 7ff848f3e7a2 1744->1781 1755 7ff848f3e488-7ff848f3e497 1745->1755 1764 7ff848f3e478-7ff848f3e47f 1745->1764 1750 7ff848f3e458-7ff848f3e45d 1746->1750 1751 7ff848f3e480-7ff848f3e485 1746->1751 1753 7ff848f3e80f-7ff848f3e811 1748->1753 1754 
7ff848f3e93e-7ff848f3e945 1748->1754 1749->1748 1750->1745 1751->1755 1759 7ff848f3e823-7ff848f3e879 1753->1759 1760 7ff848f3e813-7ff848f3e820 1753->1760 1757 7ff848f3e94d-7ff848f3e954 1754->1757 1758 7ff848f3e947-7ff848f3e948 1754->1758 1761 7ff848f3e49e-7ff848f3e4a2 1755->1761 1765 7ff848f3e95a-7ff848f3e961 1757->1765 1766 7ff848f3e754-7ff848f3e75b 1757->1766 1758->1757 1801 7ff848f3e88b-7ff848f3e892 1759->1801 1802 7ff848f3e87b-7ff848f3e882 1759->1802 1760->1759 1776 7ff848f3e4a9-7ff848f3e4af 1761->1776 1769 7ff848f3e4dd-7ff848f3e504 1764->1769 1770 7ff848f3e481-7ff848f3e497 1764->1770 1771 7ff848f3e973-7ff848f3e987 1765->1771 1772 7ff848f3e963 1765->1772 1766->1740 1768 7ff848f3e75d-7ff848f3e764 1766->1768 1768->1739 1786 7ff848f3e516-7ff848f3e527 1769->1786 1787 7ff848f3e506-7ff848f3e513 1769->1787 1770->1761 1778 7ff848f3e99b-7ff848f3e9b4 1771->1778 1779 7ff848f3e989-7ff848f3e997 1771->1779 1785 7ff848f3e96c-7ff848f3e970 1772->1785 1783 7ff848f3e4d9 1776->1783 1784 7ff848f3e4af 1776->1784 1779->1778 1781->1781 1783->1732 1784->1783 1789 7ff848f3e4cf-7ff848f3e4d7 1784->1789 1790 7ff848f3e972 1785->1790 1791 7ff848f3e9b5-7ff848f3e9fd 1785->1791 1786->1732 1787->1786 1789->1783 1795 7ff848f3e45e 1789->1795 1790->1771 1798 7ff848f3e9ff-7ff848f3ea03 1791->1798 1799 7ff848f3ea05-7ff848f3ea16 1791->1799 1795->1745 1798->1799 1803 7ff848f3e895-7ff848f3e8a5 1801->1803 1802->1803 1804 7ff848f3e884-7ff848f3e888 1802->1804 1808 7ff848f3e8b7-7ff848f3e904 1803->1808 1809 7ff848f3e8a7-7ff848f3e8ac 1803->1809 1804->1801 1811 7ff848f3e906-7ff848f3e912 1808->1811 1816 7ff848f3e916-7ff848f3e939 1808->1816 1810 7ff848f3e8ae 1809->1810 1809->1811 1810->1808 1811->1785 1815 7ff848f3e914 1811->1815 1815->1816 1816->1754
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4523085572.00007FF848F36000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F36000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848f36000_Axion.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: |L_^
                                        • API String ID: 0-3369961972
                                        • Opcode ID: 724eb2d3c018b36f16b216933d30ce3674fcc18142dafa095eb0a6cfa855b4e0
                                        • Instruction ID: 61d355d2d0d1450a36b4b89aa034dace79c46cb886cd46f09627cfd13ac1b8e8
                                        • Opcode Fuzzy Hash: 724eb2d3c018b36f16b216933d30ce3674fcc18142dafa095eb0a6cfa855b4e0
                                        • Instruction Fuzzy Hash: 5881E075C1E50B5AFB1CB264CC062F97680DF60795F68123EE449C29CAFE6CB41B81E6

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 2667 7ff848f36ed6-7ff848f36ee3 2668 7ff848f36eee-7ff848f36fb7 2667->2668 2669 7ff848f36ee5-7ff848f36eed 2667->2669 2673 7ff848f36fb9-7ff848f36fc2 2668->2673 2674 7ff848f37023 2668->2674 2669->2668 2673->2674 2675 7ff848f36fc4-7ff848f36fd0 2673->2675 2676 7ff848f37025-7ff848f3704a 2674->2676 2677 7ff848f37009-7ff848f37021 2675->2677 2678 7ff848f36fd2-7ff848f36fe4 2675->2678 2683 7ff848f3704c-7ff848f37055 2676->2683 2684 7ff848f370b6 2676->2684 2677->2676 2679 7ff848f36fe8-7ff848f36ffb 2678->2679 2680 7ff848f36fe6 2678->2680 2679->2679 2682 7ff848f36ffd-7ff848f37005 2679->2682 2680->2679 2682->2677 2683->2684 2686 7ff848f37057-7ff848f37063 2683->2686 2685 7ff848f370b8-7ff848f37160 2684->2685 2697 7ff848f371ce 2685->2697 2698 7ff848f37162-7ff848f3716c 2685->2698 2687 7ff848f3709c-7ff848f370b4 2686->2687 2688 7ff848f37065-7ff848f37077 2686->2688 2687->2685 2689 7ff848f3707b-7ff848f3708e 2688->2689 2690 7ff848f37079 2688->2690 2689->2689 2692 7ff848f37090-7ff848f37098 2689->2692 2690->2689 2692->2687 2699 7ff848f371d0-7ff848f371f9 2697->2699 2698->2697 2700 7ff848f3716e-7ff848f3717b 2698->2700 2707 7ff848f371fb-7ff848f37206 2699->2707 2708 7ff848f37263 2699->2708 2701 7ff848f3717d-7ff848f3718f 2700->2701 2702 7ff848f371b4-7ff848f371cc 2700->2702 2703 7ff848f37193-7ff848f371a6 2701->2703 2704 7ff848f37191 2701->2704 2702->2699 2703->2703 2706 7ff848f371a8-7ff848f371b0 2703->2706 2704->2703 2706->2702 2707->2708 2710 7ff848f37208-7ff848f37216 2707->2710 2709 7ff848f37265-7ff848f372f6 2708->2709 2718 7ff848f372fc-7ff848f3730b 2709->2718 2711 7ff848f37218-7ff848f3722a 2710->2711 2712 7ff848f3724f-7ff848f37261 2710->2712 2714 7ff848f3722e-7ff848f37241 2711->2714 2715 7ff848f3722c 2711->2715 2712->2709 2714->2714 2716 7ff848f37243-7ff848f3724b 2714->2716 2715->2714 2716->2712 2719 7ff848f3730d 2718->2719 2720 7ff848f37313-7ff848f37378 call 7ff848f37394 2718->2720 2719->2720 2727 7ff848f3737a 2720->2727 2728 
7ff848f3737f-7ff848f37392 2720->2728 2727->2728
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4523085572.00007FF848F36000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F36000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848f36000_Axion.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e2eb286ffd9c6e7f12c575defd48ce2726bd151183ff6508cec8492ce56afecf
                                        • Instruction ID: 81930d08db230e6548c5abddb826c582c10c134df93ed78eb6f2f1db5449aec5
                                        • Opcode Fuzzy Hash: e2eb286ffd9c6e7f12c575defd48ce2726bd151183ff6508cec8492ce56afecf
                                        • Instruction Fuzzy Hash: 16F1923090CA8E8FEBA8EF28C8557E937E1FF54350F14427AE84DC7295DB3499458B82
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4523085572.00007FF848F36000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F36000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848f36000_Axion.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7e7b58ce324015386b2314970fb4397d6479b37a47c78d7d996d7f0199ad733a
                                        • Instruction ID: 0bddf62affebee7399eba77910f54180b6ffc5d136bccc81036c5f4ff3daa27c
                                        • Opcode Fuzzy Hash: 7e7b58ce324015386b2314970fb4397d6479b37a47c78d7d996d7f0199ad733a
                                        • Instruction Fuzzy Hash: F0E17D31E1D91A4FEBA5FB6894516BD77A1FF98780F44017AE40ED31C2EF2CA8518398

Control-flow Graph (legend: Executed / Not Executed; rendered basic-block node and edge listing not reproduced)
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4523085572.00007FF848F36000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F36000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848f36000_Axion.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d09abfd8d03d20169085573602aefa223ebba68d8ea0d31bbbb2e9117fdcab53
                                        • Instruction ID: c6acefd33c949fda30057716e84e3b3af654f8b47eea9706122dba8bac1bca4c
                                        • Opcode Fuzzy Hash: d09abfd8d03d20169085573602aefa223ebba68d8ea0d31bbbb2e9117fdcab53
                                        • Instruction Fuzzy Hash: 9AE1803090CA4E8FEBA8EF28C8557E977D1FB54350F14827AD84DC7295DF7899808B82
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4523085572.00007FF848F36000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F36000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848f36000_Axion.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7744d2e1cfcfe07a51dd3e02835b784df8206d52ddf6250be86c5cde9b54b494
                                        • Instruction ID: f9f1077a9f6b0a30bd9f5318e69e6c5f301cad359b63429559d9448e246405e0
                                        • Opcode Fuzzy Hash: 7744d2e1cfcfe07a51dd3e02835b784df8206d52ddf6250be86c5cde9b54b494
                                        • Instruction Fuzzy Hash: C6B10675C1E5474EFB1AB3648C062F83A90DF21795F18417BD488C79C7FE1CB41A82AA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4523085572.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848f30000_Axion.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4b255623ab405bc5eadbdcdfaf4575e3d279fad53ff0f3ad6f71bcad007974c5
                                        • Instruction ID: e0b00d5313cac2901db937f4444980b015dd64295705a71329876f48f9f9f022
                                        • Opcode Fuzzy Hash: 4b255623ab405bc5eadbdcdfaf4575e3d279fad53ff0f3ad6f71bcad007974c5
                                        • Instruction Fuzzy Hash: 93A1C230D1C5165FF7A8E72CE4862B972D1FB49750F10907ED89EC32C2EE2CAC568295
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4523085572.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848f30000_Axion.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 508e86ca206ee93d34fc552834feaccb8269a158eb3b96c2c5a6bb61778446ab
                                        • Instruction ID: 48497382c44e791337a018c9fe2f928284f367b79010fa5bba657cce43bd1ef4
                                        • Opcode Fuzzy Hash: 508e86ca206ee93d34fc552834feaccb8269a158eb3b96c2c5a6bb61778446ab
                                        • Instruction Fuzzy Hash: B1B1B631E1E2871FF756737454112BA2EA19F82280F9845F7E48CCB2D7DE1CA94A437A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4523085572.00007FF848F36000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F36000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848f36000_Axion.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: da745ef4488330191e3e084d1bcb27dca123dede144f96bd15901ac86f9ece27
                                        • Instruction ID: 8b4b02c8caa9b1dbcaf31c078d041f8ef1117a79aaf87fbf1b8f44d11b435338
                                        • Opcode Fuzzy Hash: da745ef4488330191e3e084d1bcb27dca123dede144f96bd15901ac86f9ece27
                                        • Instruction Fuzzy Hash: 25A1E175C0E54B4AFB1EB3648C062F87A90DF21795F18127AE449C35C7FE6C641B82A6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4523085572.00007FF848F36000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F36000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848f36000_Axion.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7bda5a14841ef76d1eda3ff09690f10c542ea3d5333aaed438cbc1f8572375f0
                                        • Instruction ID: 169ec2d698e8479b258609cb1eacb4ed4518267f49ce6280bced0f61a171f58d
                                        • Opcode Fuzzy Hash: 7bda5a14841ef76d1eda3ff09690f10c542ea3d5333aaed438cbc1f8572375f0
                                        • Instruction Fuzzy Hash: 8D813631D2D6424FFBA9B338C8461B93B90EF54390F94057BD889C32D2EF1D681A539A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4523085572.00007FF848F36000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F36000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848f36000_Axion.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: deb7b3bc9f7d17990b472a12b7c861d2bdfd391aec68322be253f0a422ffaa69
                                        • Instruction ID: 4b5b4d481f9fea569e4c5af0e9ce0e50f037f8ebbfc4e773421a4bd58f694b67
                                        • Opcode Fuzzy Hash: deb7b3bc9f7d17990b472a12b7c861d2bdfd391aec68322be253f0a422ffaa69
                                        • Instruction Fuzzy Hash: AB61E331D2D6434FEBAAB334C8061B53B90EF51390F9405BBC849C76D2EF1D681A939A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4523085572.00007FF848F36000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F36000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848f36000_Axion.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cd13f5e8ec7785669e776cd77db8afbf246e3fbf4dfc8a1be01f86ecdefecc2c
                                        • Instruction ID: 0e234e2b011304ba634a5becd8d7518854e969b2224b12cc9389bb190ad335d4
                                        • Opcode Fuzzy Hash: cd13f5e8ec7785669e776cd77db8afbf246e3fbf4dfc8a1be01f86ecdefecc2c
                                        • Instruction Fuzzy Hash: AB41A031E1D90A4FFBE9F73884562B836D1EF95385F44107AD44DC32D2EF29AC16825A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4523085572.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848f30000_Axion.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: S$M_^
                                        • API String ID: 0-3605690831
                                        • Opcode ID: 7b33cba0c5fcd122e2a361fdd4264257b3c118f15bb6442f7c51551fb71e4bc2
                                        • Instruction ID: e13020b89f902bd7ab1749013c5ec6dadd6dc207abf99e99ad3afec5e506870d
                                        • Opcode Fuzzy Hash: 7b33cba0c5fcd122e2a361fdd4264257b3c118f15bb6442f7c51551fb71e4bc2
                                        • Instruction Fuzzy Hash: C0726032F1D90A5FF798B77894952B926D2EF98391F940836E10EC72C6DF3CA8428354
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4523085572.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848f30000_Axion.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 390dc6662a02a925ec534a7e67046c7fa2a66e3188a3b977d643316413598e43
                                        • Instruction ID: 1ee4f5b5a11efc9ea08cb7a0557ff21f88c0561c496412715888c925c1c804ec
                                        • Opcode Fuzzy Hash: 390dc6662a02a925ec534a7e67046c7fa2a66e3188a3b977d643316413598e43
                                        • Instruction Fuzzy Hash: 60717021C1D3D60FE3269728A8521B47FA0AF47750F1980FBD8D9CB5D3EA1C585A83A6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4523085572.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848f30000_Axion.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 531357f0b49766582af430b448f1bf861a4c1b4f32d59266d43d5f918ef29444
                                        • Instruction ID: 32f1fd58024adc38aae0b259604ed5bea6d0357351fa1194c9bc8fd8bb4d3ea8
                                        • Opcode Fuzzy Hash: 531357f0b49766582af430b448f1bf861a4c1b4f32d59266d43d5f918ef29444
                                        • Instruction Fuzzy Hash: 5A61AE32F0D5065EFBA4B3A8D45677D2282EFA4395F25023AD40D872C7EF3CA842425A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4523085572.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848f30000_Axion.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e530746703552ad713f4693bf5893fb936f8d887a5450e447cb810417fd08200
                                        • Instruction ID: 55303c8ea5e79f5bd36e1710b1d3600a973766f72728ad6ed2daa61c51e0605c
                                        • Opcode Fuzzy Hash: e530746703552ad713f4693bf5893fb936f8d887a5450e447cb810417fd08200
                                        • Instruction Fuzzy Hash: 5F516130919A1C8FDB54EB58D845BE9BBF1FB59310F0082ABD44DE3292DF34A9858F81
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4523085572.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848f30000_Axion.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5f1b1c3720ad671270af3bb9ab34e85fee73c9c580ab61488743718e9f2af0fc
                                        • Instruction ID: 95467d67938e37b2e25ccf6bb4ea4a87d199438c6f6f884d5959ca993bf933b7
                                        • Opcode Fuzzy Hash: 5f1b1c3720ad671270af3bb9ab34e85fee73c9c580ab61488743718e9f2af0fc
                                        • Instruction Fuzzy Hash: 6A41A131E2D91A5FEB98EB2C98496B973D1FF58751F50007EE40DD32D2DE29AC418744
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4523085572.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848f30000_Axion.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: df28f4f97bfbefa1bf4d2308ab09a760024dd1f2773efe2e58f9af992959a705
                                        • Instruction ID: ec18439749d850e2ad4dd317ce4ea7e6d05ef8ef5225e6eebd82a058a5620e78
                                        • Opcode Fuzzy Hash: df28f4f97bfbefa1bf4d2308ab09a760024dd1f2773efe2e58f9af992959a705
                                        • Instruction Fuzzy Hash: 0C31A030E2D91A9FEB98FB6C94496B972E1FF58751F50007EE40DD32D2DE29AC018744
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4523085572.00007FF848F36000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F36000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848f36000_Axion.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d7cdc0d32e31af88a8bf70f094b243ef86ca1e4aaa05eed0d693ed0969758369
                                        • Instruction ID: dc4b73ec72bc30385a3ef436c2615693deeaa16b3118469a35b6c11ed31432db
                                        • Opcode Fuzzy Hash: d7cdc0d32e31af88a8bf70f094b243ef86ca1e4aaa05eed0d693ed0969758369
                                        • Instruction Fuzzy Hash: 5EA12331D0D6960FE369B72898456B57BD1EF65B90F1801BBC00DD71D3EF1C688A8356
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4523085572.00007FF848F36000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F36000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848f36000_Axion.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 77b94735054a43df18f2d11c408073d7cad1eeb493f8d92f655a10638f0c459b
                                        • Instruction ID: 9551f580bc2944745e8599246024c7fbeb7958faf846f91360cb5b4a89a8fc2d
                                        • Opcode Fuzzy Hash: 77b94735054a43df18f2d11c408073d7cad1eeb493f8d92f655a10638f0c459b
                                        • Instruction Fuzzy Hash: B281D371D0D2D20FE75BA32858156B13FA09F66B95F0901FBD48CE71D3EA0D1C1A8396
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4523085572.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848f30000_Axion.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: C;$!K;$"S;$#[;
                                        • API String ID: 0-1287115497
                                        • Opcode ID: d915c6f8cdd41e9cf741c9db2f97f162e269d0b55e7824dd008986166296417c
                                        • Instruction ID: f9780dce10f04acd9d8fc664b1ec615e7b42d168bc44e042e9c9c47419121d3e
                                        • Opcode Fuzzy Hash: d915c6f8cdd41e9cf741c9db2f97f162e269d0b55e7824dd008986166296417c
                                        • Instruction Fuzzy Hash: B6D05E17777C2F015E54730DB8000E8F385E6C71B374887F3EA44C72825951685B82F4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2604204257.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ff848f00000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: P3&
                                        • API String ID: 0-3107531288
                                        • Opcode ID: 76c6d68b9f315c6e82a6f1c9d4e3a87067abfb532686fc82fc4ccf23eafa0f0f
                                        • Instruction ID: 4c009fe11d725417903c47d82149d156c536dbfbcf264c991c40648bd15d2bf2
                                        • Opcode Fuzzy Hash: 76c6d68b9f315c6e82a6f1c9d4e3a87067abfb532686fc82fc4ccf23eafa0f0f
                                        • Instruction Fuzzy Hash: CA129761D1E6924FF76AB37848162753BA09F53384F5901FAD489C71D3FF1C680A83AA
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2604204257.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ff848f00000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f1abfb0405eabccebacece6321488307ac4444fd00c1aba4834bdf83d84df7a4
                                        • Instruction ID: 7f2cee2f157e85ddb63477be77fda6bdc96650ac1a4f6e0b36a1a7a987b1167a
                                        • Opcode Fuzzy Hash: f1abfb0405eabccebacece6321488307ac4444fd00c1aba4834bdf83d84df7a4
                                        • Instruction Fuzzy Hash: 3322E231E0E92A4FEBA9B76884606BD67D1EF9A780F540079E40DD32C3FF1C68468359
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2604204257.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ff848f00000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 187a721c91c44955ce4dc93cf4b3f70bc8932885191695e54fd5c54b2c2977fd
                                        • Instruction ID: 97a0a05ded45cb1f14f9d68e59b99cb11e1d10dfb0d941f9a6fd52160e535c41
                                        • Opcode Fuzzy Hash: 187a721c91c44955ce4dc93cf4b3f70bc8932885191695e54fd5c54b2c2977fd
                                        • Instruction Fuzzy Hash: 71F1B03090CA8D8FEBA8EF28C8557E937E1FF55340F14426AE84DC72D1DB3999458B82
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2604204257.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ff848f00000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 27aee6a7f7495518c295423449941954a8814e1e5e7c975c087ee47649f3c7db
                                        • Instruction ID: 6b978be06218111c55497913305fa2f0b13b595ffc3b628f7937d6ecea5170bf
                                        • Opcode Fuzzy Hash: 27aee6a7f7495518c295423449941954a8814e1e5e7c975c087ee47649f3c7db
                                        • Instruction Fuzzy Hash: A5E1B03090DA8E8FEBA8EF28C8557E977D1EF55350F14826EE84DC7295DF7898408B81
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2604204257.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ff848f00000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: eec06880851f31bea797607e8060bf508bf93ba95b29b97bd6c711352a937e15
                                        • Instruction ID: 7ed4a51f22545f7698e3a9562fa4ab6b74a6481449f9ca5aeb8c693281513d8e
                                        • Opcode Fuzzy Hash: eec06880851f31bea797607e8060bf508bf93ba95b29b97bd6c711352a937e15
                                        • Instruction Fuzzy Hash: 32A1E330D1C5164FE768A72CE4862B9B2D1FB4A750F10507DD89EC72C2FE2C6C568395
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2604204257.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ff848f00000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 571ea422b1553189c972a5ecb030cd0f277c405d980036d657de81a73c48a0b0
                                        • Instruction ID: bfe91180b40586cab4f790addf9565e28c3626d5465fef4bfd2ba1e7303c047d
                                        • Opcode Fuzzy Hash: 571ea422b1553189c972a5ecb030cd0f277c405d980036d657de81a73c48a0b0
                                        • Instruction Fuzzy Hash: 29B1E931E0E2871FF75677B404222BE2EA19F83284F9404B6D48DC72D7FE1C694A436A
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2604204257.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ff848f00000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3c9f31def99e59ae6759af77b24f48b931273fa7b1bf6b6ad1b4100bdfdfe9f3
                                        • Instruction ID: d8cc9f563aed0751a6e2ec00a7dcd251ead0a1e7ab6af1b3251249c658f04f1d
                                        • Opcode Fuzzy Hash: 3c9f31def99e59ae6759af77b24f48b931273fa7b1bf6b6ad1b4100bdfdfe9f3
                                        • Instruction Fuzzy Hash: B8814831D2D6424EFB69B3288C461B57B90EF56390F94057AC889CB2D3FF1C681A539B
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2604204257.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ff848f00000_xdwdUnreal Engine.jbxd
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ff848f00000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e64ff82581292e1ae55d1d89a75ccd0d208f9634a228dbcab723bfd4b57bdfec
                                        • Instruction ID: 9eff95a18e676c3d2255488c1631fb7fe7e065530fc0daab805f39bf33c5b362
                                        • Opcode Fuzzy Hash: e64ff82581292e1ae55d1d89a75ccd0d208f9634a228dbcab723bfd4b57bdfec
                                        • Instruction Fuzzy Hash: 2A51013191D68A4FEB56BB6488152A93FE1EF5B350F0900BBC448CB1D3EA1D585AC356
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2604204257.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ff848f00000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a744e8300b0a607ae529f0af65f210fd7e966e3ab7a5cc851b78178a29290050
                                        • Instruction ID: 0df79e1290eae252e6fd1594dd18e484100cd36ce92c798cab7f8d6420ff5002
                                        • Opcode Fuzzy Hash: a744e8300b0a607ae529f0af65f210fd7e966e3ab7a5cc851b78178a29290050
                                        • Instruction Fuzzy Hash: 47517331908A1C8FDB54EB58D845BE9BBF1FB59310F0082AAD44DD3292DF34A985CF81
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2604204257.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ff848f00000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 30c43f29b319fb6ab4bc1202927dc15e0a8b4b3c3c318d2143f317f2a36c9b9a
                                        • Instruction ID: f2520173a299095252f04c913b0174fefd6e5367c4860d063b5c053b41a6eca3
                                        • Opcode Fuzzy Hash: 30c43f29b319fb6ab4bc1202927dc15e0a8b4b3c3c318d2143f317f2a36c9b9a
                                        • Instruction Fuzzy Hash: AC41F372E1C6491EF76C6628A8171BA7BD5DB977A0F04017FE08EC22C3FE15B817419A
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2604204257.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ff848f00000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 45ab9c0312d4c3959a6b56a14034929022c338c579cc92ede7a1ac99e21705b4
                                        • Instruction ID: 4b19285eaa5b6619c41c2bc0dbc108fb7cdfd8de71801ddf8ae614e39403a0a1
                                        • Opcode Fuzzy Hash: 45ab9c0312d4c3959a6b56a14034929022c338c579cc92ede7a1ac99e21705b4
                                        • Instruction Fuzzy Hash: 2141E972E0D6451EF768761C68161B977D5DB977A0F04027FE08EC31C7FE19A80742A6
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2604204257.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ff848f00000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 760f9c793f11416a658486189aad8fc9bc9e16d24a870a9539ab17833982abec
                                        • Instruction ID: 7adf6fd37db398b2d306694c16d2d30d87d825846bb7a7d19ac99cfbb4312256
                                        • Opcode Fuzzy Hash: 760f9c793f11416a658486189aad8fc9bc9e16d24a870a9539ab17833982abec
                                        • Instruction Fuzzy Hash: D4418E31C1C1564EF77C576CB4862B4B284FB46B50F10A07DDCEE869C3BE1C68AA42DA
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2604204257.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ff848f00000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e9d088ec9f97bd190bd0bfd18e8995819c95f372e3523d7819076c19077a22b4
                                        • Instruction ID: ff33d08dcd9fe77770adc4811e3a4e29b842869ccf5677b9672b473ed115f521
                                        • Opcode Fuzzy Hash: e9d088ec9f97bd190bd0bfd18e8995819c95f372e3523d7819076c19077a22b4
                                        • Instruction Fuzzy Hash: 8731AF31E199199FEB98EB6C94496B973E1FF5A751F40007DD40DD32E2EE299C018744
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2604204257.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ff848f00000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f869e9ced711c93f663da2d05ed1eeeb5c40814d57e7741ef4655451b620d331
                                        • Instruction ID: 05cc17e2739bc815f593f9ca7b20c8e5d5d201349e42f083f0da5d08a10ae3d6
                                        • Opcode Fuzzy Hash: f869e9ced711c93f663da2d05ed1eeeb5c40814d57e7741ef4655451b620d331
                                        • Instruction Fuzzy Hash: 4831A372E4C8578EFF64B7A898452F527C08F563A1F0A10B6D85CD71D2FE0C6CCA428A
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2604204257.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ff848f00000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d743cd5f24863c28ce86d25d9ecf43a83fa1eb13484c9f26249f3354d3899cf3
                                        • Instruction ID: 5dc82ddce0772e9bc03e9264b5d580a3782f6a43ed5b270835ae5286978c127b
                                        • Opcode Fuzzy Hash: d743cd5f24863c28ce86d25d9ecf43a83fa1eb13484c9f26249f3354d3899cf3
                                        • Instruction Fuzzy Hash: 63315572D1C62A0FE718B76C98505F6B790FB863A0F04417AE84EC30C2EE18AD028B95
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2604204257.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ff848f00000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1efbefaaa6324052677904bfce7b32010585d9f1b438ede029dac73a4f987547
                                        • Instruction ID: da9b4bcd349e8c9d176b779f184c6a27fef3d972e09c630218189dde5e5c215e
                                        • Opcode Fuzzy Hash: 1efbefaaa6324052677904bfce7b32010585d9f1b438ede029dac73a4f987547
                                        • Instruction Fuzzy Hash: F5219E32E0C81B8EFF64B79899412B436D08F663D1F0610B1D85CD72D2FE0CACCA429A
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2604204257.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ff848f00000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b59dfaa1f9cb36b27f61af515d7dcb365f4e9cb54647a59c0562d1c422cab59e
                                        • Instruction ID: 36c50b81af8c413dacc6680fff8e82eac10695f4700592c4a8dac36e2399d920
                                        • Opcode Fuzzy Hash: b59dfaa1f9cb36b27f61af515d7dcb365f4e9cb54647a59c0562d1c422cab59e
                                        • Instruction Fuzzy Hash: 3B31BC31D0C9968FEB61B76888412B437E0DF573A1F0500B2E44CDB2D2FA1C6C8A8396
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2604204257.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ff848f00000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a43a0c4a2e58824cc422090cb22f4957028bb0de28b0a74d3f12a8f2f1896462
                                        • Instruction ID: 639c0e85053975efe573d50c9340608ae024ad46a40a971c2d5d7efe9500b60e
                                        • Opcode Fuzzy Hash: a43a0c4a2e58824cc422090cb22f4957028bb0de28b0a74d3f12a8f2f1896462
                                        • Instruction Fuzzy Hash: F4213622F1D9974EF765737894202B927C1EF8A3A0F4D8071D84DC75C2EB2C69825346
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2604204257.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ff848f00000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 73d387a5c42fa708694bd72eea2153bc7ffb358fc58969101f4632a9d3e1e9e6
                                        • Instruction ID: 365407c27021dff33aa79598be7bfdca3c40ca8dcbea8a781a365f7985abae27
                                        • Opcode Fuzzy Hash: 73d387a5c42fa708694bd72eea2153bc7ffb358fc58969101f4632a9d3e1e9e6
                                        • Instruction Fuzzy Hash: F2210E32D0D1925EF7567378585A0F90B80DF632A4F0880BAED8CC70C3FA0C1E56829A
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2604204257.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ff848f00000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0cddef91d6683094d01fe79d74b25e67663b3d5d4160cf74b3dadab30959ee82
                                        • Instruction ID: 945278607ad167e3d2c8e67f0f669b4773a37e199594aa4349973a34c25385f1
                                        • Opcode Fuzzy Hash: 0cddef91d6683094d01fe79d74b25e67663b3d5d4160cf74b3dadab30959ee82
                                        • Instruction Fuzzy Hash: 10113672A0E6C65EE757A73448390A43FA09F17241B1944FFC589CB9E3FA181809C35A
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2604204257.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ff848f00000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ef72c93c83ee0979bc3d0444e3951b351259aa36fa28a6cdef4eae4e682452aa
                                        • Instruction ID: 5eaa40509acf5421f12f27c74c80367bec11c8c6207f5eb379c4f228e49e665b
                                        • Opcode Fuzzy Hash: ef72c93c83ee0979bc3d0444e3951b351259aa36fa28a6cdef4eae4e682452aa
                                        • Instruction Fuzzy Hash: F901C431E0C64E8EEB9AEB6898156B977E1EF46340F040479D14ED35C2EF285C45C754
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2604204257.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ff848f00000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7be5ebd358479786786e5e7ded685813b78126500d4fac2ac69c48d3de9b645c
                                        • Instruction ID: 08ab3f977b236a2e5ae5d4b05fcdb4634c18311ddd1ab3deda95901d11876e8d
                                        • Opcode Fuzzy Hash: 7be5ebd358479786786e5e7ded685813b78126500d4fac2ac69c48d3de9b645c
                                        • Instruction Fuzzy Hash: EBF09612E2D9251EE65C615D6C411B651C4D75B763F112079E88ED32C2F8091C4214D9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2604204257.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ff848f00000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: C;$!K;$"S;$#[;
                                        • API String ID: 0-1287115497
                                        • Opcode ID: badd95c910b544db656e6b949baf25b872bdc6110aab7720bd8918ac721190d0
                                        • Instruction ID: 15e20852440c3624e71179a3363ec694d22ed2879826468b7e65ce341e970836
                                        • Opcode Fuzzy Hash: badd95c910b544db656e6b949baf25b872bdc6110aab7720bd8918ac721190d0
                                        • Instruction Fuzzy Hash: 84D0177776D4262AAA44A18DB8009CA138DC6CD1B27048673F604E7282C140685B42F8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F06000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F06000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f06000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: P3&
                                        • API String ID: 0-3107531288
                                        • Opcode ID: 1aead4f17efdec4457701bd4788406edc3b4922307d95aa83a567d95bdec500c
                                        • Instruction ID: 36ac756d4ecc739569edf3c2d7a4c5b41af62e6e15a8bcc5082329ffb91be7bb
                                        • Opcode Fuzzy Hash: 1aead4f17efdec4457701bd4788406edc3b4922307d95aa83a567d95bdec500c
                                        • Instruction Fuzzy Hash: 1432CA71E1D6860FF76AB36858161B53BA0DF53390F5901FAD489C71D3FE1C680A83AA
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F06000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F06000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f06000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d0e78a73c283a59ff3021bc823d0bd8efd6fb2dca4627b1c27b391b4f6c71395
                                        • Instruction ID: 2e4dd6f5f5323ef6bd9d4990b2ca501f2277152d1e225e493c6d3bb62c24fc6e
                                        • Opcode Fuzzy Hash: d0e78a73c283a59ff3021bc823d0bd8efd6fb2dca4627b1c27b391b4f6c71395
                                        • Instruction Fuzzy Hash: 6422E131E0E92A4FEBA9B7A884506BD67D1EF5A780F540079E84DD31C3FF1C68468399
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F06000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F06000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f06000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6be4ebcb49263778a6f4b72d602fbc8b24e8720f0f85ccb3a1044f98996f00c7
                                        • Instruction ID: 8946e7857490703322aad2e162809c59805bc0ce1aea60467846d81260733ea7
                                        • Opcode Fuzzy Hash: 6be4ebcb49263778a6f4b72d602fbc8b24e8720f0f85ccb3a1044f98996f00c7
                                        • Instruction Fuzzy Hash: C822F672D0D6860FE75AB3688C162B43B91DF57395F1802BAD48DC71D3FE1C684B82A6
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F06000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F06000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f06000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 798e53fb29661f38be0137304f3478a6245e8f313a749e7507ea2e4404405dcd
                                        • Instruction ID: 5c39f7f6776d03d8e9ea482cf84924447b704406db53127e8d6cb9ad968e1d16
                                        • Opcode Fuzzy Hash: 798e53fb29661f38be0137304f3478a6245e8f313a749e7507ea2e4404405dcd
                                        • Instruction Fuzzy Hash: 76F1B23090CA8D8FEBA8EF28C8557E937E1FF55340F14426AE84DC72D5DB3999458B82
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F06000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F06000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f06000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bde270b45db0c6a0fcbb11d47c7a2d825d636230d7b60171b8d7efc342c1322c
                                        • Instruction ID: 82962532afdbc01bfd871d9abf9cbe3171a16bc1823c6c1edb15d3f37749f6b9
                                        • Opcode Fuzzy Hash: bde270b45db0c6a0fcbb11d47c7a2d825d636230d7b60171b8d7efc342c1322c
                                        • Instruction Fuzzy Hash: 69E1C130A0DA8E8FEBA8EF28C8557E977D1EB55350F14426ED84DC7295DF7898408B81
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f00000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ee227293b82816d885d15119b0adf69a9b8a2f3ff645f21fd51650f7bdf54d97
                                        • Instruction ID: 2423953729641b86f9650faf585c7bdb9d0c4f8dde295a778a01aaf4c27619d0
                                        • Opcode Fuzzy Hash: ee227293b82816d885d15119b0adf69a9b8a2f3ff645f21fd51650f7bdf54d97
                                        • Instruction Fuzzy Hash: 6AA1D230D1C51A5FE768A72CA4862B972D1FB4A750F10507DD89EC72C2FE2C6C968399
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f00000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 17724eb8d0ebb04436e2fcee8e768ec18b4a53f04ced87cb9a10a3e3af9e92f9
                                        • Instruction ID: 98d5a9e9aa1be5365d6fd3cae4e0f9ddfa4062e7a95cdf339f62d224ac4a644d
                                        • Opcode Fuzzy Hash: 17724eb8d0ebb04436e2fcee8e768ec18b4a53f04ced87cb9a10a3e3af9e92f9
                                        • Instruction Fuzzy Hash: 8CB1C521E0E38B1EF75677B404122BA3EA19F83285F9404BAD4CCC76D7FE1C6946436A
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F06000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F06000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f06000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0febba379c092dadcc1e9231a13987023b58e41f66fcb2612270de7ef4833187
                                        • Instruction ID: f1cba6bc9550b3d8147674792dde8d963b454a521773d01eb7c96b51d90f57f8
                                        • Opcode Fuzzy Hash: 0febba379c092dadcc1e9231a13987023b58e41f66fcb2612270de7ef4833187
                                        • Instruction Fuzzy Hash: 83814831D2D6424EFB69B3288C451B97B90EF56390F94057AC889CB2D3FF1C681A539B
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F06000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F06000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f06000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0fe9f21397ae5c5a4b39cf66dd3b1cf72191d275038b5939ffb81c34cf768076
                                        • Instruction ID: 6d3a08d0bed7b3c116ddace284199becb579d078da0d247208ae01c425e90182
                                        • Opcode Fuzzy Hash: 0fe9f21397ae5c5a4b39cf66dd3b1cf72191d275038b5939ffb81c34cf768076
                                        • Instruction Fuzzy Hash: 55718D7590F2C64FE767A32458252717FA08F57395F1A41FBD588CB0D3FA1D280A83AA
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F06000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F06000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f06000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e8ecb2bd76bae49277bf640b4022c648e9e3b7eb913d7dde3f31b9dc30923215
                                        • Instruction ID: 59760095992e93cb89b5b4d6da7e9adb2c2a8a55c4547f50d45106fe807c6db9
                                        • Opcode Fuzzy Hash: e8ecb2bd76bae49277bf640b4022c648e9e3b7eb913d7dde3f31b9dc30923215
                                        • Instruction Fuzzy Hash: B7611735D2D5434EEB69B3348C451B53B90EF56390F94057AC889CB2D2FF1C681A939B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f00000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: S$P_^
                                        • API String ID: 0-3256109548
                                        • Opcode ID: a12adc6555dd1e4ef94bc606716a68298f280d0c3181780ab7d89138da1f92e2
                                        • Instruction ID: 7e9e1e3a8d78a275a61ed75c9a5621f9c4dc4803ca732ebb7e7ea60b5be3a3da
                                        • Opcode Fuzzy Hash: a12adc6555dd1e4ef94bc606716a68298f280d0c3181780ab7d89138da1f92e2
                                        • Instruction Fuzzy Hash: C3728031F1D90E5FE759BB7894552BD26D2EF89391F940838E14EC72C6EE3CA8824358
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F06000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F06000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f06000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5d84ed784ae24bd2255f28d888ced4e7fd17f670743764ff666d8cdf77839859
                                        • Instruction ID: 25d8c3518731a3b26e12b9db76db056fb86c09e78ab80d9036d55b1770f0620f
                                        • Opcode Fuzzy Hash: 5d84ed784ae24bd2255f28d888ced4e7fd17f670743764ff666d8cdf77839859
                                        • Instruction Fuzzy Hash: 11328E71D1E6C64FE756A73488252A87FA0DF13391F1901FBD098CB1E3FA1C685A8366
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F06000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F06000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f06000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0f9accb662cb05af77f151878325276367e54414a1fd98af824994d891fddae1
                                        • Instruction ID: d430d134b6c6ab00f298e071f60a4cbeebe6db2ee20a5d78fba19bc751e78bac
                                        • Opcode Fuzzy Hash: 0f9accb662cb05af77f151878325276367e54414a1fd98af824994d891fddae1
                                        • Instruction Fuzzy Hash: E022B231E0E68A4FE756B73898152B83BE1EF57391F1940BAC849CB1D3FE1C68468356
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F06000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F06000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f06000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 70badd4976c75aea65e45ebf51f8620d02e4aa0fa8004a9b25edaef487cc9646
                                        • Instruction ID: 0183009e56ee71256d05b64326f08523aa105e944d962fa6a5dfda2c94955494
                                        • Opcode Fuzzy Hash: 70badd4976c75aea65e45ebf51f8620d02e4aa0fa8004a9b25edaef487cc9646
                                        • Instruction Fuzzy Hash: CA91E972D0E7855FF356772868161B97FA0EF536A4F0802BBD089C71D7FE09680A8366
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F06000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F06000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f06000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d71ff3c6a25ebc543b15520bf0e6e524d10cf23d0369e31b2311e7b49907e3ee
                                        • Instruction ID: 8c206ac43b86db30c1124895a6ad9a0e8ca255a4952858d041d9e5a4c04b33c4
                                        • Opcode Fuzzy Hash: d71ff3c6a25ebc543b15520bf0e6e524d10cf23d0369e31b2311e7b49907e3ee
                                        • Instruction Fuzzy Hash: ECE1D432D0D6CA4FE752A738D8182A83BE1EF17391F1984B7D849DB1D3EA1C68498356
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F06000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F06000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f06000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b9e1b429a94c626cf35c0464f614ff76c6e2aba775cb24e5a31c58728be70456
                                        • Instruction ID: 887552feecd116257a6ed5c3f1d8c3f6ea81f520a3e33067cddd88cf0d0c92ba
                                        • Opcode Fuzzy Hash: b9e1b429a94c626cf35c0464f614ff76c6e2aba775cb24e5a31c58728be70456
                                        • Instruction Fuzzy Hash: 4FE1B232E6D90A1FE755B32CC80A2B972D1EF99790F5905B9D40DC72D7FE2CA8438285
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F06000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F06000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f06000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e297ef043f68ec2be9d479c8922533e68f7055d87029479485b08c435894fead
                                        • Instruction ID: 8c0d87c8c4d19d6f226f32457b744aa8cac4056fe4792e0dc53ce5ef91568504
                                        • Opcode Fuzzy Hash: e297ef043f68ec2be9d479c8922533e68f7055d87029479485b08c435894fead
                                        • Instruction Fuzzy Hash: 5AB14071E0D40A1EFB59B36C88063B93181DF6A795F641379E44EC22C7FE1CA857829A
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F06000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F06000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f06000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3cdc4d05f7bbaa459ede3f48e968e320c7e0becf3f17a7ae918c4076d21a2287
                                        • Instruction ID: bf6e753254a0c932e95385140ea4667d3f20a91da58f57b95fca8e80dfbccc42
                                        • Opcode Fuzzy Hash: 3cdc4d05f7bbaa459ede3f48e968e320c7e0becf3f17a7ae918c4076d21a2287
                                        • Instruction Fuzzy Hash: D9B18172E6D9461EE795B33CC80A2B962D1EF99390F5901B9D40DC32D7FE2CA8438395
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F06000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F06000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f06000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6a9a7aa8eed2a6275fd2e936157019e663fe3f3d4cd3f75bbbaea252537a723d
                                        • Instruction ID: 5e71b474ce2425921407fe2d64af841ae905e1aa4314fe6c0728cf1b5d14dada
                                        • Opcode Fuzzy Hash: 6a9a7aa8eed2a6275fd2e936157019e663fe3f3d4cd3f75bbbaea252537a723d
                                        • Instruction Fuzzy Hash: CBA11572F1D90A4FFB59B32888062B873D1EF5A795F140179D44DC32D3FE1CA896468A
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F06000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F06000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f06000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fe08482f9253a592da9414f3c95d4a53d519de4a788f7c45600083318976fb44
                                        • Instruction ID: bc59d76d3864b870798d3b5ac111e602d1f903b176f880d12e9abcee91a1bc5d
                                        • Opcode Fuzzy Hash: fe08482f9253a592da9414f3c95d4a53d519de4a788f7c45600083318976fb44
                                        • Instruction Fuzzy Hash: 02A1D772E0E5461FE75AB36888162B93B91DF57790F1401BAE44DC72D3FE1C980B83A6
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F06000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F06000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f06000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 52a7724b5f724f74e1b313375b98a249af31b04b2a2f1a0f6baea95a855a08a1
                                        • Instruction ID: ef88ecacca2d53a7c5ab01a4447a5c030279ad5fe928f0aa130ed52bd335469a
                                        • Opcode Fuzzy Hash: 52a7724b5f724f74e1b313375b98a249af31b04b2a2f1a0f6baea95a855a08a1
                                        • Instruction Fuzzy Hash: A3B16F72D0E7C64FE752A73498292647FA1EF23391F5980F7C889CB1E3EA1C58098356
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F06000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F06000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f06000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 810dc5cb83f095e4430f171df232fcc7ac1d381ad0ed9d92f70ce3a7b9e5cd89
                                        • Instruction ID: 7fc1ff08f55a559b72a7e2a4313c9f729da3e5736bdb8a676aedc215fe724771
                                        • Opcode Fuzzy Hash: 810dc5cb83f095e4430f171df232fcc7ac1d381ad0ed9d92f70ce3a7b9e5cd89
                                        • Instruction Fuzzy Hash: A0B1D33060CA8D8FEB68EF28C8557E93BE1FF55350F04426AE84DC7292DB3599458B86
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F06000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F06000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f06000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0f0829d9c9b8e5d018936727804ee6c0f952f9c7aab8314ff7a53d93e24579e3
                                        • Instruction ID: 0dd88feaf55dacc9db0c7e2f0621b6e197b9c4e30c36f2258d9e6a19ccfc8d9d
                                        • Opcode Fuzzy Hash: 0f0829d9c9b8e5d018936727804ee6c0f952f9c7aab8314ff7a53d93e24579e3
                                        • Instruction Fuzzy Hash: 29A15271F6D91A1EFB95B33CC80A27961C2EF99794F590578D40DC32DAFE2CA8434285
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F06000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F06000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f06000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: eca43ee9ee42d238f1a63cb54f1e60cd1e31e2080b7cc08b9d8e4327b4b149ba
                                        • Instruction ID: ef4f30a16ddd26974ed9b8187c9a6f8844b72680bc4fac9cb1210085c6739f4b
                                        • Opcode Fuzzy Hash: eca43ee9ee42d238f1a63cb54f1e60cd1e31e2080b7cc08b9d8e4327b4b149ba
                                        • Instruction Fuzzy Hash: BC91F432E0E6864FE762B77498655E47BB0EF53391F1801BAC589CB5D3FB1C280A8395
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F06000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F06000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f06000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 66c0108a5966fa858ce483afa3fe831a3e8f0e6abf0d4f913814d1618e517321
                                        • Instruction ID: dfdd697b22f97c8cf8a1a9514c072100af3ddfc9e9b92622df367c5375ff6cb8
                                        • Opcode Fuzzy Hash: 66c0108a5966fa858ce483afa3fe831a3e8f0e6abf0d4f913814d1618e517321
                                        • Instruction Fuzzy Hash: C191BD31A0CA5C8FEB55EB68D845BE9BBF0EF56310F0041BAD00DD3292EB346985CB51
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F06000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F06000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f06000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a697dbc8a57962aa8fe5526d6afd8f28f5d43fde8b56749b484bb898f8f6d8f4
                                        • Instruction ID: d1d99aebcee5f13701a9f331c3dc63279e71bbcc0e5ca2e1da922b4709aa1c55
                                        • Opcode Fuzzy Hash: a697dbc8a57962aa8fe5526d6afd8f28f5d43fde8b56749b484bb898f8f6d8f4
                                        • Instruction Fuzzy Hash: 3C81DC70E2D94E9FEB94FB689C552B87BE0EF4A381F44007AD449D32D2EF286845C719
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F06000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F06000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f06000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bb9b6dc872545a2c448e77535471f0077e6df16e2527b22d33a71f7cc1ecca5f
                                        • Instruction ID: 6376abc49606a6912f5ca00b98ad795f1b866cab177198d7dc2b32202f5a58bf
                                        • Opcode Fuzzy Hash: bb9b6dc872545a2c448e77535471f0077e6df16e2527b22d33a71f7cc1ecca5f
                                        • Instruction Fuzzy Hash: 8F71C472F0E44A1FFB59B36C98162BA3681DF96395F141279E40EC32C7FF1CA8164296
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f00000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 922158108febd9a8fec54ab8f58e8054f4e395e3e2d085f464cd82c8e2db6d8d
                                        • Instruction ID: 3748809e3a2ec624762951a0d89fb254cc2506e58334886ad1234ec57dc8d092
                                        • Opcode Fuzzy Hash: 922158108febd9a8fec54ab8f58e8054f4e395e3e2d085f464cd82c8e2db6d8d
                                        • Instruction Fuzzy Hash: C371602181D3D60FE326573868661B47FB0AF47750F1980FBD8D9CB5D3EA0C585A83A6
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F06000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F06000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f06000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8a7280d161ffbab40fab13c558bbcca4dfeb390af6b603da146a8fb292906eff
                                        • Instruction ID: a3b6f18e5bd22a1972085db027a1f2e25992bccf60ff8fe52e49c7a6bb12ac27
                                        • Opcode Fuzzy Hash: 8a7280d161ffbab40fab13c558bbcca4dfeb390af6b603da146a8fb292906eff
                                        • Instruction Fuzzy Hash: C871A230F1D9494FE799B72888592B837E2EF9A381F54007AD84EC32D3FE286C468355
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f00000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9390fda3aeffad6a8b63dac0ade6f7ce794c2e02956493e0a83b15fa0bf10fb2
                                        • Instruction ID: b3d4a3bf1becfad891b09e4963371dc07befb4de38551e8f0ea8f0684cebedb2
                                        • Opcode Fuzzy Hash: 9390fda3aeffad6a8b63dac0ade6f7ce794c2e02956493e0a83b15fa0bf10fb2
                                        • Instruction Fuzzy Hash: A0618132F0D5074EFB65B7A8C45577D2282AFA6394F550235D40D8B2C7FF3CA846426A
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F06000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F06000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f06000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0ad00a9b0c1d871a18822a4c296f0b6ccd1095bfc5293eb0c481b9affe54c271
                                        • Instruction ID: ff94581eb962ecf7d2196253a33c35ffa859423507ee7578992e543cc6223862
                                        • Opcode Fuzzy Hash: 0ad00a9b0c1d871a18822a4c296f0b6ccd1095bfc5293eb0c481b9affe54c271
                                        • Instruction Fuzzy Hash: 9A51CE31D2D95E4FEBA5B72894606BD37A1FF46780F44097AE849C31C7EF1CA8418356
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F06000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F06000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f06000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 72086cd8c9160c2a0786537c33447700b815daa58174bdbdb07321f5a53cbdc7
                                        • Instruction ID: 98f5f6e88595e313e610d1107580e38a8b11f034b5bb9cd6490a5436b7e5190f
                                        • Opcode Fuzzy Hash: 72086cd8c9160c2a0786537c33447700b815daa58174bdbdb07321f5a53cbdc7
                                        • Instruction Fuzzy Hash: 1461CE3190CA8C8FDB95EB689845BE9BBF0FF56311F0042ABD04DD3292DB349985CB41
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F06000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F06000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f06000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b2db8f2a96fa103c3ad09c77b1ff7d509394fb691c73a70a326587330b59f56c
                                        • Instruction ID: 47796774d7cfda799d4d853c6fb096e4e68dadfc00658170900c2e6d0099a176
                                        • Opcode Fuzzy Hash: b2db8f2a96fa103c3ad09c77b1ff7d509394fb691c73a70a326587330b59f56c
                                        • Instruction Fuzzy Hash: B151CF31E2DA1D4FEB95FB6888496B9B7E1EF59340F40017AD40DD32D2EE28AC818755
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F06000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F06000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f06000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e834ebdb45a51e931505a4be3a704162aea5d8a928ac94bd778fb9316928ccf5
                                        • Instruction ID: 2d3469538aefd4fd2c523bd52cc29c76d76b8cc8250d48cf75780a4c71f59aa4
                                        • Opcode Fuzzy Hash: e834ebdb45a51e931505a4be3a704162aea5d8a928ac94bd778fb9316928ccf5
                                        • Instruction Fuzzy Hash: 78517431E8C85A4FE745BB3868165F977E0EF86351F1501BAD00DC71D2EE2C69C283A5
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f00000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4697e1909e1e8c49095482cbea1f8aa42674aece3b76ad9c8be06eddb4b28b89
                                        • Instruction ID: 0df79e1290eae252e6fd1594dd18e484100cd36ce92c798cab7f8d6420ff5002
                                        • Opcode Fuzzy Hash: 4697e1909e1e8c49095482cbea1f8aa42674aece3b76ad9c8be06eddb4b28b89
                                        • Instruction Fuzzy Hash: 47517331908A1C8FDB54EB58D845BE9BBF1FB59310F0082AAD44DD3292DF34A985CF81
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F06000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F06000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f06000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ad2fb3e84d2458a0bae007e282e05db8f72d685ef2516ca70e22451f955b8504
                                        • Instruction ID: f2520173a299095252f04c913b0174fefd6e5367c4860d063b5c053b41a6eca3
                                        • Opcode Fuzzy Hash: ad2fb3e84d2458a0bae007e282e05db8f72d685ef2516ca70e22451f955b8504
                                        • Instruction Fuzzy Hash: AC41F372E1C6491EF76C6628A8171BA7BD5DB977A0F04017FE08EC22C3FE15B817419A
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2681540396.00007FF848F06000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F06000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ff848f06000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cfdecdc0f330a4514193364458aa3f257474ff9617d383fdb30e3f32b7ad1379
                                        • Instruction ID: 4b19285eaa5b6619c41c2bc0dbc108fb7cdfd8de71801ddf8ae614e39403a0a1
                                        • Opcode Fuzzy Hash: cfdecdc0f330a4514193364458aa3f257474ff9617d383fdb30e3f32b7ad1379
                                        • Instruction Fuzzy Hash: 2141E972E0D6451EF768761C68161B977D5DB977A0F04027FE08EC31C7FE19A80742A6
                                        • Instruction ID: 94b1e0109e2c421e47144e0d828dba01e6e4c6819d6b604518cdbf86911894af
                                        • Opcode Fuzzy Hash: d486f6236f56cd4206a97cf9b6909c154599290682bd1d485060b1beb14a9fa3
                                        • Instruction Fuzzy Hash: E2914A72E1E6864FE752B77498554F87BB0EF52390F0841BBC088CB9D3DB2C280A8395
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.2752167061.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_24_2_7ff848f30000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: edf2c2a6194319d53d584c92642424413efcfe5b828889fec0cf873dfd59ffd0
                                        • Instruction ID: cdb8daff959bd26b8abfdcd6d124fd6d7b18205e5e5360490af3483cb21c7ca1
                                        • Opcode Fuzzy Hash: edf2c2a6194319d53d584c92642424413efcfe5b828889fec0cf873dfd59ffd0
                                        • Instruction Fuzzy Hash: 5A91AC31A0CA5C8FDB95EB68D845BE9BBB0EF56310F0441BBD44DD3292DB38A985CB41
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.2752167061.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_24_2_7ff848f30000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1fd14254f9ef8019191bd7d6763805beb36b3711bdf141188dac09cdbebdb73d
                                        • Instruction ID: 6886fa602e3a2269df3ff05eea478120a59fa742043c37516cb93531c00c83e9
                                        • Opcode Fuzzy Hash: 1fd14254f9ef8019191bd7d6763805beb36b3711bdf141188dac09cdbebdb73d
                                        • Instruction Fuzzy Hash: 0E81EE70E2DA4AAFEB84FB6898552B877E0EF89381F44007AD40DD32D2DF2C6841C755
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.2752167061.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_24_2_7ff848f30000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 967e97800b7a80fc76d84f26fb30df89f57473965ea396521a65755a0551d613
                                        • Instruction ID: 971c7dc6abbf3b729e315943dcc739039dc1c5a65c6ff670235fce5a3766ab63
                                        • Opcode Fuzzy Hash: 967e97800b7a80fc76d84f26fb30df89f57473965ea396521a65755a0551d613
                                        • Instruction Fuzzy Hash: DD71B571E0D40A1FFB59B32C98162BA3681DF95395F14127BE40EC32C7FF1CA82642A6
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.2752167061.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_24_2_7ff848f30000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cb201c8c553ade7f160fee0c6b8180a3a152505bb9c2b18ed23817156d188ca3
                                        • Instruction ID: 7fab56e74773e165bd1df2d48eef4ba35ae438d0757da65285976584c5982157
                                        • Opcode Fuzzy Hash: cb201c8c553ade7f160fee0c6b8180a3a152505bb9c2b18ed23817156d188ca3
                                        • Instruction Fuzzy Hash: C9613972E0D6860FF76D722898061B63B95DF923A1F54017FE089C35D3EE597807429A
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.2752167061.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_24_2_7ff848f30000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6d6b4994248035ac9fcdac49a242415077bdadfbb759325ebd199b5a50903594
                                        • Instruction ID: 86e44c672783e5d59c3aadd707f167b71eff3a9e843b83f7922dd96836159154
                                        • Opcode Fuzzy Hash: 6d6b4994248035ac9fcdac49a242415077bdadfbb759325ebd199b5a50903594
                                        • Instruction Fuzzy Hash: 6271A331E1D9494FEB99F73888592B836E1EF99391F54007BD80ED32D2DE2CAC468355
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.2752167061.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_24_2_7ff848f30000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2c8f4e6f39fdfd4debaf2822dc4f2a9e15bc302c2d924fcd3cf5eed09aaf2fe8
                                        • Instruction ID: 8c2afdd046737366f4dde27a5826b4fabd989abf81c7510112d3c701628f47ca
                                        • Opcode Fuzzy Hash: 2c8f4e6f39fdfd4debaf2822dc4f2a9e15bc302c2d924fcd3cf5eed09aaf2fe8
                                        • Instruction Fuzzy Hash: 26510472E0D6851FF369662868061797BD5EB577A0F0401BFE08EC31C7EE19A80682A6
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.2752167061.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_24_2_7ff848f30000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7ab4ceb50e68435f0583c68ac57af6c597333f80a7b64e173d7a844c0228dca2
                                        • Instruction ID: 683e4c2f571c7c08fa582a597f331f5c2ba2f4e1195cac51567a02899e0aee80
                                        • Opcode Fuzzy Hash: 7ab4ceb50e68435f0583c68ac57af6c597333f80a7b64e173d7a844c0228dca2
                                        • Instruction Fuzzy Hash: 68617230C1D3D24FE7569328A8521B47FA0AF46350F1980FBD8D9CB5D3EE1C585A83A6
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.2752167061.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_24_2_7ff848f30000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9a141ed1523ea1cb8eaf0198aa9768952276b742ddc4f31ad588e0c6db72b64a
                                        • Instruction ID: 88d3daa120582f742126f5a6e65669ddfe83806935a43902404c6110945a3c57
                                        • Opcode Fuzzy Hash: 9a141ed1523ea1cb8eaf0198aa9768952276b742ddc4f31ad588e0c6db72b64a
                                        • Instruction Fuzzy Hash: 6A61AE32F0D5075AFBA4B3A8D45677D2282EFA4395F25023BD40D872C7EF3CA842425A
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.2752167061.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_24_2_7ff848f30000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d22d87f43b9ea33244d4f481277c283acc73bb22aa327c4bda94d3e2baea479f
                                        • Instruction ID: 8c0ef3433f1764195d2f2f4e0c6ff7f2f929c06953c2e7a7b65c41c7f8c7e2a7
                                        • Opcode Fuzzy Hash: d22d87f43b9ea33244d4f481277c283acc73bb22aa327c4bda94d3e2baea479f
                                        • Instruction Fuzzy Hash: 6851AC31E2D95A5EEBA9B728E4606B937A1FF853C0F440577E409C32C6DF1CA84583A5
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.2752167061.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_24_2_7ff848f30000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 21e288013cc2cd0cd2f47f28dc6d3b026d55fa5b11cb52544b724c972a9ea0a1
                                        • Instruction ID: 358d21ce1ecfc0ecb0d86254a9d78b2260fd717675dfd44ad09acdf6854e4280
                                        • Opcode Fuzzy Hash: 21e288013cc2cd0cd2f47f28dc6d3b026d55fa5b11cb52544b724c972a9ea0a1
                                        • Instruction Fuzzy Hash: BA51F331E2CA1D5FEB99FB6894496B9B7E2EF98340F50017AD40DD32D2DF28AD418345
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.2752167061.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_24_2_7ff848f30000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e9468f633770da184687c41a3769a09908e53e52070a5a0018cae058a2e19336
                                        • Instruction ID: 9a61db1e1af90053d3bdcdd92d67a17f9f1c0277e6e99126cc2be5d74ee9ac9e
                                        • Opcode Fuzzy Hash: e9468f633770da184687c41a3769a09908e53e52070a5a0018cae058a2e19336
                                        • Instruction Fuzzy Hash: 4061BE7190CA9C8FDB95EB689849BE9BBF0FF55310F0442ABD44DD3292CB349985CB41
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.2752167061.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_24_2_7ff848f30000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e034035175bd762b3e2301042af3cdcb68d38f5a43aef574fba3f276b57ab21d
                                        • Instruction ID: d58053a05672868a22f9d66430f50c8932791d930dc5dea7fe6b1f68bea7b43c
                                        • Opcode Fuzzy Hash: e034035175bd762b3e2301042af3cdcb68d38f5a43aef574fba3f276b57ab21d
                                        • Instruction Fuzzy Hash: D3515631D4CA8A4FE749BB3868165B9B7E0EF95351F1801BBD40DC71D2DF2C69828395
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.2752167061.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_24_2_7ff848f30000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7b62f7b9b83e20989bdb6f2d4bcf090259f051a99730411db5ac90c8f78c6cba
                                        • Instruction ID: e347156ca593050752d83ff8e275542fca2fbb2eb16f3d36871af2c5de6e6822
                                        • Opcode Fuzzy Hash: 7b62f7b9b83e20989bdb6f2d4bcf090259f051a99730411db5ac90c8f78c6cba
                                        • Instruction Fuzzy Hash: 84516231919A1C8FDB54EB58D845BE9BBF1FB59310F0082ABD44DD3292DF34A9858F81
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.2752167061.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_24_2_7ff848f30000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 78e1478d883ade4961bb693f5f4081e9c1f126e555e2fa6491063eef88c6b210
                                        • Instruction ID: bfd9c4861591a1d9dcbe3c4fea18c0e3a8a9f8a46624337162c3b4ee7b2e639d
                                        • Opcode Fuzzy Hash: 78e1478d883ade4961bb693f5f4081e9c1f126e555e2fa6491063eef88c6b210
                                        • Instruction Fuzzy Hash: B2411372E1C6491FF7286628A8171BA7BD5DF967A0F04017FE08EC25C2FE157817429A
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.2752167061.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_24_2_7ff848f30000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 17101a4cf9b61d0a50b466de9713a84b5c914638695d67c27bac0ec2fc3a92f3
                                        • Instruction ID: 880a8674e40ec90e5ddda4fb7496693e24af53e93296b5b9f50e66352b7ecbf3
                                        • Opcode Fuzzy Hash: 17101a4cf9b61d0a50b466de9713a84b5c914638695d67c27bac0ec2fc3a92f3
                                        • Instruction Fuzzy Hash: 86412872E0D6491EF76C7A2C68161B977D5DB967A0F04017FE08EC31C7EE19A8078296
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.2752167061.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_24_2_7ff848f30000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 09844ad3556726925591c3e20228910e3d2eb15c577bace429d44a12f719d41e
                                        • Instruction ID: ee40947300bc6e603006a092fde855cb886f383828701e2a2882a072a1f28e38
                                        • Opcode Fuzzy Hash: 09844ad3556726925591c3e20228910e3d2eb15c577bace429d44a12f719d41e
                                        • Instruction Fuzzy Hash: DF415C30C1C1565EF778A76CB4822B47284FB45760F10D07ED8EE825C2BE1C68A642DA
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.2752167061.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_24_2_7ff848f30000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a33cf1828137c5ae9f3e324457ccd4dcca9474a7abed10ee387161c6c3c8a5ff
                                        • Instruction ID: 6ceb77917c46c28bd9f59d4684aa10f42f41a791136b4b7468b5af8c9c7bc099
                                        • Opcode Fuzzy Hash: a33cf1828137c5ae9f3e324457ccd4dcca9474a7abed10ee387161c6c3c8a5ff
                                        • Instruction Fuzzy Hash: BA318F31E2D91A9FEB98EB6C94496B972E1FF58751F50007ED40DD32D2DE29AC018744
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.2752167061.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_24_2_7ff848f30000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 93962f765d44ad737222ef3fc5f33b374b13a25d738cd084e3dae57f1d1ee277
                                        • Instruction ID: a6de451e2e228a34b74e9768188887f32e8f9a31492495bf3c2d3c6eed3c698a
                                        • Opcode Fuzzy Hash: 93962f765d44ad737222ef3fc5f33b374b13a25d738cd084e3dae57f1d1ee277
                                        • Instruction Fuzzy Hash: 11214522F1D9971FFBA97328E4152B82381EF853A0F490073D84DC75C2CB2C6992439A
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.2752167061.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_24_2_7ff848f30000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d183668ac98f3d0127d2cacd5ba3d3465f2a14952d956a340a8d145b7e55e0d6
                                        • Instruction ID: 732c8f967552d86c4fb16a860e4d8fe1d5ced5773e5da81b3faede47eb57b7ab
                                        • Opcode Fuzzy Hash: d183668ac98f3d0127d2cacd5ba3d3465f2a14952d956a340a8d145b7e55e0d6
                                        • Instruction Fuzzy Hash: 21110E32D0D8A25FF7A53B68981E1F92680EF75390F0A00B6E94DDB1D3EE1C2D518299
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.2752167061.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_24_2_7ff848f30000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a55d2b61fce240ef398af4e62bb8fcbd6d36ec56cc0844e3b842ce27e3e5eb02
                                        • Instruction ID: dff348205684ca8c64cc1a31cb1ac163005510bbd1dcc28d4031f5cccaaede76
                                        • Opcode Fuzzy Hash: a55d2b61fce240ef398af4e62bb8fcbd6d36ec56cc0844e3b842ce27e3e5eb02
                                        • Instruction Fuzzy Hash: BA1145B290EAC55FE717A73448390A43FA09F17281F0944FFC48ACB9E3DA181809C35A
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.2752167061.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_24_2_7ff848f30000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8f474756e5fdb756d699bf4ab2906f6e749fb0b3148dc536d4a0dd73c7baba3f
                                        • Instruction ID: f375d0a3390daafeda55eb29caa5ac39eb6e24ff9af932c3e147eb4b52c5957e
                                        • Opcode Fuzzy Hash: 8f474756e5fdb756d699bf4ab2906f6e749fb0b3148dc536d4a0dd73c7baba3f
                                        • Instruction Fuzzy Hash: 6501493291D94C9FDB10BB56DC949DA7BA8FB893A9F01023BE41CC3080E7765555C354
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.2752167061.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_24_2_7ff848f30000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1e9860aacc4823cce879216fec6f17f880700ec16c0a6b7a1148fd87f43ca340
                                        • Instruction ID: 8df454bdbf3d543a96976d3e01453b79c35cd1f0d13d498bb1c90245ef4d328e
                                        • Opcode Fuzzy Hash: 1e9860aacc4823cce879216fec6f17f880700ec16c0a6b7a1148fd87f43ca340
                                        • Instruction Fuzzy Hash: 46016131E0CA4A8EEB9AAB6898566B977A1EB46340F44047AD049D29C2CF299C45CB54
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.2752167061.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_24_2_7ff848f30000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cae36da097948eddf1ff2f66bd40241739576c19493e8e518a131b85452f200b
                                        • Instruction ID: 1416445c9a16744acd426eb973d32a1e327a8c6199328cefaa8bde517d9adb49
                                        • Opcode Fuzzy Hash: cae36da097948eddf1ff2f66bd40241739576c19493e8e518a131b85452f200b
                                        • Instruction Fuzzy Hash: 8CF09612E2C9251FE65C616C6C411B651C4D75A767F11207AE88ED31C2E8091C9214D8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000018.00000002.2752167061.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_24_2_7ff848f30000_xdwdUnreal Engine.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: C;$!K;$"S;$#[;
                                        • API String ID: 0-1287115497
                                        • Opcode ID: 592419b71e77a6259960c55914c826d07c0ac1ff876a8e3b4b9af4f1cd165d0d
                                        • Instruction ID: f9780dce10f04acd9d8fc664b1ec615e7b42d168bc44e042e9c9c47419121d3e
                                        • Opcode Fuzzy Hash: 592419b71e77a6259960c55914c826d07c0ac1ff876a8e3b4b9af4f1cd165d0d
                                        • Instruction Fuzzy Hash: B6D05E17777C2F015E54730DB8000E8F385E6C71B374887F3EA44C72825951685B82F4