Windows Analysis Report
exe006.exe

Overview

General Information

Sample name:exe006.exe
Analysis ID:1560742
MD5:fdea1687b2827f9fc9b4ae8c81f1f0e4
SHA1:d2597adf0ab33094036db10bddad6cb05ea51273
SHA256:bc506cb36843e83ddc49c96ae3d3eacf598bccc569b2d84db925eda26f6c31b4

Detection

SheetRat
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected SheetRat
.NET source code contains potential unpacker
Allows loading of unsigned dll using appinit_dll
Creates an undocumented autostart registry key
Drops large PE files
Machine Learning detection for sample
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Suspicious Schtasks From Env Var Folder
Too many similar processes found
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64native
  • exe006.exe (PID: 6344 cmdline: "C:\Users\user\Desktop\exe006.exe" MD5: FDEA1687B2827F9FC9B4AE8C81F1F0E4)
    • dllhost.exe (PID: 1292 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
    • WmiPrvSE.exe (PID: 2600 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • cmd.exe (PID: 5172 cmdline: "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Inkscape Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 5588 cmdline: SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Inkscape Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" MD5: 796B784E98008854C27F4B18D287BA30)
    • cmd.exe (PID: 1636 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 6224 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
    • cmd.exe (PID: 3008 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Paint.NET Update" /tr "C:\Users\user\AppData\Roaming\xdwdInkscape.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 444 cmdline: SchTaSKs /create /f /sc minute /mo 5 /tn "Paint.NET Update" /tr "C:\Users\user\AppData\Roaming\xdwdInkscape.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
    • cmd.exe (PID: 6860 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 4888 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
    • cmd.exe (PID: 5692 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 4156 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
    • cmd.exe (PID: 1292 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 1788 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
    • cmd.exe (PID: 4104 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 8040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 4604 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
    • cmd.exe (PID: 7356 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 5084 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
    • cmd.exe (PID: 3080 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 2236 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
    • cmd.exe (PID: 1248 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 4712 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
        • Conhost.exe (PID: 1972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 1648 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 1996 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
        • Conhost.exe (PID: 2856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 5268 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 3888 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
    • cmd.exe (PID: 3396 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 4156 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 4724 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
    • cmd.exe (PID: 3876 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 1116 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
    • cmd.exe (PID: 7180 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 5424 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
    • cmd.exe (PID: 3040 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 4360 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
    • cmd.exe (PID: 2584 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 3208 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
    • cmd.exe (PID: 2956 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 7460 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
    • cmd.exe (PID: 3468 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 5820 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
    • cmd.exe (PID: 1524 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 5724 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
    • cmd.exe (PID: 4644 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 7696 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
    • cmd.exe (PID: 2480 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 3124 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
    • cmd.exe (PID: 4244 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • xdwdInkscape.exe (PID: 3516 cmdline: C:\Users\user\AppData\Roaming\xdwdInkscape.exe MD5: 89274B9A87E952C530F24B5F7313A15F)
    • cmd.exe (PID: 2224 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 3396 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
        • conhost.exe (PID: 7464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • schtasks.exe (PID: 488 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
    • xdwdMicrosoft Paint.exe (PID: 6316 cmdline: "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" MD5: 8737317BC2D5452B3E7403F57A663093)
      • cmd.exe (PID: 6072 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • schtasks.exe (PID: 1640 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
      • cmd.exe (PID: 7732 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • schtasks.exe (PID: 8072 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
  • xdwdInkscape.exe (PID: 5216 cmdline: "C:\Users\user\AppData\Roaming\xdwdInkscape.exe" MD5: 89274B9A87E952C530F24B5F7313A15F)
    • cmd.exe (PID: 7936 cmdline: "CMD" /c scHTaSks /Run /I /TN "Inkscape Upgrade" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 1244 cmdline: scHTaSks /Run /I /TN "Inkscape Upgrade" MD5: 796B784E98008854C27F4B18D287BA30)
  • xdwdMicrosoft Paint.exe (PID: 5628 cmdline: "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" MD5: 8737317BC2D5452B3E7403F57A663093)
    • cmd.exe (PID: 7588 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 7372 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
  • xdwdInkscape.exe (PID: 4236 cmdline: "C:\Users\user\AppData\Roaming\xdwdInkscape.exe" MD5: 89274B9A87E952C530F24B5F7313A15F)
    • cmd.exe (PID: 1840 cmdline: "CMD" /c scHTaSks /Run /I /TN "Inkscape Upgrade" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 4216 cmdline: scHTaSks /Run /I /TN "Inkscape Upgrade" MD5: 796B784E98008854C27F4B18D287BA30)
  • xdwdMicrosoft Paint.exe (PID: 6984 cmdline: "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" MD5: 8737317BC2D5452B3E7403F57A663093)
    • cmd.exe (PID: 4848 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 7660 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
    • cmd.exe (PID: 6908 cmdline: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • schtasks.exe (PID: 4888 cmdline: SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST MD5: 796B784E98008854C27F4B18D287BA30)
        • Conhost.exe (PID: 7628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.165949609284.0000000012596000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SheetRat | Yara detected SheetRat | Joe Security |
Process Memory Space: exe006.exe PID: 6344 | JoeSecurity_SheetRat | Yara detected SheetRat | Joe Security |
0.2.exe006.exe.1260b320.0.raw.unpack | JoeSecurity_SheetRat | Yara detected SheetRat | Joe Security |
0.2.exe006.exe.1260b320.0.unpack | JoeSecurity_SheetRat | Yara detected SheetRat | Joe Security |
0.2.exe006.exe.12596ae8.1.raw.unpack | JoeSecurity_SheetRat | Yara detected SheetRat | Joe Security |

            System Summary

Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Inkscape Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" & exit, CommandLine: "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Inkscape Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\exe006.exe", ParentImage: C:\Users\user\Desktop\exe006.exe, ParentProcessId: 6344, ParentProcessName: exe006.exe, ProcessCommandLine: "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Inkscape Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" & exit, ProcessId: 5172, ProcessName: cmd.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\xdwdInkscape.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\exe006.exe, ProcessId: 6344, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Windows\xdwd.dll, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\exe006.exe, ProcessId: 6344, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Inkscape Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" , CommandLine: SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Inkscape Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" , CommandLine|base64offset|contains: ISi", Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Inkscape Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" & exit, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5172, ParentProcessName: cmd.exe, ProcessCommandLine: SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Inkscape Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" , ProcessId: 5588, ProcessName: schtasks.exe
            No Suricata rule has matched

            AV Detection

Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | Avira: detection malicious, Label: TR/Crypt.OPACK.Gen
Source: exe006.exe | ReversingLabs: Detection: 68%
Source: exe006.exe | Joe Sandbox ML: detected
Source: exe006.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Malware\Desktop\hack tool\Backdoor\SheetRat\SheetRat\bin\Release\Stub\UserMode.pdb | source: exe006.exe, 00000000.00000002.165949609284.0000000012596000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | File opened: C:\Users\user
Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | File opened: C:\Users\user\AppData\Roaming
Source: global traffic | TCP traffic: 192.168.11.20:49759 -> 147.185.221.23:56698
Source: Joe Sandbox View | IP Address: 147.185.221.23
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: true-lung.gl.at.ply.gg
Source: exe006.exe, 00000000.00000002.165937013906.0000000002511000.00000004.00000800.00020000.00000000.sdmp, xdwdInkscape.exe, 0000000C.00000002.165032989220.0000000002834000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000016.00000002.165110312696.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, xdwdInkscape.exe, 0000001A.00000002.165070264178.0000000002760000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000024.00000002.165097279064.000000000312E000.00000004.00000800.00020000.00000000.sdmp, xdwdInkscape.exe, 0000002E.00000002.165153038587.0000000002CBB000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000035.00000002.165241336712.0000000002F4B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: xdwdInkscape.exe, 0000000C.00000002.165040416149.000000001B2CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/odirm
Source: schtasks.exe | Process created: 66
Source: cmd.exe | Process created: 60

            System Summary

Source: C:\Users\user\Desktop\exe006.exe | File dump: xdwdMicrosoft Paint.exe.0.dr 764889088
Source: C:\Users\user\Desktop\exe006.exe | Code function: 0_2_00007FFACCD34BE0 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\exe006.exe | Code function: 0_2_00007FFACCD416B7 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\exe006.exe | File created: C:\Windows\xdwd.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeCode function: 12_2_00007FFACCD2130812_2_00007FFACCD21308
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeCode function: 12_2_00007FFACCD2C30D12_2_00007FFACCD2C30D
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeCode function: 12_2_00007FFACCD2131012_2_00007FFACCD21310
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeCode function: 12_2_00007FFACCD3174112_2_00007FFACCD31741
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 22_2_00007FFACCD0EEDA22_2_00007FFACCD0EEDA
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 22_2_00007FFACCD0E4C422_2_00007FFACCD0E4C4
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 22_2_00007FFACCD0AEA022_2_00007FFACCD0AEA0
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 22_2_00007FFACCD0D28E22_2_00007FFACCD0D28E
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 22_2_00007FFACCD0C05522_2_00007FFACCD0C055
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 22_2_00007FFACCD0E85522_2_00007FFACCD0E855
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 22_2_00007FFACCD0BA2022_2_00007FFACCD0BA20
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 22_2_00007FFACCD0C30D22_2_00007FFACCD0C30D
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 22_2_00007FFACCD025B422_2_00007FFACCD025B4
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 22_2_00007FFACCD0753622_2_00007FFACCD07536
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 22_2_00007FFACCD082E222_2_00007FFACCD082E2
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 22_2_00007FFACCD08A6C22_2_00007FFACCD08A6C
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 22_2_00007FFACCD0167022_2_00007FFACCD01670
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 22_2_00007FFACCD037B922_2_00007FFACCD037B9
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 22_2_00007FFACCD0130822_2_00007FFACCD01308
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeCode function: 26_2_00007FFACCD0BFB026_2_00007FFACCD0BFB0
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeCode function: 26_2_00007FFACCD025B426_2_00007FFACCD025B4
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeCode function: 26_2_00007FFACCD0AD8526_2_00007FFACCD0AD85
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeCode function: 26_2_00007FFACCD0753626_2_00007FFACCD07536
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeCode function: 26_2_00007FFACCD082E226_2_00007FFACCD082E2
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeCode function: 26_2_00007FFACCD08A6C26_2_00007FFACCD08A6C
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeCode function: 26_2_00007FFACCD0904826_2_00007FFACCD09048
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeCode function: 26_2_00007FFACCD0E64826_2_00007FFACCD0E648
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeCode function: 26_2_00007FFACCD0BA2026_2_00007FFACCD0BA20
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeCode function: 26_2_00007FFACCD0381026_2_00007FFACCD03810
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeCode function: 26_2_00007FFACCD015F026_2_00007FFACCD015F0
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeCode function: 26_2_00007FFACCD037B926_2_00007FFACCD037B9
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeCode function: 26_2_00007FFACCD0130826_2_00007FFACCD01308
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeCode function: 26_2_00007FFACCD0C30D26_2_00007FFACCD0C30D
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 36_2_00007FFACCD2EEDA36_2_00007FFACCD2EEDA
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 36_2_00007FFACCD2E4C436_2_00007FFACCD2E4C4
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 36_2_00007FFACCD2AEA036_2_00007FFACCD2AEA0
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 36_2_00007FFACCD2D28E36_2_00007FFACCD2D28E
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 36_2_00007FFACCD2C05536_2_00007FFACCD2C055
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 36_2_00007FFACCD2E85536_2_00007FFACCD2E855
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 36_2_00007FFACCD2BA2036_2_00007FFACCD2BA20
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 36_2_00007FFACCD2C30D36_2_00007FFACCD2C30D
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 36_2_00007FFACCD225B436_2_00007FFACCD225B4
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 36_2_00007FFACCD2753636_2_00007FFACCD27536
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 36_2_00007FFACCD282E236_2_00007FFACCD282E2
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 36_2_00007FFACCD28A6C36_2_00007FFACCD28A6C
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 36_2_00007FFACCD2167036_2_00007FFACCD21670
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 36_2_00007FFACCD2130836_2_00007FFACCD21308
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 36_2_00007FFACCD2380036_2_00007FFACCD23800
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeCode function: 46_2_00007FFACCD1BFB046_2_00007FFACCD1BFB0
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeCode function: 46_2_00007FFACCD125B446_2_00007FFACCD125B4
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeCode function: 46_2_00007FFACCD1AD8546_2_00007FFACCD1AD85
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeCode function: 46_2_00007FFACCD1753646_2_00007FFACCD17536
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeCode function: 46_2_00007FFACCD182E246_2_00007FFACCD182E2
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeCode function: 46_2_00007FFACCD1E4C446_2_00007FFACCD1E4C4
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeCode function: 46_2_00007FFACCD18A6C46_2_00007FFACCD18A6C
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeCode function: 46_2_00007FFACCD1904846_2_00007FFACCD19048
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeCode function: 46_2_00007FFACCD1381046_2_00007FFACCD13810
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeCode function: 46_2_00007FFACCD115F046_2_00007FFACCD115F0
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeCode function: 46_2_00007FFACCD1130846_2_00007FFACCD11308
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeCode function: 46_2_00007FFACCD1C30D46_2_00007FFACCD1C30D
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeCode function: 46_2_00007FFACCD1703946_2_00007FFACCD17039
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeCode function: 46_2_00007FFACCD1380046_2_00007FFACCD13800
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeCode function: 46_2_00007FFACCD1E5DD46_2_00007FFACCD1E5DD
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 53_2_00007FFACCD1EEDA53_2_00007FFACCD1EEDA
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 53_2_00007FFACCD1AEA053_2_00007FFACCD1AEA0
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 53_2_00007FFACCD1D28E53_2_00007FFACCD1D28E
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 53_2_00007FFACCD1E85D53_2_00007FFACCD1E85D
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 53_2_00007FFACCD1C05553_2_00007FFACCD1C055
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 53_2_00007FFACCD1C30D53_2_00007FFACCD1C30D
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 53_2_00007FFACCD1E62053_2_00007FFACCD1E620
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 53_2_00007FFACCD175B353_2_00007FFACCD175B3
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 53_2_00007FFACCD125B453_2_00007FFACCD125B4
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 53_2_00007FFACCD1836353_2_00007FFACCD18363
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 53_2_00007FFACCD18A6C53_2_00007FFACCD18A6C
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 53_2_00007FFACCD1167053_2_00007FFACCD11670
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 53_2_00007FFACCD1130853_2_00007FFACCD11308
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeCode function: 53_2_00007FFACCD1380053_2_00007FFACCD13800
Source: exe006.exe, 00000000.00000000.164680913845.00000000000A2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSpotify.exeP vs exe006.exe
Source: exe006.exe, 00000000.00000002.165949609284.0000000012596000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotify.exeP vs exe006.exe
Source: exe006.exe, 00000000.00000002.165949609284.0000000012511000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotify.exeP vs exe006.exe
Source: exe006.exe | Binary or memory string: OriginalFilenameSpotify.exeP vs exe006.exe
Source: 0.2.exe006.exe.12596ae8.1.raw.unpack, NLjRjZRyOddZzO.cs | Security API names: Directory.GetAccessControl
Source: 0.2.exe006.exe.12596ae8.1.raw.unpack, NLjRjZRyOddZzO.cs | Security API names: Directory.SetAccessControl
Source: 0.2.exe006.exe.12596ae8.1.raw.unpack, iKlbjEWF.cs | Security API names: Directory.GetAccessControl
Source: 0.2.exe006.exe.12596ae8.1.raw.unpack, iKlbjEWF.cs | Security API names: Directory.SetAccessControl
Source: 0.2.exe006.exe.12596ae8.1.raw.unpack, iKlbjEWF.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.exe006.exe.12596ae8.1.raw.unpack, wlUgJZsPPjkAj.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: exe006.exe, iKlbjEWF.cs | Security API names: Directory.GetAccessControl
Source: exe006.exe, iKlbjEWF.cs | Security API names: Directory.SetAccessControl
Source: exe006.exe, iKlbjEWF.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.exe006.exe.12596ae8.1.raw.unpack, rHbAUfkVVvVbmF.cs | Security API names: File.GetAccessControl
Source: 0.2.exe006.exe.12596ae8.1.raw.unpack, rHbAUfkVVvVbmF.cs | Security API names: File.SetAccessControl
Source: 0.2.exe006.exe.12596ae8.1.raw.unpack, rHbAUfkVVvVbmF.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.exe006.exe.12519ac0.2.raw.unpack, iKlbjEWF.cs | Security API names: Directory.GetAccessControl
Source: 0.2.exe006.exe.12519ac0.2.raw.unpack, iKlbjEWF.cs | Security API names: Directory.SetAccessControl
Source: 0.2.exe006.exe.12519ac0.2.raw.unpack, iKlbjEWF.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.exe006.exe.12519ac0.2.raw.unpack, JLFJyQOxrUocHMR.cs | Security API names: File.GetAccessControl
Source: 0.2.exe006.exe.12519ac0.2.raw.unpack, JLFJyQOxrUocHMR.cs | Security API names: File.SetAccessControl
Source: 0.2.exe006.exe.12519ac0.2.raw.unpack, rHbAUfkVVvVbmF.cs | Security API names: File.GetAccessControl
Source: 0.2.exe006.exe.12519ac0.2.raw.unpack, rHbAUfkVVvVbmF.cs | Security API names: File.SetAccessControl
Source: 0.2.exe006.exe.12519ac0.2.raw.unpack, rHbAUfkVVvVbmF.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.exe006.exe.12519ac0.2.raw.unpack, wlUgJZsPPjkAj.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: exe006.exe, rHbAUfkVVvVbmF.cs | Security API names: File.GetAccessControl
Source: exe006.exe, rHbAUfkVVvVbmF.cs | Security API names: File.SetAccessControl
Source: exe006.exe, rHbAUfkVVvVbmF.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: exe006.exe, NLjRjZRyOddZzO.cs | Security API names: Directory.GetAccessControl
Source: exe006.exe, NLjRjZRyOddZzO.cs | Security API names: Directory.SetAccessControl
Source: 0.2.exe006.exe.12519ac0.2.raw.unpack, NLjRjZRyOddZzO.cs | Security API names: Directory.GetAccessControl
Source: 0.2.exe006.exe.12519ac0.2.raw.unpack, NLjRjZRyOddZzO.cs | Security API names: Directory.SetAccessControl
Source: exe006.exe, JLFJyQOxrUocHMR.cs | Security API names: File.GetAccessControl
Source: exe006.exe, JLFJyQOxrUocHMR.cs | Security API names: File.SetAccessControl
Source: 0.2.exe006.exe.12596ae8.1.raw.unpack, JLFJyQOxrUocHMR.cs | Security API names: File.GetAccessControl
Source: 0.2.exe006.exe.12596ae8.1.raw.unpack, JLFJyQOxrUocHMR.cs | Security API names: File.SetAccessControl
Source: exe006.exe, wlUgJZsPPjkAj.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@181/3@1/1
Source: C:\Users\user\Desktop\exe006.exe | File created: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe
Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\exe006.exe | Mutant created: \Sessions\1\BaseNamedObjects\Sheet_logcmaxafpeqogwwv
Source: exe006.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: exe006.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\exe006.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\dllhost.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\exe006.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: exe006.exe | ReversingLabs: Detection: 68%
Source: C:\Users\user\Desktop\exe006.exe | File read: C:\Users\user\Desktop\exe006.exe
Source: unknown | Process created: C:\Users\user\Desktop\exe006.exe "C:\Users\user\Desktop\exe006.exe"
Source: C:\Users\user\Desktop\exe006.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: C:\Users\user\Desktop\exe006.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\exe006.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Inkscape Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" & exit
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Inkscape Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe"
Source: C:\Users\user\Desktop\exe006.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\exe006.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Paint.NET Update" /tr "C:\Users\user\AppData\Roaming\xdwdInkscape.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo 5 /tn "Paint.NET Update" /tr "C:\Users\user\AppData\Roaming\xdwdInkscape.exe" /RL HIGHEST
Source: unknown | Process created: C:\Users\user\AppData\Roaming\xdwdInkscape.exe C:\Users\user\AppData\Roaming\xdwdInkscape.exe
Source: C:\Users\user\Desktop\exe006.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\exe006.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | Process created: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe"
Source: C:\Users\user\Desktop\exe006.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
Source: unknown | Process created: C:\Users\user\AppData\Roaming\xdwdInkscape.exe "C:\Users\user\AppData\Roaming\xdwdInkscape.exe"
Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\exe006.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c scHTaSks /Run /I /TN "Inkscape Upgrade"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe scHTaSks /Run /I /TN "Inkscape Upgrade"
            Source: unknownProcess created: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe"
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\xdwdInkscape.exe "C:\Users\user\AppData\Roaming\xdwdInkscape.exe"
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c scHTaSks /Run /I /TN "Inkscape Upgrade"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe scHTaSks /Run /I /TN "Inkscape Upgrade"
            Source: unknownProcess created: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe"
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Inkscape Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" & exitJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exitJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Paint.NET Update" /tr "C:\Users\user\AppData\Roaming\xdwdInkscape.exe" /RL HIGHEST & exitJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exitJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exitJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}Jump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exitJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exitJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exitJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exitJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exitJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exitJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST Jump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST Jump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exitJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exitJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exitJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exitJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exitJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exitJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exitJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exitJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exitJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST Jump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST Jump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST Jump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: unknown unknownJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Inkscape Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" Jump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST Jump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo 5 /tn "Paint.NET Update" /tr "C:\Users\user\AppData\Roaming\xdwdInkscape.exe" /RL HIGHEST Jump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exitJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess created: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" Jump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exitJump to behavior
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exitJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c scHTaSks /Run /I /TN "Inkscape Upgrade"Jump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe scHTaSks /Run /I /TN "Inkscape Upgrade"
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c scHTaSks /Run /I /TN "Inkscape Upgrade"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe scHTaSks /Run /I /TN "Inkscape Upgrade"
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\exe006.exe Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\exe006.exe Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\exe006.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\exe006.exe Section loaded: version.dll
            Source: C:\Users\user\Desktop\exe006.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\exe006.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\exe006.exe Section loaded: edgegdi.dll
            Source: C:\Users\user\Desktop\exe006.exe Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\exe006.exe Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\exe006.exe Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\exe006.exe Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\exe006.exe Section loaded: sxs.dll
            Source: C:\Users\user\Desktop\exe006.exe Section loaded: devenum.dll
            Source: C:\Users\user\Desktop\exe006.exe Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\exe006.exe Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\exe006.exe Section loaded: devobj.dll
            Source: C:\Users\user\Desktop\exe006.exe Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\exe006.exe Section loaded: msdmo.dll
            Source: C:\Users\user\Desktop\exe006.exe Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\exe006.exe Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\exe006.exe Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\exe006.exe Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\exe006.exe Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\exe006.exe Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\exe006.exe Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\exe006.exe Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\exe006.exe Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\exe006.exe Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\exe006.exe Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\exe006.exe Section loaded: secur32.dll
            Source: C:\Windows\System32\dllhost.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\dllhost.exe Section loaded: edgegdi.dll
            Source: C:\Windows\System32\dllhost.exe Section loaded: uxtheme.dll
            Source: C:\Windows\System32\dllhost.exe Section loaded: thumbcache.dll
            Source: C:\Windows\System32\dllhost.exe Section loaded: propsys.dll
            Source: C:\Windows\System32\dllhost.exe Section loaded: photometadatahandler.dll
            Source: C:\Windows\System32\dllhost.exe Section loaded: windowscodecs.dll
            Source: C:\Windows\System32\dllhost.exe Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\System32\dllhost.exe Section loaded: windows.storage.dll
            Source: C:\Windows\System32\dllhost.exe Section loaded: wldp.dll
            Source: C:\Windows\System32\dllhost.exe Section loaded: windows.staterepositoryps.dll
            Source: C:\Windows\System32\dllhost.exe Section loaded: wintypes.dll
            Source: C:\Windows\System32\dllhost.exe Section loaded: apphelp.dll
            Source: C:\Windows\System32\dllhost.exe Section loaded: mfsrcsnk.dll
            Source: C:\Windows\System32\dllhost.exe Section loaded: mfplat.dll
            Source: C:\Windows\System32\dllhost.exe Section loaded: rtworkq.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: edgegdi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
            Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: version.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: edgegdi.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: wbemcomn.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: amsi.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: userenv.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: sxs.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: devenum.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: winmm.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: ntmarta.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: devobj.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: msasn1.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: msdmo.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: secur32.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: propsys.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: twext.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: cscui.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: appresolver.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: bcp47langs.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: slc.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: sppc.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: policymanager.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: msvcp110_win.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: workfoldersshell.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: ntshrui.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: windows.fileexplorer.common.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: iertutil.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: srvcli.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: cscapi.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: netutils.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: shacct.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: twinapi.appcore.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: idstore.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: samlib.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: textshaping.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: wtsapi32.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: wlidprov.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: samcli.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: wininet.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: provsvc.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: starttiledata.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: coremessaging.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: usermgrcli.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: usermgrproxy.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: acppage.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: sfc.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: msi.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: aepic.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: sfc_os.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: windows.staterepositorycore.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: edputil.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: urlmon.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe Section loaded: version.dll
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe Section loaded: edgegdi.dll
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe Section loaded: wbemcomn.dll
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe Section loaded: amsi.dll
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe Section loaded: userenv.dll
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe Section loaded: sxs.dll
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe Section loaded: devenum.dll
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe Section loaded: winmm.dll
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe Section loaded: ntmarta.dll
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe Section loaded: devobj.dll
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe Section loaded: msasn1.dll
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe Section loaded: msdmo.dll
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe Section loaded: secur32.dll
            Source: C:\Users\user\Desktop\exe006.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: exe006.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: exe006.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: C:\Users\Malware\Desktop\hack tool\Backdoor\SheetRat\SheetRat\bin\Release\Stub\UserMode.pdb source: exe006.exe, 00000000.00000002.165949609284.0000000012596000.00000004.00000800.00020000.00000000.sdmp

            Data Obfuscation

            Source: exe006.exe, qsdQmnOoVClj.cs .Net Code: DJbAgnDsKCQrOL
            Source: 0.2.exe006.exe.12519ac0.2.raw.unpack, qsdQmnOoVClj.cs .Net Code: DJbAgnDsKCQrOL
            Source: 0.2.exe006.exe.12596ae8.1.raw.unpack, qsdQmnOoVClj.cs .Net Code: DJbAgnDsKCQrOL
            Source: exe006.exe Static PE information: 0xF5FE416F [Wed Oct 13 03:20:15 2100 UTC]
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Code function: 12_2_00007FFACCD311E6 push edx; ret 12_2_00007FFACCD312AE
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Code function: 12_2_00007FFACCD311E6 push edi; ret 12_2_00007FFACCD312BE
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Code function: 12_2_00007FFACCD200BD pushad ; iretd 12_2_00007FFACCD200C1
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe Code function: 12_2_00007FFACCD312B5 push edi; ret 12_2_00007FFACCD312B6
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe Code function: 22_2_00007FFACCD054ED push esi; retf 22_2_00007FFACCD054EE
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe Code function: 36_2_00007FFACCD200BD pushad ; iretd 36_2_00007FFACCD200C1
            Source: exe006.exe, qsdQmnOoVClj.cs High entropy of concatenated method names: 'BBZkvyAPXc', 'RGrLJYfTz', 'DQVngFtARgbT', 'JufAgWuMTPRzf', 'DewXSjoxkExPsGP', 'vkxYhQdY', 'wERkAEnBKqVUIJk', 'MJbCReoxMUgBGN', 'BXZVeXNjAKOiQ', 'lmbNfVHCWhSQTXg'
            Source: exe006.exe, srWopDvYJJOjOnI.cs High entropy of concatenated method names: 'uimypVWDtvrBM', 'qKQlldlrakIFge', 'ncjdWsAM', 'JWUTutMuLQTESd', 'eADICpjo', 'yGTHXqAqycbOJS', 'gYOuQKBUyhyWpsK', 'aibUnaEWUPdGqCo', 'hGbdbpXiwmV', 'ZULxneAghxJG'
            Source: exe006.exe, XrMMxtush.cs High entropy of concatenated method names: 'dwVYqImEIhTDpP', 'KpXdLLHt', 'lXvRBCdIIcKswUU', 'lrBSqUBwImDWO', 'eWCVmSNUCGD', 'uMFLOUDsa', 'GbJRVyJOyHt', 'yopbiBXQouOfZp', 'wYjTVuJQbLVwPL', 'HwRHORVmmBUKgL'
            Source: exe006.exe, hBbQNQJD.cs High entropy of concatenated method names: '_003CStart_003Eb__1_0', '_003CUninstall_003Eb__2_0', '_003CLoopInstall_003Eb__7_0', '_003CStartAsBypass_003Eb__10_0', 'KurqwgagxNy', 'CGaKKTHmdelMnLw', 'KQHVXscSdXLnZZ', 'tOBfuBGDwBQuf', 'fDlkjWhGc', 'KdIgnIUNEurx'
            Source: exe006.exe, frZPmBqczWzjyX.cs High entropy of concatenated method names: '_003CScreenShot_003Eb__16_0', 'PxZzaRzv', 'RLamSbrSfiZhgX', 'QyWViugRl', 'JKpSZYfvl', 'baDKXegDQyTjaSi', 'ueNsltpZIQCA', 'JtmuZfqu', 'xDOcBntaj', 'jxdBitMhkdC'
            Source: exe006.exe, xUOyeShR.cs High entropy of concatenated method names: 'DbVGEuzydnVE', 'uOaMwvWnTrZWN', 'qTftniuklHFU', 'RQalZANZAYR', 'mvojkvkqUIe', 'uhWqKcTHbZEWtFA', 'AAqvNXAnFAB', 'UdAImcqre', 'PXEKuNqRqev', 'qTSjkXhikJ'
            Source: exe006.exe, JLFJyQOxrUocHMR.cs High entropy of concatenated method names: 'BesGKPjZklF', 'JsABkLHTIdxtom', 'GvZiLNwEQ', 'jmubgZNKYnzUm', 'wEyPXgzSYDcdKC', 'cMnjUAYNrbEjiPy', 'mJimHPggk', 'ROqyCPLPvbMlR', 'XqGoTwQCZrqUbP', 'NfGzniKXtZpYTU'
            Source: exe006.exe, iKlbjEWF.cs High entropy of concatenated method names: 'oREAjAFwuPLSSMF', 'ZwcsRkGQwxz', 'sNpajGqQZIzlfL', 'COkQxfGJHtMg', 'LnEmBPEh', 'kiMWpvRxqNGF', 'BMgBKmDh', 'WZmEmENkPGxbe', 'EbpKsKCz', 'yHlsFzESdtEL'
            Source: exe006.exe, JPENuWcmsm.cs High entropy of concatenated method names: 'rciNtryioDyxr', 'ydwqwguTCB', 'XYPTHQscVbsxXh', 'GNLMLRNyvtfw', 'FnXZhXWTiPhnGVW', 'GfYJWahHqpYKZT', 'bUwWhDSPAKG', 'yeYEwqKpNGm', 'fFQjsyLtOpF', 'KyokoQYyPCi'
            Source: exe006.exe, YNztyhHeKkmQHuK.cs High entropy of concatenated method names: 'QOdKPQKDllsyRlV', 'bXonLTWHVeoW', 'IulNJGRguhID', 'HMoJMZOFokGXlwr', 'pkcnccrHkHe', 'AhqgjPLK', 'LSPHUTKeqY', 'ZKEwfPTfV', 'ZEuJFHuanVkhD', 'SNfIJgctjVfq'
            Source: exe006.exe, aBntsXuMmjIFHIP.cs High entropy of concatenated method names: 'tXkUzvNYRAowV', 'lfagTZlKYVLotM', 'boNLdNsydu', 'nObrjxqtycfb', 'pyjyOILCAKpMbl', 'fsgwlpmWihmOxz', 'kwNYWeeukV', 'bnElfHMyNGwjp', 'DcARcuNCmZtyCOO', 'xwbCNyRw'
            Source: exe006.exe, bwAaLGyc.cs High entropy of concatenated method names: 'jkaiIzFGVBHqhz', 'XbXawtov', 'KukIziUBcb', 'sjdmnGafMhMt', 'vDjiXfvupHYNPwG', 'gGOGVMoxlnpTJ', 'lyAnMwymdwgjD', 'FYXKTsfaynbi', 'lxkpckHVaN', 'kJnudRamJLsM'
            Source: exe006.exe, OWTOYIZIJyNpKGH.cs High entropy of concatenated method names: 'LnHAELgikUQp', 'NhgCvHdVYixGPY', 'vgNftLwb', 'zqDpleEs', 'PvQhnOydGnEJt', 'mdmDHkwhQFaCFE', 'kteFWzcnOtyhQF', 'XwGAQMyaw', 'nieKGkJto', 'taDWpJpYKIC'
            Source: exe006.exe, JhLaGgFnnm.cs High entropy of concatenated method names: 'BBjJuiKHFhm', 'nWnwFzteBFN', 'RaRCAxpwyRa', 'MzItENDlW', 'YDTkznuIUv', 'PsTRHGIsqVWwbk', 'qzZoCbxD', 'NjPxCBqx', 'XwHpbxGutgrB', 'rAtxujftM'
            Source: exe006.exe, IDIkloTpeDEKz.cs High entropy of concatenated method names: 'RtTbNdmgGNTiJ', 'BLozuJcwWEM', 'OoFXWLLvM', 'XvFCAcwvR', 'etnSPEPp', 'UXOOCPxb', 'rIWONsosurJzz', 'nJhVBmIRvWpr', 'IhDnCBNDIhQgu', 'WKXfGVvaFVuw'
            Source: exe006.exe, pGsFKCRggcflWBU.cs High entropy of concatenated method names: 'csbRpcNXkOoIzfw', 'uIxOoEjoAXb', 'DluUoDhMLzH', 'tUUwOJgBgJ', 'NEFJXJnQSBtUzU', 'UwxjJuBjVUj', 'arqZntugQitKCY', 'pMAzUcupkDwAx', 'UkpnVNYbb', 'aFnDlCnh'
            Source: exe006.exe, ABjlTGoWuueDjB.cs High entropy of concatenated method names: 'JYOTNpHAD', 'reVCOQvt', 'SWrZvqwwII', 'XcphJzhmw', 'tBgkbcSU', 'djJSinSyTcQt', 'rrdPoosPiIxQYUK', 'TOecdecNJHurAO', 'fHuJoGMne', 'QvaMCJSHJzNm'
            Source: exe006.exe, jtMfOsvbzLJS.cs High entropy of concatenated method names: 'OXvquBcTtRB', 'PetEeZGgzc', 'ZMJZQzqsHMAFC', 'jeZuIpcLQzOB', 'VmCmXloVdlc', 'TDYuBPZqe', 'vhlrnGOvJLOdUGE', 'cTOFFsxhomDQ', 'koKsaqVAfy', 'GibQyqjRpamFc'
            Source: exe006.exe, TfVjXoNYBK.cs High entropy of concatenated method names: 'fFjUeBGQwOKqkzc', 'OrEmJMyvye', 'MAZQLNineBcsV', 'QPCJoljv', 'zhxYlSHoVzR', 'PXxycCLxRlyijtw', 'lJtzQfajOpwUXNH', 'EHAsFLLiXxENiP', 'sWLCLGSekxOknF', 'aEeFecsEqayKbT'
            Source: 0.2.exe006.exe.12519ac0.2.raw.unpack, qsdQmnOoVClj.cs High entropy of concatenated method names: 'BBZkvyAPXc', 'RGrLJYfTz', 'DQVngFtARgbT', 'JufAgWuMTPRzf', 'DewXSjoxkExPsGP', 'vkxYhQdY', 'wERkAEnBKqVUIJk', 'MJbCReoxMUgBGN', 'BXZVeXNjAKOiQ', 'lmbNfVHCWhSQTXg'
            Source: 0.2.exe006.exe.12519ac0.2.raw.unpack, srWopDvYJJOjOnI.cs High entropy of concatenated method names: 'uimypVWDtvrBM', 'qKQlldlrakIFge', 'ncjdWsAM', 'JWUTutMuLQTESd', 'eADICpjo', 'yGTHXqAqycbOJS', 'gYOuQKBUyhyWpsK', 'aibUnaEWUPdGqCo', 'hGbdbpXiwmV', 'ZULxneAghxJG'
            Source: 0.2.exe006.exe.12519ac0.2.raw.unpack, XrMMxtush.cs High entropy of concatenated method names: 'dwVYqImEIhTDpP', 'KpXdLLHt', 'lXvRBCdIIcKswUU', 'lrBSqUBwImDWO', 'eWCVmSNUCGD', 'uMFLOUDsa', 'GbJRVyJOyHt', 'yopbiBXQouOfZp', 'wYjTVuJQbLVwPL', 'HwRHORVmmBUKgL'
            Source: 0.2.exe006.exe.12519ac0.2.raw.unpack, hBbQNQJD.cs High entropy of concatenated method names: '_003CStart_003Eb__1_0', '_003CUninstall_003Eb__2_0', '_003CLoopInstall_003Eb__7_0', '_003CStartAsBypass_003Eb__10_0', 'KurqwgagxNy', 'CGaKKTHmdelMnLw', 'KQHVXscSdXLnZZ', 'tOBfuBGDwBQuf', 'fDlkjWhGc', 'KdIgnIUNEurx'
            Source: 0.2.exe006.exe.12519ac0.2.raw.unpack, frZPmBqczWzjyX.csHigh entropy of concatenated method names: '_003CScreenShot_003Eb__16_0', 'PxZzaRzv', 'RLamSbrSfiZhgX', 'QyWViugRl', 'JKpSZYfvl', 'baDKXegDQyTjaSi', 'ueNsltpZIQCA', 'JtmuZfqu', 'xDOcBntaj', 'jxdBitMhkdC'
            Source: 0.2.exe006.exe.12519ac0.2.raw.unpack, xUOyeShR.csHigh entropy of concatenated method names: 'DbVGEuzydnVE', 'uOaMwvWnTrZWN', 'qTftniuklHFU', 'RQalZANZAYR', 'mvojkvkqUIe', 'uhWqKcTHbZEWtFA', 'AAqvNXAnFAB', 'UdAImcqre', 'PXEKuNqRqev', 'qTSjkXhikJ'
            Source: 0.2.exe006.exe.12519ac0.2.raw.unpack, JLFJyQOxrUocHMR.csHigh entropy of concatenated method names: 'BesGKPjZklF', 'JsABkLHTIdxtom', 'GvZiLNwEQ', 'jmubgZNKYnzUm', 'wEyPXgzSYDcdKC', 'cMnjUAYNrbEjiPy', 'mJimHPggk', 'ROqyCPLPvbMlR', 'XqGoTwQCZrqUbP', 'NfGzniKXtZpYTU'
            Source: 0.2.exe006.exe.12519ac0.2.raw.unpack, iKlbjEWF.csHigh entropy of concatenated method names: 'oREAjAFwuPLSSMF', 'ZwcsRkGQwxz', 'sNpajGqQZIzlfL', 'COkQxfGJHtMg', 'LnEmBPEh', 'kiMWpvRxqNGF', 'BMgBKmDh', 'WZmEmENkPGxbe', 'EbpKsKCz', 'yHlsFzESdtEL'
            Source: 0.2.exe006.exe.12519ac0.2.raw.unpack, JPENuWcmsm.csHigh entropy of concatenated method names: 'rciNtryioDyxr', 'ydwqwguTCB', 'XYPTHQscVbsxXh', 'GNLMLRNyvtfw', 'FnXZhXWTiPhnGVW', 'GfYJWahHqpYKZT', 'bUwWhDSPAKG', 'yeYEwqKpNGm', 'fFQjsyLtOpF', 'KyokoQYyPCi'
            Source: 0.2.exe006.exe.12519ac0.2.raw.unpack, YNztyhHeKkmQHuK.csHigh entropy of concatenated method names: 'QOdKPQKDllsyRlV', 'bXonLTWHVeoW', 'IulNJGRguhID', 'HMoJMZOFokGXlwr', 'pkcnccrHkHe', 'AhqgjPLK', 'LSPHUTKeqY', 'ZKEwfPTfV', 'ZEuJFHuanVkhD', 'SNfIJgctjVfq'
            Source: 0.2.exe006.exe.12519ac0.2.raw.unpack, aBntsXuMmjIFHIP.csHigh entropy of concatenated method names: 'tXkUzvNYRAowV', 'lfagTZlKYVLotM', 'boNLdNsydu', 'nObrjxqtycfb', 'pyjyOILCAKpMbl', 'fsgwlpmWihmOxz', 'kwNYWeeukV', 'bnElfHMyNGwjp', 'DcARcuNCmZtyCOO', 'xwbCNyRw'
            Source: 0.2.exe006.exe.12519ac0.2.raw.unpack, bwAaLGyc.csHigh entropy of concatenated method names: 'jkaiIzFGVBHqhz', 'XbXawtov', 'KukIziUBcb', 'sjdmnGafMhMt', 'vDjiXfvupHYNPwG', 'gGOGVMoxlnpTJ', 'lyAnMwymdwgjD', 'FYXKTsfaynbi', 'lxkpckHVaN', 'kJnudRamJLsM'
            Source: 0.2.exe006.exe.12519ac0.2.raw.unpack, OWTOYIZIJyNpKGH.csHigh entropy of concatenated method names: 'LnHAELgikUQp', 'NhgCvHdVYixGPY', 'vgNftLwb', 'zqDpleEs', 'PvQhnOydGnEJt', 'mdmDHkwhQFaCFE', 'kteFWzcnOtyhQF', 'XwGAQMyaw', 'nieKGkJto', 'taDWpJpYKIC'
            Source: 0.2.exe006.exe.12519ac0.2.raw.unpack, JhLaGgFnnm.csHigh entropy of concatenated method names: 'BBjJuiKHFhm', 'nWnwFzteBFN', 'RaRCAxpwyRa', 'MzItENDlW', 'YDTkznuIUv', 'PsTRHGIsqVWwbk', 'qzZoCbxD', 'NjPxCBqx', 'XwHpbxGutgrB', 'rAtxujftM'
            Source: 0.2.exe006.exe.12519ac0.2.raw.unpack, IDIkloTpeDEKz.csHigh entropy of concatenated method names: 'RtTbNdmgGNTiJ', 'BLozuJcwWEM', 'OoFXWLLvM', 'XvFCAcwvR', 'etnSPEPp', 'UXOOCPxb', 'rIWONsosurJzz', 'nJhVBmIRvWpr', 'IhDnCBNDIhQgu', 'WKXfGVvaFVuw'
            Source: 0.2.exe006.exe.12519ac0.2.raw.unpack, pGsFKCRggcflWBU.csHigh entropy of concatenated method names: 'csbRpcNXkOoIzfw', 'uIxOoEjoAXb', 'DluUoDhMLzH', 'tUUwOJgBgJ', 'NEFJXJnQSBtUzU', 'UwxjJuBjVUj', 'arqZntugQitKCY', 'pMAzUcupkDwAx', 'UkpnVNYbb', 'aFnDlCnh'
            Source: 0.2.exe006.exe.12519ac0.2.raw.unpack, ABjlTGoWuueDjB.csHigh entropy of concatenated method names: 'JYOTNpHAD', 'reVCOQvt', 'SWrZvqwwII', 'XcphJzhmw', 'tBgkbcSU', 'djJSinSyTcQt', 'rrdPoosPiIxQYUK', 'TOecdecNJHurAO', 'fHuJoGMne', 'QvaMCJSHJzNm'
            Source: 0.2.exe006.exe.12519ac0.2.raw.unpack, jtMfOsvbzLJS.csHigh entropy of concatenated method names: 'OXvquBcTtRB', 'PetEeZGgzc', 'ZMJZQzqsHMAFC', 'jeZuIpcLQzOB', 'VmCmXloVdlc', 'TDYuBPZqe', 'vhlrnGOvJLOdUGE', 'cTOFFsxhomDQ', 'koKsaqVAfy', 'GibQyqjRpamFc'
            Source: 0.2.exe006.exe.12519ac0.2.raw.unpack, TfVjXoNYBK.csHigh entropy of concatenated method names: 'fFjUeBGQwOKqkzc', 'OrEmJMyvye', 'MAZQLNineBcsV', 'QPCJoljv', 'zhxYlSHoVzR', 'PXxycCLxRlyijtw', 'lJtzQfajOpwUXNH', 'EHAsFLLiXxENiP', 'sWLCLGSekxOknF', 'aEeFecsEqayKbT'
            Source: 0.2.exe006.exe.12596ae8.1.raw.unpack, qsdQmnOoVClj.csHigh entropy of concatenated method names: 'BBZkvyAPXc', 'RGrLJYfTz', 'DQVngFtARgbT', 'JufAgWuMTPRzf', 'DewXSjoxkExPsGP', 'vkxYhQdY', 'wERkAEnBKqVUIJk', 'MJbCReoxMUgBGN', 'BXZVeXNjAKOiQ', 'lmbNfVHCWhSQTXg'
            Source: 0.2.exe006.exe.12596ae8.1.raw.unpack, srWopDvYJJOjOnI.csHigh entropy of concatenated method names: 'uimypVWDtvrBM', 'qKQlldlrakIFge', 'ncjdWsAM', 'JWUTutMuLQTESd', 'eADICpjo', 'yGTHXqAqycbOJS', 'gYOuQKBUyhyWpsK', 'aibUnaEWUPdGqCo', 'hGbdbpXiwmV', 'ZULxneAghxJG'
            Source: 0.2.exe006.exe.12596ae8.1.raw.unpack, XrMMxtush.csHigh entropy of concatenated method names: 'dwVYqImEIhTDpP', 'KpXdLLHt', 'lXvRBCdIIcKswUU', 'lrBSqUBwImDWO', 'eWCVmSNUCGD', 'uMFLOUDsa', 'GbJRVyJOyHt', 'yopbiBXQouOfZp', 'wYjTVuJQbLVwPL', 'HwRHORVmmBUKgL'
            Source: 0.2.exe006.exe.12596ae8.1.raw.unpack, hBbQNQJD.csHigh entropy of concatenated method names: '_003CStart_003Eb__1_0', '_003CUninstall_003Eb__2_0', '_003CLoopInstall_003Eb__7_0', '_003CStartAsBypass_003Eb__10_0', 'KurqwgagxNy', 'CGaKKTHmdelMnLw', 'KQHVXscSdXLnZZ', 'tOBfuBGDwBQuf', 'fDlkjWhGc', 'KdIgnIUNEurx'
            Source: 0.2.exe006.exe.12596ae8.1.raw.unpack, frZPmBqczWzjyX.csHigh entropy of concatenated method names: '_003CScreenShot_003Eb__16_0', 'PxZzaRzv', 'RLamSbrSfiZhgX', 'QyWViugRl', 'JKpSZYfvl', 'baDKXegDQyTjaSi', 'ueNsltpZIQCA', 'JtmuZfqu', 'xDOcBntaj', 'jxdBitMhkdC'
            Source: 0.2.exe006.exe.12596ae8.1.raw.unpack, xUOyeShR.csHigh entropy of concatenated method names: 'DbVGEuzydnVE', 'uOaMwvWnTrZWN', 'qTftniuklHFU', 'RQalZANZAYR', 'mvojkvkqUIe', 'uhWqKcTHbZEWtFA', 'AAqvNXAnFAB', 'UdAImcqre', 'PXEKuNqRqev', 'qTSjkXhikJ'
            Source: 0.2.exe006.exe.12596ae8.1.raw.unpack, JLFJyQOxrUocHMR.csHigh entropy of concatenated method names: 'BesGKPjZklF', 'JsABkLHTIdxtom', 'GvZiLNwEQ', 'jmubgZNKYnzUm', 'wEyPXgzSYDcdKC', 'cMnjUAYNrbEjiPy', 'mJimHPggk', 'ROqyCPLPvbMlR', 'XqGoTwQCZrqUbP', 'NfGzniKXtZpYTU'
            Source: 0.2.exe006.exe.12596ae8.1.raw.unpack, iKlbjEWF.csHigh entropy of concatenated method names: 'oREAjAFwuPLSSMF', 'ZwcsRkGQwxz', 'sNpajGqQZIzlfL', 'COkQxfGJHtMg', 'LnEmBPEh', 'kiMWpvRxqNGF', 'BMgBKmDh', 'WZmEmENkPGxbe', 'EbpKsKCz', 'yHlsFzESdtEL'
            Source: 0.2.exe006.exe.12596ae8.1.raw.unpack, JPENuWcmsm.csHigh entropy of concatenated method names: 'rciNtryioDyxr', 'ydwqwguTCB', 'XYPTHQscVbsxXh', 'GNLMLRNyvtfw', 'FnXZhXWTiPhnGVW', 'GfYJWahHqpYKZT', 'bUwWhDSPAKG', 'yeYEwqKpNGm', 'fFQjsyLtOpF', 'KyokoQYyPCi'
            Source: 0.2.exe006.exe.12596ae8.1.raw.unpack, YNztyhHeKkmQHuK.csHigh entropy of concatenated method names: 'QOdKPQKDllsyRlV', 'bXonLTWHVeoW', 'IulNJGRguhID', 'HMoJMZOFokGXlwr', 'pkcnccrHkHe', 'AhqgjPLK', 'LSPHUTKeqY', 'ZKEwfPTfV', 'ZEuJFHuanVkhD', 'SNfIJgctjVfq'
            Source: 0.2.exe006.exe.12596ae8.1.raw.unpack, aBntsXuMmjIFHIP.csHigh entropy of concatenated method names: 'tXkUzvNYRAowV', 'lfagTZlKYVLotM', 'boNLdNsydu', 'nObrjxqtycfb', 'pyjyOILCAKpMbl', 'fsgwlpmWihmOxz', 'kwNYWeeukV', 'bnElfHMyNGwjp', 'DcARcuNCmZtyCOO', 'xwbCNyRw'
            Source: 0.2.exe006.exe.12596ae8.1.raw.unpack, bwAaLGyc.csHigh entropy of concatenated method names: 'jkaiIzFGVBHqhz', 'XbXawtov', 'KukIziUBcb', 'sjdmnGafMhMt', 'vDjiXfvupHYNPwG', 'gGOGVMoxlnpTJ', 'lyAnMwymdwgjD', 'FYXKTsfaynbi', 'lxkpckHVaN', 'kJnudRamJLsM'
            Source: 0.2.exe006.exe.12596ae8.1.raw.unpack, OWTOYIZIJyNpKGH.csHigh entropy of concatenated method names: 'LnHAELgikUQp', 'NhgCvHdVYixGPY', 'vgNftLwb', 'zqDpleEs', 'PvQhnOydGnEJt', 'mdmDHkwhQFaCFE', 'kteFWzcnOtyhQF', 'XwGAQMyaw', 'nieKGkJto', 'taDWpJpYKIC'
            Source: 0.2.exe006.exe.12596ae8.1.raw.unpack, JhLaGgFnnm.csHigh entropy of concatenated method names: 'BBjJuiKHFhm', 'nWnwFzteBFN', 'RaRCAxpwyRa', 'MzItENDlW', 'YDTkznuIUv', 'PsTRHGIsqVWwbk', 'qzZoCbxD', 'NjPxCBqx', 'XwHpbxGutgrB', 'rAtxujftM'
            Source: 0.2.exe006.exe.12596ae8.1.raw.unpack, IDIkloTpeDEKz.csHigh entropy of concatenated method names: 'RtTbNdmgGNTiJ', 'BLozuJcwWEM', 'OoFXWLLvM', 'XvFCAcwvR', 'etnSPEPp', 'UXOOCPxb', 'rIWONsosurJzz', 'nJhVBmIRvWpr', 'IhDnCBNDIhQgu', 'WKXfGVvaFVuw'
            Source: 0.2.exe006.exe.12596ae8.1.raw.unpack, pGsFKCRggcflWBU.csHigh entropy of concatenated method names: 'csbRpcNXkOoIzfw', 'uIxOoEjoAXb', 'DluUoDhMLzH', 'tUUwOJgBgJ', 'NEFJXJnQSBtUzU', 'UwxjJuBjVUj', 'arqZntugQitKCY', 'pMAzUcupkDwAx', 'UkpnVNYbb', 'aFnDlCnh'
            Source: 0.2.exe006.exe.12596ae8.1.raw.unpack, ABjlTGoWuueDjB.csHigh entropy of concatenated method names: 'JYOTNpHAD', 'reVCOQvt', 'SWrZvqwwII', 'XcphJzhmw', 'tBgkbcSU', 'djJSinSyTcQt', 'rrdPoosPiIxQYUK', 'TOecdecNJHurAO', 'fHuJoGMne', 'QvaMCJSHJzNm'
            Source: 0.2.exe006.exe.12596ae8.1.raw.unpack, jtMfOsvbzLJS.csHigh entropy of concatenated method names: 'OXvquBcTtRB', 'PetEeZGgzc', 'ZMJZQzqsHMAFC', 'jeZuIpcLQzOB', 'VmCmXloVdlc', 'TDYuBPZqe', 'vhlrnGOvJLOdUGE', 'cTOFFsxhomDQ', 'koKsaqVAfy', 'GibQyqjRpamFc'
            Source: 0.2.exe006.exe.12596ae8.1.raw.unpack, TfVjXoNYBK.csHigh entropy of concatenated method names: 'fFjUeBGQwOKqkzc', 'OrEmJMyvye', 'MAZQLNineBcsV', 'QPCJoljv', 'zhxYlSHoVzR', 'PXxycCLxRlyijtw', 'lJtzQfajOpwUXNH', 'EHAsFLLiXxENiP', 'sWLCLGSekxOknF', 'aEeFecsEqayKbT'
            Source: C:\Users\user\Desktop\exe006.exeFile created: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeJump to dropped file
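The "high entropy of concatenated method names" lines above are an obfuscation heuristic: the obfuscator has replaced every method name with random mixed-case letters, so the joined names approach the entropy of a random string, whereas real identifiers share letters the way English words do. Two details in the listing deserve a practitioner's attention. First, the names of the form `_003CStart_003Eb__1_0` (angle brackets encoded as `_003C`/`_003E`, i.e. `<Start>b__1_0`) are C# compiler-generated lambda bodies that the obfuscator left untouched, and they leak the original method names Start, Uninstall, LoopInstall, StartAsBypass and ScreenShot from the unpacked payload. Second, the measure is noisy on short inputs, so it is only one signal alongside the other indicators in this report. The PowerShell below is an added example that reproduces the heuristic on the names quoted for JLFJyQOxrUocHMR.cs; it is not Joe Sandbox's implementation, and the 5.0 bits-per-character threshold and the readable contrast set are assumptions.

```powershell
# Added example (not Joe Sandbox's code): reproduces the "high entropy of
# concatenated method names" heuristic over names taken from the report above.
function Get-ShannonEntropy {
    param([AllowEmptyString()][string]$Text)
    if ($Text.Length -eq 0) { return 0.0 }
    # Case-sensitive counts: obfuscators mix upper and lower case freely, and a
    # default (case-insensitive) PowerShell hashtable would fold that signal away.
    $counts = [System.Collections.Generic.Dictionary[char,int]]::new()
    foreach ($ch in $Text.ToCharArray()) {
        if ($counts.ContainsKey($ch)) { $counts[$ch] = $counts[$ch] + 1 } else { $counts[$ch] = 1 }
    }
    $n = [double]$Text.Length
    $h = 0.0
    foreach ($c in $counts.Values) {
        $p = $c / $n
        $h -= $p * [Math]::Log($p, 2)    # Shannon entropy in bits per character
    }
    return $h
}

function Test-MethodNameEntropy {
    param(
        [string[]]$MethodNames,
        # Assumed cut-off in bits per character; Joe Sandbox's own threshold is not published here.
        [double]$Threshold = 5.0
    )
    $joined = -join $MethodNames
    $h = Get-ShannonEntropy -Text $joined
    [pscustomobject]@{
        Names      = $MethodNames.Count
        Chars      = $joined.Length
        Entropy    = [Math]::Round($h, 2)
        Suspicious = ($h -ge $Threshold)
    }
}

# The ten names the report lists for JLFJyQOxrUocHMR.cs.
$obfuscated = 'BesGKPjZklF', 'JsABkLHTIdxtom', 'GvZiLNwEQ', 'jmubgZNKYnzUm', 'wEyPXgzSYDcdKC',
              'cMnjUAYNrbEjiPy', 'mJimHPggk', 'ROqyCPLPvbMlR', 'XqGoTwQCZrqUbP', 'NfGzniKXtZpYTU'
# Constructed contrast set (not from the sample): plausible readable names for a RAT class.
$readable   = 'Connect', 'SendHeartbeat', 'ReceiveCommand', 'TakeScreenshot', 'InstallService',
              'Uninstall', 'GetSystemInfo', 'StartKeylogger', 'UploadFile', 'DownloadFile'

Test-MethodNameEntropy -MethodNames $obfuscated
Test-MethodNameEntropy -MethodNames $readable
```

On these inputs the obfuscated set scores roughly 5.4 bits per character against roughly 4.4 for the readable set, so the assumed threshold separates them; with only ten names per class the figure moves by a few tenths of a bit, which is why a real classifier would also look at name length distribution, the share of renamed types, and the remaining compiler-generated names before calling a class obfuscated.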

            Boot Survival

            Source: C:\Users\user\Desktop\exe006.exe - Registry value created: RequireSignedAppInit_DLLs 0
            Source: C:\Users\user\Desktop\exe006.exe - Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs
            Source: C:\Users\user\Desktop\exe006.exe - Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows LoadAppInit_DLLs
            Source: C:\Users\user\Desktop\exe006.exe - Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
            Source: C:\Windows\System32\cmd.exe - Process created: C:\Windows\System32\schtasks.exe SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Inkscape Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe"
            Source: C:\Users\user\Desktop\exe006.exe - Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svhost (reported twice)
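The entries above describe four independent persistence paths: AppInit_DLLs with RequireSignedAppInit_DLLs cleared, so an unsigned DLL is loaded into every process that maps user32.dll; an addition to Winlogon\Userinit; a logon-triggered scheduled task ("Inkscape Upgrade", created with mixed-case schtasks switches to dodge naive command-line matching) at the highest run level; and an HKCU Run value named "svhost", one letter short of svchost. The script below is an added example, not part of the report or of the sample, that checks each of those locations read-only on a live host. It assumes an elevated PowerShell 5.1 or newer session on Windows 8 or later (for Get-ScheduledTask); the name-based matches (svhost, xdwd*) are indicators specific to this sample rather than general detections. On Windows 8 and later with Secure Boot enabled the loader ignores AppInit_DLLs entirely, so that registry change is inert there but remains a clear sign of tampering.

```powershell
# Added example (not part of the Joe Sandbox report or of the sample): read-only triage
# of the persistence points listed above. Run in an elevated PowerShell session on the
# suspect host; nothing here changes the machine.
$windowsKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$runKey      = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# 1. AppInit_DLLs: the sample fills AppInit_DLLs, sets LoadAppInit_DLLs and switches
#    RequireSignedAppInit_DLLs to 0, so an unsigned DLL is mapped into every user32 process.
function Test-AppInitDlls {
    $dlls = Get-RegValue $windowsKey 'AppInit_DLLs'
    $req  = Get-RegValue $windowsKey 'RequireSignedAppInit_DLLs'
    [pscustomobject]@{
        Check      = 'AppInit_DLLs'
        Value      = $dlls
        Load       = Get-RegValue $windowsKey 'LoadAppInit_DLLs'
        ReqSigned  = $req
        Suspicious = (-not [string]::IsNullOrWhiteSpace($dlls)) -or ($req -eq 0)
    }
}

# 2. Winlogon\Userinit: only %windir%\system32\userinit.exe belongs here (the stock value
#    ends in a comma); any extra comma-separated entry is executed at every logon.
function Test-Userinit {
    $value    = [string](Get-RegValue $winlogonKey 'Userinit')
    $expected = Join-Path $env:windir 'system32\userinit.exe'
    $entries  = @($value -split ',' | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ })
    $extra    = @($entries | Where-Object { $_ -ne $expected })   # -ne compares case-insensitively
    [pscustomobject]@{
        Check      = 'Winlogon\Userinit'
        Value      = $value
        Extra      = ($extra -join ';')
        Suspicious = ($extra.Count -gt 0)
    }
}

# 3. HKCU Run: the sample registers itself as "svhost"; also flag anything launched from AppData.
function Test-RunKey {
    $meta  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if (-not $props) { return }
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notin $meta })) {
        $cmd = [string]$p.Value
        [pscustomobject]@{
            Check      = 'HKCU\...\Run'
            Name       = $p.Name
            Value      = $cmd
            Suspicious = ($p.Name -eq 'svhost') -or ($cmd -like '*\AppData\*')
        }
    }
}

# 4. Scheduled tasks: the report's "Inkscape Upgrade" fires ONLOGON, runs with /rl HIGHEST
#    and executes a binary under %LOCALAPPDATA%.
function Test-LogonTasks {
    foreach ($task in @(Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        $onLogon = @($task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }).Count -gt 0
        foreach ($a in @($task.Actions)) {
            if (-not $a.Execute) { continue }   # COM-handler actions carry no Execute path
            $exe = [Environment]::ExpandEnvironmentVariables($a.Execute).Trim('"')
            [pscustomobject]@{
                Check      = 'ScheduledTask'
                Name       = $task.TaskName
                Execute    = $exe
                RunLevel   = $task.Principal.RunLevel
                Suspicious = $onLogon -and ($exe -like '*\AppData\*') -and ("$($task.Principal.RunLevel)" -eq 'Highest')
            }
        }
    }
}

# 5. Dropped binaries: both payloads in the report carry the "xdwd" prefix under AppData.
function Test-DroppedFiles {
    foreach ($dir in @($env:LOCALAPPDATA, $env:APPDATA)) {
        Get-ChildItem -Path $dir -Filter 'xdwd*.exe' -File -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Check = 'DroppedFile'; Path = $_.FullName; Bytes = $_.Length; Suspicious = $true }
        }
    }
}

$findings = @(Test-AppInitDlls; Test-Userinit; Test-RunKey; Test-LogonTasks; Test-DroppedFiles)
$findings | Where-Object { $_.Suspicious } | Format-List
```

The checks are deliberately structural rather than signature-based where the page allows it: any non-default Userinit entry, any AppInit_DLLs content with signing disabled, and any highest-privilege logon task executing from a user profile are worth a look regardless of the names this particular sample chose. Remediation (deleting the task, clearing the Run value, restoring Userinit and RequireSignedAppInit_DLLs=1) belongs in a separate step after the findings have been preserved for the incident record.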
            Source: C:\Users\user\Desktop\exe006.exe - Process information set: NOOPENFILEERRORBOX (39 occurrences)
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe - Process information set: NOOPENFILEERRORBOX (74 occurrences)
            Source: C:\Windows\System32\cmd.exe - Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\schtasks.exe - Process information set: NOOPENFILEERRORBOX (4 occurrences)
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe - Process information set: NOOPENFILEERRORBOX (31 occurrences)
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe - Process information set: NOOPENFILEERRORBOX (repeated)
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\exe006.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
            Source: C:\Users\user\Desktop\exe006.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
            Source: C:\Users\user\Desktop\exe006.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
            Source: C:\Users\user\Desktop\exe006.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
            Source: C:\Users\user\Desktop\exe006.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
            Source: C:\Users\user\Desktop\exe006.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\exe006.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: xdwdInkscape.exe, 0000000C.00000002.165032989220.0000000002601000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000016.00000002.165110312696.0000000002901000.00000004.00000800.00020000.00000000.sdmp, xdwdInkscape.exe, 0000001A.00000002.165070264178.0000000002531000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000024.00000002.165097279064.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, xdwdInkscape.exe, 0000002E.00000002.165153038587.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000035.00000002.165241336712.0000000002D11000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
            Source: C:\Users\user\Desktop\exe006.exe | Memory allocated: B40000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\exe006.exe | Memory allocated: 1A510000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | Memory allocated: AB0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | Memory allocated: 1A600000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | Memory allocated: D00000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | Memory allocated: 1A900000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | Memory allocated: 8A0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | Memory allocated: 1A530000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | Memory allocated: 1520000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | Memory allocated: 1AF00000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | Memory allocated: AD0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | Memory allocated: 1AA80000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | Memory allocated: 1050000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | Memory allocated: 1AD10000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\exe006.exe TID: 5876 | Thread sleep count: 255 > 30
            Source: C:\Users\user\Desktop\exe006.exe TID: 5876 | Thread sleep time: -75000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe TID: 7864 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe TID: 5812 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe TID: 3464 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe TID: 1396 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe TID: 3332 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe TID: 5556 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\exe006.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
            Source: C:\Users\user\Desktop\exe006.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem
            Source: C:\Users\user\Desktop\exe006.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\exe006.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\exe006.exe | Last function: Thread delayed
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | File opened: C:\Users\user
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | File opened: C:\Users\user\AppData
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | File opened: C:\Users\user\AppData\Roaming
            Source: exe006.exe, 00000000.00000002.165953008158.000000001B1AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWic%SystemRoot%\system32\mswsock.dll </endpointExtensions>
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\exe006.exe | Process token adjusted: Debug
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe | Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\exe006.exe | Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\exe006.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Inkscape Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" & exit
            Source: C:\Users\user\Desktop\exe006.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Users\user\Desktop\exe006.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Paint.NET Update" /tr "C:\Users\user\AppData\Roaming\xdwdInkscape.exe" /RL HIGHEST & exit
            Source: C:\Users\user\Desktop\exe006.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Users\user\Desktop\exe006.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Users\user\Desktop\exe006.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
            Source: C:\Users\user\Desktop\exe006.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Users\user\Desktop\exe006.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Users\user\Desktop\exe006.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Users\user\Desktop\exe006.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Users\user\Desktop\exe006.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Users\user\Desktop\exe006.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Users\user\Desktop\exe006.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Users\user\Desktop\exe006.exe | Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Users\user\Desktop\exe006.exe | Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exitJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exitJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exitJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exitJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exitJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exitJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exitJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exitJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST Jump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST Jump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST Jump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\exe006.exeProcess created: unknown unknownJump to behavior
            Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\schtasks.exe SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Inkscape Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe"
            Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
            Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\schtasks.exe SchTaSKs /create /f /sc minute /mo 5 /tn "Paint.NET Update" /tr "C:\Users\user\AppData\Roaming\xdwdInkscape.exe" /RL HIGHEST
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe; Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe; Process created: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe"
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe; Process created: C:\Windows\System32\cmd.exe "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe; Process created: C:\Windows\System32\cmd.exe "CMD" /c scHTaSks /Run /I /TN "Inkscape Upgrade"
            Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\schtasks.exe scHTaSks /Run /I /TN "Inkscape Upgrade"
            Source: C:\Windows\System32\cmd.exe; Process created: unknown unknown
            Source: C:\Users\user\Desktop\exe006.exe; Queries volume information: C:\Users\user\Desktop\exe006.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe; Queries volume information: C:\Users\user\AppData\Roaming\xdwdInkscape.exe VolumeInformation
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe; Queries volume information: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe VolumeInformation
            Source: C:\Users\user\Desktop\exe006.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: exe006.exe, 00000000.00000002.165952530116.000000001B179000.00000004.00000020.00020000.00000000.sdmp, xdwdInkscape.exe, 0000000C.00000002.165031270911.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000016.00000002.165109345652.0000000000970000.00000004.00000020.00020000.00000000.sdmp, xdwdInkscape.exe, 0000001A.00000002.165068912675.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000024.00000002.165096238283.0000000000FAB000.00000004.00000020.00020000.00000000.sdmp, xdwdInkscape.exe, 0000002E.00000002.165150754699.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp, xdwdInkscape.exe, 0000002E.00000002.165150754699.0000000000B52000.00000004.00000020.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000035.00000002.165239981243.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: xdwdMicrosoft Paint.exe, 00000024.00000002.165102814305.000000001BAFF000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Defender\MsMpeng.exe
            Source: C:\Users\user\Desktop\exe006.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\AppData\Roaming\xdwdInkscape.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

            Stealing of Sensitive Information

            Source: Yara match; File source: 0.2.exe006.exe.1260b320.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0.2.exe006.exe.1260b320.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0.2.exe006.exe.12596ae8.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000000.00000002.165949609284.0000000012596000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: exe006.exe PID: 6344, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match; File source: 0.2.exe006.exe.1260b320.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0.2.exe006.exe.1260b320.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0.2.exe006.exe.12596ae8.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000000.00000002.165949609284.0000000012596000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: exe006.exe PID: 6344, type: MEMORYSTR

            MITRE ATT&CK Matrix (numeric prefixes are the counters shown in the original matrix cells)

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 331 Windows Management Instrumentation | 1 Scheduled Task/Job | 11 Process Injection | 11 Masquerading | OS Credential Dumping | 441 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 21 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 21 Registry Run Keys / Startup Folder | 251 Virtualization/Sandbox Evasion | Security Account Manager | 251 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 11 Process Injection | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 123 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Timestomp | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph (ID: 1560742; Sample: exe006.exe; Startdate: 22/11/2024; Architecture: WINDOWS; Score: 100). Recoverable graph content: DNS/IP node true-lung.gl.at.ply.gg resolving to 147.185.221.23, port 56698, SALSGIVERUS, United States; dropped file C:\Users\user\...\xdwdMicrosoft Paint.exe (PE32); process nodes exe006.exe, xdwdInkscape.exe, xdwdMicrosoft Paint.exe, cmd.exe, conhost.exe and schtasks.exe; signature nodes: Antivirus detection for dropped file; Multi AV Scanner detection for submitted file; Yara detected SheetRat; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Creates an undocumented autostart registry key; Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Queries memory information (via WMI often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules.

            Source | Detection | Scanner | Label
            exe006.exe | 68% | ReversingLabs | ByteCode-MSIL.Trojan.Jalapeno
            exe006.exe | 100% | Joe Sandbox ML |
            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe | 100% | Avira | TR/Crypt.OPACK.Gen
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            true-lung.gl.at.ply.gg | 147.185.221.23 | true | false | | unknown
            Name | Source | Malicious | Antivirus Detection | Reputation
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | exe006.exe, 00000000.00000002.165937013906.0000000002511000.00000004.00000800.00020000.00000000.sdmp, xdwdInkscape.exe, 0000000C.00000002.165032989220.0000000002834000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000016.00000002.165110312696.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, xdwdInkscape.exe, 0000001A.00000002.165070264178.0000000002760000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000024.00000002.165097279064.000000000312E000.00000004.00000800.00020000.00000000.sdmp, xdwdInkscape.exe, 0000002E.00000002.165153038587.0000000002CBB000.00000004.00000800.00020000.00000000.sdmp, xdwdMicrosoft Paint.exe, 00000035.00000002.165241336712.0000000002F4B000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://aka.ms/odirm | xdwdInkscape.exe, 0000000C.00000002.165040416149.000000001B2CB000.00000004.00000020.00020000.00000000.sdmp | false | | high
            IP | Domain | Country | ASN | ASN Name | Malicious
            147.185.221.23 | true-lung.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | false
            Joe Sandbox version: 41.0.0 Charoite
            Analysis ID: 1560742
            Start date and time: 2024-11-22 09:24:27 +01:00
            Joe Sandbox product: CloudBasic
            Overall analysis duration: 0h 8m 59s
            Hypervisor based Inspection enabled: false
            Report type: full
            Cookbook file name: default.jbs
            Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
            Run name: Suspected VM Detection
            Number of new started processes analysed: 114
            Number of new started drivers analysed: 0
            Number of existing processes analysed: 0
            Number of existing drivers analysed: 0
            Number of injected processes analysed: 0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode: default
            Analysis stop reason: Timeout
            Sample name: exe006.exe
            Detection: MAL
            Classification: mal100.troj.evad.winEXE@181/3@1/1
                  EGA Information:
                  • Successful, ratio: 14.3%
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 201
                  • Number of non-executed functions: 9
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Exclude process from analysis (whitelisted): Conhost.exe
                  • Execution Graph export aborted for target xdwdInkscape.exe, PID 3516 because it is empty
                  • Execution Graph export aborted for target xdwdInkscape.exe, PID 4236 because it is empty
                  • Execution Graph export aborted for target xdwdInkscape.exe, PID 5216 because it is empty
                  • Execution Graph export aborted for target xdwdMicrosoft Paint.exe, PID 5628 because it is empty
                  • Execution Graph export aborted for target xdwdMicrosoft Paint.exe, PID 6316 because it is empty
                  • Execution Graph export aborted for target xdwdMicrosoft Paint.exe, PID 6984 because it is empty
            • Not all processes were analyzed; the report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size exceeded maximum capacity and may have missing disassembly code.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • VT rate limit hit for: exe006.exe
            Time | Type | Description
            03:26:33 | API Interceptor | 1x Sleep call for process: dllhost.exe modified
            03:26:34 | API Interceptor | 1x Sleep call for process: exe006.exe modified
            03:27:02 | API Interceptor | 3x Sleep call for process: xdwdInkscape.exe modified
            03:27:09 | API Interceptor | 4x Sleep call for process: xdwdMicrosoft Paint.exe modified
            09:26:35 | Task Scheduler | Run new task: Inkscape Upgrade path: C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe
            09:27:00 | Task Scheduler | Run new task: Paint.NET Update path: C:\Users\user\AppData\Roaming\xdwdInkscape.exe
            09:27:00 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run svhost C:\Users\user\AppData\Roaming\xdwdInkscape.exe
            09:27:09 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run svhost C:\Users\user\AppData\Roaming\xdwdInkscape.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
147.185.221.23 | yF21ypxRB7.exe | Get hash | malicious | XWorm | Browse |
 | 9GlCWW6bXc.exe | Get hash | malicious | XWorm | Browse |
 | fiPZoO6xvJ.exe | Get hash | malicious | XWorm | Browse |
 | EternalPredictor.exe | Get hash | malicious | Blank Grabber, Skuld Stealer, XWorm | Browse |
 | eternal.exe | Get hash | malicious | XWorm | Browse |
 | svchost.exe | Get hash | malicious | Unknown | Browse |
 | msedge_visual_render.exe | Get hash | malicious | XWorm | Browse |
 | exe030.exe | Get hash | malicious | XWorm | Browse |
 | pQm8Ci3Dov.exe | Get hash | malicious | XWorm | Browse |
 | jkL96SLfWS.exe | Get hash | malicious | XWorm | Browse |
                                      No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
SALSGIVERUS | exe003.exe | Get hash | malicious | XWorm | Browse | 147.185.221.22
 | yF21ypxRB7.exe | Get hash | malicious | XWorm | Browse | 147.185.221.23
 | OXhiMvksgM.exe | Get hash | malicious | XWorm | Browse | 147.185.221.22
 | 9GlCWW6bXc.exe | Get hash | malicious | XWorm | Browse | 147.185.221.23
 | fiPZoO6xvJ.exe | Get hash | malicious | XWorm | Browse | 147.185.221.23
 | EternalPredictor.exe | Get hash | malicious | Blank Grabber, Skuld Stealer, XWorm | Browse | 147.185.221.23
 | eternal.exe | Get hash | malicious | XWorm | Browse | 147.185.221.23
 | svchost.exe | Get hash | malicious | Unknown | Browse | 147.185.221.23
 | msedge_visual_render.exe | Get hash | malicious | XWorm | Browse | 147.185.221.23
 | exe030.exe | Get hash | malicious | XWorm | Browse | 147.185.221.23
                                      No context
                                      No context
                                      Process:C:\Users\user\AppData\Roaming\xdwdInkscape.exe
                                      File Type:CSV text
                                      Category:dropped
                                      Size (bytes):871
                                      Entropy (8bit):5.36845336122342
                                      Encrypted:false
                                      SSDEEP:12:Q3La/KDLI4MWuPyEsOKbbDLI4MWuPOKMAKhap+92n4MNQpVhU9tWzAbDLI4MNux+:ML9E4KaCKDE4KGKMAKh6+84xpcKsXE4w
                                      MD5:15332C93136041700B0E3D5AEB01CFCE
                                      SHA1:77EBA09260200C3EA967778E460A7A0D83A2E152
                                      SHA-256:5B95602CCE052DF6412A02E94AAC5326A41419C13C56B1FE0CE9389D3CB77D30
                                      SHA-512:419B6BCD31744FE9494F0FB8CF0AA57C59E338898BD5A9832A7C59BE5E478A27D53D40861AF2F4ED38426574781E2DA38237805CB765C7BD582FB8F4C547102A
                                      Malicious:false
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d1b08a492d712e019f310913d82efb4d\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\782dd7dd89e97af687ff0bdfb301ea5f\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\d168bb79d8c202ee2de4b8f1cab215dd\Microsoft.VisualBasic.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\3a54af634388e6223cd280a434ab6a59\System.Management.ni.dll",0..
                                      Process:C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe
                                      File Type:CSV text
                                      Category:dropped
                                      Size (bytes):871
                                      Entropy (8bit):5.36845336122342
                                      Encrypted:false
                                      SSDEEP:12:Q3La/KDLI4MWuPyEsOKbbDLI4MWuPOKMAKhap+92n4MNQpVhU9tWzAbDLI4MNux+:ML9E4KaCKDE4KGKMAKh6+84xpcKsXE4w
                                      MD5:15332C93136041700B0E3D5AEB01CFCE
                                      SHA1:77EBA09260200C3EA967778E460A7A0D83A2E152
                                      SHA-256:5B95602CCE052DF6412A02E94AAC5326A41419C13C56B1FE0CE9389D3CB77D30
                                      SHA-512:419B6BCD31744FE9494F0FB8CF0AA57C59E338898BD5A9832A7C59BE5E478A27D53D40861AF2F4ED38426574781E2DA38237805CB765C7BD582FB8F4C547102A
                                      Malicious:false
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d1b08a492d712e019f310913d82efb4d\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\782dd7dd89e97af687ff0bdfb301ea5f\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\d168bb79d8c202ee2de4b8f1cab215dd\Microsoft.VisualBasic.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\3a54af634388e6223cd280a434ab6a59\System.Management.ni.dll",0..
                                      Process:C:\Users\user\Desktop\exe006.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):764889088
                                      Entropy (8bit):0.008375076540240368
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:8737317BC2D5452B3E7403F57A663093
                                      SHA1:A6A8B75479B59406FD6B7B8D3068442EFFD18B05
                                      SHA-256:3F7FA42BF34CFC79616030251CC86238833AE8A8253F3D5FFD895D6F3AF87E96
                                      SHA-512:5BB794D0B8943329D210D5B4182EFA2CCE77746EC091460457363B91F34C55AEA9610612D9643B182F8EA361EA2E9C4D66CED3A91D792D2735C17830CE4FFD79
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...oA............"...0..<..........^Z... ...`....@.. ....................................@..................................Z..K....`............................................................................... ............... ..H............text...d:... ...<.................. ..`.rsrc........`.......>..............@..@.reloc...............F..............@..B................@Z......H.......p....L...........4..i............................................W......H3.......W......3.........(....*b.{.....oR...(S....oT...*.(....(....sV........(....(....sV........( ...(....sV........*J.s....}.....(....*...$...*.s.....%...*.(....*..o....*.(....*.s.... .:.. 0u..o....(....~=...(....&*.s.....*...*..*j(1...(....~/...(i....-...*V(i....Y...(j....Z...*".(.....*..(..... .On. 1..*ai.....!.............*.r.7.p.....!.e.................r.8.p.....r$8.p...........*.rD:.p.....
                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):5.8360150988175725
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                      • Windows Screen Saver (13104/52) 0.07%
                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                      File name:exe006.exe
                                      File size:477'184 bytes
                                      MD5:fdea1687b2827f9fc9b4ae8c81f1f0e4
                                      SHA1:d2597adf0ab33094036db10bddad6cb05ea51273
                                      SHA256:bc506cb36843e83ddc49c96ae3d3eacf598bccc569b2d84db925eda26f6c31b4
                                      SHA512:9dbda7d8760dfbbf6ba7fd8539056c437cb4f56d4982b84e31a59b832d656b4c292330b14ef0f4ad20a9446fd678f6db5797601960eadb730a14119d355b78ff
                                      SSDEEP:6144:unEwRanXWLUU2+l2e6VlWT8b9ubayfRT0oHQa7b519cnCTa5:kvPyDPVle8MayL7DcnB5
                                      TLSH:91A4B40CFE91F806DE2E3DB7CBE614044B7125C12E2192563259AFFE8BA537258E257C
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...oA............"...0..<..........^Z... ...`....@.. ....................................@................................
                                      Icon Hash:90cececece8e8eb0
                                      Entrypoint:0x475a5e
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0xF5FE416F [Wed Oct 13 03:20:15 2100 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (the same instruction is listed 97 times in a row: it is the decoding of the 00 00 zero bytes that follow the entry stub)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x75a10 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x76000 | 0x614 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x78000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x73a64 | 0x73c00 | e536e1530ac6a963d6a6461ef3eb37c4 | False | 0.47976005669546434 | data | 5.842200965540925 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x76000 | 0x614 | 0x800 | 5679185f8006e6fc0cda81c0e580bbe9 | False | 0.36572265625 | data | 4.69048508251588 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x78000 | 0xc | 0x200 | 0ffa3cdccf84b7e9cf8c9d1e69a29501 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x760a0 | 0x388 | data | | | 0.47123893805309736
RT_MANIFEST | 0x76428 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 22, 2024 09:26:36.637908936 CET | 49759 | 56698 | 192.168.11.20 | 147.185.221.23
Nov 22, 2024 09:26:37.639547110 CET | 49759 | 56698 | 192.168.11.20 | 147.185.221.23
Nov 22, 2024 09:26:39.653522968 CET | 49759 | 56698 | 192.168.11.20 | 147.185.221.23
Nov 22, 2024 09:26:43.669327974 CET | 49759 | 56698 | 192.168.11.20 | 147.185.221.23
Nov 22, 2024 09:26:51.682864904 CET | 49759 | 56698 | 192.168.11.20 | 147.185.221.23
Nov 22, 2024 09:26:57.700592995 CET | 49760 | 56698 | 192.168.11.20 | 147.185.221.23
Nov 22, 2024 09:26:58.711905003 CET | 49760 | 56698 | 192.168.11.20 | 147.185.221.23
Nov 22, 2024 09:27:00.727179050 CET | 49760 | 56698 | 192.168.11.20 | 147.185.221.23
Nov 22, 2024 09:27:04.741848946 CET | 49760 | 56698 | 192.168.11.20 | 147.185.221.23
Nov 22, 2024 09:27:12.755609989 CET | 49760 | 56698 | 192.168.11.20 | 147.185.221.23
Nov 22, 2024 09:27:18.989264011 CET | 49761 | 56698 | 192.168.11.20 | 147.185.221.23
Nov 22, 2024 09:27:20.004070997 CET | 49761 | 56698 | 192.168.11.20 | 147.185.221.23
Nov 22, 2024 09:27:22.019248009 CET | 49761 | 56698 | 192.168.11.20 | 147.185.221.23
Nov 22, 2024 09:27:26.034004927 CET | 49761 | 56698 | 192.168.11.20 | 147.185.221.23
Nov 22, 2024 09:27:34.047842979 CET | 49761 | 56698 | 192.168.11.20 | 147.185.221.23
Nov 22, 2024 09:27:40.359496117 CET | 49762 | 56698 | 192.168.11.20 | 147.185.221.23
Nov 22, 2024 09:27:41.374424934 CET | 49762 | 56698 | 192.168.11.20 | 147.185.221.23
Nov 22, 2024 09:27:43.389681101 CET | 49762 | 56698 | 192.168.11.20 | 147.185.221.23
Nov 22, 2024 09:27:47.404253960 CET | 49762 | 56698 | 192.168.11.20 | 147.185.221.23
Nov 22, 2024 09:27:55.418159008 CET | 49762 | 56698 | 192.168.11.20 | 147.185.221.23
Nov 22, 2024 09:28:01.589266062 CET | 49763 | 56698 | 192.168.11.20 | 147.185.221.23
Nov 22, 2024 09:28:02.604063034 CET | 49763 | 56698 | 192.168.11.20 | 147.185.221.23
Nov 22, 2024 09:28:04.619323969 CET | 49763 | 56698 | 192.168.11.20 | 147.185.221.23
Nov 22, 2024 09:28:08.634033918 CET | 49763 | 56698 | 192.168.11.20 | 147.185.221.23
Nov 22, 2024 09:28:16.648017883 CET | 49763 | 56698 | 192.168.11.20 | 147.185.221.23
Nov 22, 2024 09:28:22.975279093 CET | 49764 | 56698 | 192.168.11.20 | 147.185.221.23
Nov 22, 2024 09:28:23.989988089 CET | 49764 | 56698 | 192.168.11.20 | 147.185.221.23
Nov 22, 2024 09:28:26.005194902 CET | 49764 | 56698 | 192.168.11.20 | 147.185.221.23
Nov 22, 2024 09:28:30.019944906 CET | 49764 | 56698 | 192.168.11.20 | 147.185.221.23
Nov 22, 2024 09:28:38.033781052 CET | 49764 | 56698 | 192.168.11.20 | 147.185.221.23
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 22, 2024 09:26:36.459240913 CET | 54309 | 53 | 192.168.11.20 | 1.1.1.1
Nov 22, 2024 09:26:36.635374069 CET | 53 | 54309 | 1.1.1.1 | 192.168.11.20
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 22, 2024 09:26:36.459240913 CET | 192.168.11.20 | 1.1.1.1 | 0x4d3b | Standard query (0) | true-lung.gl.at.ply.gg | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 22, 2024 09:26:36.635374069 CET | 1.1.1.1 | 192.168.11.20 | 0x4d3b | No error (0) | true-lung.gl.at.ply.gg | | 147.185.221.23 | A (IP address) | IN (0x0001) | false

                                      Target ID:0
                                      Start time:03:26:32
                                      Start date:22/11/2024
                                      Path:C:\Users\user\Desktop\exe006.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\Desktop\exe006.exe"
                                      Imagebase:0xa0000
                                      File size:477'184 bytes
                                      MD5 hash:FDEA1687B2827F9FC9B4AE8C81F1F0E4
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_SheetRat, Description: Yara detected SheetRat, Source: 00000000.00000002.165949609284.0000000012596000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:false

                                      Target ID:1
                                      Start time:03:26:33
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\dllhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                      Imagebase:0x7ff794cf0000
                                      File size:21'312 bytes
                                      MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:2
                                      Start time:03:26:34
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                      Imagebase:0x7ff6213a0000
                                      File size:496'640 bytes
                                      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                      Has elevated privileges:true
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:3
                                      Start time:03:26:34
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Inkscape Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" & exit
                                      Imagebase:0x7ff69b590000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:4
                                      Start time:03:26:35
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7e0fa0000
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:5
                                      Start time:03:26:35
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Inkscape Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe"
                                      Imagebase:0x7ff793de0000
                                      File size:235'008 bytes
                                      MD5 hash:796B784E98008854C27F4B18D287BA30
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:6
                                      Start time:03:26:58
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
                                      Imagebase:0x7ff69b590000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:7
                                      Start time:03:26:58
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7e0fa0000
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:8
                                      Start time:03:26:58
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
                                      Imagebase:0x7ff793de0000
                                      File size:235'008 bytes
                                      MD5 hash:796B784E98008854C27F4B18D287BA30
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:9
                                      Start time:03:26:58
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Paint.NET Update" /tr "C:\Users\user\AppData\Roaming\xdwdInkscape.exe" /RL HIGHEST & exit
                                      Imagebase:0x7ff69b590000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:10
                                      Start time:03:26:58
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7e0fa0000
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:11
                                      Start time:03:26:58
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo 5 /tn "Paint.NET Update" /tr "C:\Users\user\AppData\Roaming\xdwdInkscape.exe" /RL HIGHEST
                                      Imagebase:0x7ff793de0000
                                      File size:235'008 bytes
                                      MD5 hash:796B784E98008854C27F4B18D287BA30
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:12
                                      Start time:03:27:01
                                      Start date:22/11/2024
                                      Path:C:\Users\user\AppData\Roaming\xdwdInkscape.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Users\user\AppData\Roaming\xdwdInkscape.exe
                                      Imagebase:0x110000
                                      File size:778'520'576 bytes
                                      MD5 hash:89274B9A87E952C530F24B5F7313A15F
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:13
                                      Start time:03:27:01
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
                                      Imagebase:0x7ff69b590000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:14
                                      Start time:03:27:01
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7e0fa0000
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:15
                                      Start time:03:27:01
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
                                      Imagebase:0x7ff793de0000
                                      File size:235'008 bytes
                                      MD5 hash:796B784E98008854C27F4B18D287BA30
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:16
                                      Start time:03:27:03
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
                                      Imagebase:0x7ff69b590000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:17
                                      Start time:03:27:03
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7e0fa0000
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:18
                                      Start time:03:27:03
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
                                      Imagebase:0x7ff793de0000
                                      File size:235'008 bytes
                                      MD5 hash:796B784E98008854C27F4B18D287BA30
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:19
                                      Start time:03:27:04
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
                                      Imagebase:0x7ff69b590000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:20
                                      Start time:03:27:04
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7e0fa0000
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:21
                                      Start time:03:27:04
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
                                      Imagebase:0x7ff793de0000
                                      File size:235'008 bytes
                                      MD5 hash:796B784E98008854C27F4B18D287BA30
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:22
                                      Start time:03:27:07
                                      Start date:22/11/2024
                                      Path:C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe"
                                      Imagebase:0x3d0000
                                      File size:764'889'088 bytes
                                      MD5 hash:8737317BC2D5452B3E7403F57A663093
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      Has exited:true

                                      Target ID:23
                                      Start time:03:27:08
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
                                      Imagebase:0x7ff69b590000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:24
                                      Start time:03:27:08
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7e0fa0000
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:25
                                      Start time:03:27:08
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
                                      Imagebase:0x7ff793de0000
                                      File size:235'008 bytes
                                      MD5 hash:796B784E98008854C27F4B18D287BA30
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:26
                                      Start time:03:27:10
                                      Start date:22/11/2024
                                      Path:C:\Users\user\AppData\Roaming\xdwdInkscape.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Roaming\xdwdInkscape.exe"
                                      Imagebase:0x80000
                                      File size:778'520'576 bytes
                                      MD5 hash:89274B9A87E952C530F24B5F7313A15F
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:27
                                      Start time:03:27:09
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
                                      Imagebase:0x7ff69b590000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:28
                                      Start time:03:27:09
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7e0fa0000
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:29
                                      Start time:03:27:09
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
                                      Imagebase:0x7ff793de0000
                                      File size:235'008 bytes
                                      MD5 hash:796B784E98008854C27F4B18D287BA30
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:30
                                      Start time:03:27:11
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
                                      Imagebase:0x7ff69b590000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:31
                                      Start time:03:27:11
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7e0fa0000
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:32
                                      Start time:03:27:11
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
                                      Imagebase:0x7ff793de0000
                                      File size:235'008 bytes
                                      MD5 hash:796B784E98008854C27F4B18D287BA30
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:33
                                      Start time:03:27:11
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c scHTaSks /Run /I /TN "Inkscape Upgrade"
                                      Imagebase:0x7ff69b590000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:34
                                      Start time:03:27:11
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7e0fa0000
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:35
                                      Start time:03:27:11
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:scHTaSks /Run /I /TN "Inkscape Upgrade"
                                      Imagebase:0x7ff793de0000
                                      File size:235'008 bytes
                                      MD5 hash:796B784E98008854C27F4B18D287BA30
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true
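
The schtasks invocations listed in the entries above carry the traits a detection rule over process-creation telemetry (Sysmon Event ID 1 or Windows 4688 command lines) would key on: a task named after a software updater ("QuickBooks Upgrade", "Inkscape Upgrade", "Paint.NET Update") whose action is a binary under AppData, /RL HIGHEST on every creation, a /sc minute schedule with the out-of-range modifier -1, and a later /Run of a task the same process tree created. The block below is an added example, not code from the Joe Sandbox report or from the analysed sample: it parses such command lines and lists the reasons each one is flagged. The four schtasks lines are copied from the entries above; the conhost line and the final "Backup" line are constructed for contrast, and the function names, the user-writable path list and the updater keywords are the example's own choices.

```python
import re
from dataclasses import dataclass, field

# Sample process-creation command lines. The four schtasks lines are copied
# from the report entries above; the last two are constructed decoys (one
# non-schtasks process, one plausible benign task) and are not from the report.
SAMPLE_CMDLINES = [
    'SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Inkscape Upgrade" /tr "C:\\Users\\user\\AppData\\Local\\xdwdMicrosoft Paint.exe"',
    '"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\\Users\\user\\AppData\\Local\\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit',
    '"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Paint.NET Update" /tr "C:\\Users\\user\\AppData\\Roaming\\xdwdInkscape.exe" /RL HIGHEST & exit',
    '"CMD" /c scHTaSks /Run /I /TN "Inkscape Upgrade"',
    'C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1',          # constructed
    'schtasks /create /f /sc daily /tn "Backup" /tr "C:\\Program Files\\Backup\\backup.exe"',  # constructed benign
]

# Directories a standard user can write to; a task action living here is a
# classic user-level persistence location. Heuristic list chosen for the example.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
UPDATER_WORDS = ("update", "upgrade")

_TOKEN = re.compile(r'"[^"]*"|\S+')


def _tokens(cmdline):
    """Split on whitespace but keep double-quoted arguments intact (quotes stripped)."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def unwrap_cmd(tokens):
    """For `cmd /c <inner> & exit` return the <inner> tokens; otherwise return tokens unchanged."""
    if not tokens:
        return tokens
    head = tokens[0].lower()
    if (head in ("cmd", "cmd.exe") or head.endswith("\\cmd.exe")) and len(tokens) > 1 \
            and tokens[1].lower() in ("/c", "/k"):
        inner = tokens[2:]
        if "&" in inner:                      # drop the trailing "& exit"
            inner = inner[: inner.index("&")]
        return inner
    return tokens


def parse_schtasks(cmdline):
    """Return (verb, options) for a schtasks command line, or None if it is not schtasks.

    verb is lower-case ('create', 'run', ...). options maps lower-case switch names
    to their value, or True for bare switches such as /f and /i. Matching is
    case-insensitive, so the mixed-case spellings in the report parse the same way.
    """
    tokens = unwrap_cmd(_tokens(cmdline))
    if not tokens:
        return None
    exe = tokens[0].lower()
    if not (exe in ("schtasks", "schtasks.exe") or exe.endswith("\\schtasks.exe")):
        return None
    verb = tokens[1][1:].lower() if len(tokens) > 1 and tokens[1].startswith("/") else None
    opts, i = {}, 2
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            name = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[name] = tokens[i + 1]     # switch with a value, e.g. /mo -1
                i += 2
                continue
            opts[name] = True                  # bare switch, e.g. /f
        i += 1
    return verb, opts


@dataclass
class Finding:
    cmdline: str
    reasons: list = field(default_factory=list)


def assess(cmdline, created=None):
    """Return the list of reasons this command line looks like task-based persistence.

    `created` is the set of task names already created by the same process tree,
    so a later /Run of one of them is tied back to its creation.
    """
    created = set() if created is None else created
    parsed = parse_schtasks(cmdline)
    if parsed is None:
        return []
    verb, o = parsed
    tn = o.get("tn", "") if isinstance(o.get("tn"), str) else ""
    tr = o.get("tr", "") if isinstance(o.get("tr"), str) else ""
    tn_l, tr_l = tn.lower(), tr.lower()
    reasons = []
    if verb == "create":
        if any(p in tr_l for p in USER_WRITABLE):
            reasons.append("task action runs from a user-writable directory: " + tr)
        if str(o.get("rl", "")).lower() == "highest":
            reasons.append("task requests /RL HIGHEST")
        if any(w in tn_l for w in UPDATER_WORDS) and "\\program files" not in tr_l:
            reasons.append(f"task name '{tn}' mimics a software updater but action is not under Program Files")
        mo = o.get("mo")
        if str(o.get("sc", "")).lower() == "minute" and isinstance(mo, str) \
                and not (mo.isdigit() and 1 <= int(mo) <= 1439):
            reasons.append(f"/mo {mo} is outside the documented 1-1439 range for /sc minute")
        created.add(tn_l)
    elif verb == "run" and tn_l in created:
        reasons.append(f"runs task '{tn}' that this process tree created earlier")
    return reasons


def scan(cmdlines):
    """Run assess() over an ordered list of command lines; return only the flagged ones."""
    created, findings = set(), []
    for line in cmdlines:
        reasons = assess(line, created)
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f.cmdline)
        for r in f.reasons:
            print("   -", r)
```

The report shows the `/mo -1` creation being re-issued every few seconds for the whole run; the rule above flags the modifier on the documented 1-1439 range for `/sc minute` rather than on whether schtasks accepted it, so it fires on the attempt regardless of the outcome. Feeding real telemetry means passing the CommandLine field of each event in process-tree order, since the `/Run` check depends on seeing the earlier `/create`.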

                                      Target ID:36
                                      Start time:03:27:12
                                      Start date:22/11/2024
                                      Path:C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe"
                                      Imagebase:0xa80000
                                      File size:764'889'088 bytes
                                      MD5 hash:8737317BC2D5452B3E7403F57A663093
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:37
                                      Start time:03:27:12
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
                                      Imagebase:0x7ff69b590000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:38
                                      Start time:03:27:12
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7e0fa0000
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:39
                                      Start time:03:27:12
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
                                      Imagebase:0x7ff793de0000
                                      File size:235'008 bytes
                                      MD5 hash:796B784E98008854C27F4B18D287BA30
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:40
                                      Start time:03:27:14
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
                                      Imagebase:0x7ff69b590000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:41
                                      Start time:03:27:14
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7e0fa0000
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:42
                                      Start time:03:27:14
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
                                      Imagebase:0x7ff69b590000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:43
                                      Start time:03:27:14
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7e0fa0000
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:44
                                      Start time:03:27:14
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
                                      Imagebase:0x7ff793de0000
                                      File size:235'008 bytes
                                      MD5 hash:796B784E98008854C27F4B18D287BA30
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:45
                                      Start time:03:27:14
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
                                      Imagebase:0x7ff793de0000
                                      File size:235'008 bytes
                                      MD5 hash:796B784E98008854C27F4B18D287BA30
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:46
                                      Start time:03:27:18
                                      Start date:22/11/2024
                                      Path:C:\Users\user\AppData\Roaming\xdwdInkscape.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Roaming\xdwdInkscape.exe"
                                      Imagebase:0x4a0000
                                      File size:778'520'576 bytes
                                      MD5 hash:89274B9A87E952C530F24B5F7313A15F
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:47
                                      Start time:03:27:17
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
                                      Imagebase:0x7ff69b590000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:48
                                      Start time:03:27:17
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7e0fa0000
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:49
                                      Start time:03:27:17
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
                                      Imagebase:0x7ff793de0000
                                      File size:235'008 bytes
                                      MD5 hash:796B784E98008854C27F4B18D287BA30
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:50
                                      Start time:03:27:19
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c scHTaSks /Run /I /TN "Inkscape Upgrade"
                                      Imagebase:0x7ff69b590000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:51
                                      Start time:03:27:19
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7e0fa0000
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:52
                                      Start time:03:27:19
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:scHTaSks /Run /I /TN "Inkscape Upgrade"
                                      Imagebase:0x7ff793de0000
                                      File size:235'008 bytes
                                      MD5 hash:796B784E98008854C27F4B18D287BA30
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:53
                                      Start time:03:27:21
                                      Start date:22/11/2024
                                      Path:C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe"
                                      Imagebase:0x930000
                                      File size:764'889'088 bytes
                                      MD5 hash:8737317BC2D5452B3E7403F57A663093
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true
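
The records above show the same persistence chain repeated every few seconds: cmd.exe wrapping schtasks /create with a task name that imitates a software update, a /tr target dropped under the user's AppData, /RL HIGHEST so the task runs with the highest privileges available, and a separate schtasks /Run that fires the "Inkscape Upgrade" task. The following triage script is an added example and not part of the Joe Sandbox report or its tooling. It parses process records in the Key:Value layout used on this page and flags two things a responder would want pulled out of a long listing: task creation whose target sits in a user-writable profile path (with the schedule, run level and task name extracted), and executables launched from the profile whose reported size is far above that of a normal utility. The sample text is constructed to mirror four of the records above; the 100 MB size threshold and the AppData-based "user-writable" heuristic are assumptions.

```python
"""Triage helper for sandbox process listings in the Key:Value layout above.

Added example (not Joe Sandbox code). Parses blank-line separated records,
then flags schtasks persistence and oversized binaries in the user profile.
"""
import re

# Constructed sample in the report's own layout (four abridged records).
SAMPLE = r"""Target ID:40
Start time:03:27:14
Start date:22/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
File size:289'792 bytes
Has elevated privileges:true

Target ID:44
Start time:03:27:14
Start date:22/11/2024
Path:C:\Windows\System32\schtasks.exe
Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
File size:235'008 bytes
Has elevated privileges:true

Target ID:52
Start time:03:27:19
Start date:22/11/2024
Path:C:\Windows\System32\schtasks.exe
Commandline:scHTaSks /Run /I /TN "Inkscape Upgrade"
File size:235'008 bytes
Has elevated privileges:false

Target ID:53
Start time:03:27:21
Start date:22/11/2024
Path:C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe
Commandline:"C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe"
File size:764'889'088 bytes
Has elevated privileges:true
"""

# Assumed heuristic: anything under a user's AppData is writable without admin rights.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
SCHTASKS = re.compile(r"\bschtasks(?:\.exe)?\b", re.IGNORECASE)


def parse_records(text):
    """Split the listing into blank-line separated records of key -> value."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            line = line.strip()
            if ":" not in line:
                continue
            key, value = line.split(":", 1)  # first colon only; values contain "C:\"
            rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def file_size_bytes(rec):
    """The report prints sizes like 764'889'088 bytes; strip the separators."""
    m = re.search(r"[\d']+", rec.get("File size", ""))
    return int(m.group(0).replace("'", "")) if m else 0


def _opt(cmd, name):
    """Value of a /name option, quoted or bare, matched case-insensitively."""
    m = re.search(r'/%s\s+(?:"([^"]*)"|(\S+))' % re.escape(name), cmd, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def find_schtasks_persistence(records):
    """Flag /create pointing into a user-writable path, and any /Run of a named task.

    Both the cmd.exe wrapper and its schtasks.exe child carry the command line,
    so a single creation shows up once per process that ran it.
    """
    findings = []
    for rec in records:
        cmd = rec.get("Commandline", "")
        if not SCHTASKS.search(cmd):
            continue
        if re.search(r"/create\b", cmd, re.IGNORECASE):
            target = _opt(cmd, "tr") or ""
            if USER_WRITABLE.search(target):
                findings.append({
                    "target_id": rec.get("Target ID"),
                    "kind": "create",
                    "task": _opt(cmd, "tn"),
                    "target": target,
                    "highest": (_opt(cmd, "rl") or "").upper() == "HIGHEST",
                    "schedule": (_opt(cmd, "sc"), _opt(cmd, "mo")),
                })
        elif re.search(r"/run\b", cmd, re.IGNORECASE):
            findings.append({"target_id": rec.get("Target ID"), "kind": "run",
                             "task": _opt(cmd, "tn")})
    return findings


def find_oversized_user_binaries(records, threshold=100 * 1024 * 1024):
    """Executables run from the user profile above an assumed size threshold."""
    return [(rec.get("Target ID"), rec.get("Path"), file_size_bytes(rec))
            for rec in records
            if USER_WRITABLE.search(rec.get("Path", "")) and file_size_bytes(rec) > threshold]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for finding in find_schtasks_persistence(recs):
        print(finding)
    for entry in find_oversized_user_binaries(recs):
        print(entry)
```

Run against the full listing, the script collapses the dozens of near-identical cmd.exe / schtasks.exe / conhost.exe triplets into a handful of findings keyed by task name and target path, which is what an analyst needs to write the host-level check (task "QuickBooks Upgrade", binary under AppData\Local, highest run level) and the hunt for the oversized dropped binaries.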

                                      Target ID:54
                                      Start time:03:27:20
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
                                      Imagebase:0x7ff69b590000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:55
                                      Start time:03:27:20
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7e0fa0000
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:56
                                      Start time:03:27:20
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
                                      Imagebase:0x7ff793de0000
                                      File size:235'008 bytes
                                      MD5 hash:796B784E98008854C27F4B18D287BA30
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:57
                                      Start time:03:27:22
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
                                      Imagebase:0x7ff69b590000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:58
                                      Start time:03:27:22
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7e0fa0000
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:59
                                      Start time:03:27:22
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
                                      Imagebase:0x7ff793de0000
                                      File size:235'008 bytes
                                      MD5 hash:796B784E98008854C27F4B18D287BA30
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:60
                                      Start time:03:27:23
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
                                      Imagebase:0x7ff69b590000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:61
                                      Start time:03:27:23
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7e0fa0000
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:62
                                      Start time:03:27:23
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
                                      Imagebase:0x7ff793de0000
                                      File size:235'008 bytes
                                      MD5 hash:796B784E98008854C27F4B18D287BA30
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:63
                                      Start time:03:27:25
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
                                      Imagebase:0x7ff69b590000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:64
                                      Start time:03:27:25
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7e0fa0000
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:65
                                      Start time:03:27:25
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
                                      Imagebase:0x7ff793de0000
                                      File size:235'008 bytes
                                      MD5 hash:796B784E98008854C27F4B18D287BA30
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:66
                                      Start time:03:27:27
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
                                      Imagebase:0x7ff69b590000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:67
                                      Start time:03:27:27
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7e0fa0000
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:68
                                      Start time:03:27:27
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
                                      Imagebase:0x7ff793de0000
                                      File size:235'008 bytes
                                      MD5 hash:796B784E98008854C27F4B18D287BA30
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:69
                                      Start time:03:27:30
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
                                      Imagebase:0x7ff69b590000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:70
                                      Start time:03:27:30
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7e0fa0000
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:71
                                      Start time:03:27:30
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
                                      Imagebase:0x7ff793de0000
                                      File size:235'008 bytes
                                      MD5 hash:796B784E98008854C27F4B18D287BA30
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:72
                                      Start time:03:27:33
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
                                      Imagebase:0x7ff69b590000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:73
                                      Start time:03:27:33
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7e0fa0000
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:74
                                      Start time:03:27:33
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
                                      Imagebase:0x7ff793de0000
                                      File size:235'008 bytes
                                      MD5 hash:796B784E98008854C27F4B18D287BA30
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:75
                                      Start time:03:27:36
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
                                      Imagebase:0x7ff69b590000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:76
                                      Start time:03:27:36
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7e0fa0000
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:77
                                      Start time:03:27:36
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
                                      Imagebase:0x7ff793de0000
                                      File size:235'008 bytes
                                      MD5 hash:796B784E98008854C27F4B18D287BA30
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:78
                                      Start time:03:27:39
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
                                      Imagebase:0x7ff69b590000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:79
                                      Start time:03:27:39
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7e0fa0000
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:80
                                      Start time:03:27:39
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
                                      Imagebase:0x7ff793de0000
                                      File size:235'008 bytes
                                      MD5 hash:796B784E98008854C27F4B18D287BA30
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:81
                                      Start time:03:27:42
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
                                      Imagebase:0x7ff69b590000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:82
                                      Start time:03:27:42
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7e0fa0000
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:83
                                      Start time:03:27:42
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
                                      Imagebase:0x7ff793de0000
                                      File size:235'008 bytes
                                      MD5 hash:796B784E98008854C27F4B18D287BA30
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:84
                                      Start time:03:27:46
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
                                      Imagebase:0x7ff69b590000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:85
                                      Start time:03:27:46
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7e0fa0000
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:86
                                      Start time:03:27:46
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
                                      Imagebase:0x7ff793de0000
                                      File size:235'008 bytes
                                      MD5 hash:796B784E98008854C27F4B18D287BA30
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:87
                                      Start time:03:27:49
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
                                      Imagebase:0x7ff799ea0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:88
                                      Start time:03:27:49
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7e0fa0000
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:89
                                      Start time:03:27:49
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
                                      Imagebase:0x7ff793de0000
                                      File size:235'008 bytes
                                      MD5 hash:796B784E98008854C27F4B18D287BA30
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:90
                                      Start time:03:27:52
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
                                      Imagebase:0x7ff69b590000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:91
                                      Start time:03:27:52
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7e0fa0000
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:92
                                      Start time:03:27:52
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
                                      Imagebase:0x7ff793de0000
                                      File size:235'008 bytes
                                      MD5 hash:796B784E98008854C27F4B18D287BA30
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:93
                                      Start time:03:27:55
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
                                      Imagebase:0x7ff69b590000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:94
                                      Start time:03:27:55
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7e0fa0000
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:95
                                      Start time:03:27:55
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
                                      Imagebase:0x7ff793de0000
                                      File size:235'008 bytes
                                      MD5 hash:796B784E98008854C27F4B18D287BA30
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:96
                                      Start time:03:27:58
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
                                      Imagebase:0x7ff69b590000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:97
                                      Start time:03:27:58
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7e0fa0000
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:98
                                      Start time:03:27:58
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
                                      Imagebase:0x7ff793de0000
                                      File size:235'008 bytes
                                      MD5 hash:796B784E98008854C27F4B18D287BA30
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:99
                                      Start time:03:28:01
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
                                      Imagebase:0x7ff69b590000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:100
                                      Start time:03:28:01
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7e0fa0000
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:101
                                      Start time:03:28:02
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST
                                      Imagebase:0x7ff793de0000
                                      File size:235'008 bytes
                                      MD5 hash:796B784E98008854C27F4B18D287BA30
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:102
                                      Start time:03:28:05
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" /tr "C:\Users\user\AppData\Local\xdwdMicrosoft Paint.exe" /RL HIGHEST & exit
                                      Imagebase:0x7ff69b590000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:103
                                      Start time:03:28:05
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7e0fa0000
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:113
                                      Start time:03:28:11
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\Conhost.exe
                                      Wow64 process (32bit):
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:
                                      Has administrator privileges:
                                      Programmed in:C, C++ or other language
                                      Has exited:false

                                      Target ID:128
                                      Start time:03:28:20
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\Conhost.exe
                                      Wow64 process (32bit):
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:
                                      Has administrator privileges:
                                      Programmed in:C, C++ or other language
                                      Has exited:false

                                      Target ID:133
                                      Start time:03:28:24
                                      Start date:22/11/2024
                                      Path:C:\Windows\System32\Conhost.exe
                                      Wow64 process (32bit):
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:
                                      Has administrator privileges:
                                      Programmed in:C, C++ or other language
                                      Has exited:false

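The cmd.exe / schtasks.exe / conhost.exe triplets above repeat every three seconds with one command line: a force-overwriting (/f) task named "QuickBooks Upgrade" that runs a binary from the user's AppData\Local at highest available privileges, issued through a case-mangled "SchTaSKs" token. The /mo -1 modifier lies outside the 1-1439 range schtasks documents for /sc minute, which is the most likely reason the sample keeps re-issuing the command (the report shows the attempts, not their exit codes, so treat that as an inference). The following script is an added example, not Joe Sandbox output or SheetRat code: it parses those process command lines, lists the indicators a hunter would key on, and groups the repeated attempts into a burst. The record layout, the thresholds and the benign Adobe record are constructed assumptions; the malicious command lines and start times are copied from the process list above.

```python
"""Triage schtasks.exe persistence from process-creation records (added example)."""
import re
from collections import defaultdict
from datetime import datetime

MINUTE_MO_RANGE = (1, 1439)          # documented /mo range for /sc minute
# Directories a standard user can write to without elevation (assumed list).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
TOKEN = re.compile(r'"[^"]*"|\S+')   # quoted argument or bare word


def _case_mangled(word):
    """True for 'SchTaSKs'-style casing that defeats naive string matching."""
    return word not in (word.lower(), word.upper(), word.capitalize())


def _schtasks_argv(cmd):
    """Return (binary token, argv) for a schtasks call, unwrapping cmd /c ... & exit."""
    toks = [t.strip('"') for t in TOKEN.findall(cmd)]
    for i, t in enumerate(toks):
        if t.lower().split("\\")[-1] in ("schtasks", "schtasks.exe"):
            argv = toks[i + 1:]
            for op in ("&", "&&", "|", "||"):        # stop at cmd chaining operators
                if op in argv:
                    argv = argv[:argv.index(op)]
            return t, argv
    return None, []


def _options(argv):
    """Map lower-cased switches to their values; valueless switches map to ''."""
    opts, i = {}, 0
    while i < len(argv):
        key = argv[i].lower()
        if i + 1 < len(argv) and not argv[i + 1].startswith("/"):
            opts[key], i = argv[i + 1], i + 2
        else:
            opts[key], i = "", i + 1
    return opts


def analyze(cmd):
    """Indicators for a schtasks /create; [] if clean, None if not a schtasks /create."""
    binary, argv = _schtasks_argv(cmd)
    if binary is None:
        return None
    opts = _options(argv)
    if "/create" not in opts:
        return None
    hits, name = [], binary.split("\\")[-1]
    if _case_mangled(name):
        hits.append(f"case-mangled binary name {name!r}")
    if "/f" in opts:
        hits.append("/f silently overwrites an existing task of the same name")
    if opts.get("/rl", "").upper() == "HIGHEST":
        hits.append("/RL HIGHEST requests the highest available token")
    action = opts.get("/tr", "")
    if USER_WRITABLE.search(action):
        hits.append(f"task action in user-writable path {action!r}")
    if opts.get("/sc", "").lower() == "minute" and "/mo" in opts:
        lo, hi = MINUTE_MO_RANGE
        mo = int(opts["/mo"]) if re.fullmatch(r"-?\d+", opts["/mo"]) else None
        if mo is None or not lo <= mo <= hi:
            hits.append(f"/mo {opts['/mo']} outside {lo}-{hi}: schtasks rejects it, expect retries")
    return hits


def bursts(records, min_count=3):
    """Group /create attempts by task name: {name: (count, span_seconds)}."""
    seen = defaultdict(list)
    for ts, cmd in records:                      # records are (HH:MM:SS, command line)
        binary, argv = _schtasks_argv(cmd)
        opts = _options(argv) if binary else {}
        if "/create" in opts and "/tn" in opts:
            seen[opts["/tn"]].append(datetime.strptime(ts, "%H:%M:%S"))
    return {n: (len(t), int((max(t) - min(t)).total_seconds()))
            for n, t in seen.items() if len(t) >= min_count}


# Command lines from the process list above (schtasks.exe and its cmd.exe wrapper).
RAT_SCHTASKS_CMD = ('SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks Upgrade" '
                    '/tr "C:\\Users\\user\\AppData\\Local\\xdwdMicrosoft Paint.exe" /RL HIGHEST')
RAT_CMD_WRAPPED = '"CMD" /c ' + RAT_SCHTASKS_CMD + ' & exit'
# Constructed benign record for contrast (not from the report).
BENIGN_CMD = ('schtasks /create /sc daily /tn "Adobe Acrobat Update Task" '
              '/tr "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe" /st 12:00')
# Start times of the schtasks.exe processes above (Target IDs 74-101), plus noise.
SAMPLE_RECORDS = [(t, RAT_SCHTASKS_CMD) for t in (
    "03:27:33", "03:27:36", "03:27:39", "03:27:42", "03:27:46",
    "03:27:49", "03:27:52", "03:27:55", "03:27:58", "03:28:02")] + [
    ("03:27:40", BENIGN_CMD),
    ("03:27:33", "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1")]

if __name__ == "__main__":
    for hit in analyze(RAT_CMD_WRAPPED):
        print("indicator:", hit)
    print("bursts:", bursts(SAMPLE_RECORDS))
```

Run against the records above it reports five indicators for the SheetRat command line, none for the constructed Adobe task, and a ten-attempt burst for "QuickBooks Upgrade" spanning 29 seconds; the same parser feeds equally well from Sysmon event 1 or 4688 command-line fields, where the conhost entries are noise to skip.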

                                        Execution Graph

                                        Execution Coverage:16.4%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:61.5%
                                        Total number of Nodes:13
                                        Total number of Limit Nodes:1
                                        Execution graph (node/edge dump condensed; three paths, all ending in NtProtectVirtualMemory):
                                        7ffaccd413fd -> 7ffaccd4140f -> 7ffaccd4162a, or -> 7ffaccd41794 NtProtectVirtualMemory -> 7ffaccd417d5
                                        7ffaccd34be0 -> 7ffaccd41410 -> 7ffaccd4162a, or -> 7ffaccd41794 NtProtectVirtualMemory -> 7ffaccd417d5
                                        7ffaccd416b7 -> 7ffaccd416c3 NtProtectVirtualMemory -> 7ffaccd417d5

                                        Control-flow Graph

                                        Control-flow graph of the function starting at 7ffaccd39048 (entry block 7ffaccd39048-7ffaccd39490, basic blocks through 7ffaccd39996). The function calls 7ffaccd34d18, 7ffaccd34d28, 7ffaccd34d38 and 7ffaccd39910; the rendered executed/not-executed colouring and the full node/edge listing are omitted here.
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.165954827100.00007FFACCD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffaccd30000_exe006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: @$@$@
                                        • API String ID: 0-1177533131
                                        • Opcode ID: f02fd881dff85b19feb057c95884a339da83f0cdbcef94a355c2ae4cd64b26c8
                                        • Instruction ID: 3530ea80a806f947b42c815c5e927bcf99c9b67b9638e63c4705566bbc2a0435
                                        • Opcode Fuzzy Hash: f02fd881dff85b19feb057c95884a339da83f0cdbcef94a355c2ae4cd64b26c8
                                        • Instruction Fuzzy Hash: 90026F62E0E6C64FF7A79B2C98292746BB09F57310F1D80BAD44DC72E2E91DD8498352
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.165954827100.00007FFACCD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffaccd30000_exe006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: jq${$L_^
                                        • API String ID: 0-1738612908
                                        • Opcode ID: dd8b6c3773215dc46bcf82f01ade7dc373bc4179cff098864e4b22144c4a16e1
                                        • Instruction ID: 58d615a34133e2f8ad2bf0b303bfc88e75df89e733f9a83f5c2d9e4594bd5d29
                                        • Opcode Fuzzy Hash: dd8b6c3773215dc46bcf82f01ade7dc373bc4179cff098864e4b22144c4a16e1
                                        • Instruction Fuzzy Hash: BFD24060E1D6C30EE75BAB3888661B53FB19F57215F5D85B6C08EC72E3DD1CA80A8352

                                        Control-flow Graph (graph rendering omitted; legend: Executed / Not Executed)
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.165954827100.00007FFACCD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffaccd30000_exe006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ]$uK_H
                                        • API String ID: 0-1352239608
                                        • Opcode ID: 06c3d2c549c38889dba056e028ede75089307bd8ec3bea29986ba9dff5257924
                                        • Instruction ID: e135c6f321aa1cebb242058dd8d00733c1c337b6a1a385a31083e077ebacd185
                                        • Opcode Fuzzy Hash: 06c3d2c549c38889dba056e028ede75089307bd8ec3bea29986ba9dff5257924
                                        • Instruction Fuzzy Hash: 9CF1C261F0CACA5BE7AB9F6C88552B97BE1EF66310F0C41BAD44DC72D2ED18E8458341

                                        Control-flow Graph (graph rendering omitted; legend: Executed / Not Executed; calls NtProtectVirtualMemory)
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.165954827100.00007FFACCD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffaccd30000_exe006.jbxd
                                        Similarity
                                        • API ID: MemoryProtectVirtual
                                        • String ID:
                                        • API String ID: 2706961497-0
                                        • Opcode ID: e0fabd25eebe90aa4ea839d4a0fef171ea6e2defd24984d567c7796e2371f1bb
                                        • Instruction ID: a122750c506e2d30dfb321468b36dd1399d62a8c81c1470c01adf8245e908775
                                        • Opcode Fuzzy Hash: e0fabd25eebe90aa4ea839d4a0fef171ea6e2defd24984d567c7796e2371f1bb
                                        • Instruction Fuzzy Hash: 24D11A72F1C7854FE71ADB6C98466F877E1EB96320F04427ED14DC3293DD28E8468685

                                        Control-flow Graph (graph rendering omitted; legend: Executed / Not Executed; calls NtProtectVirtualMemory)
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.165954827100.00007FFACCD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffaccd30000_exe006.jbxd
                                        Similarity
                                        • API ID: MemoryProtectVirtual
                                        • String ID:
                                        • API String ID: 2706961497-0
                                        • Opcode ID: ebd5a49df5801e241fd55cc12a18e2cb7d53f0fae5bee9ec8083adba59458eab
                                        • Instruction ID: cd557683eb53e6dbb945542389e3a8e433dae2d5e2671b41a0ea9c80b726cb7d
                                        • Opcode Fuzzy Hash: ebd5a49df5801e241fd55cc12a18e2cb7d53f0fae5bee9ec8083adba59458eab
                                        • Instruction Fuzzy Hash: 1A41C97190C7C84FD71A9B689C056E97FF1EB96320F0442AFE089D7293CA74984987D2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.165954827100.00007FFACCD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffaccd30000_exe006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bedf7137360540d79e163210fca3c8e7e5d72f0367d93ea7ca16d9f538a63b17
                                        • Instruction ID: 0e961cc40cff9ffdb5cd2a7d4bab4fd74306c2746f08a5c06695c246624ea8a0
                                        • Opcode Fuzzy Hash: bedf7137360540d79e163210fca3c8e7e5d72f0367d93ea7ca16d9f538a63b17
                                        • Instruction Fuzzy Hash: 1B82C6A1F0C9874AEB5AFB28DC972B93791AF55311F144275E50DC33C3EE1CE80A9686
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.165954827100.00007FFACCD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffaccd30000_exe006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3aa15963bd995415b5829742900c2e5ce1063ad3f977836b0b80b3591b6e593f
                                        • Instruction ID: 49b6454dc367eb8aed8f620142c26bc311b9431250c70c5a57d6ca495248fc97
                                        • Opcode Fuzzy Hash: 3aa15963bd995415b5829742900c2e5ce1063ad3f977836b0b80b3591b6e593f
                                        • Instruction Fuzzy Hash: 3282E961E4D7C60FE7679B2868551B47FB09F97310F1D82BAC48DC72D3DA1DA80A8392

                                        Control-flow Graph (graph rendering omitted; legend: Executed / Not Executed)
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.165954827100.00007FFACCD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffaccd30000_exe006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ad63bb7bd58e98ab82835598c4d2896e9f7c4d71143030fe8942a658b3b0d9d8
                                        • Instruction ID: 40be2eff04712807a4926013b64f188d5888f82cd73b751cdd6bcbc0119db16b
                                        • Opcode Fuzzy Hash: ad63bb7bd58e98ab82835598c4d2896e9f7c4d71143030fe8942a658b3b0d9d8
                                        • Instruction Fuzzy Hash: B842C562E1D6C64AF7276B689C561B43BB0DF13310F1D85BAD08DC72D3ED1CA84A8392
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.165954827100.00007FFACCD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffaccd30000_exe006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e92f20cb389754b238eaee28b60b1ee661ed8d47987cd309838fd332b25964ab
                                        • Instruction ID: e31a9f2cffa14679aa715fcc17201ed608d39f157843fbb3c3bfa6f601c337c9
                                        • Opcode Fuzzy Hash: e92f20cb389754b238eaee28b60b1ee661ed8d47987cd309838fd332b25964ab
                                        • Instruction Fuzzy Hash: 1F328121E0D6CA4FEB579B2898551B47BB0AF57314F4945FAC48DC72E3DE1CE80A8352
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.165954827100.00007FFACCD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffaccd30000_exe006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4a2371d525555263193457c34ff9d5b190b1fc13018310af3f852ba346dd1138
                                        • Instruction ID: 46baaff0107d1544944c20fc52d3bbb1d1bf17a519a4977cff7a038a51fb17cf
                                        • Opcode Fuzzy Hash: 4a2371d525555263193457c34ff9d5b190b1fc13018310af3f852ba346dd1138
                                        • Instruction Fuzzy Hash: C3222E21A0D2C24EEB5B9B2889551757F709F53215F0D85FAC48DCB2E3D91CE85B83A2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.165954827100.00007FFACCD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffaccd30000_exe006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f36b3d42153478a8d5e183f5288e8a893823c4ee76527d0c3feb67533abd8b45
                                        • Instruction ID: 3c6186c31917d01760eec7b17a936c71ac9a70207ba47ec7ae38a4bb51b641b1
                                        • Opcode Fuzzy Hash: f36b3d42153478a8d5e183f5288e8a893823c4ee76527d0c3feb67533abd8b45
                                        • Instruction Fuzzy Hash: BD029F61A0E7C20FE7579B289C552B57BB09F97210F1D85BBD48CC72D3D91CE88A8392
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.165954827100.00007FFACCD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffaccd30000_exe006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9784c6ffa99b9a19814c67f0f8f208c3b9ec853fcb0ebcf110be577ef790e486
                                        • Instruction ID: 46cd0a7e823493dffe919e9e29596fa523c64b4085d698186fc0df5c7817ad12
                                        • Opcode Fuzzy Hash: 9784c6ffa99b9a19814c67f0f8f208c3b9ec853fcb0ebcf110be577ef790e486
                                        • Instruction Fuzzy Hash: CDF1A470A08A8D8FEBA9DF2CC8557E977E1FF55310F04826AE84DC7291DB34D9458B81
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.165954827100.00007FFACCD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffaccd30000_exe006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2e5f8e18231e016262a062377e5c8e45772253f712079873ca3b946772688152
                                        • Instruction ID: 0d90843393af314d5f5da8bd9060bd2ba79a3f242f3824000a0eb70ecdc7fa25
                                        • Opcode Fuzzy Hash: 2e5f8e18231e016262a062377e5c8e45772253f712079873ca3b946772688152
                                        • Instruction Fuzzy Hash: 5AE1B470A08A8E8FEBA9DF28CC557E977E1EB55310F04826ED84DC7291DF74D8858781
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.165954827100.00007FFACCD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffaccd30000_exe006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 330b534a796a31a586d44b4a610ecc530b251444fa76f4677960db4870cc3297
                                        • Instruction ID: c5ca98638f09e68988b1f804fdf1d7389935373410f907a3219a885464b1433f
                                        • Opcode Fuzzy Hash: 330b534a796a31a586d44b4a610ecc530b251444fa76f4677960db4870cc3297
                                        • Instruction Fuzzy Hash: 3EE17331F189AB4EEA96FF6894916BD62E1EF5A304F544578D50ED33C2DE2CFC028681
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.165954827100.00007FFACCD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffaccd30000_exe006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 89c7c369af5deb6ad61c1ffe31f1200afd0f9446802876e68f9744264d659ac0
                                        • Instruction ID: d2e6b579a4eacfdc3c2dfe290c078aecbdbff3dcf30619ed7c99ca0fc38bef69
                                        • Opcode Fuzzy Hash: 89c7c369af5deb6ad61c1ffe31f1200afd0f9446802876e68f9744264d659ac0
                                        • Instruction Fuzzy Hash: DED18531F1D99A4BEB9AEF6894516BD66A1EF5A304F484578D50ED33C2DE2CFC028780
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.165954827100.00007FFACCD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffaccd30000_exe006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6edbfe4f7f677e64c55452e0f79accf12e9a8adad6741fefb1d352538036ce4d
                                        • Instruction ID: 5de42af02283645aecb9cb9200ab94e51d58db640f7efdb0daecf405e0424f79
                                        • Opcode Fuzzy Hash: 6edbfe4f7f677e64c55452e0f79accf12e9a8adad6741fefb1d352538036ce4d
                                        • Instruction Fuzzy Hash: 8DC18431F1D99A4BEB9BEF6894516BDA6A1EF5A304F488578D50ED33C2DD1CFC028680
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.165954827100.00007FFACCD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffaccd30000_exe006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5a6804416bcd9d497eddcfaa236828280e4ca345847084989ac3b285080b5255
                                        • Instruction ID: 18372b9e3dc1df385ba11aa466afc4eae4a330e41bc0ae978fce727d441100b4
                                        • Opcode Fuzzy Hash: 5a6804416bcd9d497eddcfaa236828280e4ca345847084989ac3b285080b5255
                                        • Instruction Fuzzy Hash: A581B121F1D1D349FBAF9B2C8A46075BA709F13315F5D967AC84CC22D2AA1DF81B42A1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.165954827100.00007FFACCD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffaccd30000_exe006.jbxd
                                        Similarity
                                        • API ID:
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.165041147795.00007FFACCD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7ffaccd20000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6cf8a40bcd56f7147427e46fa765944ff506937d48d0611bac75c77613907711
                                        • Instruction ID: 8cb9251685da073ce73a9cd4c653b39b8074e96588a02a7c7dbf1583b921e3eb
                                        • Opcode Fuzzy Hash: 6cf8a40bcd56f7147427e46fa765944ff506937d48d0611bac75c77613907711
                                        • Instruction Fuzzy Hash: 48B1B57160CA8D4FEBA9DF28C8567E93BD1FF55310F04826AE44DC7292DA74D885CB82
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.165041147795.00007FFACCD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7ffaccd20000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 77abda56c95ff3ad5d98a7afaa62e41840ec79c828487887f4221c6b6d3fb4c0
                                        • Instruction ID: e9f20453ae03451eeeccd5087cef5a1f9ebd424ee5dc0690ec1463e6fefedafc
                                        • Opcode Fuzzy Hash: 77abda56c95ff3ad5d98a7afaa62e41840ec79c828487887f4221c6b6d3fb4c0
                                        • Instruction Fuzzy Hash: 11A1B462E0C6D60FE79BAB7888122B97A91DF66311F0585BAD08DC72D3FD1CDC4A4352
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.165041147795.00007FFACCD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7ffaccd20000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: afe6a079d97d265a77926d0c2d63bca5486b1cfeef7728cb361582cdc2dfe460
                                        • Instruction ID: 68efacd75dd2b2fb212ff04402a9f4b369275737f85f64315211660a07d3b27d
                                        • Opcode Fuzzy Hash: afe6a079d97d265a77926d0c2d63bca5486b1cfeef7728cb361582cdc2dfe460
                                        • Instruction Fuzzy Hash: 0991B171F1C9860AE79ABF38D8566B863C2EF99311F1440B9E44DC3287ED28EC478285
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.165041147795.00007FFACCD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7ffaccd20000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5795e757827f9899dc5598a3151fc603d6eaa87650d95065defb76b985965e3f
                                        • Instruction ID: b1be17f60533200a9c8be504c6c9de33da571c61ad382b799435014e8c5f229b
                                        • Opcode Fuzzy Hash: 5795e757827f9899dc5598a3151fc603d6eaa87650d95065defb76b985965e3f
                                        • Instruction Fuzzy Hash: 8E918E71E08A9C8FEB95EF68D845AE9BBF0EF55311F00417AD00DD3292DA35AD86CB41
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.165041147795.00007FFACCD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7ffaccd20000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: af9b9e932940b84afba42f622268ac50756df1564e06bf47cd8613036d297c7f
                                        • Instruction ID: 019b69b04c5d6056c08bbe9ff91703b57845ba11cb19686a18cf8a88fea294e0
                                        • Opcode Fuzzy Hash: af9b9e932940b84afba42f622268ac50756df1564e06bf47cd8613036d297c7f
                                        • Instruction Fuzzy Hash: 7481E670E08A8A5FEBD6EF68C8952B87BE0EF5A315F544079D04ED32D2ED58AC42C740
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.165041147795.00007FFACCD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7ffaccd20000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 360b7bc130b3bee37ab5415c11c37a7f8ce87df08e918210ba17a4b949e4ce25
                                        • Instruction ID: 7da137e75b7f6a030a25201b79705efd9a3a1114aa880839ccabe3f0ac223f01
                                        • Opcode Fuzzy Hash: 360b7bc130b3bee37ab5415c11c37a7f8ce87df08e918210ba17a4b949e4ce25
                                        • Instruction Fuzzy Hash: 988175A2F0C9C786FBA66B74C8551B826919FE6321F554179E04ECB3C7FD2CEC064292
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.165041147795.00007FFACCD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7ffaccd20000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 239bfe748d79571cb0602ba6994b72c8274c1bea4215ff2c0eb9343f257cfb13
                                        • Instruction ID: b324a967b40221d24909cc018691b63844e11b393ec9253bcaf63364a1116401
                                        • Opcode Fuzzy Hash: 239bfe748d79571cb0602ba6994b72c8274c1bea4215ff2c0eb9343f257cfb13
                                        • Instruction Fuzzy Hash: B5719430F19D994FE796EF2C88552B9B6E1EF9A301F4480B9E44DD33D2DD28AC468740
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.165041147795.00007FFACCD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7ffaccd20000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9a9b5ba80b551601586dcf2637efc024da4ae248d14199ec057449e9728bc9a9
                                        • Instruction ID: 8e827b4b4139e8395ab8463963fad0ca53238eedc0b0a9856e44f1c69ae4a943
                                        • Opcode Fuzzy Hash: 9a9b5ba80b551601586dcf2637efc024da4ae248d14199ec057449e9728bc9a9
                                        • Instruction Fuzzy Hash: 0E61C661F0C5970AFBAABB3888163B97581DF6A311F148579E44EC33D7FD18EC4A4282
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.165041147795.00007FFACCD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7ffaccd20000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e901e17f4bc9c0bfba769b82a5ce3f04f7786f0674ad2fef5b2114462743e3b1
                                        • Instruction ID: d264720eecb60da407678a63d9da923c91e4d28e34677aef4b0d6b0a34189947
                                        • Opcode Fuzzy Hash: e901e17f4bc9c0bfba769b82a5ce3f04f7786f0674ad2fef5b2114462743e3b1
                                        • Instruction Fuzzy Hash: D251D762F0D2D60AE7AB5B2868522757791DB97720F0485BFE14DC32D3ED1CDC0B4296
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.165041147795.00007FFACCD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7ffaccd20000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: eb9b45a85eaa789ba461bd5cdc6757ee7b601608e85e222d8f882cb292f4b636
                                        • Instruction ID: 3738de26c314c9f4149d6b58921b220f172a7905ded7183fcd07c08ae1f30244
                                        • Opcode Fuzzy Hash: eb9b45a85eaa789ba461bd5cdc6757ee7b601608e85e222d8f882cb292f4b636
                                        • Instruction Fuzzy Hash: F361B371F08BCA5FE79BAF6888552B977E1EF96310F4440BAD10ED72D2ED68AC418341
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.165041147795.00007FFACCD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7ffaccd20000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ee1b92422232ceb6413863e9076e8090062bc15270a4e00f8af09e671e4b24f6
                                        • Instruction ID: df0e14c3ed591ccff4b298b2368f9a8a3743f9f18212d0c27ba92eae455203d0
                                        • Opcode Fuzzy Hash: ee1b92422232ceb6413863e9076e8090062bc15270a4e00f8af09e671e4b24f6
                                        • Instruction Fuzzy Hash: 0D61AD71E0C6D74AEBE7AB2494A12B96791AF56302F8481B9D44DC37C3EE18FC069281
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.165041147795.00007FFACCD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7ffaccd20000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 42a848b61658f0e93d5dc68b1ffbfe4d5b641eacb1e7d3214d3559149fac23bf
                                        • Instruction ID: eece8ad7a16ea7fd97112fca0167580a5d6db389357eb8cf3b6f7fdf2bb3f48b
                                        • Opcode Fuzzy Hash: 42a848b61658f0e93d5dc68b1ffbfe4d5b641eacb1e7d3214d3559149fac23bf
                                        • Instruction Fuzzy Hash: D5511461A4C6C94FE797AF2498161F5BBE0EF96320B0941FBD04DC76E2E91CDC468391
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.165041147795.00007FFACCD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7ffaccd20000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 559f9b0638ce5f7d1f2147e1a8c91d75d7e56464c2c39fa8a2a505b014f4b408
                                        • Instruction ID: fcbbccd3651d430432b92dd764829d4f2a9d765b8da7155464b5e34c60c385dc
                                        • Opcode Fuzzy Hash: 559f9b0638ce5f7d1f2147e1a8c91d75d7e56464c2c39fa8a2a505b014f4b408
                                        • Instruction Fuzzy Hash: 9561E971F0C5CA4AFBEA9B6868556B8B791EFD6311F14817AD00ED73C2FE18EC054282
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.165041147795.00007FFACCD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7ffaccd20000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 32b12e13ee4ac5a0ec15e7fba27b1227bbb18f53d86d0812c7c253078a464925
                                        • Instruction ID: 4c92854e551477bf1f81a9d2fd5a7f524742e010236d19617ebebf05d7d879c7
                                        • Opcode Fuzzy Hash: 32b12e13ee4ac5a0ec15e7fba27b1227bbb18f53d86d0812c7c253078a464925
                                        • Instruction Fuzzy Hash: 4461B171E08A9C8FEB95EF68D849BE97BF0FB55311F0042ABD04DD3292DA349946CB41
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.165041147795.00007FFACCD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7ffaccd20000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 551020e8e3517a33a2316a59e374f473114cb7dc857407915593af7d1b42a475
                                        • Instruction ID: 2bb480578f1d3bda9af68934eb638a1110c9b9ef2742785739275691676a06e3
                                        • Opcode Fuzzy Hash: 551020e8e3517a33a2316a59e374f473114cb7dc857407915593af7d1b42a475
                                        • Instruction Fuzzy Hash: A861E431E4DADA8FE796DF2888156A977F0EF56310F4880B9D44CD72D2D92CE8478781
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.165041147795.00007FFACCD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7ffaccd20000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c818658e357482138c7a14e06a9c2a7324713f1eb370ff8459feb1f876403ed4
                                        • Instruction ID: 39ff8baa3bf593df02a0db57ba3e90267b1869784fd90116f38c32d1f9943e65
                                        • Opcode Fuzzy Hash: c818658e357482138c7a14e06a9c2a7324713f1eb370ff8459feb1f876403ed4
                                        • Instruction Fuzzy Hash: E65155D1F1C68B46F7863B78541B1FE9A91AF86322BC484B5E04DD76CBEC1CAD021356
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.165041147795.00007FFACCD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7ffaccd20000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4043962585a15f28239573d1372f2c9aec817e166a75c968a537ef9e9ab7e59e
                                        • Instruction ID: db180c43e027d6299b78107f686e735a228a40e7b09c44ebf463e506abcc4c4c
                                        • Opcode Fuzzy Hash: 4043962585a15f28239573d1372f2c9aec817e166a75c968a537ef9e9ab7e59e
                                        • Instruction Fuzzy Hash: A8511472A485894FE796AF2498165F9B7D4EF86320B0941FAE00DC72E2ED1CED42C391
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.165041147795.00007FFACCD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7ffaccd20000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d48c3e4fa121ca04301ae397e5fc3ba4e4ad1d9a64c47bc0ef1324891127cc62
                                        • Instruction ID: 3c3de2d039989501b2b58e8133369cdaf3b6550d643067a0e779af3ec4894032
                                        • Opcode Fuzzy Hash: d48c3e4fa121ca04301ae397e5fc3ba4e4ad1d9a64c47bc0ef1324891127cc62
                                        • Instruction Fuzzy Hash: 62518071908A5C8FDB99DF68D845BE9BBF1FB59310F0082AAD40DD3252DE34AD858BC1
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.165041147795.00007FFACCD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7ffaccd20000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bedfae39c1e7a5594cd945b0fe23ab783905c1a41813e9a1bf8fb2d12da43bda
                                        • Instruction ID: 9145f3340d7c6788580c333c21f8ff1ebaeece182acd5b7568c1b9a5847c86bd
                                        • Opcode Fuzzy Hash: bedfae39c1e7a5594cd945b0fe23ab783905c1a41813e9a1bf8fb2d12da43bda
                                        • Instruction Fuzzy Hash: BC51E671E18A954FE79AAB78C8552B8B7E1EF5A310F4540B9D44DC33D3ED289C428741
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.165041147795.00007FFACCD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7ffaccd20000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e1dbfcd47823d6cc51cd30cd62a13eb2b5dbee0da0830e61f200454a8e3dd8a2
                                        • Instruction ID: 7b21950df4be42ab9571438f703817d530d874824546528886ec2a514e8f74d4
                                        • Opcode Fuzzy Hash: e1dbfcd47823d6cc51cd30cd62a13eb2b5dbee0da0830e61f200454a8e3dd8a2
                                        • Instruction Fuzzy Hash: 0941A271F289594FEB99AF28D4856B9B2D1EF99311F4140B9E40DD33D2EE28EC428741
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.165041147795.00007FFACCD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7ffaccd20000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e3b7e50032049f66e3257acb5783b20559392a914b8bb592f6b03a9af33a2f0c
                                        • Instruction ID: 6bdf4203440d1a407e20cc02f5b2ca3ca521f0d57fbedcc5305a1ae2b5a4f9b7
                                        • Opcode Fuzzy Hash: e3b7e50032049f66e3257acb5783b20559392a914b8bb592f6b03a9af33a2f0c
                                        • Instruction Fuzzy Hash: D7412A71E0C6CD4FFB9A9B68A8516B8BBD1EF96311F04417AC50ED73D2EE289C018281
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.165041147795.00007FFACCD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7ffaccd20000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f59fb5d9b32737fed16e5c29ade5407d51f8d377a1045efad8c9202c4474cf98
                                        • Instruction ID: e4eb001b565193d062b38e926b65dcbd964ced5f67df13efa1f4557b6499edbd
                                        • Opcode Fuzzy Hash: f59fb5d9b32737fed16e5c29ade5407d51f8d377a1045efad8c9202c4474cf98
                                        • Instruction Fuzzy Hash: D031DAA2B0D6D10FE35A5B28A8522757BD1DBDB760F0541BFE18EC32D3EE189C074296
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.165041147795.00007FFACCD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7ffaccd20000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 688c67fdc5694fb006196ad46550c0ae6f0c2967cc1af2f095002aee2d5c8f94
                                        • Instruction ID: 9aed9a540eab47e6b10ba3dd0aa91d029700611869331452126adaf1a4a952f8
                                        • Opcode Fuzzy Hash: 688c67fdc5694fb006196ad46550c0ae6f0c2967cc1af2f095002aee2d5c8f94
                                        • Instruction Fuzzy Hash: 5A31E572E1C99A0EF71A6B6898466B67794DB53360F4800BAE48EC32D3FD5EA8434251
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.165041147795.00007FFACCD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7ffaccd20000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 06a955de12e41df16f54a86e4fb394da3f769b6b43bec6be4de56bd2e63da8b6
                                        • Instruction ID: 37b04a3ed2e42c858145412d57519301bd547379e3de20cff217acd9c566a325
                                        • Opcode Fuzzy Hash: 06a955de12e41df16f54a86e4fb394da3f769b6b43bec6be4de56bd2e63da8b6
                                        • Instruction Fuzzy Hash: B231E363B1CAC50FE396AF2C5CDA1A56BD1EB9A330B548576D44CC72D2EC1DAC868381
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.165041147795.00007FFACCD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7ffaccd20000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1ec5162417a40e74064dfa15a9e357c710eb5a0be98f50f3c9b9b30e0fb6138e
                                        • Instruction ID: ee372b982a829e28cc2e66aa9d497fc94c197d757abf331093ab8138f59a2672
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: db924baf5dd714cb3ff40f6e3a5a6003addad6bbd85a2ddda42f54016499098f
                                        • Instruction ID: 1be7f294ec5494145ee15df6d4a567f24b5488ff3fba479b9a396abd45bbf237
                                        • Opcode Fuzzy Hash: db924baf5dd714cb3ff40f6e3a5a6003addad6bbd85a2ddda42f54016499098f
                                        • Instruction Fuzzy Hash: D8414F51F1D2D36AFBAB5F2848152B63B508F17314F1495FBC98CC72E2E90DF81A4292
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: N_L
                                        • API String ID: 0-3107691720
                                        • Opcode ID: 50fa581f7b10c0290819bb77170af2d1b9bb59e1dd9c40873c3042896298ac32
                                        • Instruction ID: 154651014551a2fe2f0d740078df92b119b01abdc13c2216a96ab4c708c9b025
                                        • Opcode Fuzzy Hash: 50fa581f7b10c0290819bb77170af2d1b9bb59e1dd9c40873c3042896298ac32
                                        • Instruction Fuzzy Hash: 2BB1C5A1F1C9960AF72ABB3C984A2B92281AF56325F544179E44DC33C7EE1CFC4752C6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: N_L
                                        • API String ID: 0-3107691720
                                        • Opcode ID: 6e49f1d58de98cf440672b7569874952cf23c3ef8f3186c80ee8d2f7ea6dad7a
                                        • Instruction ID: 1f70a5c911a5c7b3cedc156279ddc3949825afada618285713bbe9b5a25efbee
                                        • Opcode Fuzzy Hash: 6e49f1d58de98cf440672b7569874952cf23c3ef8f3186c80ee8d2f7ea6dad7a
                                        • Instruction Fuzzy Hash: 639184A1F0CA864BF71ABB7898471B93681AF56321F144179E40DC33C7EE1CF84B9686
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2aa24c7db49702d68b3fb1aee54b7efa3459e761573007f74ac8d6aaf5e9f967
                                        • Instruction ID: bf62a319b433483cb3a693a3a88563b9e1e6d307f9c30d95d6dafe26946e8598
                                        • Opcode Fuzzy Hash: 2aa24c7db49702d68b3fb1aee54b7efa3459e761573007f74ac8d6aaf5e9f967
                                        • Instruction Fuzzy Hash: 4E919221E4E3D64FE7175B7088256A53FB09F57220F0981FBD48DCB2D3E91DA84A8392
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f3a19e7bbc9771a271d210bdf2e6f07ff4564c639f6d4feb0b78e7e442836826
                                        • Instruction ID: aec8c41d6541d7fcb5568aaf7cdb0c8c97c7fcd7d0dd156b2c2331626ddbe5b4
                                        • Opcode Fuzzy Hash: f3a19e7bbc9771a271d210bdf2e6f07ff4564c639f6d4feb0b78e7e442836826
                                        • Instruction Fuzzy Hash: 31029E62E1C6C61FE757AB7C8C552B83BA1AF5A210F0945F7D04CC7297ED2CA84A8352
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 22adde2ab8d35a95e805cc2e1a42a8e1058128ba1698e296b411222a92da5547
                                        • Instruction ID: a26cd56bd668e535393d59a53e8358318fbbf8f0e4b754082098d320471704dc
                                        • Opcode Fuzzy Hash: 22adde2ab8d35a95e805cc2e1a42a8e1058128ba1698e296b411222a92da5547
                                        • Instruction Fuzzy Hash: D4A17471F288871AF7AABB7CCC462B961C2AF99311F5585B6D00DC33C6ED2CE8464395
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd00000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 13989810f0c6cccc600fcf7f4172dcd7b88a05ed0a90411ca5a4d93ba1ae586c
                                        • Instruction ID: f14ceb5607666225982fcc80a895a6e6b1aaa60b3a26590890ad7babfedafc2d
                                        • Opcode Fuzzy Hash: 13989810f0c6cccc600fcf7f4172dcd7b88a05ed0a90411ca5a4d93ba1ae586c
                                        • Instruction Fuzzy Hash: 31B1A570A08A8D4FEB99DF28C8557E93BD1EF55350F04826AE84DC7292CF74D9858B82
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ed9d629dc9cba1036d5cb4b31c468e1f66e0b99aaef73559356be866177524f0
                                        • Instruction ID: 22e65e3f4a3dd7e2a9680edfa0d347729c473f5c5b776cc9b64301b0739399a7
                                        • Opcode Fuzzy Hash: ed9d629dc9cba1036d5cb4b31c468e1f66e0b99aaef73559356be866177524f0
                                        • Instruction Fuzzy Hash: 04A1A361E0C6C61FE75BAB7C88162B93A919F57310F1841BAD44DC72D3ED1CD84A8393
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b586d80536495281279beb3b73a12b248214079a7ea1bf07f4fa50409c3e81f4
                                        • Instruction ID: 33cfc05f97fdb9ac7c65c6afce80672f682b1acb5b779ad649084d9cc4a8df7e
                                        • Opcode Fuzzy Hash: b586d80536495281279beb3b73a12b248214079a7ea1bf07f4fa50409c3e81f4
                                        • Instruction Fuzzy Hash: 31919271F1C98A1BE756BF3CD8562B863C2EF99311F5444B9E44DC3287ED28EC464285
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b974b902a530bd10a6139424dbfd788cae31bd16e48c67007497c03164539db2
                                        • Instruction ID: 5decf700eca541e2996a21640dd4371b150109cae409ae4f52af4e6cf7a1f11f
                                        • Opcode Fuzzy Hash: b974b902a530bd10a6139424dbfd788cae31bd16e48c67007497c03164539db2
                                        • Instruction Fuzzy Hash: EF919E71E08A9C8FEB95EF68D845AEDBBF0EF55310F10417AD00DD3292DA35A986CB41
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a21a5cd16a2a54c70e12692bfe77fc4954d2c83fe60e8671fcc7661f05397e44
                                        • Instruction ID: 094564d9dd360acb56d29c37ff81ea5ff7019880dc683e12427647a8661ac88e
                                        • Opcode Fuzzy Hash: a21a5cd16a2a54c70e12692bfe77fc4954d2c83fe60e8671fcc7661f05397e44
                                        • Instruction Fuzzy Hash: E881F761B0C58B1BEB5BBB7C98062B936C1DF96311F24417AE44DC32D7ED18D85A8393
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0c2eb7625211aa051d9656562f3a1f6e75678d18664dd2b9ede4889823c46b33
                                        • Instruction ID: afbcb8d9c83bbf7ec1e5556040c8b34aac0392e949155c00b099d35b5e481096
                                        • Opcode Fuzzy Hash: 0c2eb7625211aa051d9656562f3a1f6e75678d18664dd2b9ede4889823c46b33
                                        • Instruction Fuzzy Hash: 3981D661B0C6C71AE75BBB7C98162B53AD1DF96310F2841BAE44DC32D7ED18D81A8393
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9e35596471ea5c25e3b33f5dd94e2c3d92fede8ae137b983024d8a170da22a1c
                                        • Instruction ID: a6a8e93f89ba7501774bf9152a8c294c465b4813f8b0200b07d4afb83f684452
                                        • Opcode Fuzzy Hash: 9e35596471ea5c25e3b33f5dd94e2c3d92fede8ae137b983024d8a170da22a1c
                                        • Instruction Fuzzy Hash: 8071C662F0C5972AE76ABF2CD8463F93281DF95321F648179E04DC32D7ED18E84642D2
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 69025fe88a421fc8e59c062113cd30c590fa65cc3204c531bb84989fa9297d78
                                        • Instruction ID: e20933e0a5751e8c7a21c87944ba6381c40b70d9c3d8312328c8df80ae6ec607
                                        • Opcode Fuzzy Hash: 69025fe88a421fc8e59c062113cd30c590fa65cc3204c531bb84989fa9297d78
                                        • Instruction Fuzzy Hash: 6B81C371E1C689AFEB96EF6CC8592B87BE0EF5A315F1440B9D00DD3392DD28A841C741
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd00000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b11e7cc207842f8a75e4b45646dab8b055cd4ea5bbd97c6c72068db1e457057d
                                        • Instruction ID: 91c2c861ba5810f391a974b3ba87087c18ee4ffa8dcbd7d240f2f885380bb622
                                        • Opcode Fuzzy Hash: b11e7cc207842f8a75e4b45646dab8b055cd4ea5bbd97c6c72068db1e457057d
                                        • Instruction Fuzzy Hash: 718185A2F0D9C796FB666B7CC8951B926829FE6311F594179D04FCB3C3DD2CE8064281
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 88feec981ca25e261802f633e505bee86a0397a6b6c08bf4e936f1f92cd5115a
                                        • Instruction ID: 5f6dc99aeda87610358b1327901fc8de1ade28907f682ff85bd30effd9df42b0
                                        • Opcode Fuzzy Hash: 88feec981ca25e261802f633e505bee86a0397a6b6c08bf4e936f1f92cd5115a
                                        • Instruction Fuzzy Hash: 05718331B1999D5FE796FF28C8592B976D2FF9A310F4480B9E40DC3392DD28A8428745
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9a567c05e0f2b941c16e661fbc439b12934b5362461ef66832a71fde7c40c9c2
                                        • Instruction ID: 1fb98c99d57df4460f4b008b786b4b90aa9d4716fb695ae7bd3e8df545254fa2
                                        • Opcode Fuzzy Hash: 9a567c05e0f2b941c16e661fbc439b12934b5362461ef66832a71fde7c40c9c2
                                        • Instruction Fuzzy Hash: 1751F562F0D2C61FE76B5A2C68562B57B91DB97320F2441BFE14DC32C3ED1CA80B4286
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fcb865fcd1f2ff3cff1d513e7ea0907778164562618afe9fa476b2bfc66a158c
                                        • Instruction ID: 706339d9ef0fa6165ad42fb8c0505bc22f0ba612871cf1766637d63c7caff0eb
                                        • Opcode Fuzzy Hash: fcb865fcd1f2ff3cff1d513e7ea0907778164562618afe9fa476b2bfc66a158c
                                        • Instruction Fuzzy Hash: EF61A171F0CB996FE796AF6C88552B877E1EF9A310F4440BAD10DD7293DE28AC418341
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 758746e5061cb3aa94bdfbe1f985aaeba0a6cbfcf5bab16d003cc146fca4a69e
                                        • Instruction ID: f02ce423b7295cf1502e0490898cfbb2cfbb5248d6f86be818c4e703926a72df
                                        • Opcode Fuzzy Hash: 758746e5061cb3aa94bdfbe1f985aaeba0a6cbfcf5bab16d003cc146fca4a69e
                                        • Instruction Fuzzy Hash: 42510062A4C6C96FE356AF2898161F57BE1EF96320B0981FBD40DC72D3DD1CD8468392
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fc788181cb4a023f95a93e465dd25f43c43122d19b3c06c01c97c70f4a58e66d
                                        • Instruction ID: 5df0e6e85b06f203dee5f2b556e4d28e06ed05f80637051d35b0ae6f6ab316fa
                                        • Opcode Fuzzy Hash: fc788181cb4a023f95a93e465dd25f43c43122d19b3c06c01c97c70f4a58e66d
                                        • Instruction Fuzzy Hash: BA61F771F0C5CA5AFB6A9B6CA4566B87791EFD6311F04817ED00ED72C2DE18E8068383
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b383c440c6731098b1083e5114c7b9d9dca7d016f24af91759206bdfc23ab71c
                                        • Instruction ID: 868fa8f25b742a6d2f9db99f1b64017f544b4e4bed9e35bd05e83bd12da85270
                                        • Opcode Fuzzy Hash: b383c440c6731098b1083e5114c7b9d9dca7d016f24af91759206bdfc23ab71c
                                        • Instruction Fuzzy Hash: 0E61C171E08A9C4FDB95EF68D849BE9BBF0FB55310F0042ABD04DD3292DA749946CB41
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 739c2d0fed6fc985043e8cb66ec3e7e9b25c902d8f5fcfc75ff229adc8df6a89
                                        • Instruction ID: f07aae0694f775d967f5fe1d40b786bb49a369eb284e44a78013104fdc42592c
                                        • Opcode Fuzzy Hash: 739c2d0fed6fc985043e8cb66ec3e7e9b25c902d8f5fcfc75ff229adc8df6a89
                                        • Instruction Fuzzy Hash: C7619E61E0C6EB6AEBA7AB2C94952B96791BF56301F44817DE48DC37C3DE1CE8058281
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c194f28a1a77eb1e453002271fe314d046e5bc4eecee3be2d0b02fece5181147
                                        • Instruction ID: 017b17211a0977fa66d4bc615b556e6abefc9fed678f82cd5e7d9fbdf9882420
                                        • Opcode Fuzzy Hash: c194f28a1a77eb1e453002271fe314d046e5bc4eecee3be2d0b02fece5181147
                                        • Instruction Fuzzy Hash: 8361F371E4D6DA4FE796EF68C8166B937E0EF47320F4580B6D04CC7292DA2CE8469781
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ba57f0f330ab8f38423d6c6a2c6c063e1b9419c9bc2414dd9919397e1bc396aa
                                        • Instruction ID: c61a97e503bc5f200e0ee7d03317791708480bc66ca073388b7bd17cf9c41fb1
                                        • Opcode Fuzzy Hash: ba57f0f330ab8f38423d6c6a2c6c063e1b9419c9bc2414dd9919397e1bc396aa
                                        • Instruction Fuzzy Hash: C4518371B189899FE796FF2C889527972D2EF9A311B54847AE40DC33D2DD28EC828344
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fadc3c909ae345787825ecf48e19a20bf881723343f16e709e3506e34c2dddca
                                        • Instruction ID: 599105658ce67fea3c075c2f409d0c2eaa800f05ea3aa5d56b37979a997b74fe
                                        • Opcode Fuzzy Hash: fadc3c909ae345787825ecf48e19a20bf881723343f16e709e3506e34c2dddca
                                        • Instruction Fuzzy Hash: 5F512272E485896FE356AF2898165F577E4EF46320B1841FBE40CC7292DD2CE9438392
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd00000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 40482c243a999c9a1a796c3a6507603296775d458fa84963aff2e434096bdf93
                                        • Instruction ID: b611e68567a420de0a77e64e2ef54bc8239962579488ad642f751be91ca74935
                                        • Opcode Fuzzy Hash: 40482c243a999c9a1a796c3a6507603296775d458fa84963aff2e434096bdf93
                                        • Instruction Fuzzy Hash: 12516F81F1C79B26F746377C641B1FD5A95AF82322BC084B9E04DDB68BDC2CAD020396
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd00000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8a682858f546784ceb2282d0c4013b5bbcd3d298a34f16546053f4d5c5a71e78
                                        • Instruction ID: 537462c2c52878614b65d6d06cdb4e88fd681ede7ef66856a2b2e2202403ff6b
                                        • Opcode Fuzzy Hash: 8a682858f546784ceb2282d0c4013b5bbcd3d298a34f16546053f4d5c5a71e78
                                        • Instruction Fuzzy Hash: 7F518F71908A5C8FDB59DF68D845BE9BBF1FB59310F0082AAD00DE3252DE34A9858FC1
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f59c9dcd95c2764396138be4ddd5dae1e387d7800b20feef3f8c7fea10ada144
                                        • Instruction ID: 8d475e41b1360246925bd0d7f42a5dcacb6f72ec11c748ea3441913462bd4225
                                        • Opcode Fuzzy Hash: f59c9dcd95c2764396138be4ddd5dae1e387d7800b20feef3f8c7fea10ada144
                                        • Instruction Fuzzy Hash: AD51E431F1CA995FE75AAB7CD8852B8B7A1EF9A311F4440BAD44DC32D3DD289C428741
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ef3aa9c1c31f6fc8be4f00ccd852ea60b9ba83d85814c9eb6affe028fc87123d
                                        • Instruction ID: b7406a04a098961053447b50b7cd7fccddaa757bc5f941fe3e2cc8a23204aa4a
                                        • Opcode Fuzzy Hash: ef3aa9c1c31f6fc8be4f00ccd852ea60b9ba83d85814c9eb6affe028fc87123d
                                        • Instruction Fuzzy Hash: 95410571E0CACD5FFB5A9B6CA8526B87BD1EF96311F04417AD50ED72D2DE2898018382
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 57195a7e0f06e40809c00aa0146703eef6b9f3ceaa3730a6336556eaa77dda0b
                                        • Instruction ID: 7cde66e021a764d0e3ecaba78c805a35236c2815ae38bfd5c11161d7f7f9a86d
                                        • Opcode Fuzzy Hash: 57195a7e0f06e40809c00aa0146703eef6b9f3ceaa3730a6336556eaa77dda0b
                                        • Instruction Fuzzy Hash: A141F7A2B0C6C51FE35A5A2CA8662B57BD1DBDB360F1441BFE18EC32D3DD189C074286
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd00000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1dbbec337f3f4245bfb020732c17d439a5c75c3c73f1aa67e69c70f23afc125a
                                        • Instruction ID: 791d911d13272b07e05c01c3042ea1a102c6366f287eedb1be2b21e4f6ed8e39
                                        • Opcode Fuzzy Hash: 1dbbec337f3f4245bfb020732c17d439a5c75c3c73f1aa67e69c70f23afc125a
                                        • Instruction Fuzzy Hash: F3412352B1CAC51FE352AF3C9CDA2B56BD1EB9A320F1485B6D54CC72D2CC1DA8868381
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 275936d6f6d580fa6370cabd09912b622e4db03393b49cba79702804407ab004
                                        • Instruction ID: e89f4eefc8b12e5cc3840167b01c2ba87f594deb483e465aa70cca797f475360
                                        • Opcode Fuzzy Hash: 275936d6f6d580fa6370cabd09912b622e4db03393b49cba79702804407ab004
                                        • Instruction Fuzzy Hash: DB41F231A0CACD5FEB46AF6C88655F97BE1EF9A310B0541FBE40DC7292DE28D8458341
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 234242d1b3382a9eaf3f0026071a4de2606eb58f3ce7abc38052674c1fc7ed12
                                        • Instruction ID: ecec50e3e8550a70145771c10e5a155c350365879e46445b088a6c151800ca13
                                        • Opcode Fuzzy Hash: 234242d1b3382a9eaf3f0026071a4de2606eb58f3ce7abc38052674c1fc7ed12
                                        • Instruction Fuzzy Hash: 2241D131E0D6CA6FEB539F6888562B87BB0EF6A315F1440F7E04CD7292DA18E8498351
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 86436303475f590105664bcbf3f5e80c56d6762c27d347ea7fc5bf706dd1fd3d
                                        • Instruction ID: fb64da0ef7f4f408db0b3589d5dbe46f467cfd23fc988a6d78653a92b3437315
                                        • Opcode Fuzzy Hash: 86436303475f590105664bcbf3f5e80c56d6762c27d347ea7fc5bf706dd1fd3d
                                        • Instruction Fuzzy Hash: 1821C3B2B0C9451BE36D6A6CA8562B976C5EBCE760F14427FF14EC3383DD14A80301CA
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1f65655c4db2c0f982507e62fc7059b9e209320fdf4c3157dd4af3fc639424d3
                                        • Instruction ID: 36384f00f44e885feef5cd7ca405044c89b5526e4fed493df746e3c58bc4a7f2
                                        • Opcode Fuzzy Hash: 1f65655c4db2c0f982507e62fc7059b9e209320fdf4c3157dd4af3fc639424d3
                                        • Instruction Fuzzy Hash: BC31D031F0C58A5AEB66EFAC98562FC77A0EF69314F1440B7D00CD3381DE28E84A8785
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2e2fbd9a9c42a47e8d4376a89ae91240afe74507c084b8be616c7532b4f497fc
                                        • Instruction ID: 20699c03d8afbd445f3e6439cdb1a10c8cf742c3e1de6e77ad87b270287ee9e7
                                        • Opcode Fuzzy Hash: 2e2fbd9a9c42a47e8d4376a89ae91240afe74507c084b8be616c7532b4f497fc
                                        • Instruction Fuzzy Hash: A631D26294F7C56FE3579B7848794657FB0AF2721070E44EBC089CB5E3D90D680AC3A6
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8f85e22904b76c8dee4d50e09cfe085408248c896ec4a9b86d1c293a7d7d81a5
                                        • Instruction ID: c95228a7c7075382daf7c1eb53473de6b473a4d68cd2d0d6f04d5ebd5c031ae2
                                        • Opcode Fuzzy Hash: 8f85e22904b76c8dee4d50e09cfe085408248c896ec4a9b86d1c293a7d7d81a5
                                        • Instruction Fuzzy Hash: F7312371F1884DAFEA86FF6C94956BD76E1FF89311B504076D40ED3392CD28E8418746
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: acdce9675fe8be45680048024d0fffa4aa305720190975d1819dcf4ea48b8fce
                                        • Instruction ID: b3703171be4013d189037f5e98e332c5c76d6c083a014fd9d5568828213bde89
                                        • Opcode Fuzzy Hash: acdce9675fe8be45680048024d0fffa4aa305720190975d1819dcf4ea48b8fce
                                        • Instruction Fuzzy Hash: BC21F51198E3D65FD3131BB08C249967FB49E87220B0E41EBD0DACB5E3C55D589BC7A2
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6749f243191047ac34d0c1588b70faeb45386aac8fa3f70f2203b2bc2f9398e9
                                        • Instruction ID: a7643ff03759a4eaa3d022ab049daea9911cb5aaabc38e0cbc5f5e55be308fe3
                                        • Opcode Fuzzy Hash: 6749f243191047ac34d0c1588b70faeb45386aac8fa3f70f2203b2bc2f9398e9
                                        • Instruction Fuzzy Hash: 821184B290D3C62EE7176A759C166B53FA8CF13170F1801FFD089C6193F559A45B8362
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ef5cfc26574f45c8204b15c1c29d703303917d624e234f0b3b975e85d302e05e
                                        • Instruction ID: 606630ccc0d01cf5669ebe043dced9f92556a59618cdc35963b8982dfd889c80
                                        • Opcode Fuzzy Hash: ef5cfc26574f45c8204b15c1c29d703303917d624e234f0b3b975e85d302e05e
                                        • Instruction Fuzzy Hash: 62217C20F1D2D34EFB6B9B2488067763B615F13325F1495BAD04CC76E2AA1DF41A8296
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3224470c424e72811867f52ead987ebff3768de4ee4b70bde8b05be43cd36d29
                                        • Instruction ID: 56dedccc4c50db01fe58f2f13f02517569b0b1464ee046f461a658f68dbf9c29
                                        • Opcode Fuzzy Hash: 3224470c424e72811867f52ead987ebff3768de4ee4b70bde8b05be43cd36d29
                                        • Instruction Fuzzy Hash: 56118E62F1D1C726EBAB9B3C59192757A808F57345F3495BED58C832C3E90DE80A8293
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: aca140c6648d424f1df28d2be37851e7b4378c915dc153bb6ca0dc96c0fdbcaa
                                        • Instruction ID: 6e6ae43b28f8f3feb971b049574975ff8ced661988adfbad57862ce9ae525d9f
                                        • Opcode Fuzzy Hash: aca140c6648d424f1df28d2be37851e7b4378c915dc153bb6ca0dc96c0fdbcaa
                                        • Instruction Fuzzy Hash: 62F04C31E0DADD8FEB459B956C156E47BE0FF4E358F060179E00CC32C1DA699882C781
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 699e5d583f88f32fa31a74d2c44b4371045fd5d3b023fe7913392b1541ccb11c
                                        • Instruction ID: 5f88448e96024119614c124b1f12f9d5e0c4c5b45d0f25a3d8067d92a860bf43
                                        • Opcode Fuzzy Hash: 699e5d583f88f32fa31a74d2c44b4371045fd5d3b023fe7913392b1541ccb11c
                                        • Instruction Fuzzy Hash: D7F0593364998C5BDB10AE9AAC444E97BB8FB89339F050277E00CC3280D665959AC350
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0b4cf77f09eeaf4e039f49558c68d52d37832b8b63941711f083fae81397e3fb
                                        • Instruction ID: 5af2408d012ff8f41c135a2213cbb10dd34d28bfe8a40826593f313a5df32264
                                        • Opcode Fuzzy Hash: 0b4cf77f09eeaf4e039f49558c68d52d37832b8b63941711f083fae81397e3fb
                                        • Instruction Fuzzy Hash: 89E0683190CB8C4BDF41AF9DA805AB97BA0FB9A308F0000AAE00CC3180C2208541C380
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 147d12fd006984214c949f12a0b75c4d3a0e3bc6756edaca7976965d1323e797
                                        • Instruction ID: ae28d3dc271d048c2baffec88ad9581d479fac0866fd2f22e6e3eee85b3f37f0
                                        • Opcode Fuzzy Hash: 147d12fd006984214c949f12a0b75c4d3a0e3bc6756edaca7976965d1323e797
                                        • Instruction Fuzzy Hash: 95E0D892B6885A15A356B77C5CC72FD7381DB99111B4054B5D44DD1386EC1864C3429B
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD0A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd0a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bdb431def1fafe7228dd3c5c31383b97f20b36c31250cc3133a34889ac85a53f
                                        • Instruction ID: 336817f32f4b81a53fa4f78fbc9b7888f437df5612fee54922f574daaaba8ee3
                                        • Opcode Fuzzy Hash: bdb431def1fafe7228dd3c5c31383b97f20b36c31250cc3133a34889ac85a53f
                                        • Instruction Fuzzy Hash: 0BE0203194CA8C8FCB45BBA698556D53B94FF4D308F010059D00CC3141D765D596C7C1
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd00000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5684d4dc42c32943ac28ca0ccfca66a3c37c349b99193dd89adc92f965fc49c0
                                        • Instruction ID: 549a9b9080d263c490d4f5605653302dc4ca93fc9274d200e93a9267fa62dfbb
                                        • Opcode Fuzzy Hash: 5684d4dc42c32943ac28ca0ccfca66a3c37c349b99193dd89adc92f965fc49c0
                                        • Instruction Fuzzy Hash:
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.165118564240.00007FFACCD00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_7ffaccd00000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: c;$!k;$"s;$#{;
                                        • API String ID: 0-1310196493
                                        • Opcode ID: cb314e450b79b4137e5507ee82133f0730e508c9decea8e7975f90288c959765
                                        • Instruction ID: 0e36da546598a911330ea11b7aa689a01710bf0a3cbc93160ce0df7b93fb0620
                                        • Opcode Fuzzy Hash: cb314e450b79b4137e5507ee82133f0730e508c9decea8e7975f90288c959765
                                        • Instruction Fuzzy Hash: A9D05E5F734C2B024604671FB0511D85344E7C40733908D73E641DE28252506CDFC2F0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000001A.00000002.165076344134.00007FFACCD00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_26_2_7ffaccd00000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: @$@$@
                                        • API String ID: 0-1177533131
                                        • Opcode ID: 5e9b8e8c4ba1d616591ff79f40034e3ead909fde354854b717de27ddeebccc14
                                        • Instruction ID: 6487f618ec3c71f74bffd8e14b4318efdef8b0b639708f8472fef59dbe55faea
                                        • Opcode Fuzzy Hash: 5e9b8e8c4ba1d616591ff79f40034e3ead909fde354854b717de27ddeebccc14
                                        • Instruction Fuzzy Hash: B0029372E0D7C66FF7A79B2D58292746BA0AF57311F1980BAD04CC72E3E91DD8098352
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000001A.00000002.165076344134.00007FFACCD00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_26_2_7ffaccd00000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: jq
                                        • API String ID: 0-3102666281
                                        • Opcode ID: 90d92c6bdd6f7ffa1c9866d28423b4402375d7cabb48f0f6da4d985d16d4c815
                                        • Instruction ID: 7f61e6c4607d9781e4fde5c60b4433fe08550863d05ff576ea7732deaef05538
                                        • Opcode Fuzzy Hash: 90d92c6bdd6f7ffa1c9866d28423b4402375d7cabb48f0f6da4d985d16d4c815
                                        • Instruction Fuzzy Hash: 00D2A460E1E7C61EE757AB3888A61B93FA19F57305F4455BAC08EC72D3DD1CE80A8352
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000001A.00000002.165076344134.00007FFACCD00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_26_2_7ffaccd00000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: @$@
                                        • API String ID: 0-149943524
                                        • Opcode ID: 459d2b7fd547537a4fa792eaf6f288ab2bf07576e6a3cb56de82ad584dc27f7a
                                        • Instruction ID: 27254bcb1bfbeafcf3b334eec1306e1b1dd8ffef905319c0b1b8be2ec9ebc52b
                                        • Opcode Fuzzy Hash: 459d2b7fd547537a4fa792eaf6f288ab2bf07576e6a3cb56de82ad584dc27f7a
                                        • Instruction Fuzzy Hash: B4B17351E0D7C67FE7579B3898666B53F609F17214F0845FAD48DCB2E3E90CA8098392
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000001A.00000002.165076344134.00007FFACCD00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_26_2_7ffaccd00000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: uN_H
                                        • API String ID: 0-1116055361
                                        • Opcode ID: 6cd5d396cd7ffcd07ee9596135db21862038c58764e2280ceed65e690a6f5a5f
                                        • Instruction ID: 355ea393613b5ced4fed938eb0957cabf5bd8b59c590eacb4d20132672a15b7f
                                        • Opcode Fuzzy Hash: 6cd5d396cd7ffcd07ee9596135db21862038c58764e2280ceed65e690a6f5a5f
                                        • Instruction Fuzzy Hash: B9C1C471B0CACA6FE796EF6C88552B97BD1EF56300F4441BBD04DC7292ED28E8458391
                                        Memory Dump Source
                                        • Source File: 0000001A.00000002.165076344134.00007FFACCD00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_26_2_7ffaccd00000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0f5bce5a570cfd15b82bf10ac03dcc22e38b7a47266329960d75f747dc756afc
                                        • Instruction ID: 41a27b8a218abdc3e9177a5b66ea777cc9309cc80a92ac6960354bf57113776c
                                        • Opcode Fuzzy Hash: 0f5bce5a570cfd15b82bf10ac03dcc22e38b7a47266329960d75f747dc756afc
                                        • Instruction Fuzzy Hash: 0B82E921E0D7C61FE7679B28A8551B97BA0EF97310F5981BAD44DC72D3DA0CD80A8393
                                        Memory Dump Source
                                        • Source File: 0000001A.00000002.165076344134.00007FFACCD00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_26_2_7ffaccd00000_xdwdInkscape.jbxd
                                        • Instruction Fuzzy Hash: D6412251A8E7D65FD3135BB81D380987FB09E83120B0A44EBD0E9CB1E3D58D588AC7A3
                                        Memory Dump Source
                                        • Source File: 0000001A.00000002.165076344134.00007FFACCD00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_26_2_7ffaccd00000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 884a34b7d2d02e939e1c135dff2acbdc94adc3d604486797a2cff75d6b8ce1da
                                        • Instruction ID: 9c9afc98bd03dfd2a8bb4cc7110e37d277869cb7b939d5229c5ff0f4e6d5aef7
                                        • Opcode Fuzzy Hash: 884a34b7d2d02e939e1c135dff2acbdc94adc3d604486797a2cff75d6b8ce1da
                                        • Instruction Fuzzy Hash: B341E131E0D6CA6FEB539F6C98952B93BB0EF2A315F1440F7E00CD7292DA18E8498351
                                        Memory Dump Source
                                        • Source File: 0000001A.00000002.165076344134.00007FFACCD00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_26_2_7ffaccd00000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1681a102552ff44264736997ce35f9035b87f501896388e8850834612f6cfe4f
                                        • Instruction ID: 09a838fe28c95c7d0406ebc217b3470e6d6c6ce45cfb660a4e00251b07d1b5b8
                                        • Opcode Fuzzy Hash: 1681a102552ff44264736997ce35f9035b87f501896388e8850834612f6cfe4f
                                        • Instruction Fuzzy Hash: 4531D231F0C58A5AEB66EF6C98962FC77A0EF69314F4441B7D40DD3381DE28E8898781
                                        Memory Dump Source
                                        • Source File: 0000001A.00000002.165076344134.00007FFACCD00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_26_2_7ffaccd00000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a9e4591303d38fc7230b9b1d85174856aa210e8151af3392f00f8b57eae727be
                                        • Instruction ID: f373ff7e1b5691816729f044d328ff81e313b0d9b456888ef29677ea335ad9b0
                                        • Opcode Fuzzy Hash: a9e4591303d38fc7230b9b1d85174856aa210e8151af3392f00f8b57eae727be
                                        • Instruction Fuzzy Hash: 7A31F26290E7C56FE3579B7848794657FB09E2721170E44EFC489CB2E3D90D5809C3A6
                                        Memory Dump Source
                                        • Source File: 0000001A.00000002.165076344134.00007FFACCD00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_26_2_7ffaccd00000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 542474bdfcaba9d2ae61242de48f09819ef674f49e0fd2fb665ad00929581ad2
                                        • Instruction ID: b4799cac986922f0339254583e0a5a17aa2e900b641c357c56ccb765f4a8bd8e
                                        • Opcode Fuzzy Hash: 542474bdfcaba9d2ae61242de48f09819ef674f49e0fd2fb665ad00929581ad2
                                        • Instruction Fuzzy Hash: 2F312370F18849AFEA86FF6C94956BCB6E1FF89311B904476D00ED3392CD28E8418742
                                        Memory Dump Source
                                        • Source File: 0000001A.00000002.165076344134.00007FFACCD00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_26_2_7ffaccd00000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4c1546e7c7109693e93594bdf4fcc0c9e0580a9536a95a360e68ca5053ed03a4
                                        • Instruction ID: 6243aa9b616c3c0cda3a6f7948eb3883360971400be66737778ff101154540e0
                                        • Opcode Fuzzy Hash: 4c1546e7c7109693e93594bdf4fcc0c9e0580a9536a95a360e68ca5053ed03a4
                                        • Instruction Fuzzy Hash: 2921F332F1DD9A2BE79B6B7C68696B826C1DFD6250F58847AE40DC23C6DD0DEC424381
                                        Memory Dump Source
                                        • Source File: 0000001A.00000002.165076344134.00007FFACCD00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_26_2_7ffaccd00000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 54d06a1bbafda17068095c914dd7806040ee1d6767efedc8efc5cad6c1067a81
                                        • Instruction ID: 1b0e2c46f30e81da1ed01f8c09439e536a1bc0e8c76ed3f3d3f0cbba66cf00b1
                                        • Opcode Fuzzy Hash: 54d06a1bbafda17068095c914dd7806040ee1d6767efedc8efc5cad6c1067a81
                                        • Instruction Fuzzy Hash: 7821F422F2889769F6AA7F7CD88567C5192AFAA360F45C876D04DC33C6DD3CF8814261
                                        Memory Dump Source
                                        • Source File: 0000001A.00000002.165076344134.00007FFACCD00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_26_2_7ffaccd00000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8bee7026017748c32d806d06af2f2796bd7f7453dc64d6370800d7484040b0a3
                                        • Instruction ID: 73640124e4170fe64912b196ec349495e6b92364d71810f5d97e937044bb73fe
                                        • Opcode Fuzzy Hash: 8bee7026017748c32d806d06af2f2796bd7f7453dc64d6370800d7484040b0a3
                                        • Instruction Fuzzy Hash: A1F0593260D98C5BDB10AE9EAC444D97BB4FB89338F050277E00CC3280D6659596C340
                                        Memory Dump Source
                                        • Source File: 0000001A.00000002.165076344134.00007FFACCD00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_26_2_7ffaccd00000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 46ba0b3d201925f4f50168cca33d2543ce2ca3e127028db3454628dcf52ffe6b
                                        • Instruction ID: cc6aad0bc1e363b42395caa2ec77052a0130ef26dd6faf179a613b2d590cd27e
                                        • Opcode Fuzzy Hash: 46ba0b3d201925f4f50168cca33d2543ce2ca3e127028db3454628dcf52ffe6b
                                        • Instruction Fuzzy Hash: 45E0D83191CB8D5BDF41AF5DA805AA97BA0FB5A308F4101AAE44CC3195D6649541C381
                                        Memory Dump Source
                                        • Source File: 0000001A.00000002.165076344134.00007FFACCD00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_26_2_7ffaccd00000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 27d5386bdaf3c4785ede382c458b75e9859c95d0ee10f6e43d92aa14607e46b8
                                        • Instruction ID: d565b746fcaca312f4a30adcfe1fa9c2fb65ac1dc12c511c6e6bd0fd569705aa
                                        • Opcode Fuzzy Hash: 27d5386bdaf3c4785ede382c458b75e9859c95d0ee10f6e43d92aa14607e46b8
                                        • Instruction Fuzzy Hash: A8D017B4D5885F15EB0ABFB0C8816FCAAE0EF58220F58807C800CD3556CE6C618AA740
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000001A.00000002.165076344134.00007FFACCD00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_26_2_7ffaccd00000_xdwdInkscape.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: c;$!k;$"s;$#{;
                                        • API String ID: 0-1310196493
                                        • Opcode ID: cb314e450b79b4137e5507ee82133f0730e508c9decea8e7975f90288c959765
                                        • Instruction ID: 0e36da546598a911330ea11b7aa689a01710bf0a3cbc93160ce0df7b93fb0620
                                        • Opcode Fuzzy Hash: cb314e450b79b4137e5507ee82133f0730e508c9decea8e7975f90288c959765
                                        • Instruction Fuzzy Hash: A9D05E5F734C2B024604671FB0511D85344E7C40733908D73E641DE28252506CDFC2F0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.165103677139.00007FFACCD2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD2A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffaccd2a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: H$uL_H
                                        • API String ID: 0-114101333
                                        • Opcode ID: 4218f8e524d8270740ed9330a8deb28bb3af58254f39816801dbb734c077b957
                                        • Instruction ID: 6abd4da727dbd6affb90b77dec95178340ad57fcf802db54710228b60697f8c7
                                        • Opcode Fuzzy Hash: 4218f8e524d8270740ed9330a8deb28bb3af58254f39816801dbb734c077b957
                                        • Instruction Fuzzy Hash: 48C1D271B0CACA4EE7ABAF2888552B977D1EF96300F4541BAD04DC72D2ED68EC458391
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.165103677139.00007FFACCD2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD2A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffaccd2a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fbf794c2f307d4be1de91045b001249bf7edb59984f086786e3a67a06d6a3e58
                                        • Instruction ID: ed525c202f4579936a07c0a2cc1df94fddcbe7c00bd5281dd79dd975256b309b
                                        • Opcode Fuzzy Hash: fbf794c2f307d4be1de91045b001249bf7edb59984f086786e3a67a06d6a3e58
                                        • Instruction Fuzzy Hash: F2A14172F188870AF7AABB78C8462B961C2AB99315F5585B5D00DC33C6FD2CEC468395
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.165103677139.00007FFACCD2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD2A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffaccd2a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fbe0fe02171d986f3d1a3761fe51f75dde83cdf072e587fbfeb797f96ed726c5
                                        • Instruction ID: 03268089af7a8a688fc5faadf45342c4eb8a3c8e7a8e8c788c4093520a805d33
                                        • Opcode Fuzzy Hash: fbe0fe02171d986f3d1a3761fe51f75dde83cdf072e587fbfeb797f96ed726c5
                                        • Instruction Fuzzy Hash: B5919E71E08A9C8FEB95EF68D845AE9BBF0EF55310F00417AD00DD3292DA35AD86CB41
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.165103677139.00007FFACCD2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD2A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffaccd2a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 364bd2827daa73d25f148efe4794fb977d8daab136281bad175e3ed224e8fd2a
                                        • Instruction ID: 55e328a87f2d14438e277ba958227bddce8d1697f663b00d4cae3a111b1d70e0
                                        • Opcode Fuzzy Hash: 364bd2827daa73d25f148efe4794fb977d8daab136281bad175e3ed224e8fd2a
                                        • Instruction Fuzzy Hash: 2371A862F0C5570AE7AABF6CD8066F97281DFA5311F148579D04DC23D7FD19EC064292
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.165103677139.00007FFACCD2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD2A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffaccd2a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7f22477682cc43e6e0e3069d0205a50d4975c449e0df409c0444f57e8cebf7a5
                                        • Instruction ID: 28a39e825960b98feab0bb7f8e0dac5a8af747100babc3f24ee7de24e78b14d3
                                        • Opcode Fuzzy Hash: 7f22477682cc43e6e0e3069d0205a50d4975c449e0df409c0444f57e8cebf7a5
                                        • Instruction Fuzzy Hash: 5061E971F0C5CA4AFBEA9B6868556B8B791EFD6311F14817AD00ED73C2FE18EC054282
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.165103677139.00007FFACCD2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD2A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffaccd2a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9ce4bbcff671ac151590720df20d11f5a71f48204a2f1fbb34c6426b704281d9
                                        • Instruction ID: 6b203cb117dd8a6243638b6672ad15572983a597185e06ece181f4426ffb053b
                                        • Opcode Fuzzy Hash: 9ce4bbcff671ac151590720df20d11f5a71f48204a2f1fbb34c6426b704281d9
                                        • Instruction Fuzzy Hash: 96510472A485894FE796AF2498165F5B7D0EF86320F1941FAE00DC76E2ED1CED42C391
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.165103677139.00007FFACCD2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD2A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffaccd2a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e20a3d921933d234d8b2332e5736acd2f5585982ff274e02233bfb7a412e84ef
                                        • Instruction ID: f1db6ecf7eebfcf2f857db5cbfff011811e3ca77dd196eabfe410da1ac149bb7
                                        • Opcode Fuzzy Hash: e20a3d921933d234d8b2332e5736acd2f5585982ff274e02233bfb7a412e84ef
                                        • Instruction Fuzzy Hash: 0041C331A0CA8D4FEB96AF6888655F97BE1EF9A310B0541FBE44DC7292ED28DC45C341
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.165103677139.00007FFACCD2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD2A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffaccd2a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c24c3cab5c71e5c4667bc246e4dd1e2eb085d36bae87b0054dea5f7e956bd4c6
                                        • Instruction ID: 5769b1b3a5549849637da6699c7a7f01e5610e629b9153dfd17c569d5ad87c6d
                                        • Opcode Fuzzy Hash: c24c3cab5c71e5c4667bc246e4dd1e2eb085d36bae87b0054dea5f7e956bd4c6
                                        • Instruction Fuzzy Hash: A931166290E7C66FE3979B7448794617FB0AE1711170E44EBC48ACB2E3E94D5C09D3A2
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.165103677139.00007FFACCD2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD2A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffaccd2a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dc9cec079f52fb8f7970752f3cadef1107580d6169ba311998c1fa4bd5897aa7
                                        • Instruction ID: ca144f8838a4289415cdbedb9f5080377eee18b904acbbf138f196a0acd2de9d
                                        • Opcode Fuzzy Hash: dc9cec079f52fb8f7970752f3cadef1107580d6169ba311998c1fa4bd5897aa7
                                        • Instruction Fuzzy Hash: 321196A190D3C61EE7176A349C166B57FA8CF03170F1801FFD089C61D3F559A45B8362
                                        Memory Dump Source
                                        • Source File: 00000024.00000002.165103677139.00007FFACCD2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFACCD2A000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_36_2_7ffaccd2a000_xdwdMicrosoft Paint.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ff3223787981b5f06077ac42bc75485ff16e3a11eb3fc93dee61952455c251c4
                                        • Instruction ID: bc0590e2a5d538b5f0fb24ab6ef93eee0f59cf6057b109cff2b1010ce7cbda87
                                        • Opcode Fuzzy Hash: ff3223787981b5f06077ac42bc75485ff16e3a11eb3fc93dee61952455c251c4
                                        • Instruction Fuzzy Hash: 81117962F1D1E706FBEB9B3858161757A808F57305F1499BAD48C822C3F909EC1A4293