Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
evilnominatuscrypto

Overview

General Information

Sample Name:evilnominatuscrypto (renamed file extension from none to exe)
Analysis ID:572441
MD5:7cdf50ee4f3d0febc70dd36298ed07da
SHA1:0170c2deae4486a43894c202ea92d43556218e1c
SHA256:69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef
Tags:evilnominatuscryptoexefilecodermsilransomwarescreenlocker
Infos:

Detection

Voidcrypt
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Yara detected Voidcrypt Ransomware
Sigma detected: Copying Sensitive Files with Credential Data
Creates files in the recycle bin to hide itself
Obfuscated command line found
Deletes shadow drive data (may be related to ransomware)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Sample file is different than original file name gathered from version info
Deletes files inside the Windows folder
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Abnormal high CPU Usage
Enables debug privileges

Classification

Process Tree

  • System is w10x64
  • evilnominatuscrypto.exe (PID: 6516 cmdline: "C:\Users\user\Desktop\evilnominatuscrypto.exe" MD5: 7CDF50EE4F3D0FEBC70DD36298ED07DA)
    • cmd.exe (PID: 6832 cmdline: "C:\Windows\System32\cmd.exe" /C echo ^[autorun^] >autorun.inf MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6956 cmdline: "C:\Windows\System32\cmd.exe" /C echo ^open^=KasperskyScan^.exe >>autorun.inf MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 7004 cmdline: "C:\Windows\System32\cmd.exe" /C echo ^execute=^KasperskyScan^.exe >>autorun.inf MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 7016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 7052 cmdline: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && wmic shadowcopy delete MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • vssadmin.exe (PID: 7092 cmdline: vssadmin delete shadows /all /quiet MD5: 7E30B94672107D3381A1D175CF18C147)
  • OpenWith.exe (PID: 5772 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: D179D03728E95E040A889F760C1FC402)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
evilnominatuscrypto.exeDestructive_Ransomware_Gen1Detects destructive malwareFlorian Roth
  • 0x492a:$x2: delete shadows /all /quiet

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.880899143.0000000002421000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_VoidcryptYara detected Voidcrypt RansomwareJoe Security
    Process Memory Space: evilnominatuscrypto.exe PID: 6516JoeSecurity_VoidcryptYara detected Voidcrypt RansomwareJoe Security

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      1.2.evilnominatuscrypto.exe.170000.0.unpackDestructive_Ransomware_Gen1Detects destructive malwareFlorian Roth
      • 0x492a:$x2: delete shadows /all /quiet
      1.0.evilnominatuscrypto.exe.170000.0.unpackDestructive_Ransomware_Gen1Detects destructive malwareFlorian Roth
      • 0x492a:$x2: delete shadows /all /quiet

      Sigma Signatures

      System Summary

      barindex
      Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
      Source: Process startedAuthor: Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades): Data: Command: vssadmin delete shadows /all /quiet , CommandLine: vssadmin delete shadows /all /quiet , CommandLine|base64offset|contains: vh, Image: C:\Windows\SysWOW64\vssadmin.exe, NewProcessName: C:\Windows\SysWOW64\vssadmin.exe, OriginalFileName: C:\Windows\SysWOW64\vssadmin.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && wmic shadowcopy delete, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7052, ProcessCommandLine: vssadmin delete shadows /all /quiet , ProcessId: 7092
      Sigma detected: Copying Sensitive Files with Credential Data
      Source: Process startedAuthor: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community: Data: Command: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && wmic shadowcopy delete, CommandLine: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && wmic shadowcopy delete, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\evilnominatuscrypto.exe" , ParentImage: C:\Users\user\Desktop\evilnominatuscrypto.exe, ParentProcessId: 6516, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && wmic shadowcopy delete, ProcessId: 7052
      Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\cmd.exe" /C echo ^[autorun^] >autorun.inf, CommandLine: "C:\Windows\System32\cmd.exe" /C echo ^[autorun^] >autorun.inf, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\evilnominatuscrypto.exe" , ParentImage: C:\Users\user\Desktop\evilnominatuscrypto.exe, ParentProcessId: 6516, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C echo ^[autorun^] >autorun.inf, ProcessId: 6832

      Joe Sandbox Signatures

      Click to jump to signature section

      Show All Signature Results

      AV Detection

      barindex
      Multi AV Scanner detection for submitted file
      Source: evilnominatuscrypto.exeVirustotal: Detection: 51%Perma Link
      Source: evilnominatuscrypto.exeMetadefender: Detection: 29%Perma Link
      Source: evilnominatuscrypto.exeReversingLabs: Detection: 44%
      Source: evilnominatuscrypto.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: evilnominatuscrypto.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
      Source: Binary string: d:\again\SharpDevelop Projects\RInjector\TRS\obj\Debug\EvilNominatusCrypto.pdb source: evilnominatuscrypto.exe, evilnominatuscrypto.exe, 00000001.00000000.344369361.0000000000172000.00000002.00000001.01000000.00000003.sdmp
      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppDataJump to behavior
      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\MicrosoftJump to behavior
      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\userJump to behavior
      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Windows\ExplorerJump to behavior
      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Microsoft\WindowsJump to behavior
      Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
      Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
      Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
      Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
      Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
      Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
      Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
      Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
      Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
      Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
      Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
      Source: evilnominatuscrypto.exe, 00000001.00000002.892448776.0000000005380000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comld
      Source: evilnominatuscrypto.exe, 00000001.00000002.892448776.0000000005380000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comm
      Source: evilnominatuscrypto.exe, 00000001.00000002.892448776.0000000005380000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comv
      Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
      Source: evilnominatuscrypto.exe, 00000001.00000003.358287424.000000000539A000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
      Source: evilnominatuscrypto.exe, 00000001.00000003.358651789.000000000539A000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000003.358113326.0000000005395000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000003.357784973.0000000005395000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000003.357597980.0000000005392000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000003.358231059.0000000005396000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000003.358287424.000000000539A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn-%
      Source: evilnominatuscrypto.exe, 00000001.00000003.358113326.0000000005395000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000003.357784973.0000000005395000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000003.357597980.0000000005392000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/_$
      Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
      Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
      Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
      Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
      Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
      Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
      Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
      Source: evilnominatuscrypto.exe, 00000001.00000003.361520866.000000000538D000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
      Source: evilnominatuscrypto.exe, 00000001.00000003.356657263.0000000005394000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
      Source: evilnominatuscrypto.exe, 00000001.00000003.356657263.0000000005394000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.krim
      Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
      Source: evilnominatuscrypto.exe, 00000001.00000003.358343551.00000000053B5000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000003.358456672.00000000053B6000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000003.358185463.00000000053B5000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000003.358058935.00000000053B6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com8
      Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
      Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
      Source: evilnominatuscrypto.exe, 00000001.00000003.358651789.000000000539A000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
      Source: evilnominatuscrypto.exe, 00000001.00000003.358651789.000000000539A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cnva

      Spam, unwanted Advertisements and Ransom Demands

      barindex
      Yara detected Voidcrypt Ransomware
      Source: Yara matchFile source: 00000001.00000002.880899143.0000000002421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: evilnominatuscrypto.exe PID: 6516, type: MEMORYSTR
      Deletes shadow drive data (may be related to ransomware)
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && wmic shadowcopy delete
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\vssadmin.exe vssadmin delete shadows /all /quiet
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && wmic shadowcopy deleteJump to behavior
      Source: evilnominatuscrypto.exeBinary or memory string: vssadmin delete shadows /all /quiet && wmic shadowcopy delete
      Source: evilnominatuscrypto.exe, 00000001.00000002.893504133.0000000007120000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && wmic shadowcopy delete
      Source: evilnominatuscrypto.exe, 00000001.00000000.344369361.0000000000172000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: autorun.inf{vssadmin delete shadows /all /quiet && wmic shadowcopy deletegLoading please wait.... don't turn on the antivirus
      Source: evilnominatuscrypto.exe, 00000001.00000002.879977207.0000000000680000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && wmic shadowcopy deleteSC:\Windows\System32\cmd.exeWinsta0\DefaultLLU=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Inputs\CurrentVersion\Policies\ExplorerommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=4OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program File\\REGISTRY\MACHINE\Software\WOW6432N\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Inputrogram Filesc
      Source: evilnominatuscrypto.exe, 00000001.00000002.880899143.0000000002421000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: m=vssadmin delete shadows /all /quiet && wmic shadowcopy delete
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\vssadmin.exe vssadmin delete shadows /all /quiet Jump to behavior
      Source: cmd.exe, 0000000B.00000002.398098474.0000000002E50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && wmic shadowcopy deleteC:\Windows\System32\cmd.exeWinsta0\Default:
      Source: cmd.exe, 0000000B.00000002.398098474.0000000002E50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\vssadmin.exexevssadmin delete shadows /all /quiet ffvssadmin delete shadows /all /quiet Winsta0\DefaultROF=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommon\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySideierss\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=4OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x\Regi\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\Modules;C:\g

      System Summary

      barindex
      Malicious sample detected (through community Yara rule)
      Source: evilnominatuscrypto.exe, type: SAMPLEMatched rule: Detects destructive malware Author: Florian Roth
      Source: 1.2.evilnominatuscrypto.exe.170000.0.unpack, type: UNPACKEDPEMatched rule: Detects destructive malware Author: Florian Roth
      Source: 1.0.evilnominatuscrypto.exe.170000.0.unpack, type: UNPACKEDPEMatched rule: Detects destructive malware Author: Florian Roth
      Source: evilnominatuscrypto.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: evilnominatuscrypto.exe, type: SAMPLEMatched rule: Destructive_Ransomware_Gen1 date = 2018-02-12, hash1 = ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85, author = Florian Roth, description = Detects destructive malware, reference = http://blog.talosintelligence.com/2018/02/olympic-destroyer.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 1.2.evilnominatuscrypto.exe.170000.0.unpack, type: UNPACKEDPEMatched rule: Destructive_Ransomware_Gen1 date = 2018-02-12, hash1 = ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85, author = Florian Roth, description = Detects destructive malware, reference = http://blog.talosintelligence.com/2018/02/olympic-destroyer.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 1.0.evilnominatuscrypto.exe.170000.0.unpack, type: UNPACKEDPEMatched rule: Destructive_Ransomware_Gen1 date = 2018-02-12, hash1 = ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85, author = Florian Roth, description = Detects destructive malware, reference = http://blog.talosintelligence.com/2018/02/olympic-destroyer.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: evilnominatuscrypto.exe, 00000001.00000002.880899143.0000000002421000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs evilnominatuscrypto.exe
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile deleted: C:\Windows\crx\getPagesSource.js.bakJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeCode function: 1_2_023D38801_2_023D3880
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeCode function: 1_2_023D69EA1_2_023D69EA
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeCode function: 1_2_023D707D1_2_023D707D
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeCode function: 1_2_023DD07C1_2_023DD07C
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeCode function: 1_2_023D712A1_2_023D712A
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeCode function: 1_2_069720111_2_06972011
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess Stats: CPU usage > 98%
      Source: evilnominatuscrypto.exeVirustotal: Detection: 51%
      Source: evilnominatuscrypto.exeMetadefender: Detection: 29%
      Source: evilnominatuscrypto.exeReversingLabs: Detection: 44%
      Source: evilnominatuscrypto.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\evilnominatuscrypto.exe "C:\Users\user\Desktop\evilnominatuscrypto.exe"
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C echo ^[autorun^] >autorun.inf
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C echo ^open^=KasperskyScan^.exe >>autorun.inf
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C echo ^execute=^KasperskyScan^.exe >>autorun.inf
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && wmic shadowcopy delete
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\vssadmin.exe vssadmin delete shadows /all /quiet
      Source: unknownProcess created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C echo ^[autorun^] >autorun.infJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C echo ^open^=KasperskyScan^.exe >>autorun.infJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C echo ^execute=^KasperskyScan^.exe >>autorun.infJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && wmic shadowcopy deleteJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\vssadmin.exe vssadmin delete shadows /all /quiet Jump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6968:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7016:120:WilError_01
      Source: C:\Windows\System32\OpenWith.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5772:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6912:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7060:120:WilError_01
      Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\Desktop\autorun.infJump to behavior
      Source: classification engineClassification label: mal88.rans.evad.winEXE@16/4@0/0
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
      Source: evilnominatuscrypto.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: evilnominatuscrypto.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
      Source: evilnominatuscrypto.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: d:\again\SharpDevelop Projects\RInjector\TRS\obj\Debug\EvilNominatusCrypto.pdb source: evilnominatuscrypto.exe, evilnominatuscrypto.exe, 00000001.00000000.344369361.0000000000172000.00000002.00000001.01000000.00000003.sdmp

      Data Obfuscation

      barindex
      Obfuscated command line found
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C echo ^[autorun^] >autorun.inf
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C echo ^open^=KasperskyScan^.exe >>autorun.inf
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C echo ^execute=^KasperskyScan^.exe >>autorun.inf
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C echo ^[autorun^] >autorun.infJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C echo ^open^=KasperskyScan^.exe >>autorun.infJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C echo ^execute=^KasperskyScan^.exe >>autorun.infJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Access 2016.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Acrobat Reader DC.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Excel 2016.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Google Chrome.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\OneDrive for Business.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\OneNote 2016.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Outlook 2016.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\PowerPoint 2016.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Publisher 2016.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Word 2016.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\Desktop.ini-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\desktop.ini-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Paint.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Wordpad.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Examples.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\About Java.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Check For Updates.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Configure Java.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Get Help.url-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Visit Java.com.url-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\desktop.ini-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Desktop.ini-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\01 - File Explorer.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\03 - Documents.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\04 - Downloads.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\05 - Music.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\06 - Pictures.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\07 - Videos.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\08 - Homegroup.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\09 - Network.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\10 - UserProfile.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\desktop.ini-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Immersive Control Panel.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Skype for Business 2016.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\Speech Recognition.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Math Input Panel.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Quick Assist.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Snipping Tool.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Steps Recorder.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Windows Fax and Scan.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Windows Media Player.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\Character Map.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\desktop.ini-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Component Services.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\dfrgui.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Disk Cleanup.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Event Viewer.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\iSCSI Initiator.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Print Management.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\RecoveryDrive.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Resource Monitor.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\services.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\System Information.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Task Scheduler.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\AutoIt Help File.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\AutoIt Window Info (x64).lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\AutoIt Window Info (x86).lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Check For Updates.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Compile Script to .exe (x64).lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Compile Script to .exe (x86).lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Run Script (x64).lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Run Script (x86).lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\SciTE Script Editor.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\AutoIt v3 Website.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\Browse Extras.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\desktop.ini-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Task Manager.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Computer Management.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Memory Diagnostics Tool.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\ODBC Data Sources (32-bit).lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\ODBC Data Sources (64-bit).lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Performance Monitor.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Security Configuration Management.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\System Configuration.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\AutoItX\AutoItX Help File.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\AutoItX\VBScript Examples.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\Database Compare 2016.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\Office 2016 Upload Center.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\Spreadsheet Compare 2016.lnk-LockedJump to behavior

      Hooking and other Techniques for Hiding and Protection

      barindex
      Creates files in the recycle bin to hide itself
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\$Recycle.Bin\S-1-5-18\desktop.ini-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppDataJump to behavior
      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\MicrosoftJump to behavior
      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\userJump to behavior
      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Windows\ExplorerJump to behavior
      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Microsoft\WindowsJump to behavior
      Source: evilnominatuscrypto.exe, 00000001.00000003.687785447.000000000F077000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: mxC:\\Windows\WinSxS\amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.17134.1_none_e636218254eba71f\vfpext.sys
      Source: evilnominatuscrypto.exe, 00000001.00000003.684484684.000000000DF4E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: m\wow64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.17134.1_none_c77057abb7bb
      Source: evilnominatuscrypto.exe, 00000001.00000003.687785447.000000000F077000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: mpC:\Windows\WinSxS\amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.17134.1_none_e636218254eba71f\*.*
      Source: evilnominatuscrypto.exe, 00000001.00000003.687785447.000000000F077000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: myC:\\Windows\WinSxS\amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.17134.1_none_e636218254eba71f\vfpctrl.exe
      Source: evilnominatuscrypto.exe, 00000001.00000003.687785447.000000000F077000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: mxC:\\Windows\WinSxS\amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.17134.1_none_e636218254eba71f\vfpapi.dll
      Source: evilnominatuscrypto.exe, 00000001.00000003.684484684.000000000DF4E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: mnC:\Windows\WinSxS\wow64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.17134.1_none_c77057abb7bb80d3
      Source: evilnominatuscrypto.exe, 00000001.00000003.687785447.000000000F077000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: mnC:\Windows\WinSxS\amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.17134.1_none_e636218254eba71f\.
      Source: evilnominatuscrypto.exe, 00000001.00000003.684484684.000000000DF4E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: moC:\\Windows\WinSxS\wow64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.17134.1_none_c77057abb7bb80d3P#
      Source: evilnominatuscrypto.exe, 00000001.00000003.687785447.000000000F077000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: mnC:\Windows\WinSxS\amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.17134.1_none_e636218254eba71f\*
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeMemory allocated: page read and write | page guardJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C echo ^[autorun^] >autorun.infJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C echo ^open^=KasperskyScan^.exe >>autorun.infJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C echo ^execute=^KasperskyScan^.exe >>autorun.infJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && wmic shadowcopy deleteJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\vssadmin.exe vssadmin delete shadows /all /quiet Jump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Users\user\Desktop\evilnominatuscrypto.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
      Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformationJump to behavior
      Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
      Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformationJump to behavior
      Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
      Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformationJump to behavior
      Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformationJump to behavior
      Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11712.1001.23.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.scale-200.png VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

      Mitre Att&ck Matrix

      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid Accounts1
      Command and Scripting Interpreter      		1
      Registry Run Keys / Startup Folder      		11
      Process Injection      		1
      Masquerading      		OS Credential Dumping1
      Query Registry      		Remote Services1
      Archive Collected Data      		Exfiltration Over Other Network Medium1
      Encrypted Channel      		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
      Registry Run Keys / Startup Folder      		1
      Disable or Modify Tools      		LSASS Memory1
      Security Software Discovery      		Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)11
      Process Injection      		Security Account Manager2
      File and Directory Discovery      		SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
      Deobfuscate/Decode Files or Information      		NTDS12
      System Information Discovery      		Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
      Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
      Hidden Files and Directories      		LSA SecretsRemote System DiscoverySSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
      Replication Through Removable MediaLaunchdRc.commonRc.common11
      File Deletion      		Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
      behaviorgraph top1 signatures2 2 Behavior Graph ID: 572441 Sample: evilnominatuscrypto Startdate: 15/02/2022 Architecture: WINDOWS Score: 88 31 Malicious sample detected (through community Yara rule) 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 Yara detected Voidcrypt Ransomware 2->35 37 3 other signatures 2->37 7 evilnominatuscrypto.exe 502 2->7         started        10 OpenWith.exe 27 17 2->10         started        process3 signatures4 39 Obfuscated command line found 7->39 41 Creates files in the recycle bin to hide itself 7->41 43 Deletes shadow drive data (may be related to ransomware) 7->43 12 cmd.exe 1 7->12         started        15 cmd.exe 2 7->15         started        17 cmd.exe 1 7->17         started        19 cmd.exe 1 7->19         started        process5 signatures6 45 Deletes shadow drive data (may be related to ransomware) 12->45 21 conhost.exe 12->21         started        23 vssadmin.exe 1 12->23         started        25 conhost.exe 15->25         started        27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        process7

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      evilnominatuscrypto.exe51%VirustotalBrowse
      evilnominatuscrypto.exe29%MetadefenderBrowse
      evilnominatuscrypto.exe44%ReversingLabsByteCode-MSIL.Ransomware.WannaCry

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      SourceDetectionScannerLabelLink
      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
      http://www.tiro.com80%Avira URL Cloudsafe
      http://www.tiro.com0%URL Reputationsafe
      http://www.goodfont.co.kr0%URL Reputationsafe
      http://www.carterandcone.coml0%URL Reputationsafe
      http://www.sajatypeworks.com0%URL Reputationsafe
      http://www.typography.netD0%URL Reputationsafe
      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
      http://fontfabrik.com0%URL Reputationsafe
      http://www.founder.com.cn/cn0%URL Reputationsafe
      http://www.zhongyicts.com.cnva0%URL Reputationsafe
      http://www.fontbureau.comld0%URL Reputationsafe
      http://www.fontbureau.comm0%URL Reputationsafe
      http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
      http://www.sandoll.co.krim0%URL Reputationsafe
      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
      http://www.fontbureau.comv0%URL Reputationsafe
      http://www.founder.com.cn/cn-%0%Avira URL Cloudsafe
      http://www.founder.com.cn/cn/_$0%Avira URL Cloudsafe
      http://www.sandoll.co.kr0%URL Reputationsafe
      http://www.urwpp.deDPlease0%URL Reputationsafe
      http://www.zhongyicts.com.cn0%URL Reputationsafe
      http://www.sakkal.com0%URL Reputationsafe

      Domains and IPs

      Contacted Domains

      No contacted domains info

      URLs from Memory and Binaries

      NameSourceMaliciousAntivirus DetectionReputation
      http://www.apache.org/licenses/LICENSE-2.0evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpfalse
        		high
        http://www.fontbureau.comevilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpfalse
          		high
          http://www.fontbureau.com/designersGevilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            http://www.fontbureau.com/designers/?evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpfalse
              		high
              http://www.founder.com.cn/cn/bTheevilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://www.tiro.com8evilnominatuscrypto.exe, 00000001.00000003.358343551.00000000053B5000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000003.358456672.00000000053B6000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000003.358185463.00000000053B5000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000003.358058935.00000000053B6000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://www.fontbureau.com/designers?evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                http://www.tiro.comevilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://www.fontbureau.com/designersevilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  http://www.goodfont.co.krevilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.carterandcone.comlevilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.sajatypeworks.comevilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.typography.netDevilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.fontbureau.com/designers/cabarga.htmlNevilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    http://www.founder.com.cn/cn/cTheevilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.galapagosdesign.com/staff/dennis.htmevilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://fontfabrik.comevilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.founder.com.cn/cnevilnominatuscrypto.exe, 00000001.00000003.358287424.000000000539A000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.fontbureau.com/designers/frere-jones.htmlevilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://www.zhongyicts.com.cnvaevilnominatuscrypto.exe, 00000001.00000003.358651789.000000000539A000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.fontbureau.comldevilnominatuscrypto.exe, 00000001.00000002.892448776.0000000005380000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.fontbureau.commevilnominatuscrypto.exe, 00000001.00000002.892448776.0000000005380000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.jiyu-kobo.co.jp/evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.sandoll.co.krimevilnominatuscrypto.exe, 00000001.00000003.356657263.0000000005394000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.galapagosdesign.com/DPleaseevilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.fontbureau.com/designers8evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://www.fontbureau.comvevilnominatuscrypto.exe, 00000001.00000002.892448776.0000000005380000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.fonts.comevilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://www.founder.com.cn/cn-%evilnominatuscrypto.exe, 00000001.00000003.358651789.000000000539A000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000003.358113326.0000000005395000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000003.357784973.0000000005395000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000003.357597980.0000000005392000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000003.358231059.0000000005396000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000003.358287424.000000000539A000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.founder.com.cn/cn/_$evilnominatuscrypto.exe, 00000001.00000003.358113326.0000000005395000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000003.357784973.0000000005395000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000003.357597980.0000000005392000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.sandoll.co.krevilnominatuscrypto.exe, 00000001.00000003.356657263.0000000005394000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.urwpp.deDPleaseevilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.zhongyicts.com.cnevilnominatuscrypto.exe, 00000001.00000003.358651789.000000000539A000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.sakkal.comevilnominatuscrypto.exe, 00000001.00000003.361520866.000000000538D000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown

                          World Map of Contacted IPs

                          No contacted IP infos

                          General Information

                          Joe Sandbox Version:34.0.0 Boulder Opal
                          Analysis ID:572441
                          Start date:15.02.2022
                          Start time:10:00:59
                          Joe Sandbox Product:CloudBasic
                          Overall analysis duration:0h 12m 50s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Sample file name:evilnominatuscrypto (renamed file extension from none to exe)
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                          Number of analysed new started processes analysed:33
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Detection:MAL
                          Classification:mal88.rans.evad.winEXE@16/4@0/0
                          EGA Information:Failed
                          HDC Information:
                          • Successful, ratio: 0.1% (good quality ratio 0%)
                          • Quality average: 56%
                          • Quality standard deviation: 39.6%
                          HCA Information:
                          • Successful, ratio: 99%
                          • Number of executed functions: 122
                          • Number of non-executed functions: 3
                          Cookbook Comments:
                          • Adjust boot time
                          • Enable AMSI
                          • Override analysis time to 240s for sample files taking high CPU consumption

                          Warnings

                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, VSSVC.exe, svchost.exe, wuapihost.exe
                          • Excluded IPs from analysis (whitelisted): 23.211.6.115
                          • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                          • Execution Graph export aborted for target evilnominatuscrypto.exe, PID 6516 because it is empty
                          • Not all processes where analyzed, report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                          • Report size getting too big, too many NtCreateFile calls found.
                          • Report size getting too big, too many NtOpenFile calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryAttributesFile calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
                          • Report size getting too big, too many NtSetInformationFile calls found.

                          Simulations

                          Behavior and APIs

                          TimeTypeDescription
                          10:05:25AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini-Locked
                          10:05:35API Interceptor1x Sleep call for process: OpenWith.exe modified

                          Joe Sandbox View / Context

                          IPs

                          No context

                          Domains

                          No context

                          ASNs

                          No context

                          JA3 Fingerprints

                          No context

                          Dropped Files

                          No context

                          Created / dropped Files

                          C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm6B05.tmp (copy)

                          Download File
                          Process:C:\Windows\System32\OpenWith.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):7416
                          Entropy (8bit):0.020297149862451055
                          Encrypted:false
                          SSDEEP:3:tn1lIlF:y
                          MD5:B710BC2FE0046515794A3E2977E9A15E
                          SHA1:833EF452338434B5EB757F488DC7E993F9391C82
                          SHA-256:2B79AF0DD12B22F34483108837981FBBADBB604367FCDA8B0A41807E8049A62E
                          SHA-512:33C446E80358AFDACE96A393E13B5A76FDE58B7D60B17FF74FD6B2E8D1C69C685C9893295D57376F57D4BA4DFF2824DED5D23638CB26A160AAA4A429557E0093
                          Malicious:false
                          Reputation:low
                          Preview:..0 IMMM ...............e...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db

                          Download File
                          Process:C:\Windows\System32\OpenWith.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):24
                          Entropy (8bit):1.408222675578688
                          Encrypted:false
                          SSDEEP:3:d:d
                          MD5:419A089E66B9E18ADA06C459B000CB4D
                          SHA1:ED2108A58BA73AC18C3D2BF0D8C1890C2632B05A
                          SHA-256:C48E42E9AB4E25B92C43A7B0416D463B9FF7C69541E4623A39513BC98085F424
                          SHA-512:BBD57BEA7159748E1B13B3E459E2C8691A46BDC9323AFDB9DBF9D8F09511750D46A1D98C717C7ADCA07D79EDC859E925476DD03231507F37F45775C0A79A593C
                          Malicious:false
                          Preview:CMMM ...................

                          C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

                          Download File
                          Process:C:\Windows\System32\OpenWith.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):7416
                          Entropy (8bit):0.020297149862451055
                          Encrypted:false
                          SSDEEP:3:tn1lIlF:y
                          MD5:B710BC2FE0046515794A3E2977E9A15E
                          SHA1:833EF452338434B5EB757F488DC7E993F9391C82
                          SHA-256:2B79AF0DD12B22F34483108837981FBBADBB604367FCDA8B0A41807E8049A62E
                          SHA-512:33C446E80358AFDACE96A393E13B5A76FDE58B7D60B17FF74FD6B2E8D1C69C685C9893295D57376F57D4BA4DFF2824DED5D23638CB26A160AAA4A429557E0093
                          Malicious:false
                          Preview:..0 IMMM ...............e...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\Users\user\Desktop\autorun.inf

                          Download File
                          Process:C:\Windows\SysWOW64\cmd.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:modified
                          Size (bytes):65
                          Entropy (8bit):4.255167483172791
                          Encrypted:false
                          SSDEEP:3:ItI6dFOcNt1HjWVFOcNtv:eIG1KVFv
                          MD5:FBEFA88E6B51C05DD63D97DFDBEB3589
                          SHA1:67E09918D878C6615BEFAB5DC9194439027F268D
                          SHA-256:3861ACEDFFD29452D2FDB96728F7347652BDE9353915D3873A7414843F49B8B1
                          SHA-512:58F8C1A64F2EB21BE7B96DB335D1ADE0CE0878566A8386B3689B650132CA28E14761B20FDFE50F2AF9915DFF2BDD3A5B07F6F3ED082E4E6998EC5F0CD052F12F
                          Malicious:false
                          Preview:[autorun] ..open=KasperskyScan.exe ..execute=KasperskyScan.exe ..

                          Static File Info

                          General

                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):4.218587302420799
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                          • Win32 Executable (generic) a (10002005/4) 49.78%
                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                          • Win16/32 Executable Delphi generic (2074/23) 0.01%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          File name:evilnominatuscrypto.exe
                          File size:32768
                          MD5:7cdf50ee4f3d0febc70dd36298ed07da
                          SHA1:0170c2deae4486a43894c202ea92d43556218e1c
                          SHA256:69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef
                          SHA512:370023f24390173044b2b32546b5ff68bc8786edfcd8784d0adfb9cede550d40a744df184303ccd16f277595d319671445e5f1c070f0e453d1b94b1dc70d7a28
                          SSDEEP:384:AjdXpgpMf76oJgkB4nokwFwA4Ep/0VUx/Nx9DPxmB++6iCjGnLBs0Rr:adZgpCOagkBRp/0ut9Y++6iCjs2wr
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...<..b.................P... ......>i... ........... ....................................`................................

                          File Icon

                          Icon Hash:00828e8e8686b000

                          Static PE Info

                          General

                          Entrypoint:0x693e
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x0
                          Subsystem:windows gui
                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                          Time Stamp:0x6209133C [Sun Feb 13 14:18:36 2022 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:v4.0.30319
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                          Entrypoint Preview

                          Instruction
                          jmp dword ptr [00002000h]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al

                          Data Directories

                          NameVirtual AddressVirtual Size Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                          IMAGE_DIRECTORY_ENTRY_IMPORT0x68ec0x4f.text
                          IMAGE_DIRECTORY_ENTRY_RESOURCE0x80000x820.rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                          IMAGE_DIRECTORY_ENTRY_BASERELOC0xa0000xc.reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG0x67b40x1c.text
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                          Sections

                          NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                          .text0x20000x49440x5000False0.504150390625data5.53179387013IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                          .rsrc0x80000x8200x1000False0.229248046875data3.05099161152IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc0xa0000xc0x1000False0.0087890625data0.0131269437212IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                          Resources

                          NameRVASizeTypeLanguageCountry
                          RT_VERSION0x80a00x2ecdata
                          RT_MANIFEST0x83900x489XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                          Imports

                          DLLImport
                          mscoree.dll_CorExeMain

                          Version Infos

                          DescriptionData
                          Translation0x0000 0x04b0
                          LegalCopyrightCopyright 2022
                          Assembly Version1.0.8079.11358
                          InternalNameEvilNominatusCrypto.exe
                          FileVersion1.0.8079.11358
                          ProductNameTRS
                          ProductVersion1.0.8079.11358
                          FileDescriptionTRS
                          OriginalFilenameEvilNominatusCrypto.exe

                          Network Behavior

                          No network behavior found

                          Statistics

                          CPU Usage

                          Click to jump to process

                          Memory Usage

                          Click to jump to process

                          High Level Behavior Distribution

                          Click to dive into process behavior distribution

                          Behavior

                          Click to jump to process

                          System Behavior

                          General

                          Target ID:1
                          Start time:10:01:56
                          Start date:15/02/2022
                          Path:C:\Users\user\Desktop\evilnominatuscrypto.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\evilnominatuscrypto.exe"
                          Imagebase:0x170000
                          File size:32768 bytes
                          MD5 hash:7CDF50EE4F3D0FEBC70DD36298ED07DA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: JoeSecurity_Voidcrypt, Description: Yara detected Voidcrypt Ransomware, Source: 00000001.00000002.880899143.0000000002421000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low

                          General

                          Target ID:5
                          Start time:10:02:12
                          Start date:15/02/2022
                          Path:C:\Windows\SysWOW64\cmd.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\System32\cmd.exe" /C echo ^[autorun^] >autorun.inf
                          Imagebase:0x2a0000
                          File size:232960 bytes
                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Target ID:6
                          Start time:10:02:14
                          Start date:15/02/2022
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff61de10000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Target ID:7
                          Start time:10:02:15
                          Start date:15/02/2022
                          Path:C:\Windows\SysWOW64\cmd.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\System32\cmd.exe" /C echo ^open^=KasperskyScan^.exe >>autorun.inf
                          Imagebase:0x2a0000
                          File size:232960 bytes
                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Target ID:8
                          Start time:10:02:16
                          Start date:15/02/2022
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff61de10000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Target ID:9
                          Start time:10:02:17
                          Start date:15/02/2022
                          Path:C:\Windows\SysWOW64\cmd.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\System32\cmd.exe" /C echo ^execute=^KasperskyScan^.exe >>autorun.inf
                          Imagebase:0x2a0000
                          File size:232960 bytes
                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Target ID:10
                          Start time:10:02:18
                          Start date:15/02/2022
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff61de10000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Target ID:11
                          Start time:10:02:19
                          Start date:15/02/2022
                          Path:C:\Windows\SysWOW64\cmd.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && wmic shadowcopy delete
                          Imagebase:0x2a0000
                          File size:232960 bytes
                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Target ID:12
                          Start time:10:02:19
                          Start date:15/02/2022
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff61de10000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Target ID:13
                          Start time:10:02:20
                          Start date:15/02/2022
                          Path:C:\Windows\SysWOW64\vssadmin.exe
                          Wow64 process (32bit):true
                          Commandline:vssadmin delete shadows /all /quiet
                          Imagebase:0xca0000
                          File size:110592 bytes
                          MD5 hash:7E30B94672107D3381A1D175CF18C147
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:moderate

                          General

                          Target ID:30
                          Start time:10:05:34
                          Start date:15/02/2022
                          Path:C:\Windows\System32\OpenWith.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\OpenWith.exe -Embedding
                          Imagebase:0x7ff730d40000
                          File size:111120 bytes
                          MD5 hash:D179D03728E95E040A889F760C1FC402
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Disassembly

                          Reset < >

                            Executed Functions

                            Function 023D3880 Relevance: .4, Instructions: 405COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 508296322052d09c6cbad9a6fb0040402bf0d577e5d3d008784685b34b1c215d
                            • Instruction ID: 47408070d1bd9999c427eb853672b247fcd7f2bf3a01696c836e2254b9eeb050
                            • Opcode Fuzzy Hash: 508296322052d09c6cbad9a6fb0040402bf0d577e5d3d008784685b34b1c215d
                            • Instruction Fuzzy Hash: F9020375E052288FDB64DF29D850BAAB7B6FF8A300F5095E9C509BB255DB309E81CF40
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D69EA Relevance: .2, Instructions: 241COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e35a84eb70e138b8176f3135d1d9d5a551629b9eaf10d605c8b86b1a210518a7
                            • Instruction ID: 7e1bb81e98b83819537ba8cac39346d0b5c38072376a61b38712ca3fa7a892ad
                            • Opcode Fuzzy Hash: e35a84eb70e138b8176f3135d1d9d5a551629b9eaf10d605c8b86b1a210518a7
                            • Instruction Fuzzy Hash: 3AA1E271E052288FDB68DF26D854B9ABBF2FB8A301F54D5A9D409BB255DB304E81CF40
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 06972011 Relevance: .2, Instructions: 182COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.893310562.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6970000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7b42643fc5af32d3c680fb70b0e51330a6fb8891817f428b69e23b2c70c48878
                            • Instruction ID: a654db4398ecaffe144d59149eeae428285e1066bd1cbf907dee4a41dbe4902e
                            • Opcode Fuzzy Hash: 7b42643fc5af32d3c680fb70b0e51330a6fb8891817f428b69e23b2c70c48878
                            • Instruction Fuzzy Hash: B771D474E11208CFDB08DFA5D894A9DBBF2FF89314F209169E815AB365DB30A942CF54
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D857C Relevance: 1.5, Strings: 1, Instructions: 228COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID: U
                            • API String ID: 0-3372436214
                            • Opcode ID: bf84619943dd87cfcc70aaafb190c2f9777a864cefda39222fd8531c5abda3f9
                            • Instruction ID: b47a95eb873ec47b343b18da492c0ca485d4e110d74cf60ae281eab3656d8903
                            • Opcode Fuzzy Hash: bf84619943dd87cfcc70aaafb190c2f9777a864cefda39222fd8531c5abda3f9
                            • Instruction Fuzzy Hash: 18A1A631A10605CFCB04DF68D48499DBBB6FF89314F1586A9E909AB365EB70E985CF80
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D42D9 Relevance: 1.4, Strings: 1, Instructions: 100COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID: l(w
                            • API String ID: 0-766550371
                            • Opcode ID: 22f30ba52f1989f1e7a51b29506bb2e547e05de76dffaac4dd386c4e59bc8a05
                            • Instruction ID: 8566a0955fba000626385260e2b8a08aca3c01b0a7a370334269836ff959ff4a
                            • Opcode Fuzzy Hash: 22f30ba52f1989f1e7a51b29506bb2e547e05de76dffaac4dd386c4e59bc8a05
                            • Instruction Fuzzy Hash: C631DF71E002458FD710DFB6E8446AA7BF6FF89304B548569D111BB386DB30A942CFA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D42E8 Relevance: 1.3, Strings: 1, Instructions: 89COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID: l(w
                            • API String ID: 0-766550371
                            • Opcode ID: 3afddd1f6bcd2d851662c64cff440c2732d25a3e966cc5c351a07380056e8636
                            • Instruction ID: d4d9b194cd3c3214cb1681477410f54555ea30c7e5e6b9a2cac4d0ff72a9b921
                            • Opcode Fuzzy Hash: 3afddd1f6bcd2d851662c64cff440c2732d25a3e966cc5c351a07380056e8636
                            • Instruction Fuzzy Hash: 8D310271E002448FDB10DFBAF4406AA7BF6EF89304F548569C211BB395DB30A941CFA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D5B70 Relevance: .7, Instructions: 689COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8509a37f5ee055a421245a844462b5a98bcb1970d3a1efb6edabaeefe76512c9
                            • Instruction ID: edcca3c54165c158c8fda07399ffb7c2be6516a090d099523eef028755000716
                            • Opcode Fuzzy Hash: 8509a37f5ee055a421245a844462b5a98bcb1970d3a1efb6edabaeefe76512c9
                            • Instruction Fuzzy Hash: 2D72E570A042198FCB54FFA8F94069D77F5EB81304F848C68E50AAF258EB346E54DFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D5B80 Relevance: .7, Instructions: 685COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 48ea3a12f89a36adc5bf34d0988d590f77d264487fb00ce64c55a8bd5ef351f4
                            • Instruction ID: 793a8a5a024aa1d869ede3f6af319933910be8e32dfe6df61be3466a25b267e9
                            • Opcode Fuzzy Hash: 48ea3a12f89a36adc5bf34d0988d590f77d264487fb00ce64c55a8bd5ef351f4
                            • Instruction Fuzzy Hash: 6872E570A042198FCB54FFA8F94069D77F5EB81304F848C68E50AAF258EB346E54DFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D9F10 Relevance: .6, Instructions: 649COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: edd574d671563c267750c8aba9684e19e725f66af71e959db11fad24b0b4b2d4
                            • Instruction ID: 1e09ee5b7740354ab7422640ef8b44e3384a1eb2637d70f086c9bb2c7c7c4cac
                            • Opcode Fuzzy Hash: edd574d671563c267750c8aba9684e19e725f66af71e959db11fad24b0b4b2d4
                            • Instruction Fuzzy Hash: 0C42CE32A006068FCB14CF28D980BAEB7F6FF44314F558969D852DB291E734F995CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DA028 Relevance: .5, Instructions: 484COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3b1892f480a4165b488ed6746661d72a413fa8cc3ceb0bd0a6c9d7701d68af06
                            • Instruction ID: 1b257ba99fc644cc773db86ee66f917196536f1a8e1f24ba9ea152eaa59e2577
                            • Opcode Fuzzy Hash: 3b1892f480a4165b488ed6746661d72a413fa8cc3ceb0bd0a6c9d7701d68af06
                            • Instruction Fuzzy Hash: 3512CE32A00A068FCB25DF28E980BAAB3F6FF44304F444929D856DB791E734F955CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 0697028F Relevance: .3, Instructions: 334COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.893310562.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6970000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ceb06c7ad165f4edc2310973ccd4c816ad0134842db80e2e58020af8d5140b2a
                            • Instruction ID: 78aad864da3a27cb76229bf75a0f04297163556197edd49462e03de1f508c1d3
                            • Opcode Fuzzy Hash: ceb06c7ad165f4edc2310973ccd4c816ad0134842db80e2e58020af8d5140b2a
                            • Instruction Fuzzy Hash: 9DC1B374F042149FDB54ABB5D4517AE7AEAEFC4304F248828D506EB784DF389C428BA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DD880 Relevance: .3, Instructions: 332COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8d0cdaccd956a01bb6130c02c04020e11f5712f4ad468ce7ef6ce35cba523ecf
                            • Instruction ID: 3fe80dda47a72b55353f69f79aaebb66c5e6e84ec9e4ff4a4984f61e0d8ffd5e
                            • Opcode Fuzzy Hash: 8d0cdaccd956a01bb6130c02c04020e11f5712f4ad468ce7ef6ce35cba523ecf
                            • Instruction Fuzzy Hash: 75E13F72A00219CFDB24DF64D884B9EB7B6FF85308F1184A9E909BB261DB71AD45CF50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D5950 Relevance: .2, Instructions: 230COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 66f74a56a10a00405e84c0e1ca261e41a7725eb5cc9bc0988096e7c30b011481
                            • Instruction ID: 0665446c2d536ad6309787281e4d26ce9beccd025730258a0ccb399cdff80e4d
                            • Opcode Fuzzy Hash: 66f74a56a10a00405e84c0e1ca261e41a7725eb5cc9bc0988096e7c30b011481
                            • Instruction Fuzzy Hash: C2A1A831A10605CFCB14DF69D48499DFBB6FF89304B1186A9E909AB325EB70ED85CF90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DA450 Relevance: .2, Instructions: 222COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: de88eff6b7ac1659a196fea1b2f350a5c4dcbf5442b80e33225a84af3e558970
                            • Instruction ID: b25aa97c2e52d77cf0b719e5dd6607fb59b99de4bba377fdfedafa7c7559d25a
                            • Opcode Fuzzy Hash: de88eff6b7ac1659a196fea1b2f350a5c4dcbf5442b80e33225a84af3e558970
                            • Instruction Fuzzy Hash: B98169367006019FDB25EF28E694B6A77F6FF44308F040929D442CB7A4EB35E956CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DA460 Relevance: .2, Instructions: 216COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a81da5dd857e4e0d072599095443b8679598d9a583013de06890d40ba783fe00
                            • Instruction ID: 879c18fb3f0b062e54454a27def3384f669a871417e945b742d62987203a67bf
                            • Opcode Fuzzy Hash: a81da5dd857e4e0d072599095443b8679598d9a583013de06890d40ba783fe00
                            • Instruction Fuzzy Hash: C1817A367006019FDB25EF28E650B6A73F6FF84308F040928E442CB7A4EB35E955CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DA888 Relevance: .2, Instructions: 193COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 30c9db76bcb130d935030cbe668ac4052997a8ca8a3714baca53e17cbf3c7d42
                            • Instruction ID: f45e92ada61f68e66d36df0151b8d4cfac96720c26bc52a1a14f0c0677d585af
                            • Opcode Fuzzy Hash: 30c9db76bcb130d935030cbe668ac4052997a8ca8a3714baca53e17cbf3c7d42
                            • Instruction Fuzzy Hash: 12714271A00B058FDB24DF6AE1407AABBF5FF88214F108A2DD48ADBA40D775E805CF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 06972020 Relevance: .2, Instructions: 183COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.893310562.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6970000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8a4ff7c0ba50299ee7ea8bbe762db9e963c79529c854776746dd5bfefe702a28
                            • Instruction ID: 386da25409021a2aa8a6e5518bd06bc160cf1523b0d537c520e98d05b1f09f7e
                            • Opcode Fuzzy Hash: 8a4ff7c0ba50299ee7ea8bbe762db9e963c79529c854776746dd5bfefe702a28
                            • Instruction Fuzzy Hash: C981D274E10208CFDB08DFA9D994A9DBBF2BF89310F209169E815AB365DB31AD41CF54
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 06970B7C Relevance: .2, Instructions: 179COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.893310562.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6970000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6f4a31bbedad35a0bc8a875c645c267a485c2f3524f15ac7bc568e4545c262f3
                            • Instruction ID: 6c130916b8b5ffda4d1774c5d838bfed833fa54c78942ce0aa8454499899bf89
                            • Opcode Fuzzy Hash: 6f4a31bbedad35a0bc8a875c645c267a485c2f3524f15ac7bc568e4545c262f3
                            • Instruction Fuzzy Hash: B3613731E003098FDB54DFA9D894AEEBBBAFF89314F184469D405AB764DB30A945CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DD05C Relevance: .2, Instructions: 165COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dac6d9a0e9723562d69fa84febed06126b8e748fa51fb5561e067bdaf84efd20
                            • Instruction ID: 6884163e4a586da310a36fc4a7384117bbf6d4152f71941c668ebed586ec7d96
                            • Opcode Fuzzy Hash: dac6d9a0e9723562d69fa84febed06126b8e748fa51fb5561e067bdaf84efd20
                            • Instruction Fuzzy Hash: E1519B363006118FC724AB79E855B6E77EBBFC4614B148869E006CB3A1CB34EC028B95
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D54E8 Relevance: .2, Instructions: 165COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7f06bd47aed7c14c250379b46521bf4a7cac5a434261ae807dcbb48f193f29c5
                            • Instruction ID: e54c170c4aa7966fc7c9b0a9d11493f340364233adac82ce3744c214594c984d
                            • Opcode Fuzzy Hash: 7f06bd47aed7c14c250379b46521bf4a7cac5a434261ae807dcbb48f193f29c5
                            • Instruction Fuzzy Hash: E5619D74E00259CFCB00EFA4F494AEE7BB6EF85304F508869D105AB3A5DB349D15CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D6D7F Relevance: .2, Instructions: 153COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 35ae04d8dc1e9bb2267e884f53255f51e9adea7a2fed270a88b0493e1aeae9ad
                            • Instruction ID: 3d515a756c03610a6f3c8089d15c3c07c50a22b08bb67a4d1db69aff61388a37
                            • Opcode Fuzzy Hash: 35ae04d8dc1e9bb2267e884f53255f51e9adea7a2fed270a88b0493e1aeae9ad
                            • Instruction Fuzzy Hash: 04614430E01219CFCB64DF24E855BAABBB5FB8A301F5054A9D40ABB255DB709EC0CF00
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D8878 Relevance: .2, Instructions: 151COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ff5c591e62a0b703347427e9a6e3d046cbbd9153422d1669892a62727d1e506e
                            • Instruction ID: 98ab57ce8c9e3e34ca8b8379fb2db1ab3f3871c7cf2ee9714e64c882c0fdbdc7
                            • Opcode Fuzzy Hash: ff5c591e62a0b703347427e9a6e3d046cbbd9153422d1669892a62727d1e506e
                            • Instruction Fuzzy Hash: 5551B470B043999FEF119FB1F4187AE7FF9AF44309F004528D541AB285EB79A906CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DF590 Relevance: .1, Instructions: 147COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 58f0649d601f1f9111ffd7878dae5a20ba750cad123c7153c04b3fc3240024f2
                            • Instruction ID: 38c3a4b9a9545591270928113af40d58bc2ef755834e177dd86c567366775ef0
                            • Opcode Fuzzy Hash: 58f0649d601f1f9111ffd7878dae5a20ba750cad123c7153c04b3fc3240024f2
                            • Instruction Fuzzy Hash: 6E514835A003058FDB24DFA8E584B9EBBF5BF48318F204569D40AAB7A1CB75AD45CF90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D5588 Relevance: .1, Instructions: 145COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a70853cf1396158e23ee0747828177f7e236189880b8fd11a78c1ae3e052d516
                            • Instruction ID: b338b15ff484d61eb3ca171e3e81f621a8e75d5d659a0931043ac7a2f8d25f02
                            • Opcode Fuzzy Hash: a70853cf1396158e23ee0747828177f7e236189880b8fd11a78c1ae3e052d516
                            • Instruction Fuzzy Hash: 4F517C70E00249DFCB00EFA4E490AEEBBF6EF85304F508969D501AB365DB34AD15CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DD870 Relevance: .1, Instructions: 138COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ab211ed07260ebbc698dad42724ee4ee5d17d592dd6a90c8d635aed4874a3cf0
                            • Instruction ID: d65a7356531d6001900c8e5c502261a23f8274ffbcc528561174017c62d02729
                            • Opcode Fuzzy Hash: ab211ed07260ebbc698dad42724ee4ee5d17d592dd6a90c8d635aed4874a3cf0
                            • Instruction Fuzzy Hash: 52515172A00259CFDB24DF74D884B9AB7B2FF84308F1484A9D509AB366CB71AD85CF50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DCB60 Relevance: .1, Instructions: 129COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e1e292c012a2e83d8b04cffcc74ccc15fc069a737aad8747911a3f013072b3ea
                            • Instruction ID: 845815809bd8ce55e9330689fe156288a10f6a5f95bc3699ffe49c62e764644b
                            • Opcode Fuzzy Hash: e1e292c012a2e83d8b04cffcc74ccc15fc069a737aad8747911a3f013072b3ea
                            • Instruction Fuzzy Hash: 295187B09017498FDB00DFA9D948BDEBFF4EF49314F20886AE419A7360C7389945CB66
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D6C71 Relevance: .1, Instructions: 126COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ea0fd623fbdfd5c5d214ebbb1f91d8bbdf0ce93240e809c236123b06dbf77f23
                            • Instruction ID: 316b4227fd0a984be647b22cfb20d46da4dec7bea0dd9186e2bd71283e32f36c
                            • Opcode Fuzzy Hash: ea0fd623fbdfd5c5d214ebbb1f91d8bbdf0ce93240e809c236123b06dbf77f23
                            • Instruction Fuzzy Hash: 95511530A05219CFCBA4EF34E855BAABBB5FB8A311F5025A9D10AB7255DB745EC0CF04
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DCB70 Relevance: .1, Instructions: 120COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6f721b3248d2bbade31a7817a90a7584c830e3172de141372a56d529497f7aed
                            • Instruction ID: c346dcf46138852ff70d1ebe1aeff26f10da08b2bd58bd6b0fedb82f368c66e4
                            • Opcode Fuzzy Hash: 6f721b3248d2bbade31a7817a90a7584c830e3172de141372a56d529497f7aed
                            • Instruction Fuzzy Hash: D65167B09017098FDB10DFAAD548BDEBBF4EF49314F20886AE419A7360C7786944CF65
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DA878 Relevance: .1, Instructions: 112COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 304716b0be8c71ad7bfc89ca49e4ae921ca736a6fca3a4f890c29441236abbe3
                            • Instruction ID: 4682c6fbe6b2c19cb96d19c0dc5a8d77b7595367f0fb4255fd2b78c016a01f15
                            • Opcode Fuzzy Hash: 304716b0be8c71ad7bfc89ca49e4ae921ca736a6fca3a4f890c29441236abbe3
                            • Instruction Fuzzy Hash: 9F41EE71600B068FD774DF2AE291B26B7F5BF48208B018A2DE486CBA50D775F859CF90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D8AE0 Relevance: .1, Instructions: 102COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1c25da02f0f9cc6da3174f371f3bd3070d372921c28d132278596e66052e9030
                            • Instruction ID: e47f361a3a59090fbc02a515c6bfe3e32167cd58744c641121499ab4411b741e
                            • Opcode Fuzzy Hash: 1c25da02f0f9cc6da3174f371f3bd3070d372921c28d132278596e66052e9030
                            • Instruction Fuzzy Hash: 403179B5A082509FD740AF69F8447AB7BA9EF85358F008064E305DB385DB39EC12CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DC899 Relevance: .1, Instructions: 96COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a75c0bd33d1239ffb3d35d2aefaf2cd1a8ed622b6bc52d462f432fc5acb90d79
                            • Instruction ID: f9a87197fc63aa4cd4555b04ab3904f4cb543de93000e11f0d916589b318c22a
                            • Opcode Fuzzy Hash: a75c0bd33d1239ffb3d35d2aefaf2cd1a8ed622b6bc52d462f432fc5acb90d79
                            • Instruction Fuzzy Hash: 31315532B042558BE720EBB4F4143EF77A6CBC1258F104C29D61A9B381EF34495AC7E2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D3E08 Relevance: .1, Instructions: 96COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9bfca1d471b5f3135ca85994827988a7a086eba111a57dc92bd637e6526eb1d5
                            • Instruction ID: 659d047a52abd687dcdb92a55d03b8939c1b3926c2a1913c9022e77d58fa4fb8
                            • Opcode Fuzzy Hash: 9bfca1d471b5f3135ca85994827988a7a086eba111a57dc92bd637e6526eb1d5
                            • Instruction Fuzzy Hash: 5B410FB1D00618CFDB20CFA9C884BDEBBB5BF48308F64846AD409BB251DB716945CF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D5374 Relevance: .1, Instructions: 95COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 792a6cfab39be6a7417ab8955b989a5c6ff2d907ebf2dc154458ec6143edfe12
                            • Instruction ID: 03424c5249fe8283ae062ed99cbdd4613d47ed7cf688b3e8fa83fd236f91508e
                            • Opcode Fuzzy Hash: 792a6cfab39be6a7417ab8955b989a5c6ff2d907ebf2dc154458ec6143edfe12
                            • Instruction Fuzzy Hash: 5C4110B1D00219CFDB24CFA9C884BCEBBB5BF48308F24846AD408BB250DB716946CF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DCDBC Relevance: .1, Instructions: 89COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cffbe639a523bad9dd0c770d783b9ebbfb5f56ebd44d8210116fd1dc65751d6f
                            • Instruction ID: accfbe4af7e3444b075a7be75d865b8bfbff4484a3b610f67a103fd97dc35771
                            • Opcode Fuzzy Hash: cffbe639a523bad9dd0c770d783b9ebbfb5f56ebd44d8210116fd1dc65751d6f
                            • Instruction Fuzzy Hash: 7F213762B0E3954FC751677568205AD3FAADFC2208B1509BED805CB393DF6C4803C762
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DAE62 Relevance: .1, Instructions: 88COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 184a9965a97df7169d87624a86e9d30734685758bb38aa167d8782823e5c7f9f
                            • Instruction ID: a1b4dc5b37132ba9287698b64a8c2081f7d3d68acb955535f45a2a823038f59a
                            • Opcode Fuzzy Hash: 184a9965a97df7169d87624a86e9d30734685758bb38aa167d8782823e5c7f9f
                            • Instruction Fuzzy Hash: 86319E726042168FC710CF14DA80AAAB7FAFF84310B5ACAA5D4159B282D370FD46CB84
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 06970168 Relevance: .1, Instructions: 86COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.893310562.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6970000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d36fd5d125b20120c6c393ca240f84ca5886b686d96cd59b6f1a15b20630d5c6
                            • Instruction ID: 371535b54c1e41852b422277daad766bf6abeb22582abca5f21f07c4cd8e03eb
                            • Opcode Fuzzy Hash: d36fd5d125b20120c6c393ca240f84ca5886b686d96cd59b6f1a15b20630d5c6
                            • Instruction Fuzzy Hash: 22312474E012098FCB18DFB4D490AEEBBB2EF89304F208569C505B7794DB359946CBA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DAE70 Relevance: .1, Instructions: 85COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6294598489727084965efc1b607e63922c61a65c1d96b824cfe5ab5c5ed669df
                            • Instruction ID: 503e28b2fbcde8750c1d7bdbebb5b0ff6754963e7e9e5527888e1231162495e5
                            • Opcode Fuzzy Hash: 6294598489727084965efc1b607e63922c61a65c1d96b824cfe5ab5c5ed669df
                            • Instruction Fuzzy Hash: 2B318272604216CFCB14CF14DA809AAB7FAFF84310B5AC9A5D4159B281D370FD45CB94
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 06971690 Relevance: .1, Instructions: 85COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.893310562.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6970000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: aabe2849a1bd3f3df7d0fd5f3704d4f441560e93176d06def30651d825f0e450
                            • Instruction ID: e99093b48421bfec1066bffade85e333abf0edc1776abd063b8a7487b3856297
                            • Opcode Fuzzy Hash: aabe2849a1bd3f3df7d0fd5f3704d4f441560e93176d06def30651d825f0e450
                            • Instruction Fuzzy Hash: 383178B19042498FDB00DFA9D484A9EBFF4FF49314F28886AD419AB351C739A945CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 069707D1 Relevance: .1, Instructions: 81COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.893310562.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6970000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 37ec98101335ff23ae47f252f7f0b82f6d354a2f93cf4972df05f5435045d690
                            • Instruction ID: 77f3b35e3762c9f122927118f9e689d33cc4c32a4894bb28745cb486b173dfa0
                            • Opcode Fuzzy Hash: 37ec98101335ff23ae47f252f7f0b82f6d354a2f93cf4972df05f5435045d690
                            • Instruction Fuzzy Hash: 3D31DCB0D043499FDB40CFA9D5447EEBBF8EB08314F24846AD114A3641D779AA48CBE1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D8CB9 Relevance: .1, Instructions: 80COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 48089dcb011fc4f96a89a648037de163c1c2c700c807401c6ffddc61f8b5f914
                            • Instruction ID: c73884a1dffcb8d376f40dc77f474b0d73db05d8fecd92a938af97cda8eaf744
                            • Opcode Fuzzy Hash: 48089dcb011fc4f96a89a648037de163c1c2c700c807401c6ffddc61f8b5f914
                            • Instruction Fuzzy Hash: BB21A5356052098FCB61EF75F840BAE77F5AFA4248B508526C904EB389F774EA03CB80
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 06970178 Relevance: .1, Instructions: 77COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.893310562.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6970000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1b3da5a8ddbadd390002660f7156245a07d5ac5c76f7747abc5712dd8274253e
                            • Instruction ID: 5c45dc837a75c94a03df42a59903701873ae57260f9c27b7f63d10fa5a87e479
                            • Opcode Fuzzy Hash: 1b3da5a8ddbadd390002660f7156245a07d5ac5c76f7747abc5712dd8274253e
                            • Instruction Fuzzy Hash: BB310074E012098FCB18DFB9D490AEEBBF2AF89304F209529C505B7394DB359945CBA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 0092D210 Relevance: .1, Instructions: 76COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880699414.000000000092D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_92d000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 87629f50222121292e982133d63b1cf1f9c4cb15e3372d63da53e2033c9e030f
                            • Instruction ID: 3faf03ae522445cfc711f62637068789df2d25d21e0b4989c524f383609fb866
                            • Opcode Fuzzy Hash: 87629f50222121292e982133d63b1cf1f9c4cb15e3372d63da53e2033c9e030f
                            • Instruction Fuzzy Hash: D6210472505240DFDF05DF54E9C4B2ABB69FB88324F348969E8150B24AC33AD856DBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D9E50 Relevance: .1, Instructions: 75COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fbf248071df69cae7fdabe837808a3606fd49d9b144a337225eecdc74bca3a88
                            • Instruction ID: 3616e791b41f6e6a329ac23243307eaa85a7957088d7eabe86e80c732696ad0a
                            • Opcode Fuzzy Hash: fbf248071df69cae7fdabe837808a3606fd49d9b144a337225eecdc74bca3a88
                            • Instruction Fuzzy Hash: 502160767052159FA705DF69E540AAABBEAFBC9229324C17AE80CC7341EB32D906C750
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 0092D3EC Relevance: .1, Instructions: 75COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880699414.000000000092D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_92d000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8356d47f824006ed6e3775071d74762274b35f1708496055e670c667d4997091
                            • Instruction ID: 7fd77a2f44bff4bb27aee2309aed8a18b44d00446551796a5e4483e0c174893e
                            • Opcode Fuzzy Hash: 8356d47f824006ed6e3775071d74762274b35f1708496055e670c667d4997091
                            • Instruction Fuzzy Hash: 28213A71505240DFDF05EF54E9C0B66BB6AFB94324F34C96DD8090B29AC33AE856C7A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DDA84 Relevance: .1, Instructions: 74COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 21df1be79d4fe6d9c50338fc40d28657ff13d9a8e219bd6ae897f54e3856b1f1
                            • Instruction ID: 0cc047dcc47a6e144b22576139491a01bf7edf1ee3f3257e4364c79e4eddac14
                            • Opcode Fuzzy Hash: 21df1be79d4fe6d9c50338fc40d28657ff13d9a8e219bd6ae897f54e3856b1f1
                            • Instruction Fuzzy Hash: FD316131600214CFD724EF74E484BAAB7B6FF84309F5048A8D40A6B7A6CB75AD85CF50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 069707E0 Relevance: .1, Instructions: 74COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.893310562.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6970000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 298efb00d1dc4f35fffb1f82c2c50e005f8f107c7c4de582c5782cbc8852f09f
                            • Instruction ID: 74b6ae70a3ec58689b0bbbb0aa48084aaab46f4891a90f78eb08080010fef1a5
                            • Opcode Fuzzy Hash: 298efb00d1dc4f35fffb1f82c2c50e005f8f107c7c4de582c5782cbc8852f09f
                            • Instruction Fuzzy Hash: B821D0B0D047499FDB40CFA9D5447EEBBF8EB08318F248469D114A3700DB7AA554CBE1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D7E90 Relevance: .1, Instructions: 73COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8f4d3320b22caba841879fdfb31f9f8d50c0ebe4cffe3d9e8d2cca49e2da29e9
                            • Instruction ID: c54de8f61f71117faade83cfcb13f2887d2094f448ea484d38bec6719247a7a6
                            • Opcode Fuzzy Hash: 8f4d3320b22caba841879fdfb31f9f8d50c0ebe4cffe3d9e8d2cca49e2da29e9
                            • Instruction Fuzzy Hash: 7021A1716002014BD751AF2CD4803C6F7E2EF89320F54C6B9D509EF396DA75984ACB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D51D8 Relevance: .1, Instructions: 72COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ae24a7b8c2d5df055eef9245ddd2a263e9762abe11cba1d6a38e03677b859473
                            • Instruction ID: 5b99a041122c060f2d5300c3e681ef6dbb3dd0a9f69be7849e38e863dbf5d43c
                            • Opcode Fuzzy Hash: ae24a7b8c2d5df055eef9245ddd2a263e9762abe11cba1d6a38e03677b859473
                            • Instruction Fuzzy Hash: 7D213871F542189FDB20EBB4A81136DB6A6AB85718F804069E300FB3C8DBB5580587E6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 00A4D1D4 Relevance: .1, Instructions: 72COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880727249.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_a4d000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1ab01a1f0b787128223a4215a0a834a1df61c955824d6572a7f1c57a90ac6ac5
                            • Instruction ID: 0be352217665f4d4f50ad36b6f41bb0482cc142e578fc3d250951ad346e20d89
                            • Opcode Fuzzy Hash: 1ab01a1f0b787128223a4215a0a834a1df61c955824d6572a7f1c57a90ac6ac5
                            • Instruction Fuzzy Hash: E121F579604200EFDB05DF54D9C0B56BBA5FBC4318F24CA6DE8095B341C3BAD846CA61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 00A4D01C Relevance: .1, Instructions: 72COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880727249.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_a4d000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f0294b15a0ef1044ce2402ead604c544207964b2ee2be7d980ed5c03251c3584
                            • Instruction ID: 9c1deaeef314b4cbe2619c3c1c857b8102a0041c4b9c755d779236ca6b1f05dd
                            • Opcode Fuzzy Hash: f0294b15a0ef1044ce2402ead604c544207964b2ee2be7d980ed5c03251c3584
                            • Instruction Fuzzy Hash: 9821C279604240DFDB14DF54D9C4B16BB65FBC8328F34C96DD80A4B346C37AD846CA61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D5880 Relevance: .1, Instructions: 69COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 69ef65462a721a0061ddad4a89f518271f8baefdc3df6b2a22b7cb2506f6795c
                            • Instruction ID: 8d67e1845f62d7dd4b7476dd7e5d40407be1b4e481c09e35b9cb2e5f80c8f00f
                            • Opcode Fuzzy Hash: 69ef65462a721a0061ddad4a89f518271f8baefdc3df6b2a22b7cb2506f6795c
                            • Instruction Fuzzy Hash: 2E219F716002058BC750AF2CD440786F7E6EF89324F54CA79E909EF396DA74A849CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 06970CDF Relevance: .1, Instructions: 69COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.893310562.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6970000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 71c8733b5118d0f2f8b43ca7742fef9ec58c53ed313ca4a56b4dc6a57d8ed8c0
                            • Instruction ID: 4a420a578570593b07074799d8a40d18975fb3fbe473fa5649f75e5552a63230
                            • Opcode Fuzzy Hash: 71c8733b5118d0f2f8b43ca7742fef9ec58c53ed313ca4a56b4dc6a57d8ed8c0
                            • Instruction Fuzzy Hash: B8213971D042098FDB54CF9AC884BEEFBF8EB58320F14842AD465A7640D778A945CBA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DA780 Relevance: .1, Instructions: 68COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d35a1495afd519dbbe7d6ef0b5dadb6d952ec5a6c99259140c18cd0333d6a772
                            • Instruction ID: 4b9b6a60d699589e3cf0438fb98e5da94b3b8e30794292d9e3143b7684af719d
                            • Opcode Fuzzy Hash: d35a1495afd519dbbe7d6ef0b5dadb6d952ec5a6c99259140c18cd0333d6a772
                            • Instruction Fuzzy Hash: 99219C316007409FE726CF28E0557957BE2FB81308F188E5DD0828F292C7B6E997CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DA790 Relevance: .1, Instructions: 67COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 43820dac25ef5c4d76384265fae36af6f0d89e6b225676a5ca49df9236144c93
                            • Instruction ID: b1656e427ae6a5e5f825d79ae31ac052a09561acb1014f810ecb1f879a1645ed
                            • Opcode Fuzzy Hash: 43820dac25ef5c4d76384265fae36af6f0d89e6b225676a5ca49df9236144c93
                            • Instruction Fuzzy Hash: 89215A32600B409FE725CF28D045745BBE6FB41308F188E6CD4628F691C7B6E996CBE1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DEA30 Relevance: .1, Instructions: 65COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: eadcbe323e41b84efb027d6d0c6604056fd56eddea3f4e07c4a04afe779ef20f
                            • Instruction ID: 567f79161a9b5ec8f4693424b3ec0f2420805d09b9f533843630e92058e22c36
                            • Opcode Fuzzy Hash: eadcbe323e41b84efb027d6d0c6604056fd56eddea3f4e07c4a04afe779ef20f
                            • Instruction Fuzzy Hash: 521193363106118FC7259B29E494A6A7BF6BFC4B15B1544AEE442CB761CF71DC06CF50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DD198 Relevance: .1, Instructions: 65COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b5780daf527b987390f9d560866c6825a8c5d0f3f2525b52e0a3e6d497401e08
                            • Instruction ID: fbade040c7b053e855054070bed1e3481b927ff0c53f41b29bad8655a09695a4
                            • Opcode Fuzzy Hash: b5780daf527b987390f9d560866c6825a8c5d0f3f2525b52e0a3e6d497401e08
                            • Instruction Fuzzy Hash: 3821E6B59002489FDB10CF99D984ADEFFF8EB48324F14841AE914A7350C379A945CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 06971788 Relevance: .1, Instructions: 63COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.893310562.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6970000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c1af7db924d3e751df07fb60dea56b7f1d53c04ef021c83c6f2645160cc2c52c
                            • Instruction ID: 4490ceb69f9a49f8e97e4b6cc6c7edba16c30316fa0ae916fdf7bb8a4fd53627
                            • Opcode Fuzzy Hash: c1af7db924d3e751df07fb60dea56b7f1d53c04ef021c83c6f2645160cc2c52c
                            • Instruction Fuzzy Hash: 44212971D002098FDB14CF9AC844BEEFBF9EB48324F14842AD565A3650D778A945CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 069716A0 Relevance: .1, Instructions: 63COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.893310562.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6970000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f4b8c671117fc33e4c0143d23a7b2b915f7b9ae7cd75a80ba43dfa934b2b6264
                            • Instruction ID: 3dc12df641375b83975b9a7ffa5d022a228853cff20e7b2ad2924bfef889bd85
                            • Opcode Fuzzy Hash: f4b8c671117fc33e4c0143d23a7b2b915f7b9ae7cd75a80ba43dfa934b2b6264
                            • Instruction Fuzzy Hash: 142124B09002498FDB50DF99D484ADEFBF4FB48314F288969D429AB311C334A945CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DD1A0 Relevance: .1, Instructions: 62COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1222464f8c87cf74d0a3458e5de316771bbf5fb23902df3680a41328a815a6f6
                            • Instruction ID: e49aa1fe742ed75c37a0decf8fc44dc920e810dae30e193994b14e5ecb9180af
                            • Opcode Fuzzy Hash: 1222464f8c87cf74d0a3458e5de316771bbf5fb23902df3680a41328a815a6f6
                            • Instruction Fuzzy Hash: B221D5B5D002089FDB10CF9AD984ADEFBF8FB48324F14841AE914A3310D379A954CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 06970CEC Relevance: .1, Instructions: 62COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.893310562.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6970000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 598da7d30a3846b2fb2edf689df94f602630500a11a2d8f675b329d6abcf8252
                            • Instruction ID: 36fb125d429ec6a39b6d2e1ec78a2877a9f091ed3275b0b2e808f72d0449f957
                            • Opcode Fuzzy Hash: 598da7d30a3846b2fb2edf689df94f602630500a11a2d8f675b329d6abcf8252
                            • Instruction Fuzzy Hash: C4212971D042098FDB54CF9AC844BEEFBF8EB48324F14842AD465A3750D778A945CFA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D5920 Relevance: .1, Instructions: 61COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ad83161f63a4d93c4d742f7133bcbc35344e9a1181aa98dee49a1dfd01e664b7
                            • Instruction ID: 02726b12e910fa7e15b52ceec97852760961fddd7fa495cde15e5d6e7bf47a87
                            • Opcode Fuzzy Hash: ad83161f63a4d93c4d742f7133bcbc35344e9a1181aa98dee49a1dfd01e664b7
                            • Instruction Fuzzy Hash: 9F21B132A107068BDB10AF68D440392B3B1FFD5320F51867AEE587B246EBB5B941CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 06971BD0 Relevance: .1, Instructions: 59COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.893310562.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6970000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b03368e66f6b433c4dec99721b887c3ea3437c05a14936e20f638f9d0477d6c9
                            • Instruction ID: 88b867aa58a0377886b05d4b99d0a699590ac2c4c6884322f2793badb663b9b9
                            • Opcode Fuzzy Hash: b03368e66f6b433c4dec99721b887c3ea3437c05a14936e20f638f9d0477d6c9
                            • Instruction Fuzzy Hash: C52104B5D007498FCB10CF99D984ADEFBB9FB48314F28852ED419B7600C375A645CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D805E Relevance: .1, Instructions: 58COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d8cc4a9f0b000bf12d07257ee9bceef9cd34baab3b66d17d3059b51b67215846
                            • Instruction ID: 7c5f19065d206f03758e9bd07c5aec1f1148f977c169dc885a1dbcb2201be74d
                            • Opcode Fuzzy Hash: d8cc4a9f0b000bf12d07257ee9bceef9cd34baab3b66d17d3059b51b67215846
                            • Instruction Fuzzy Hash: 8F119032A107168BDB10AF68D440395B3B2FFD5320F61867ADD5C7B246EBB1B941CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 06971BD8 Relevance: .1, Instructions: 57COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.893310562.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6970000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f1fb621fbd4b90ace193f2420d24e18a9fc8972b0dd0237809895693b7f5ea7e
                            • Instruction ID: 3b986a9883b7a634ef53eca3941d1a1c9758654ee919c73fe54fe7e82eb3dfee
                            • Opcode Fuzzy Hash: f1fb621fbd4b90ace193f2420d24e18a9fc8972b0dd0237809895693b7f5ea7e
                            • Instruction Fuzzy Hash: 1721E3B5D017099FCB10CF9AD884ADEFBB9FB48314F28852EE419A7600C375A544CBA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 0092D20B Relevance: .1, Instructions: 57COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880699414.000000000092D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_92d000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8cca429fee19de6ed1d83563857a1fefa71b3c310032c09e3fab54d5aa195439
                            • Instruction ID: 4d8e62e7761887474f9eea91fdb3e8ab636434b62000e52f9ddad411201a3f2c
                            • Opcode Fuzzy Hash: 8cca429fee19de6ed1d83563857a1fefa71b3c310032c09e3fab54d5aa195439
                            • Instruction Fuzzy Hash: 36217F76505280DFCB16CF54E9C4B16BF76FB88324F24C6A9D8044B65AC33AD866CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 0092D3E7 Relevance: .1, Instructions: 56COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880699414.000000000092D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_92d000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b0e1e07ed24e1f7e0dc01cd76cc8f696104099d568f658845597617a31113109
                            • Instruction ID: a8b75f3392d8b9efbdca569d53903e7db395173af11cb87e27172aea2126a4a9
                            • Opcode Fuzzy Hash: b0e1e07ed24e1f7e0dc01cd76cc8f696104099d568f658845597617a31113109
                            • Instruction Fuzzy Hash: 9511E676405280DFCF02DF10D9C4B56BF72FB94324F24C6A9D8080B66AC33AE856CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DACE8 Relevance: .1, Instructions: 55COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f7b773ddc4bc909c2aa153859580cc92af1932ac8a43f77d3ad5bfa416222c9e
                            • Instruction ID: 9bacaa9a5f71fd60cafa0547e1df1984bfeba88bf93684d1d7dbd186363ce61a
                            • Opcode Fuzzy Hash: f7b773ddc4bc909c2aa153859580cc92af1932ac8a43f77d3ad5bfa416222c9e
                            • Instruction Fuzzy Hash: 421114B69002498FCB10CFAAD544BDEFBF8EB49324F14842ED429A7300C779A545CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D9C18 Relevance: .1, Instructions: 55COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 307eb1cf336df3a7b83e0c3545795e7fcf35d69ea1a56d6745db658cd9ee6010
                            • Instruction ID: 1eb84e5bc6237f355aed5460ec6ea24ba231fe297568f92757e5be56759b1f8b
                            • Opcode Fuzzy Hash: 307eb1cf336df3a7b83e0c3545795e7fcf35d69ea1a56d6745db658cd9ee6010
                            • Instruction Fuzzy Hash: DC1114B69002099FDB10CF9AD544BDEFBF8EB49324F14842AE825B7200C779A945CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 00A4D017 Relevance: .1, Instructions: 53COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880727249.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_a4d000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6a28f70e0b8abd1698fd54b0f17f1e09a11caa5586c1eb1cad1bc8549653fc72
                            • Instruction ID: 4b4f0ce761763e6ee61242866edb0ccc79e701d831f65992c53b6912ff337354
                            • Opcode Fuzzy Hash: 6a28f70e0b8abd1698fd54b0f17f1e09a11caa5586c1eb1cad1bc8549653fc72
                            • Instruction Fuzzy Hash: 3F119D79504280DFCB15CF14D5C4B15FBA2FB85324F28C6AED84A4B756C33AD85ACBA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 00A4D1CF Relevance: .1, Instructions: 53COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880727249.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_a4d000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6a28f70e0b8abd1698fd54b0f17f1e09a11caa5586c1eb1cad1bc8549653fc72
                            • Instruction ID: 91f1c0e25749fcc11d535243a890dfb915ef41aee6daa22fb621afb99fe8000b
                            • Opcode Fuzzy Hash: 6a28f70e0b8abd1698fd54b0f17f1e09a11caa5586c1eb1cad1bc8549653fc72
                            • Instruction Fuzzy Hash: 1F118B79504280DFCB12CF10D5C4B55BBA1FB84324F28C6ADD8494B756C37AD85ACB61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 06971608 Relevance: .1, Instructions: 51COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.893310562.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6970000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5b8f03d2a6c4fceb14d4027fd7f593b93da9a26afc68f9520389b4f5863af9ff
                            • Instruction ID: 96ebe61ccaaf5956de2a756dd2970e5baf1f78f38864654f68f0a61bd922f9a1
                            • Opcode Fuzzy Hash: 5b8f03d2a6c4fceb14d4027fd7f593b93da9a26afc68f9520389b4f5863af9ff
                            • Instruction Fuzzy Hash: B001F1316042059FE714DB64E8809ABBBFAFFC9204708882BE805C7785DA75EC06C7A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D4128 Relevance: .0, Instructions: 50COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3fe7b38ee8effa96e2f20303124a7c20e344d2dbcc5c2fbbaa14b5691acbfb4f
                            • Instruction ID: 2273aff4f21fad4656ee2d350270118b203d9eca4562ddeb540e030b489eb400
                            • Opcode Fuzzy Hash: 3fe7b38ee8effa96e2f20303124a7c20e344d2dbcc5c2fbbaa14b5691acbfb4f
                            • Instruction Fuzzy Hash: FA01C0307040199FD748EBA8D855A9F77E6AFC8308F018468E205EB3A5EF308D018BA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DD734 Relevance: .0, Instructions: 49COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7cb22ab28647b323ffb033d9f0e407ae3fb7cca292e7c249ef0af1db7adb97ea
                            • Instruction ID: c3b0ce2760604511862ed1a5cc57c7534c286fa71f2e2f4d307d90f931e24139
                            • Opcode Fuzzy Hash: 7cb22ab28647b323ffb033d9f0e407ae3fb7cca292e7c249ef0af1db7adb97ea
                            • Instruction Fuzzy Hash: 5001C4329002189BEF25DFA4D8447EEBBF6BF88314F04096DC485BB280EB745906C7E1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D9E40 Relevance: .0, Instructions: 48COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5349c2344ab0d2a214bdc08353a506b52e44dc93e95a4900e69ea9bf05d62219
                            • Instruction ID: 1a2683f15e1b46cdeb54626e643dab72536f5709505219ae60f2196232a76117
                            • Opcode Fuzzy Hash: 5349c2344ab0d2a214bdc08353a506b52e44dc93e95a4900e69ea9bf05d62219
                            • Instruction Fuzzy Hash: CE0181B17042159FA752CA68AC949EF7FF9EBC9214715806AE408D7282EB35CD07C7A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DAA68 Relevance: .0, Instructions: 47COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b0bcd67a22e1700b296bf5cb4ac7c607e2df920f61313c6b247be7ac0c7efd05
                            • Instruction ID: 9ec93f5a5fe2814b7fb6f255df6d43df011bcbb55f816abf189ed23d05fe9e32
                            • Opcode Fuzzy Hash: b0bcd67a22e1700b296bf5cb4ac7c607e2df920f61313c6b247be7ac0c7efd05
                            • Instruction Fuzzy Hash: 5C1110B6D006098FCB10CF9AD644BDEFBF8EF88224F14852AD429A7300C379A545CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DB59C Relevance: .0, Instructions: 47COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 178c146d79467d51aebb2bfd4cf598805f38c97c15e7d16620c72aab6d3691aa
                            • Instruction ID: 1a78e900d442b0f320d2876d61ef463eb158ad4b9e5493e3f85c588478b8f1e3
                            • Opcode Fuzzy Hash: 178c146d79467d51aebb2bfd4cf598805f38c97c15e7d16620c72aab6d3691aa
                            • Instruction Fuzzy Hash: CF01803290021C9BEF15DFA4D8547EEBAF6BF88314F184D69D446B7280EB745905CBE1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D9E11 Relevance: .0, Instructions: 47COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: eb3af1536d44f3571131f7ede354ae02e8fd54338d7704591375096a812b6ac2
                            • Instruction ID: c97be206fa377db6881825bfebd921d85ae05544fcec132003b8c7dd79656b2b
                            • Opcode Fuzzy Hash: eb3af1536d44f3571131f7ede354ae02e8fd54338d7704591375096a812b6ac2
                            • Instruction Fuzzy Hash: A401A2B27042449FE341CB2494915EEBFF5EBC9214725C06EE489CB242EB36C807C791
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DE928 Relevance: .0, Instructions: 46COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 32662146fdb59199a10d331731fc1b550febad304eaf811f5570fdc3694d7a38
                            • Instruction ID: e67b83529d5ee6a7f163f9cfe8f2ea478cc492aa7a0572dfd814b525a132f3b9
                            • Opcode Fuzzy Hash: 32662146fdb59199a10d331731fc1b550febad304eaf811f5570fdc3694d7a38
                            • Instruction Fuzzy Hash: 92F022B3F052158BC7A5127638A45FE2FAA9EC5218B18443AD809DB391EF388C03C762
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 06970C80 Relevance: .0, Instructions: 46COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.893310562.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6970000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f8dd9d5003ec81c1f14b558e9130f38ae23debd2e1c7160968b4d5fe82daa2bf
                            • Instruction ID: 810ae0f0abcebbae36f807a309c6773f06ec954c23b190c3d39e854255fa1c0b
                            • Opcode Fuzzy Hash: f8dd9d5003ec81c1f14b558e9130f38ae23debd2e1c7160968b4d5fe82daa2bf
                            • Instruction Fuzzy Hash: 791142B09007488FCB20DF9AD548BDEBBF8EB49324F248859E519B3700D378A944CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 06970B8C Relevance: .0, Instructions: 46COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.893310562.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6970000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 573885fb19e6f4916dd0ba89c7b940d66c445bee0077903b5f014072293ab392
                            • Instruction ID: 7c15a5826f5dd966378820b8abfc0338567bf5e2757b783db524d7782002012e
                            • Opcode Fuzzy Hash: 573885fb19e6f4916dd0ba89c7b940d66c445bee0077903b5f014072293ab392
                            • Instruction Fuzzy Hash: 8F018F316042158FE764DB69E8449ABBBFAFFC82187588C2AE80593744DE75EC01C7B5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 06971258 Relevance: .0, Instructions: 46COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.893310562.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6970000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5c6b5f48476b5b8a8ae5c0e27e3e26fde455cc13d101c12930044206f34c52fb
                            • Instruction ID: e8624b8c1908c8618da3b2d094aa4439863578eb6820333f0195735e97fde53b
                            • Opcode Fuzzy Hash: 5c6b5f48476b5b8a8ae5c0e27e3e26fde455cc13d101c12930044206f34c52fb
                            • Instruction Fuzzy Hash: 311112B59006498FCB10DFDAD584BDEBBF8EB49328F24841AD529A7700D378A944CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D8E21 Relevance: .0, Instructions: 45COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bd2e9355f26230f1acb00ff2ef9d24aa7c1796fe512fbb18919866b5d42e4cbd
                            • Instruction ID: 03f0880edba7f41faf98628edda2260d246533be6f13291c645ec9f86ee87eba
                            • Opcode Fuzzy Hash: bd2e9355f26230f1acb00ff2ef9d24aa7c1796fe512fbb18919866b5d42e4cbd
                            • Instruction Fuzzy Hash: B3115270A04208AFD754FFB4D44476DB7FAEB84308F508878D504AB358EA355A058BA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D8E30 Relevance: .0, Instructions: 42COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c496629f28f5851a73263bf9cf72df12dca400ed019c8dd59a8845dd59286b0c
                            • Instruction ID: 74a264cf46bb8e3ff2e187053514356652ac54360e702136f5174e8f75e85f40
                            • Opcode Fuzzy Hash: c496629f28f5851a73263bf9cf72df12dca400ed019c8dd59a8845dd59286b0c
                            • Instruction Fuzzy Hash: C1017570A00208EFD754FFB5D44175DB7FADB8430CF508868D505BF368EA356A059BA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DADF8 Relevance: .0, Instructions: 42COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8a7d110a4d737f8cde4174b845f6968effee8245bfac4e9cb7a330d7b188dafc
                            • Instruction ID: c45667a7157b574930c459e6286a42180902ba984d52c8288c371f192cef1723
                            • Opcode Fuzzy Hash: 8a7d110a4d737f8cde4174b845f6968effee8245bfac4e9cb7a330d7b188dafc
                            • Instruction Fuzzy Hash: 840181717042558FDB14CB39E454AAA7BF5EF49A11B2484EAE049CB362E631DC02CB10
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D58F0 Relevance: .0, Instructions: 40COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8b24becde5bca6414d0cbf5d0d498d3639525ec3547359ede44da13048bc205a
                            • Instruction ID: 37d875bc8635f230c5c6ea82343f222cc049b4806966c74a7e3d6522b64a17e9
                            • Opcode Fuzzy Hash: 8b24becde5bca6414d0cbf5d0d498d3639525ec3547359ede44da13048bc205a
                            • Instruction Fuzzy Hash: 19F0C83230431187EB106F6DE850B46B3A6FF94325F904679EA087F3C5DB7568008BA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D8030 Relevance: .0, Instructions: 39COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2e38af2a212718db830c9cbadd3fa5aa8896fa5569410f02b57779a7f5a70aea
                            • Instruction ID: c9891f053b7874622366a3cf4faa9c1209cfcaa3d32f3cb63a62764448fdaaa1
                            • Opcode Fuzzy Hash: 2e38af2a212718db830c9cbadd3fa5aa8896fa5569410f02b57779a7f5a70aea
                            • Instruction Fuzzy Hash: 20F08173A082C147FF205B74A8913D8B772EF90325F54437BC44D6F182DA7748468B90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DCA15 Relevance: .0, Instructions: 39COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 084634c7f552e445c97ed6d87a3c8a2b254f75d8d373c607fbe154290794af5d
                            • Instruction ID: 2f7872685613a6d7bcab5a2e52d0cda405d1dba61744a2cd0c1d88f2e4d37236
                            • Opcode Fuzzy Hash: 084634c7f552e445c97ed6d87a3c8a2b254f75d8d373c607fbe154290794af5d
                            • Instruction Fuzzy Hash: 21F02B317142425FEF029FB0B814BED7BA99B80149F5889BAC004CB1D2DB34960B8BD5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DCA48 Relevance: .0, Instructions: 39COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 75f3f5ba0f6f2fb48ad4aa6cb79d4647066a4631ecb33b189af9a02f3ca76504
                            • Instruction ID: 6820f11ae60552d6e0b48bc5c87d647bc926dca7a385298bbf0183b53f1edfdd
                            • Opcode Fuzzy Hash: 75f3f5ba0f6f2fb48ad4aa6cb79d4647066a4631ecb33b189af9a02f3ca76504
                            • Instruction Fuzzy Hash: C0F02432A186005FDB10ABB0B814AEE7BAADFC02587084C7AD404CF285EF24D90587E0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DD7E0 Relevance: .0, Instructions: 39COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6ad8b7b5cd426be8bd4c83a798269ecff813018f11397c753fb3493b571a7cac
                            • Instruction ID: 7ac7b03f948ce5932fbaf6f45d3103b3e897f3a08b7daf4b3700bbf07ad4ac50
                            • Opcode Fuzzy Hash: 6ad8b7b5cd426be8bd4c83a798269ecff813018f11397c753fb3493b571a7cac
                            • Instruction Fuzzy Hash: B9F0FF313586A04FC706AB38D8646593F77AFCA611F0540EBD045CF6A3CE65DC0687D6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D40C0 Relevance: .0, Instructions: 38COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b497ed451605a54cbe7ef298e9640cbfdfaa2fd8bcd86de98511a6acb9ece7cc
                            • Instruction ID: 8d66505d808357367eadb1be253181a7ed2af6e89a64339c24775acb40db9579
                            • Opcode Fuzzy Hash: b497ed451605a54cbe7ef298e9640cbfdfaa2fd8bcd86de98511a6acb9ece7cc
                            • Instruction Fuzzy Hash: C7F0F0B0C512449FCB58EBB4A85AA9E7FB8EB46301F1005ACC805E3141DB300416CF51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DAE08 Relevance: .0, Instructions: 38COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3a9419d892e7429cd7da9332dd0817d264d61f26a10910a941d47589061d0fd3
                            • Instruction ID: 03e0f15e1d9087bf585470ec6f75a78770131c13779ac7c49f32cf42a16d946c
                            • Opcode Fuzzy Hash: 3a9419d892e7429cd7da9332dd0817d264d61f26a10910a941d47589061d0fd3
                            • Instruction Fuzzy Hash: F7F090317042049FDB54CE3AE844A6A7BEAEF89A15B2084B9E00AC7761EB31DC02CB10
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D4517 Relevance: .0, Instructions: 37COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 32a78c5e69596b170fe0e5411d0a060481c5e581dd0594d791828deb97706439
                            • Instruction ID: 6fc62fe48272f94a5ec5d4bb91bb07c288e95f4ff463492f184dc399c2da41ea
                            • Opcode Fuzzy Hash: 32a78c5e69596b170fe0e5411d0a060481c5e581dd0594d791828deb97706439
                            • Instruction Fuzzy Hash: B6F0E5313851202FD314561A6C8AFABBBA9EBCA664F01007AF208EF3A3DD519C0742E5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 06970E10 Relevance: .0, Instructions: 37COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.893310562.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6970000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0475821ce393f7e8c3b8156c5017451e2de7fe3cb919c30222e602817df41052
                            • Instruction ID: 6e15ec930bf69578c04804e7d5fc4620a1c03cc9835db3d8845e013a209ba060
                            • Opcode Fuzzy Hash: 0475821ce393f7e8c3b8156c5017451e2de7fe3cb919c30222e602817df41052
                            • Instruction Fuzzy Hash: CF0104B4E4431E9FDB94DBA9C841BAEBBF0BF49300F104459E514BB391D3B4AA008BA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DD128 Relevance: .0, Instructions: 36COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3aa947ccf0af0b9c807b95ddebb2b323e614e694ce068403ec2f7834558bc9a4
                            • Instruction ID: 3eeba158e70a267058c7dd14a07875d12cbc61a8dc763eed98ad1d23ba49638e
                            • Opcode Fuzzy Hash: 3aa947ccf0af0b9c807b95ddebb2b323e614e694ce068403ec2f7834558bc9a4
                            • Instruction Fuzzy Hash: 01F0AF37200159AFCB029F94D804C9A7F76FFC931070980A6F7448B2A6D635D925DB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D9319 Relevance: .0, Instructions: 34COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b5768b916fd2d0a52a89e83cbdba393a609abb116c4e6eb9d7e3ca589c64c41b
                            • Instruction ID: aaa5b773e9d5874258a4bfe51298a255d2e06ab32abff68b894f09c68912f8fa
                            • Opcode Fuzzy Hash: b5768b916fd2d0a52a89e83cbdba393a609abb116c4e6eb9d7e3ca589c64c41b
                            • Instruction Fuzzy Hash: 27F024717442818FD3A3DA74BD947D83FEA9B12306F48085AC540EB1C3DB64C087CB10
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DAB01 Relevance: .0, Instructions: 33COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ef2436f3b8a4f67e5ee8ef9861a566bf1cf0a8586e546da2de7c911d89527073
                            • Instruction ID: 78756f36d078fb60403501f77cb1514684a128c3a11bbfcad9dc7548d818e412
                            • Opcode Fuzzy Hash: ef2436f3b8a4f67e5ee8ef9861a566bf1cf0a8586e546da2de7c911d89527073
                            • Instruction Fuzzy Hash: 23F065337041045BE368A726FE50E6673AF9BC1654B0884399509D7596DEA09C0787A4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D8ED1 Relevance: .0, Instructions: 33COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 278df9a0ee22e3ddf755e5a41f40a884a473c784cd4d760429742c607a3a293b
                            • Instruction ID: 69b34e6456f7abdad902f2093a107a7aa0da22498165573f357a94af1a2b1b62
                            • Opcode Fuzzy Hash: 278df9a0ee22e3ddf755e5a41f40a884a473c784cd4d760429742c607a3a293b
                            • Instruction Fuzzy Hash: 88F09C30A053188F8794FFB8E45429E77F9EBC8204B508579D509DB358EF349907CB52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DFA48 Relevance: .0, Instructions: 33COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b9372128a398e1b4bc34e5281fe2f6dc996db0efdea3cd5486202240605186bd
                            • Instruction ID: c0a2d9df42954483dbfa07a751a31ef76a2a656bc09a960d40bd74af058d782b
                            • Opcode Fuzzy Hash: b9372128a398e1b4bc34e5281fe2f6dc996db0efdea3cd5486202240605186bd
                            • Instruction Fuzzy Hash: 9BF02763B092D08FD725AFF9B8811567BA4DF0328830944DBE241DFA62D228D907CB81
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 069709B1 Relevance: .0, Instructions: 33COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.893310562.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6970000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cdda22d8f56da65a1a7c40899bca6765f91c9e4273633572595e2ce2f69e8562
                            • Instruction ID: de74f853025c533bf59610ab0e28746968519290dc2dc6c12c90e81bf12d1fe2
                            • Opcode Fuzzy Hash: cdda22d8f56da65a1a7c40899bca6765f91c9e4273633572595e2ce2f69e8562
                            • Instruction Fuzzy Hash: 7CF0ED5544E3D29FE30342345CB11A97F72AD5310930F84DBC5C1DB2A3D5199A5BC372
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D4561 Relevance: .0, Instructions: 32COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1a4be38dde8938babbbefd9ed832dfc3abfbc3fb181daecc095f50dc0415bd8e
                            • Instruction ID: bc8d766a39321e89a093c24150f26c993d8eb783e69b0bbc492bc3b1f4cc5108
                            • Opcode Fuzzy Hash: 1a4be38dde8938babbbefd9ed832dfc3abfbc3fb181daecc095f50dc0415bd8e
                            • Instruction Fuzzy Hash: A4F09B732552654FC3139A29A8955D537599F45660B0100B7EE01CF2A3EB31CC83C7D1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DCA58 Relevance: .0, Instructions: 32COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8958d28820dfc91a1e98d23c630015d932c65e56e1d15e25cf60340126acc354
                            • Instruction ID: dd4234ebc7e3a8309c46e0d05ccef6d35269b2820aff4c8da879213e30395de5
                            • Opcode Fuzzy Hash: 8958d28820dfc91a1e98d23c630015d932c65e56e1d15e25cf60340126acc354
                            • Instruction Fuzzy Hash: 85F0A032A146056BCB10ABB5B804AEEB79E9FC062CB448D39E404CB284EF65DD008BE0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DCDAC Relevance: .0, Instructions: 32COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ab208cd6ef6c6d5f07fd953693df4ce0c585147ccd12bda50eba54316d64b6ca
                            • Instruction ID: df5028e4b3f09e31844b48fbf015acbacb532f412c4c3e116fe5c253069eb6af
                            • Opcode Fuzzy Hash: ab208cd6ef6c6d5f07fd953693df4ce0c585147ccd12bda50eba54316d64b6ca
                            • Instruction Fuzzy Hash: 68F030323500244BDB18AB7DE454B6E37ABAFC9B11F1044AAE109CB7A5CD75DC018BD5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D8152 Relevance: .0, Instructions: 31COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 982dae770518f863355b904ee18d2d824932112ae21b26c6afd14970f9c12a5b
                            • Instruction ID: 4afe59853a3e43cc147397ce838090457e9a164a3fb8bbf1ee9d4db7c4d9f05e
                            • Opcode Fuzzy Hash: 982dae770518f863355b904ee18d2d824932112ae21b26c6afd14970f9c12a5b
                            • Instruction Fuzzy Hash: F3E09233B483425FEB2019A5B8D13E97763DBE1335FA0027AD04C8B5C3DA73488B8650
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DAB10 Relevance: .0, Instructions: 31COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a6a03d81cff633795fc33c6c0f8fc7c8bcb43d8b3bf649578ec21d66f7ed98dd
                            • Instruction ID: f8354382cafaa4394f530954c11d60149cf62778f1ef9485934c6013e8038a14
                            • Opcode Fuzzy Hash: a6a03d81cff633795fc33c6c0f8fc7c8bcb43d8b3bf649578ec21d66f7ed98dd
                            • Instruction Fuzzy Hash: 90E04F337041145BA778B23BBD10E7B62CF9BC1664B4988399909EB295DEA09C0387A4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D4570 Relevance: .0, Instructions: 30COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 070a4e661ab126d08e305899b3ebabddb9089d6a803df3b2bcc0fefc7f7e5802
                            • Instruction ID: ae74c1131e22cf9811696efc0b4f154015411b22135ed2ff4606735fbb2d1546
                            • Opcode Fuzzy Hash: 070a4e661ab126d08e305899b3ebabddb9089d6a803df3b2bcc0fefc7f7e5802
                            • Instruction Fuzzy Hash: C8E0D8333442284BC3109A7DE440AA6739EAF946A4B018077FB00CB360EF32DC41C7D0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D9C88 Relevance: .0, Instructions: 30COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6d462fb1e76f0de40c6016626d28ef4061d3ce795abcbbc9947da6e88d4f06c9
                            • Instruction ID: e48153064a6f47e049d00bcfab23b993cd35ef9a96c06f71aa816e7b95bdaec2
                            • Opcode Fuzzy Hash: 6d462fb1e76f0de40c6016626d28ef4061d3ce795abcbbc9947da6e88d4f06c9
                            • Instruction Fuzzy Hash: 8BF0E5316297614FD7527768A8492CA3B60EB86211F000076D104DF292EA24D90787D6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D8330 Relevance: .0, Instructions: 28COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 09f5122e44ba255743c26bf9f05d8705e2e3fed82001531595f8a6e9e07fa49a
                            • Instruction ID: f93182688fe58afd6d9b7e5a75c9df2cdbd5c2dca12dca35cc10643b6e05a87b
                            • Opcode Fuzzy Hash: 09f5122e44ba255743c26bf9f05d8705e2e3fed82001531595f8a6e9e07fa49a
                            • Instruction Fuzzy Hash: 2CF0A0727842408FD7A1ABB5BA447A53BDEAB12346F880C5AD601E71D2DBA4D4A4DB20
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D40D0 Relevance: .0, Instructions: 27COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e709381a864da656d2c0ae961ae9bcb491b21a6ab49572cc868cdceae1269d0f
                            • Instruction ID: 1361a3c2b3ffaa24b6e7d0d9647dd82f61d04cfe9a157f84da6f269724a19cf7
                            • Opcode Fuzzy Hash: e709381a864da656d2c0ae961ae9bcb491b21a6ab49572cc868cdceae1269d0f
                            • Instruction Fuzzy Hash: 22E03970D513089FCB58EFF4B9196AEBAB8EB46306F1019ACC909A3240DB315960CF51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D4528 Relevance: .0, Instructions: 27COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c1a3ddd1d609752553d0f64bd90d04efb547fcdc3bde419daa49e1a93b00c2d7
                            • Instruction ID: ef63acdc5b1f16d532ea2681ca58a42340ead1af851c36fc17e2686c802c4384
                            • Opcode Fuzzy Hash: c1a3ddd1d609752553d0f64bd90d04efb547fcdc3bde419daa49e1a93b00c2d7
                            • Instruction Fuzzy Hash: C3E086313401142BD214566FAC55F67B6DEDBC9678F554079F208EB3A5CDA2AC0142A5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 06971201 Relevance: .0, Instructions: 27COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.893310562.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6970000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0cd60887a222c0bd6ef4067ccae0c78328f1030c0ba099aa8d3c4a33cdef7a9f
                            • Instruction ID: aaec0b2564838a7d36c2d2f3c66f61d9d977e1e10e91901d389f77627b052534
                            • Opcode Fuzzy Hash: 0cd60887a222c0bd6ef4067ccae0c78328f1030c0ba099aa8d3c4a33cdef7a9f
                            • Instruction Fuzzy Hash: 55E06831A2A3C04BE3B5426441063963BE8EF0262CF28087EE943C6881C3DDE54EC210
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 06970C64 Relevance: .0, Instructions: 27COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.893310562.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6970000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: aa8cbd0f454e0258fe0bb9cb990d6334ff641231f41113ff6d168ecc6be4279c
                            • Instruction ID: 985fe372404d9c64c729bb3ba5152f33010e75d9ecf2d928bb7021da3ab77162
                            • Opcode Fuzzy Hash: aa8cbd0f454e0258fe0bb9cb990d6334ff641231f41113ff6d168ecc6be4279c
                            • Instruction Fuzzy Hash: 98E0D83165175007DBB496A452063A773DCAB4172CF280C2EE847C1C00C7EEE8458254
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DFA00 Relevance: .0, Instructions: 25COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b7b4fc7f6a40667d3f14fd2faa67841a0391ca2b0adba8139f731bbbef0086ee
                            • Instruction ID: 65709a17a3bfe2c3efc95d07a0a094293938e0ad2d1957934e1e3b573fc9c69b
                            • Opcode Fuzzy Hash: b7b4fc7f6a40667d3f14fd2faa67841a0391ca2b0adba8139f731bbbef0086ee
                            • Instruction Fuzzy Hash: 43E0D876F052958FD716AFB8F58554B7B90DF0125870180E2E204DF753D224D9078FC5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 06970512 Relevance: .0, Instructions: 25COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.893310562.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6970000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e748b653e23f7568f0f2a54cbf467b0938496c9ddc9b05be75214fc4c7a34909
                            • Instruction ID: 7a560e7a440d921e3e6b464491e517c27e7820512bc00160cf7bae030aebb129
                            • Opcode Fuzzy Hash: e748b653e23f7568f0f2a54cbf467b0938496c9ddc9b05be75214fc4c7a34909
                            • Instruction Fuzzy Hash: 54F0F23AE002099FDB00CB95E940ACDB7B2EF89324F258222E5057B210E731BA529B90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DCAB0 Relevance: .0, Instructions: 24COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 314d05936f682f078803ddcbc6bd45558512b81a210a1e18a9c68852d1ce8413
                            • Instruction ID: ee4b6fb79b3426eb30105e7cdee81050c1545a53df5f22415a54b517220f0576
                            • Opcode Fuzzy Hash: 314d05936f682f078803ddcbc6bd45558512b81a210a1e18a9c68852d1ce8413
                            • Instruction Fuzzy Hash: A8E0C2667251A20FE359B6E47C517DB3386DB9224871904B5D608CF3D2FA14CC0787D5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 06970E7E Relevance: .0, Instructions: 24COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.893310562.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6970000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 44b082c27533d2a9c26d6ff26a67f845be1e8c301f8f51b71cc07c1b11b4ac0a
                            • Instruction ID: c282e33afa52d7af578d3ed714a62347ae819613705aeda2bf7bdd6804440f95
                            • Opcode Fuzzy Hash: 44b082c27533d2a9c26d6ff26a67f845be1e8c301f8f51b71cc07c1b11b4ac0a
                            • Instruction Fuzzy Hash: 21F0A535A00218CFCF49DB94D8849ECB3B6FF88218B154895E815AB765DB36ED51CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D41E9 Relevance: .0, Instructions: 21COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4344535a0fce951bf26c8470ffb6e8bd195e7d705d0dd6b7800d358ae357ce11
                            • Instruction ID: 97f99659da6fbb3e44f8e2002782d5105ad91f78f44208c1c96f0770e3166c85
                            • Opcode Fuzzy Hash: 4344535a0fce951bf26c8470ffb6e8bd195e7d705d0dd6b7800d358ae357ce11
                            • Instruction Fuzzy Hash: ACD02E627880B00FC38221A878426DF3B4ACAC0350384C0ABE644CB28BC8288C0383E3
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D9C98 Relevance: .0, Instructions: 20COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3231cbf1d7fa64f714c4b7db2325b3c6631ecf3ccd69d65d5008f19f5db38346
                            • Instruction ID: 835d7ca5fcfd02eee80e1a3b237dcf2d658eb4c032fa374301110ce2cc2c27dd
                            • Opcode Fuzzy Hash: 3231cbf1d7fa64f714c4b7db2325b3c6631ecf3ccd69d65d5008f19f5db38346
                            • Instruction Fuzzy Hash: 44E0C231A01B148BD7507BB8F80879B37A8EB86326F004175E209AB354EE39D94587E2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 06970261 Relevance: .0, Instructions: 20COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.893310562.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6970000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b1b9e69bb35f5e57024e60b0f340d76015dfd1db99eb52cdde683666b3122f25
                            • Instruction ID: 73b036b0e2122b68b36c7bf9499bc7d29d11c9f6993a804310114d12f595844f
                            • Opcode Fuzzy Hash: b1b9e69bb35f5e57024e60b0f340d76015dfd1db99eb52cdde683666b3122f25
                            • Instruction Fuzzy Hash: 00D0A97165D3859FEB522A742C1A2643F22DB02104F1800AFE286EA083CA69E9068352
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DFA10 Relevance: .0, Instructions: 19COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 81c5d77c335942cb222660c529cbd91a99829711496deada32b4f78ac92f06a3
                            • Instruction ID: cf5514730e08cb943e1018f3938ef92a3d8865c6ec79961f741255a1ca43175b
                            • Opcode Fuzzy Hash: 81c5d77c335942cb222660c529cbd91a99829711496deada32b4f78ac92f06a3
                            • Instruction Fuzzy Hash: B8D0C231B002188B8720BBB9F400606B3C8DB0129870040A0E208DB701C624EC028BC5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D5497 Relevance: .0, Instructions: 14COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 760fed9e4f68f7a059af1b57e3c920d7f724647f2b9fd2c2c0ad5360e285b648
                            • Instruction ID: 68dc1a8e45adbf69e0698cb91856c8d59a6a86b013d569790e5bd929b2b97020
                            • Opcode Fuzzy Hash: 760fed9e4f68f7a059af1b57e3c920d7f724647f2b9fd2c2c0ad5360e285b648
                            • Instruction Fuzzy Hash: EBD01731E0531CCEEB18CBA0D4183ADB3B2FB8431EFA0486DC00ABA294CB359845CB11
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 06970270 Relevance: .0, Instructions: 13COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.893310562.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6970000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bbe990a0979134a2541b77d4c2ce93072610e5f3d25385398a5b02586ec3a693
                            • Instruction ID: 77e6f435b3ddecb9fa233c96ed5514a5687cc56b65411b1634108adfb9f33317
                            • Opcode Fuzzy Hash: bbe990a0979134a2541b77d4c2ce93072610e5f3d25385398a5b02586ec3a693
                            • Instruction Fuzzy Hash: DEB092352543089BDB9826B4A90BB263B9DE748A00F50442AB30A991859EBAA8104654
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 069709E0 Relevance: .0, Instructions: 9COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.893310562.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_6970000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 18d7602642cb2ed6fec85d908f3802a39fe71ab3bbaf916e79b39cdaf7f4a056
                            • Instruction ID: 6ff0049c3c95c5b357ae9be10dd2cf1487db6618e6d56180c020531bcec0372e
                            • Opcode Fuzzy Hash: 18d7602642cb2ed6fec85d908f3802a39fe71ab3bbaf916e79b39cdaf7f4a056
                            • Instruction Fuzzy Hash: A7B012333113184B9718F7757C0002A325F5BC120C3488CBD500D0B200DC36A841C590
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Non-executed Functions

                            Function 023D707D Relevance: .8, Instructions: 807COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1ea77b6652fd0a030cbf16592ae54047812c506ed7adc91ac40d7a79f0bff268
                            • Instruction ID: 90e4b682207767a0cacf1c307e2225404f0140d290b09addb2383cfe08135f86
                            • Opcode Fuzzy Hash: 1ea77b6652fd0a030cbf16592ae54047812c506ed7adc91ac40d7a79f0bff268
                            • Instruction Fuzzy Hash: EF829D75A412288FCB64DF24D890BEEF7B2BB89304F5195D6C909A7345DB70AE81CF84
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023D712A Relevance: .5, Instructions: 539COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 62a2c2dc647f27612489b791b2f9426c3bc06b79831fbf93eb1b68a08c662df3
                            • Instruction ID: 33e05c77a31c189ef30b9a6a6cb769cdc71af5a673e4a913bd15c15a7717ee01
                            • Opcode Fuzzy Hash: 62a2c2dc647f27612489b791b2f9426c3bc06b79831fbf93eb1b68a08c662df3
                            • Instruction Fuzzy Hash: B7428E75E452288FDB64DF24D890BEEB7B2AF89304F5085EAC949A7354DB315E81CF80
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 023DD07C Relevance: .3, Instructions: 265COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000001.00000002.880837668.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_23d0000_evilnominatuscrypto.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2420a4f03c44f3f0c3d9e2759a6c413751f9ac9fd6e3e898dfab31cbe494bb3a
                            • Instruction ID: c42b7a8a8353335e1baffd9678bde3d3a267733c8225a1177f29c584dee05a00
                            • Opcode Fuzzy Hash: 2420a4f03c44f3f0c3d9e2759a6c413751f9ac9fd6e3e898dfab31cbe494bb3a
                            • Instruction Fuzzy Hash: E8A18E36E002098FCF15DFB5D8845DDBBB6FF88304B15856AE806BB260EB35A915CF40
                            Uniqueness

                            Uniqueness Score: -1.00%