Windows Analysis Report
evilnominatuscrypto

Overview

General Information

Sample Name: evilnominatuscrypto (renamed file extension from none to exe)
Analysis ID: 572441
MD5: 7cdf50ee4f3d0febc70dd36298ed07da
SHA1: 0170c2deae4486a43894c202ea92d43556218e1c
SHA256: 69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef
Tags: evilnominatuscrypto, exe, filecoder, msil, ransomware, screenlocker

Detection

Voidcrypt
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Yara detected Voidcrypt Ransomware
Sigma detected: Copying Sensitive Files with Credential Data
Creates files in the recycle bin to hide itself
Obfuscated command line found
Deletes shadow drive data (may be related to ransomware)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Sample file is different than original file name gathered from version info
Deletes files inside the Windows folder
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Abnormal high CPU Usage
Enables debug privileges

Classification

  • System is w10x64
  • evilnominatuscrypto.exe (PID: 6516 cmdline: "C:\Users\user\Desktop\evilnominatuscrypto.exe" MD5: 7CDF50EE4F3D0FEBC70DD36298ED07DA)
    • cmd.exe (PID: 6832 cmdline: "C:\Windows\System32\cmd.exe" /C echo ^[autorun^] >autorun.inf MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6956 cmdline: "C:\Windows\System32\cmd.exe" /C echo ^open^=KasperskyScan^.exe >>autorun.inf MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 7004 cmdline: "C:\Windows\System32\cmd.exe" /C echo ^execute=^KasperskyScan^.exe >>autorun.inf MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 7016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 7052 cmdline: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && wmic shadowcopy delete MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • vssadmin.exe (PID: 7092 cmdline: vssadmin delete shadows /all /quiet MD5: 7E30B94672107D3381A1D175CF18C147)
  • OpenWith.exe (PID: 5772 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: D179D03728E95E040A889F760C1FC402)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
evilnominatuscrypto.exe | Destructive_Ransomware_Gen1 | Detects destructive malware | Florian Roth | 0x492a:$x2: delete shadows /all /quiet

Source | Rule | Description | Author | Strings
00000001.00000002.880899143.0000000002421000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Voidcrypt | Yara detected Voidcrypt Ransomware | Joe Security |
Process Memory Space: evilnominatuscrypto.exe PID: 6516 | JoeSecurity_Voidcrypt | Yara detected Voidcrypt Ransomware | Joe Security |

Source | Rule | Description | Author | Strings
1.2.evilnominatuscrypto.exe.170000.0.unpack | Destructive_Ransomware_Gen1 | Detects destructive malware | Florian Roth | 0x492a:$x2: delete shadows /all /quiet
1.0.evilnominatuscrypto.exe.170000.0.unpack | Destructive_Ransomware_Gen1 | Detects destructive malware | Florian Roth | 0x492a:$x2: delete shadows /all /quiet

System Summary

Source: Process started; Author: Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades); Data: Command: vssadmin delete shadows /all /quiet, CommandLine: vssadmin delete shadows /all /quiet, CommandLine|base64offset|contains: vh, Image: C:\Windows\SysWOW64\vssadmin.exe, NewProcessName: C:\Windows\SysWOW64\vssadmin.exe, OriginalFileName: C:\Windows\SysWOW64\vssadmin.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && wmic shadowcopy delete, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7052, ProcessCommandLine: vssadmin delete shadows /all /quiet, ProcessId: 7092
Source: Process started; Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community; Data: Command: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && wmic shadowcopy delete, CommandLine: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && wmic shadowcopy delete, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\evilnominatuscrypto.exe", ParentImage: C:\Users\user\Desktop\evilnominatuscrypto.exe, ParentProcessId: 6516, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && wmic shadowcopy delete, ProcessId: 7052
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\cmd.exe" /C echo ^[autorun^] >autorun.inf, CommandLine: "C:\Windows\System32\cmd.exe" /C echo ^[autorun^] >autorun.inf, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\evilnominatuscrypto.exe", ParentImage: C:\Users\user\Desktop\evilnominatuscrypto.exe, ParentProcessId: 6516, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C echo ^[autorun^] >autorun.inf, ProcessId: 6832

AV Detection

Source: evilnominatuscrypto.exe; Virustotal: Detection: 51%
Source: evilnominatuscrypto.exe; Metadefender: Detection: 29%
Source: evilnominatuscrypto.exe; ReversingLabs: Detection: 44%
Source: evilnominatuscrypto.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: evilnominatuscrypto.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: d:\again\SharpDevelop Projects\RInjector\TRS\obj\Debug\EvilNominatusCrypto.pdb; source: evilnominatuscrypto.exe, evilnominatuscrypto.exe, 00000001.00000000.344369361.0000000000172000.00000002.00000001.01000000.00000003.sdmp
Source: C:\Windows\System32\OpenWith.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\System32\OpenWith.exe; File opened: C:\Users\user\AppData\Local\Microsoft
Source: C:\Windows\System32\OpenWith.exe; File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\OpenWith.exe; File opened: C:\Users\user
Source: C:\Windows\System32\OpenWith.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer
Source: C:\Windows\System32\OpenWith.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Windows
Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://fontfabrik.com
Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: evilnominatuscrypto.exe, 00000001.00000002.892448776.0000000005380000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.comld
Source: evilnominatuscrypto.exe, 00000001.00000002.892448776.0000000005380000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.comm
Source: evilnominatuscrypto.exe, 00000001.00000002.892448776.0000000005380000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.comv
Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fonts.com
Source: evilnominatuscrypto.exe, 00000001.00000003.358287424.000000000539A000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: evilnominatuscrypto.exe, 00000001.00000003.358651789.000000000539A000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000003.358113326.0000000005395000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000003.357784973.0000000005395000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000003.357597980.0000000005392000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000003.358231059.0000000005396000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000003.358287424.000000000539A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn-%
Source: evilnominatuscrypto.exe, 00000001.00000003.358113326.0000000005395000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000003.357784973.0000000005395000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000003.357597980.0000000005392000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/_$
Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: evilnominatuscrypto.exe, 00000001.00000003.361520866.000000000538D000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sakkal.com
Source: evilnominatuscrypto.exe, 00000001.00000003.356657263.0000000005394000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: evilnominatuscrypto.exe, 00000001.00000003.356657263.0000000005394000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sandoll.co.krim
Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.tiro.com
Source: evilnominatuscrypto.exe, 00000001.00000003.358343551.00000000053B5000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000003.358456672.00000000053B6000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000003.358185463.00000000053B5000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000003.358058935.00000000053B6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.tiro.com8
Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.typography.netD
Source: evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: evilnominatuscrypto.exe, 00000001.00000003.358651789.000000000539A000.00000004.00000800.00020000.00000000.sdmp, evilnominatuscrypto.exe, 00000001.00000002.892987211.0000000006592000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: evilnominatuscrypto.exe, 00000001.00000003.358651789.000000000539A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.zhongyicts.com.cnva

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match; File source: 00000001.00000002.880899143.0000000002421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: evilnominatuscrypto.exe PID: 6516, type: MEMORYSTR
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && wmic shadowcopy delete
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && wmic shadowcopy delete
Source: evilnominatuscrypto.exe; Binary or memory string: vssadmin delete shadows /all /quiet && wmic shadowcopy delete
Source: evilnominatuscrypto.exe, 00000001.00000002.893504133.0000000007120000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && wmic shadowcopy delete
Source: evilnominatuscrypto.exe, 00000001.00000000.344369361.0000000000172000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: autorun.inf{vssadmin delete shadows /all /quiet && wmic shadowcopy deletegLoading please wait.... don't turn on the antivirus
Source: evilnominatuscrypto.exe, 00000001.00000002.879977207.0000000000680000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && wmic shadowcopy deleteSC:\Windows\System32\cmd.exeWinsta0\DefaultLLU=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Inputs\CurrentVersion\Policies\ExplorerommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=4OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program File\\REGISTRY\MACHINE\Software\WOW6432N\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Inputrogram Filesc
Source: evilnominatuscrypto.exe, 00000001.00000002.880899143.0000000002421000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: m=vssadmin delete shadows /all /quiet && wmic shadowcopy delete
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin delete shadows /all /quiet
Source: cmd.exe, 0000000B.00000002.398098474.0000000002E50000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && wmic shadowcopy deleteC:\Windows\System32\cmd.exeWinsta0\Default:
Source: cmd.exe, 0000000B.00000002.398098474.0000000002E50000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\vssadmin.exexevssadmin delete shadows /all /quiet ffvssadmin delete shadows /all /quiet Winsta0\DefaultROF=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommon\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySideierss\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=4OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x\Regi\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\Modules;C:\g

System Summary

Source: evilnominatuscrypto.exe, type: SAMPLE; Matched rule: Detects destructive malware; Author: Florian Roth
Source: 1.2.evilnominatuscrypto.exe.170000.0.unpack, type: UNPACKEDPE; Matched rule: Detects destructive malware; Author: Florian Roth
Source: 1.0.evilnominatuscrypto.exe.170000.0.unpack, type: UNPACKEDPE; Matched rule: Detects destructive malware; Author: Florian Roth
Source: evilnominatuscrypto.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: evilnominatuscrypto.exe, type: SAMPLE; Matched rule: Destructive_Ransomware_Gen1 date = 2018-02-12, hash1 = ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85, author = Florian Roth, description = Detects destructive malware, reference = http://blog.talosintelligence.com/2018/02/olympic-destroyer.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.evilnominatuscrypto.exe.170000.0.unpack, type: UNPACKEDPE; Matched rule: Destructive_Ransomware_Gen1 date = 2018-02-12, hash1 = ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85, author = Florian Roth, description = Detects destructive malware, reference = http://blog.talosintelligence.com/2018/02/olympic-destroyer.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.evilnominatuscrypto.exe.170000.0.unpack, type: UNPACKEDPE; Matched rule: Destructive_Ransomware_Gen1 date = 2018-02-12, hash1 = ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85, author = Florian Roth, description = Detects destructive malware, reference = http://blog.talosintelligence.com/2018/02/olympic-destroyer.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: evilnominatuscrypto.exe, 00000001.00000002.880899143.0000000002421000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename vs evilnominatuscrypto.exe
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; File deleted: C:\Windows\crx\getPagesSource.js.bak
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; Code function: 1_2_023D3880
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; Code function: 1_2_023D69EA
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; Code function: 1_2_023D707D
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; Code function: 1_2_023DD07C
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; Code function: 1_2_023D712A
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; Code function: 1_2_06972011
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; Process Stats: CPU usage > 98%
Source: evilnominatuscrypto.exe; Virustotal: Detection: 51%
Source: evilnominatuscrypto.exe; Metadefender: Detection: 29%
Source: evilnominatuscrypto.exe; ReversingLabs: Detection: 44%
Source: evilnominatuscrypto.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: unknown; Process created: C:\Users\user\Desktop\evilnominatuscrypto.exe "C:\Users\user\Desktop\evilnominatuscrypto.exe"
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C echo ^[autorun^] >autorun.inf
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C echo ^open^=KasperskyScan^.exe >>autorun.inf
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C echo ^execute=^KasperskyScan^.exe >>autorun.inf
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && wmic shadowcopy delete
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin delete shadows /all /quiet
Source: unknown; Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C echo ^[autorun^] >autorun.inf
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C echo ^open^=KasperskyScan^.exe >>autorun.inf
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C echo ^execute=^KasperskyScan^.exe >>autorun.inf
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && wmic shadowcopy delete
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6968:120:WilError_01
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7016:120:WilError_01
Source: C:\Windows\System32\OpenWith.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5772:120:WilError_01
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6912:120:WilError_01
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7060:120:WilError_01
Source: C:\Windows\SysWOW64\cmd.exe; File created: C:\Users\user\Desktop\autorun.inf
Source: classification engine; Classification label: mal88.rans.evad.winEXE@16/4@0/0
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; File read: C:\Users\user\Desktop\desktop.ini
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: evilnominatuscrypto.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: evilnominatuscrypto.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: evilnominatuscrypto.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: d:\again\SharpDevelop Projects\RInjector\TRS\obj\Debug\EvilNominatusCrypto.pdb; source: evilnominatuscrypto.exe, evilnominatuscrypto.exe, 00000001.00000000.344369361.0000000000172000.00000002.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C echo ^[autorun^] >autorun.inf
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C echo ^open^=KasperskyScan^.exe >>autorun.inf
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C echo ^execute=^KasperskyScan^.exe >>autorun.inf
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C echo ^[autorun^] >autorun.inf
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C echo ^open^=KasperskyScan^.exe >>autorun.inf
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C echo ^execute=^KasperskyScan^.exe >>autorun.inf
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini-Locked
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Access 2016.lnk-Locked
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Acrobat Reader DC.lnk-Locked
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini-Locked
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Excel 2016.lnk-Locked
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Google Chrome.lnk-Locked
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\OneDrive for Business.lnk-Locked
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\OneNote 2016.lnk-Locked
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Outlook 2016.lnk-Locked
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\PowerPoint 2016.lnk-Locked
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Publisher 2016.lnk-Locked
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Word 2016.lnk-Locked
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\Desktop.ini-Locked
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe; File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\desktop.ini-Locked
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Paint.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Wordpad.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Examples.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\About Java.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Check For Updates.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Configure Java.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Get Help.url-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Visit Java.com.url-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\desktop.ini-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Desktop.ini-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\01 - File Explorer.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\03 - Documents.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\04 - Downloads.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\05 - Music.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\06 - Pictures.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\07 - Videos.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\08 - Homegroup.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\09 - Network.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\10 - UserProfile.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\desktop.ini-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Immersive Control Panel.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Skype for Business 2016.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\Speech Recognition.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Math Input Panel.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Quick Assist.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Snipping Tool.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Steps Recorder.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Windows Fax and Scan.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Windows Media Player.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\Character Map.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\desktop.ini-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Component Services.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\dfrgui.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Disk Cleanup.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Event Viewer.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\iSCSI Initiator.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Print Management.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\RecoveryDrive.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Resource Monitor.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\services.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\System Information.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Task Scheduler.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\AutoIt Help File.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\AutoIt Window Info (x64).lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\AutoIt Window Info (x86).lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Check For Updates.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Compile Script to .exe (x64).lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Compile Script to .exe (x86).lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Run Script (x64).lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Run Script (x86).lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\SciTE Script Editor.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\AutoIt v3 Website.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\Browse Extras.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\desktop.ini-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Task Manager.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Computer Management.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Memory Diagnostics Tool.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\ODBC Data Sources (32-bit).lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\ODBC Data Sources (64-bit).lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Performance Monitor.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Security Configuration Management.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\System Configuration.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\AutoItX\AutoItX Help File.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\AutoItX\VBScript Examples.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\Database Compare 2016.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\Office 2016 Upload Center.lnk-LockedJump to behavior
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\Spreadsheet Compare 2016.lnk-LockedJump to behavior

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Users\user\Desktop\evilnominatuscrypto.exe | File created: C:\$Recycle.Bin\S-1-5-18\desktop.ini-Locked
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData
      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Microsoft
      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local
      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user
      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer
      Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Windows
Source: evilnominatuscrypto.exe, 00000001.00000003.687785447.000000000F077000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: mxC:\\Windows\WinSxS\amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.17134.1_none_e636218254eba71f\vfpext.sys
Source: evilnominatuscrypto.exe, 00000001.00000003.684484684.000000000DF4E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: m\wow64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.17134.1_none_c77057abb7bb
Source: evilnominatuscrypto.exe, 00000001.00000003.687785447.000000000F077000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: mpC:\Windows\WinSxS\amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.17134.1_none_e636218254eba71f\*.*
Source: evilnominatuscrypto.exe, 00000001.00000003.687785447.000000000F077000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: myC:\\Windows\WinSxS\amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.17134.1_none_e636218254eba71f\vfpctrl.exe
Source: evilnominatuscrypto.exe, 00000001.00000003.687785447.000000000F077000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: mxC:\\Windows\WinSxS\amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.17134.1_none_e636218254eba71f\vfpapi.dll
Source: evilnominatuscrypto.exe, 00000001.00000003.684484684.000000000DF4E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: mnC:\Windows\WinSxS\wow64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.17134.1_none_c77057abb7bb80d3
Source: evilnominatuscrypto.exe, 00000001.00000003.687785447.000000000F077000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: mnC:\Windows\WinSxS\amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.17134.1_none_e636218254eba71f\.
Source: evilnominatuscrypto.exe, 00000001.00000003.684484684.000000000DF4E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: moC:\\Windows\WinSxS\wow64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.17134.1_none_c77057abb7bb80d3P#
Source: evilnominatuscrypto.exe, 00000001.00000003.687785447.000000000F077000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: mnC:\Windows\WinSxS\amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.17134.1_none_e636218254eba71f\*
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C echo ^[autorun^] >autorun.inf
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C echo ^open^=KasperskyScan^.exe >>autorun.inf
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C echo ^execute=^KasperskyScan^.exe >>autorun.inf
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && wmic shadowcopy delete
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe | Queries volume information: C:\Users\user\Desktop\evilnominatuscrypto.exe VolumeInformation
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\evilnominatuscrypto.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
      Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
      Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
      Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
      Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
      Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
      Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11712.1001.23.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.scale-200.png VolumeInformation
      Source: C:\Users\user\Desktop\evilnominatuscrypto.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (techniques listed per tactic; the numbers shown in the report are kept in parentheses after the technique they belong to):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Command and Scripting Interpreter (1); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
Persistence: Registry Run Keys / Startup Folder (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Process Injection (11); Registry Run Keys / Startup Folder (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Process Injection (11); Deobfuscate/Decode Files or Information (1); Hidden Files and Directories (1); File Deletion (11)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Query Registry (1); Security Software Discovery (1); File and Directory Discovery (2); System Information Discovery (12); Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: Modify System Partition; Device Lockout; Delete Device Data
Behavior Graph (ID 572441; sample: evilnominatuscrypto; start date: 15/02/2022; architecture: WINDOWS; score: 88). Top-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Voidcrypt Ransomware; 3 other signatures. Process tree: evilnominatuscrypto.exe and OpenWith.exe were started. evilnominatuscrypto.exe (signatures: Obfuscated command line found; Creates files in the recycle bin to hide itself; Deletes shadow drive data (may be related to ransomware)) started four cmd.exe instances. The first cmd.exe (signature: Deletes shadow drive data (may be related to ransomware)) started conhost.exe and vssadmin.exe; the other three cmd.exe instances each started conhost.exe.

Antivirus detection for the submitted file:

Source | Detection | Scanner | Label
evilnominatuscrypto.exe | 51% | Virustotal |
evilnominatuscrypto.exe | 29% | Metadefender |
evilnominatuscrypto.exe | 44% | ReversingLabs | ByteCode-MSIL.Ransomware.WannaCry

No Antivirus matches
URL reputation for strings found in the sample:

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com8 | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.zhongyicts.com.cnva | 0% | URL Reputation | safe
http://www.fontbureau.comld | 0% | URL Reputation | safe
http://www.fontbureau.comm | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.sandoll.co.krim | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.fontbureau.comv | 0% | URL Reputation | safe
http://www.founder.com.cn/cn-% | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/_$ | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
      No contacted domains info
                          No contacted IP infos
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 572441
Start date: 15.02.2022
Start time: 10:00:59
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 50s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: evilnominatuscrypto (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 33
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal88.rans.evad.winEXE@16/4@0/0
EGA Information: Failed
HDC Information:
                          • Successful, ratio: 0.1% (good quality ratio 0%)
                          • Quality average: 56%
                          • Quality standard deviation: 39.6%
                          HCA Information:
                          • Successful, ratio: 99%
                          • Number of executed functions: 0
                          • Number of non-executed functions: 0
                          Cookbook Comments:
                          • Adjust boot time
                          • Enable AMSI
                          • Override analysis time to 240s for sample files taking high CPU consumption
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, VSSVC.exe, svchost.exe, wuapihost.exe
                          • Excluded IPs from analysis (whitelisted): 23.211.6.115
                          • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                          • Execution Graph export aborted for target evilnominatuscrypto.exe, PID 6516 because it is empty
• Not all processes were analyzed; report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                          • Report size getting too big, too many NtCreateFile calls found.
                          • Report size getting too big, too many NtOpenFile calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryAttributesFile calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
                          • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
10:05:25 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini-Locked
10:05:35 | API Interceptor | 1x Sleep call for process: OpenWith.exe modified
                          No context
                          Process:C:\Windows\System32\OpenWith.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):7416
                          Entropy (8bit):0.020297149862451055
                          Encrypted:false
                          SSDEEP:3:tn1lIlF:y
                          MD5:B710BC2FE0046515794A3E2977E9A15E
                          SHA1:833EF452338434B5EB757F488DC7E993F9391C82
                          SHA-256:2B79AF0DD12B22F34483108837981FBBADBB604367FCDA8B0A41807E8049A62E
                          SHA-512:33C446E80358AFDACE96A393E13B5A76FDE58B7D60B17FF74FD6B2E8D1C69C685C9893295D57376F57D4BA4DFF2824DED5D23638CB26A160AAA4A429557E0093
                          Malicious:false
                          Reputation:low
                          Preview:..0 IMMM ...............e...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\OpenWith.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):24
                          Entropy (8bit):1.408222675578688
                          Encrypted:false
                          SSDEEP:3:d:d
                          MD5:419A089E66B9E18ADA06C459B000CB4D
                          SHA1:ED2108A58BA73AC18C3D2BF0D8C1890C2632B05A
                          SHA-256:C48E42E9AB4E25B92C43A7B0416D463B9FF7C69541E4623A39513BC98085F424
                          SHA-512:BBD57BEA7159748E1B13B3E459E2C8691A46BDC9323AFDB9DBF9D8F09511750D46A1D98C717C7ADCA07D79EDC859E925476DD03231507F37F45775C0A79A593C
                          Malicious:false
                          Preview:CMMM ...................
                          Process:C:\Windows\System32\OpenWith.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):7416
                          Entropy (8bit):0.020297149862451055
                          Encrypted:false
                          SSDEEP:3:tn1lIlF:y
                          MD5:B710BC2FE0046515794A3E2977E9A15E
                          SHA1:833EF452338434B5EB757F488DC7E993F9391C82
                          SHA-256:2B79AF0DD12B22F34483108837981FBBADBB604367FCDA8B0A41807E8049A62E
                          SHA-512:33C446E80358AFDACE96A393E13B5A76FDE58B7D60B17FF74FD6B2E8D1C69C685C9893295D57376F57D4BA4DFF2824DED5D23638CB26A160AAA4A429557E0093
                          Malicious:false
                          Preview:..0 IMMM ...............e...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\SysWOW64\cmd.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:modified
                          Size (bytes):65
                          Entropy (8bit):4.255167483172791
                          Encrypted:false
                          SSDEEP:3:ItI6dFOcNt1HjWVFOcNtv:eIG1KVFv
                          MD5:FBEFA88E6B51C05DD63D97DFDBEB3589
                          SHA1:67E09918D878C6615BEFAB5DC9194439027F268D
                          SHA-256:3861ACEDFFD29452D2FDB96728F7347652BDE9353915D3873A7414843F49B8B1
                          SHA-512:58F8C1A64F2EB21BE7B96DB335D1ADE0CE0878566A8386B3689B650132CA28E14761B20FDFE50F2AF9915DFF2BDD3A5B07F6F3ED082E4E6998EC5F0CD052F12F
                          Malicious:false
                          Preview:[autorun] ..open=KasperskyScan.exe ..execute=KasperskyScan.exe ..
                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):4.218587302420799
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                          • Win32 Executable (generic) a (10002005/4) 49.78%
                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                          • Win16/32 Executable Delphi generic (2074/23) 0.01%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          File name:evilnominatuscrypto.exe
                          File size:32768
                          MD5:7cdf50ee4f3d0febc70dd36298ed07da
                          SHA1:0170c2deae4486a43894c202ea92d43556218e1c
                          SHA256:69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef
                          SHA512:370023f24390173044b2b32546b5ff68bc8786edfcd8784d0adfb9cede550d40a744df184303ccd16f277595d319671445e5f1c070f0e453d1b94b1dc70d7a28
                          SSDEEP:384:AjdXpgpMf76oJgkB4nokwFwA4Ep/0VUx/Nx9DPxmB++6iCjGnLBs0Rr:adZgpCOagkBRp/0ut9Y++6iCjs2wr
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...<..b.................P... ......>i... ........... ....................................`................................
                          Icon Hash:00828e8e8686b000
                          Entrypoint:0x693e
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x0
                          Subsystem:windows gui
                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                          Time Stamp:0x6209133C [Sun Feb 13 14:18:36 2022 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:v4.0.30319
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                          Instruction
                          jmp dword ptr [00002000h]
add byte ptr [eax], al
(the instruction above repeats 97 times: the bytes following the entrypoint jmp stub are zeros, which disassemble as `add byte ptr [eax], al`)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x68ec | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8000 | 0x820 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x67b4 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x4944 | 0x5000 | False | 0.504150390625 | data | 5.53179387013 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x8000 | 0x820 | 0x1000 | False | 0.229248046875 | data | 3.05099161152 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xa000 | 0xc | 0x1000 | False | 0.0087890625 | data | 0.0131269437212 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x80a0 | 0x2ec | data | |
RT_MANIFEST | 0x8390 | 0x489 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2022
Assembly Version | 1.0.8079.11358
InternalName | EvilNominatusCrypto.exe
FileVersion | 1.0.8079.11358
ProductName | TRS
ProductVersion | 1.0.8079.11358
FileDescription | TRS
OriginalFilename | EvilNominatusCrypto.exe
                          No network behavior found


                          Target ID:1
                          Start time:10:01:56
                          Start date:15/02/2022
                          Path:C:\Users\user\Desktop\evilnominatuscrypto.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\evilnominatuscrypto.exe"
                          Imagebase:0x170000
                          File size:32768 bytes
                          MD5 hash:7CDF50EE4F3D0FEBC70DD36298ED07DA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: JoeSecurity_Voidcrypt, Description: Yara detected Voidcrypt Ransomware, Source: 00000001.00000002.880899143.0000000002421000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low

                          Target ID:5
                          Start time:10:02:12
                          Start date:15/02/2022
                          Path:C:\Windows\SysWOW64\cmd.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\System32\cmd.exe" /C echo ^[autorun^] >autorun.inf
                          Imagebase:0x2a0000
                          File size:232960 bytes
                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:6
                          Start time:10:02:14
                          Start date:15/02/2022
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff61de10000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:7
                          Start time:10:02:15
                          Start date:15/02/2022
                          Path:C:\Windows\SysWOW64\cmd.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\System32\cmd.exe" /C echo ^open^=KasperskyScan^.exe >>autorun.inf
                          Imagebase:0x2a0000
                          File size:232960 bytes
                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:8
                          Start time:10:02:16
                          Start date:15/02/2022
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff61de10000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:9
                          Start time:10:02:17
                          Start date:15/02/2022
                          Path:C:\Windows\SysWOW64\cmd.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\System32\cmd.exe" /C echo ^execute=^KasperskyScan^.exe >>autorun.inf
                          Imagebase:0x2a0000
                          File size:232960 bytes
                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:10
                          Start time:10:02:18
                          Start date:15/02/2022
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff61de10000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:11
                          Start time:10:02:19
                          Start date:15/02/2022
                          Path:C:\Windows\SysWOW64\cmd.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && wmic shadowcopy delete
                          Imagebase:0x2a0000
                          File size:232960 bytes
                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:12
                          Start time:10:02:19
                          Start date:15/02/2022
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff61de10000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:13
                          Start time:10:02:20
                          Start date:15/02/2022
                          Path:C:\Windows\SysWOW64\vssadmin.exe
                          Wow64 process (32bit):true
                          Commandline:vssadmin delete shadows /all /quiet
                          Imagebase:0xca0000
                          File size:110592 bytes
                          MD5 hash:7E30B94672107D3381A1D175CF18C147
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:moderate

                          Target ID:30
                          Start time:10:05:34
                          Start date:15/02/2022
                          Path:C:\Windows\System32\OpenWith.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\OpenWith.exe -Embedding
                          Imagebase:0x7ff730d40000
                          File size:111120 bytes
                          MD5 hash:D179D03728E95E040A889F760C1FC402
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          No disassembly