Windows Analysis Report
lQao7mmqva.exe

Overview

General Information

Sample name:	lQao7mmqva.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name:	33d43a6f5930c25e3f0fb7656d716d6323fee5de0d6c877a2806ae7a43c8a94d
Analysis ID:	1502152
MD5:	9ca62be8cc46eb148f6d758e41e65f50
SHA1:	c0299514ef98f3ba819380a43ca6376d912a4a69
SHA256:	33d43a6f5930c25e3f0fb7656d716d6323fee5de0d6c877a2806ae7a43c8a94d
Infos:

Detection

Score:	45
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

May drop file containing decryption instructions (likely related to ransomware)

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: lQao7mmqva.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: lQao7mmqva.exe	ReversingLabs: Detection: 58%
Source: lQao7mmqva.exe	Virustotal: Detection: 53%			Perma Link

Uses 32bit PE files

Source: lQao7mmqva.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: lQao7mmqva.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Source: unknown

DNS traffic detected: query: 18.31.95.13.in-addr.arpa replaycode: Name error (3)

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa

Spam, unwanted Advertisements and Ransom Demands

May drop file containing decryption instructions (likely related to ransomware)

Source: lQao7mmqva.exe, 00000000.00000002.3328798965.00000000068CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000002.3328798965.00000000068CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000002.3328798965.00000000068CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000002.3328798965.00000000068CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000002.3328798965.00000000068CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000002.3328798965.00000000068CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000003.3254474048.00000000068CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000003.3254474048.00000000068CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000002.3327650745.0000000000F70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000002.3327650745.0000000000F70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000003.3277063594.00000000068CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000003.3277063594.00000000068CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000003.3277063594.00000000068CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000003.3277063594.00000000068CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000003.3277063594.00000000068CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000003.3277063594.00000000068CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000002.3327927242.0000000001224000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000002.3327650745.0000000000F74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000002.3327650745.0000000000F74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000002.3327650745.0000000000F74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000003.2628668752.00000000068CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt

Uses 32bit PE files

Source: lQao7mmqva.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal45.rans.winEXE@1/0@1/0

Source: lQao7mmqva.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\lQao7mmqva.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\lQao7mmqva.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: lQao7mmqva.exe	ReversingLabs: Detection: 58%
Source: lQao7mmqva.exe	Virustotal: Detection: 53%

Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: drprov.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: ntlanman.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: davclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: networkexplorer.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: playtodevice.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: devdispitemprovider.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: portabledeviceapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: mfperfhelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\lQao7mmqva.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AE054212-3535-4430-83ED-D501AA6680E6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\lQao7mmqva.exe	Automated click: OK
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Automated click: OK
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Automated click: OK
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Automated click: OK
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Automated click: OK
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Automated click: OK
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Automated click: OK
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Automated click: OK
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Automated click: OK
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Automated click: OK
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: lQao7mmqva.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: lQao7mmqva.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: lQao7mmqva.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: lQao7mmqva.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: lQao7mmqva.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: lQao7mmqva.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: lQao7mmqva.exe, 00000000.00000003.2819860206.0000000006947000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: lQao7mmqva.exe, 00000000.00000003.2157430246.00000000012AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}H
Source: lQao7mmqva.exe, 00000000.00000002.3328120893.0000000001269000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}11ee-8c18-806e6f6e6963}#00
Source: lQao7mmqva.exe, 00000000.00000003.3036280988.000000000694D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: lQao7mmqva.exe, 00000000.00000003.3036750988.0000000001288000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{5
Source: lQao7mmqva.exe, 00000000.00000003.3036713604.0000000006949000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: lQao7mmqva.exe, 00000000.00000002.3328120893.0000000001269000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: lQao7mmqva.exe, 00000000.00000003.3036713604.0000000006949000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#Cdv
Source: lQao7mmqva.exe, 00000000.00000003.3254322301.000000000695E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}s\f
Source: lQao7mmqva.exe, 00000000.00000002.3328120893.0000000001269000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: lQao7mmqva.exe, 00000000.00000003.2819860206.0000000006947000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}T
Source: lQao7mmqva.exe, 00000000.00000003.3254322301.000000000695E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}D0:
Source: lQao7mmqva.exe, 00000000.00000003.2819757586.0000000001288000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}VV
Source: lQao7mmqva.exe, 00000000.00000003.2158143159.0000000001289000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{5
Source: lQao7mmqva.exe, 00000000.00000002.3328120893.0000000001269000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: lQao7mmqva.exe, 00000000.00000003.3036280988.000000000694D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}&
Source: lQao7mmqva.exe, 00000000.00000002.3328120893.0000000001269000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}000C5E500000#{53f5630d-b6b
Source: lQao7mmqva.exe, 00000000.00000003.3059369411.0000000001268000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: lQao7mmqva.exe, 00000000.00000003.3036750988.0000000001288000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: }#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f~~
Source: lQao7mmqva.exe, 00000000.00000003.3252982197.000000000695E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD0:
Source: lQao7mmqva.exe, 00000000.00000003.3036750988.0000000001288000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: lQao7mmqva.exe, 00000000.00000003.2602292122.0000000001268000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: lQao7mmqva.exe, 00000000.00000003.3254322301.000000000695E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: lQao7mmqva.exe, 00000000.00000002.3328120893.0000000001269000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}v
Source: lQao7mmqva.exe, 00000000.00000003.2602584603.000000000126B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: lQao7mmqva.exe, 00000000.00000003.2602584603.000000000126B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}%%

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Contacted Domains

Name	IP	Active
18.31.95.13.in-addr.arpa	unknown	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: lQao7mmqva.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: lQao7mmqva.exe	ReversingLabs: Detection: 58%
Source: lQao7mmqva.exe	Virustotal: Detection: 53%			Perma Link

Uses 32bit PE files

Source: lQao7mmqva.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: lQao7mmqva.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Source: unknown

DNS traffic detected: query: 18.31.95.13.in-addr.arpa replaycode: Name error (3)

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa

Spam, unwanted Advertisements and Ransom Demands

May drop file containing decryption instructions (likely related to ransomware)

Source: lQao7mmqva.exe, 00000000.00000002.3328798965.00000000068CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000002.3328798965.00000000068CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000002.3328798965.00000000068CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000002.3328798965.00000000068CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000002.3328798965.00000000068CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000002.3328798965.00000000068CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000003.3254474048.00000000068CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000003.3254474048.00000000068CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000002.3327650745.0000000000F70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000002.3327650745.0000000000F70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000003.3277063594.00000000068CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000003.3277063594.00000000068CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000003.3277063594.00000000068CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000003.3277063594.00000000068CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000003.3277063594.00000000068CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000003.3277063594.00000000068CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000002.3327927242.0000000001224000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000002.3327650745.0000000000F74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000002.3327650745.0000000000F74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000002.3327650745.0000000000F74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt
Source: lQao7mmqva.exe, 00000000.00000003.2628668752.00000000068CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: How to decrypt files.txt

Uses 32bit PE files

Source: lQao7mmqva.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal45.rans.winEXE@1/0@1/0

Source: lQao7mmqva.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\lQao7mmqva.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\lQao7mmqva.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: lQao7mmqva.exe	ReversingLabs: Detection: 58%
Source: lQao7mmqva.exe	Virustotal: Detection: 53%

Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: drprov.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: ntlanman.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: davclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: networkexplorer.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: playtodevice.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: devdispitemprovider.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: portabledeviceapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Section loaded: mfperfhelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\lQao7mmqva.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AE054212-3535-4430-83ED-D501AA6680E6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\lQao7mmqva.exe	Automated click: OK
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Automated click: OK
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Automated click: OK
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Automated click: OK
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Automated click: OK
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Automated click: OK
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Automated click: OK
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Automated click: OK
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Automated click: OK
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Automated click: OK
Source: C:\Users\user\Desktop\lQao7mmqva.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: lQao7mmqva.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: lQao7mmqva.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: lQao7mmqva.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: lQao7mmqva.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: lQao7mmqva.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: lQao7mmqva.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: lQao7mmqva.exe, 00000000.00000003.2819860206.0000000006947000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: lQao7mmqva.exe, 00000000.00000003.2157430246.00000000012AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}H
Source: lQao7mmqva.exe, 00000000.00000002.3328120893.0000000001269000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}11ee-8c18-806e6f6e6963}#00
Source: lQao7mmqva.exe, 00000000.00000003.3036280988.000000000694D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: lQao7mmqva.exe, 00000000.00000003.3036750988.0000000001288000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{5
Source: lQao7mmqva.exe, 00000000.00000003.3036713604.0000000006949000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: lQao7mmqva.exe, 00000000.00000002.3328120893.0000000001269000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: lQao7mmqva.exe, 00000000.00000003.3036713604.0000000006949000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#Cdv
Source: lQao7mmqva.exe, 00000000.00000003.3254322301.000000000695E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}s\f
Source: lQao7mmqva.exe, 00000000.00000002.3328120893.0000000001269000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: lQao7mmqva.exe, 00000000.00000003.2819860206.0000000006947000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}T
Source: lQao7mmqva.exe, 00000000.00000003.3254322301.000000000695E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}D0:
Source: lQao7mmqva.exe, 00000000.00000003.2819757586.0000000001288000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}VV
Source: lQao7mmqva.exe, 00000000.00000003.2158143159.0000000001289000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{5
Source: lQao7mmqva.exe, 00000000.00000002.3328120893.0000000001269000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: lQao7mmqva.exe, 00000000.00000003.3036280988.000000000694D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}&
Source: lQao7mmqva.exe, 00000000.00000002.3328120893.0000000001269000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}000C5E500000#{53f5630d-b6b
Source: lQao7mmqva.exe, 00000000.00000003.3059369411.0000000001268000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: lQao7mmqva.exe, 00000000.00000003.3036750988.0000000001288000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: }#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f~~
Source: lQao7mmqva.exe, 00000000.00000003.3252982197.000000000695E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD0:
Source: lQao7mmqva.exe, 00000000.00000003.3036750988.0000000001288000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: lQao7mmqva.exe, 00000000.00000003.2602292122.0000000001268000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: lQao7mmqva.exe, 00000000.00000003.3254322301.000000000695E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: lQao7mmqva.exe, 00000000.00000002.3328120893.0000000001269000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}v
Source: lQao7mmqva.exe, 00000000.00000003.2602584603.000000000126B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: lQao7mmqva.exe, 00000000.00000003.2602584603.000000000126B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}%%

ID:	1502152
Product:	CloudBasic
Start time:	08:32:38
Start date:	31.08.2024
Sample:	lQao7mmqva
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	9ca62be8cc46eb148f6d758e41e65f50
SHA1:	c0299514ef98f3ba819380a43ca6376d912a4a69
SHA256:	33d43a6f5930c25e3f0fb7656d716d6323fee5de0d6c877a2806ae7a43c8a94d
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Windows Analysis Report
lQao7mmqva.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Malware Analysis System Evasion

Screenshots

Behavior Graph

Network Map

Contacted Domains

Windows Analysis Report lQao7mmqva.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Malware Analysis System Evasion

Screenshots

Behavior Graph

Network Map

Contacted Domains

Windows Analysis Report
lQao7mmqva.exe