Windows Analysis Report
O4oLJdI3gs.exe

Overview

General Information

Sample name: O4oLJdI3gs.exe (renamed because the original name is a hash value)
Original sample name: bad43a1c8ba1dacf3daf82bc30a0673f9bc2675ea6cdedd34624ffc933b959f4.exe
Analysis ID: 1592724
MD5: 6e90358d70a4a4c6d49dab693267a381
SHA1: 86b0d17461a208a6190f7da925c8cb14cf33784e
SHA256: bad43a1c8ba1dacf3daf82bc30a0673f9bc2675ea6cdedd34624ffc933b959f4
Tags: encrypthub-org, exe, user-JAMESWT_MHT

Detection

RHADAMANTHYS
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected RHADAMANTHYS Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
One or more processes crash
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

Name: Rhadamanthys
Description: According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.
Attribution: Sandworm
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

AV Detection

Source: O4oLJdI3gs.exe Avira: detected
Source: O4oLJdI3gs.exe Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://154.216.19.249:3637/4b5f27f1f9aa29/ax406g6n.eednw"}
Source: O4oLJdI3gs.exe Virustotal: Detection: 60%
Source: O4oLJdI3gs.exe ReversingLabs: Detection: 79%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: O4oLJdI3gs.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: O4oLJdI3gs.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: wkernel32.pdb source: O4oLJdI3gs.exe, 00000000.00000003.1320892051.0000000002D80000.00000004.00000001.00020000.00000000.sdmp, O4oLJdI3gs.exe, 00000000.00000003.1320764383.0000000002C60000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1329792086.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1329710354.00000000049C0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: O4oLJdI3gs.exe, 00000000.00000003.1321289818.0000000002C60000.00000004.00000001.00020000.00000000.sdmp, O4oLJdI3gs.exe, 00000000.00000003.1321573930.0000000002E80000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1329967486.00000000049C0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1330138187.0000000004BE0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: O4oLJdI3gs.exe, 00000000.00000003.1317639787.0000000002C60000.00000004.00000001.00020000.00000000.sdmp, O4oLJdI3gs.exe, 00000000.00000003.1317934834.0000000002E50000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1328764375.0000000004BB0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1328500088.00000000049C0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: O4oLJdI3gs.exe, 00000000.00000003.1319265493.0000000002C60000.00000004.00000001.00020000.00000000.sdmp, O4oLJdI3gs.exe, 00000000.00000003.1320509224.0000000002E00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1329322444.00000000049C0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1329503285.0000000004B60000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: O4oLJdI3gs.exe, 00000000.00000003.1317639787.0000000002C60000.00000004.00000001.00020000.00000000.sdmp, O4oLJdI3gs.exe, 00000000.00000003.1317934834.0000000002E50000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1328764375.0000000004BB0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1328500088.00000000049C0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: O4oLJdI3gs.exe, 00000000.00000003.1319265493.0000000002C60000.00000004.00000001.00020000.00000000.sdmp, O4oLJdI3gs.exe, 00000000.00000003.1320509224.0000000002E00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1329322444.00000000049C0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1329503285.0000000004B60000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbUGP source: O4oLJdI3gs.exe, 00000000.00000003.1320892051.0000000002D80000.00000004.00000001.00020000.00000000.sdmp, O4oLJdI3gs.exe, 00000000.00000003.1320764383.0000000002C60000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1329792086.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1329710354.00000000049C0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdbUGP source: O4oLJdI3gs.exe, 00000000.00000003.1321289818.0000000002C60000.00000004.00000001.00020000.00000000.sdmp, O4oLJdI3gs.exe, 00000000.00000003.1321573930.0000000002E80000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1329967486.00000000049C0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1330138187.0000000004BE0000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Code function: 0_2_00541B09 FindFirstFileExW, 0_2_00541B09
Source: C:\Windows\System32\fontdrvhost.exe Code function: 4x nop then dec esp 4_2_000001C181C00511

Networking

Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.249:3637 -> 192.168.2.7:49715
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 154.216.19.249 3637
Source: Malware configuration extractor URLs: https://154.216.19.249:3637/4b5f27f1f9aa29/ax406g6n.eednw
Source: global traffic TCP traffic: 192.168.2.7:49715 -> 154.216.19.249:3637
Source: Joe Sandbox View ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.249
Source: Amcache.hve.7.dr String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 00000003.00000002.1384254461.000000000290C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1383233892.00000000001FC000.00000004.00000010.00020000.00000000.sdmp, fontdrvhost.exe, fontdrvhost.exe, 00000004.00000002.1603782046.000001C181C00000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: https://154.216.19.249:3637/4b5f27f1f9aa29/ax406g6n.eednw
Source: svchost.exe, 00000003.00000002.1384254461.000000000290C000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000004.00000002.1603782046.000001C181C00000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: https://154.216.19.249:3637/4b5f27f1f9aa29/ax406g6n.eednwkernelbasentdllkernel32GetProcessMitigation
Source: svchost.exe, 00000003.00000002.1383233892.00000000001FC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://154.216.19.249:3637/4b5f27f1f9aa29/ax406g6n.eednwx
Source: svchost.exe, 00000003.00000003.1346612962.000000000299F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cloudflare-dns.com/dns-query
Source: svchost.exe, 00000003.00000003.1346612962.000000000299F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cloudflare-dns.com/dns-queryPOSTContent-TypeContent-LengthHostapplication/dns-message%dMachi
Source: O4oLJdI3gs.exe, 00000000.00000003.1321289818.0000000002C60000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DirectInput8Create memstr_9f683816-9
Source: O4oLJdI3gs.exe, 00000000.00000003.1321289818.0000000002C60000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_d10d6efe-b
Source: Yara match File source: 3.3.svchost.exe.4be0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.O4oLJdI3gs.exe.2c60000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.O4oLJdI3gs.exe.2e80000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.svchost.exe.49c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.1321289818.0000000002C60000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.1330138187.0000000004BE0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.1329967486.00000000049C0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1321573930.0000000002E80000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: O4oLJdI3gs.exe PID: 7516, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 7644, type: MEMORYSTR
Source: C:\Windows\System32\fontdrvhost.exe Code function: 4_2_000001C181C01AA4 NtAcceptConnectPort,NtAcceptConnectPort, 4_2_000001C181C01AA4
Source: C:\Windows\System32\fontdrvhost.exe Code function: 4_2_000001C181C01CF4 NtAcceptConnectPort,CloseHandle, 4_2_000001C181C01CF4
Source: C:\Windows\System32\fontdrvhost.exe Code function: 4_2_000001C181C015C0 NtAcceptConnectPort, 4_2_000001C181C015C0
Source: C:\Windows\System32\fontdrvhost.exe Code function: 4_2_000001C181C00AC8 NtAcceptConnectPort,NtAcceptConnectPort, 4_2_000001C181C00AC8
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Code function: 0_2_005481D2 0_2_005481D2
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Code function: 0_2_0053C231 0_2_0053C231
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Code function: 0_2_0053C400 0_2_0053C400
Source: C:\Windows\System32\fontdrvhost.exe Code function: 4_2_000001C181C00C70 4_2_000001C181C00C70
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Code function: String function: 0053CD90 appears 33 times
Source: C:\Windows\System32\fontdrvhost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7720 -s 136
Source: O4oLJdI3gs.exe, 00000000.00000003.1320892051.0000000002D80000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs O4oLJdI3gs.exe
Source: O4oLJdI3gs.exe, 00000000.00000000.1306175757.000000000058C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCFF Explorer.exe: vs O4oLJdI3gs.exe
Source: O4oLJdI3gs.exe, 00000000.00000003.1317934834.0000000002FD6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs O4oLJdI3gs.exe
Source: O4oLJdI3gs.exe, 00000000.00000003.1320509224.0000000002F2D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs O4oLJdI3gs.exe
Source: O4oLJdI3gs.exe, 00000000.00000003.1317639787.0000000002DD8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs O4oLJdI3gs.exe
Source: O4oLJdI3gs.exe, 00000000.00000003.1321289818.0000000002C60000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKernelbase.dllj% vs O4oLJdI3gs.exe
Source: O4oLJdI3gs.exe, 00000000.00000003.1320764383.0000000002CF2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs O4oLJdI3gs.exe
Source: O4oLJdI3gs.exe, 00000000.00000003.1320764383.0000000002C60000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs O4oLJdI3gs.exe
Source: O4oLJdI3gs.exe, 00000000.00000003.1320892051.0000000002DD0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs O4oLJdI3gs.exe
Source: O4oLJdI3gs.exe, 00000000.00000003.1321573930.0000000003061000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKernelbase.dllj% vs O4oLJdI3gs.exe
Source: O4oLJdI3gs.exe, 00000000.00000003.1319265493.0000000002D83000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs O4oLJdI3gs.exe
Source: O4oLJdI3gs.exe Binary or memory string: OriginalFilenameCFF Explorer.exe: vs O4oLJdI3gs.exe
Source: classification engine Classification label: mal100.troj.evad.winEXE@6/5@0/1
Source: C:\Windows\SysWOW64\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-b77a18e2-37d1-4836d5-27a100f471a2}
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7720
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\a48ffb32-82df-4f75-9fda-993a167e6566
Source: C:\Windows\SysWOW64\svchost.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\O4oLJdI3gs.exe "C:\Users\user\Desktop\O4oLJdI3gs.exe"
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\svchost.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: O4oLJdI3gs.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: O4oLJdI3gs.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: O4oLJdI3gs.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: O4oLJdI3gs.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: O4oLJdI3gs.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: O4oLJdI3gs.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: O4oLJdI3gs.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: O4oLJdI3gs.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: O4oLJdI3gs.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: O4oLJdI3gs.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: O4oLJdI3gs.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: O4oLJdI3gs.exe Static PE information: section name: .textbss
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Code function: 0_3_0054BC39 push ecx; ret 0_3_0054BC59
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Code function: 0_3_0054A0F9 push FFFFFF82h; iretd 0_3_0054A0FB
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Code function: 0_3_0054D2FB push edi; ret 0_3_0054D2CC
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Code function: 0_3_0054B8EC push edi; ret 0_3_0054B8F8
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Code function: 0_3_0054FE8F push esi; ret 0_3_0054FEA1
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Code function: 0_3_00549F6A push eax; ret 0_3_00549F75
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Code function: 0_3_0054DD01 push esi; ret 0_3_0054DD6A
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Code function: 0_3_0054B1DC push eax; ret 0_3_0054B1DD
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Code function: 0_2_0054A0F9 push FFFFFF82h; iretd 0_2_0054A0FB
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Code function: 0_2_0054B8EC push edi; ret 0_2_0054B8F8
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Code function: 0_2_00548904 push ecx; ret 0_2_00548917
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Code function: 0_2_0054B1DC push eax; ret 0_2_0054B1DD
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Code function: 0_2_0054D2FB push edi; ret 0_2_0054D2CC
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Code function: 0_2_0054BC39 push ecx; ret 0_2_0054BC59
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Code function: 0_2_0054DD01 push esi; ret 0_2_0054DD6A
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Code function: 0_2_0054FE8F push esi; ret 0_2_0054FEA1
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Code function: 0_2_00549F6A push eax; ret 0_2_00549F75
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_3_0043225C push eax; ret 3_3_0043225D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_3_00432CB9 push ecx; ret 3_3_00432CD9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_3_0043296C push edi; ret 3_3_00432978
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_3_0043437B push edi; ret 3_3_0043434C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_3_00431179 push FFFFFF82h; iretd 3_3_0043117B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_3_00436F0F push esi; ret 3_3_00436F21
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_3_00430FEA push eax; ret 3_3_00430FF5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_3_00434D81 push esi; ret 3_3_00434DEA
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX (46 identical events) Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\O4oLJdI3gs.exe API/Special instruction interceptor: Address: 7FFB2CECD044
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFB2CECD044
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 4C7B83A
Source: svchost.exe, 00000003.00000002.1384254461.0000000002900000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXE
Source: O4oLJdI3gs.exe Binary or memory string: ORIGINALFILENAMECFF EXPLORER.EXE:
Source: svchost.exe, 00000003.00000002.1384254461.0000000002900000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X64DBG.EXE
Source: O4oLJdI3gs.exe Binary or memory string: INTERNALNAMECFF EXPLORER.EXE
Source: svchost.exe, 00000003.00000002.1384254461.0000000002900000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: EVERYWHERE.EXEFIDDLER.EXEIDA.EXEIDA64.EXEIMMU2P
Source: svchost.exe, 00000003.00000002.1384254461.0000000002900000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FIDDLER.EXE
Source: svchost.exe, 00000003.00000002.1384254461.0000000002900000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MP.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEPROCESSHA
Source: svchost.exe, 00000003.00000002.1384254461.0000000002900000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TORUNS.EXEDUMPCAP.EXEDE4
Source: svchost.exe, 00000003.00000002.1384254461.0000000002900000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXE
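The OLLYDBG / X64DBG / X32DBG / FIDDLER / IDA / DUMPCAP strings above are fragments of an analysis-tool process-name blacklist that the injected svchost.exe holds in memory, upper-cased and packed back-to-back with no separators. The Python below is an added example (not part of this report, of Joe Sandbox, or of the sample) of pulling such a blacklist out of a memory region: it matches a list of known tool names case-insensitively, without requiring delimiters, and in both 8-bit and UTF-16LE encodings so wide strings are caught too. The KNOWN_TOOLS list and the SAMPLE_DUMP bytes are constructed assumptions; the sample's real table is not recoverable from the truncated strings in the report.

```python
import re
from typing import Dict, Iterator, List, Set, Tuple

# Process names that stealers commonly blacklist. Assumption for this example:
# the full names whose fragments appear in the report's svchost.exe memory
# strings (OLLYDBG, X64DBG, X32DBG, FIDDLER, IDA, IDA64, DUMPCAP, ...RUNS,
# PROCESSHA...) plus a few well-known peers. Not the sample's actual table.
KNOWN_TOOLS = (
    "ollydbg.exe", "x64dbg.exe", "x32dbg.exe", "ida.exe", "ida64.exe",
    "immunitydebugger.exe", "fiddler.exe", "dumpcap.exe", "wireshark.exe",
    "processhacker.exe", "procmon.exe", "autoruns.exe", "de4dot.exe",
    "pestudio.exe", "httpdebuggerui.exe",
)

# Constructed stand-in for a dumped memory region: the packed upper-case ASCII
# fragment quoted in the report, then one UTF-16LE name, with byte noise around.
SAMPLE_DUMP = (
    b"\x00\x00MP.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEPROCESSHA\x00\x00"
    + b"\x90\x90" + "Fiddler.exe".encode("utf-16-le") + b"\x00\x00\xde\xad"
)


def _text_views(blob: bytes) -> Iterator[Tuple[str, str]]:
    """Yield (encoding, text): the bytes read as 8-bit text, then UTF-16LE
    decodes at both byte alignments, so a wide string is found whether the
    region starts on an even or an odd offset relative to it."""
    yield "ascii", blob.decode("latin-1")
    for offset in (0, 1):
        chunk = blob[offset:]
        if len(chunk) % 2:
            chunk = chunk[:-1]
        yield "utf-16le", chunk.decode("utf-16-le", errors="replace")


def find_tool_names(blob: bytes, tools=KNOWN_TOOLS) -> Dict[str, List[str]]:
    """Map each blacklisted tool name present in blob to the encodings it was
    seen in. Case-insensitive and delimiter-free on purpose: the names in the
    report's dump are packed like "X64DBG.EXEX32DBG.EXEOLLYDBG.EXE"."""
    pattern = re.compile("|".join(re.escape(t) for t in tools), re.IGNORECASE)
    hits: Dict[str, Set[str]] = {}
    for encoding, text in _text_views(blob):
        for match in pattern.finditer(text):
            hits.setdefault(match.group(0).lower(), set()).add(encoding)
    return {name: sorted(encs) for name, encs in sorted(hits.items())}


def blacklist_coverage(blob: bytes, tools=KNOWN_TOOLS) -> float:
    """Fraction of the known list present in blob. A high value inside a
    process that should have no business naming debuggers (here: svchost.exe)
    is a strong anti-analysis indicator on its own."""
    return len(find_tool_names(blob, tools)) / len(tools)


if __name__ == "__main__":
    for name, encodings in find_tool_names(SAMPLE_DUMP).items():
        print(f"{name:22s} {', '.join(encodings)}")
    print(f"coverage: {blacklist_coverage(SAMPLE_DUMP):.0%}")
```

Truncated fragments such as PROCESSHA are deliberately not matched; on a real dump the scan is run over the whole region so the full name is in view, and the coverage figure is what you would thresholds on.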
Source: C:\Windows\SysWOW64\svchost.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\svchost.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Code function: 0_2_00541B09 FindFirstFileExW, 0_2_00541B09
Source: Amcache.hve.7.dr Binary or memory string: VMware
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: svchost.exe, 00000003.00000002.1383755192.0000000002843000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: svchost.exe, 00000003.00000002.1384099046.000000000285C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWRSVP UDPv6 Service Provider
Source: svchost.exe, 00000003.00000002.1383755192.0000000002812000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(
Source: Amcache.hve.7.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: svchost.exe, 00000003.00000003.1330138187.0000000004BE0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DisableGuestVmNetworkConnectivity
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual RAM
Source: svchost.exe, 00000003.00000003.1330138187.0000000004BE0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: EnableGuestVmNetworkConnectivity
Source: Amcache.hve.7.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.7.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Code function: 0_2_0053CB32 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0053CB32
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Code function: 0_3_00549277 mov eax, dword ptr fs:[00000030h] 0_3_00549277
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Code function: 0_2_00549277 mov eax, dword ptr fs:[00000030h] 0_2_00549277
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_3_00430283 mov eax, dword ptr fs:[00000030h] 3_3_00430283
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Code function: 0_2_0053BEFA GetProcessHeap,HeapAlloc,HeapFree,HeapFree,VirtualFree,HeapFree, 0_2_0053BEFA
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Code function: 0_2_0053CB32 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0053CB32
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Code function: 0_2_0053CCC5 SetUnhandledExceptionFilter, 0_2_0053CCC5
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Code function: 0_2_00541508 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00541508
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Code function: 0_2_0053CFC3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0053CFC3

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 154.216.19.249 3637 Jump to behavior
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe" Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe" Jump to behavior
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Code function: 0_2_0053CDD5 cpuid 0_2_0053CDD5
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\O4oLJdI3gs.exe Code function: 0_2_0053CA19 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_0053CA19
Source: C:\Windows\SysWOW64\svchost.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: svchost.exe, 00000003.00000002.1384254461.0000000002900000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OllyDbg.exe
Source: Amcache.hve.7.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: MsMpEng.exe
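The chain above (O4oLJdI3gs.exe spawns svchost.exe, that svchost.exe connects to 154.216.19.249:3637 and spawns fontdrvhost.exe) is the injection pattern behind the "System process connects to network" signature. Note the image path is C:\Windows\SysWOW64\svchost.exe although the command line names System32: the dropper is a 32-bit process, so WOW64 file-system redirection hands it the SysWOW64 copy. The Python below is an added example, not part of this report or of any vendor rule set, of how a detection pipeline can flag the pattern from process-creation and network-connection telemetry: an expected-parent check (svchost.exe from services.exe, fontdrvhost.exe from winlogon.exe or wininit.exe; both assumed Windows defaults), a SysWOW64-svchost check, and escalation when a flagged process goes on to connect out. The event records are constructed to mirror the report; the PIDs, the benign 203.0.113.10 destination and the port allow-list are assumptions.

```python
from dataclasses import dataclass
from typing import List, Set, Union

# Parents that legitimately launch each system binary (assumed Windows defaults
# for this example; replace with your own baseline).
EXPECTED_PARENTS = {
    "svchost.exe": {"services.exe"},
    "fontdrvhost.exe": {"winlogon.exe", "wininit.exe"},
}
# Destination ports svchost.exe may use without comment. Example allow-list
# only; tune it from observed traffic.
SVCHOST_EXPECTED_PORTS = {53, 80, 123, 443}


@dataclass(frozen=True)
class ProcessCreate:          # the shape of a Sysmon event ID 1 record
    pid: int
    image: str
    parent_image: str


@dataclass(frozen=True)
class NetworkConnect:         # the shape of a Sysmon event ID 3 record
    pid: int
    image: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Alert:
    severity: str
    rule: str
    pid: int
    detail: str


Event = Union[ProcessCreate, NetworkConnect]

# Constructed telemetry mirroring the report's process tree and C2 connection,
# plus one benign svchost.exe for contrast. PIDs and 203.0.113.10 are made up.
SAMPLE_EVENTS: List[Event] = [
    ProcessCreate(3, r"C:\Windows\SysWOW64\svchost.exe",
                  r"C:\Users\user\Desktop\O4oLJdI3gs.exe"),
    ProcessCreate(7, r"C:\Windows\System32\fontdrvhost.exe",
                  r"C:\Windows\SysWOW64\svchost.exe"),
    NetworkConnect(3, r"C:\Windows\SysWOW64\svchost.exe", "154.216.19.249", 3637),
    ProcessCreate(900, r"C:\Windows\System32\svchost.exe",
                  r"C:\Windows\System32\services.exe"),
    NetworkConnect(900, r"C:\Windows\System32\svchost.exe", "203.0.113.10", 443),
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Event]) -> List[Alert]:
    """Single pass over time-ordered events. Process-creation anomalies mark a
    PID as suspicious; any outbound connection by a marked PID is escalated to
    high, which is the injected-svchost-talks-to-C2 pattern in the report."""
    alerts: List[Alert] = []
    suspicious: Set[int] = set()
    for ev in events:
        if isinstance(ev, ProcessCreate):
            name, parent = _basename(ev.image), _basename(ev.parent_image)
            if name in EXPECTED_PARENTS and parent not in EXPECTED_PARENTS[name]:
                alerts.append(Alert("medium", "unexpected_parent", ev.pid,
                                    f"{name} spawned by {parent}"))
                suspicious.add(ev.pid)
            # 64-bit Windows runs its service hosts from System32; a svchost.exe
            # from SysWOW64 almost always means a 32-bit process launched it
            # via WOW64 file-system redirection, as the dropper did here.
            if name == "svchost.exe" and "\\syswow64\\" in ev.image.lower():
                alerts.append(Alert("low", "wow64_svchost", ev.pid, ev.image))
                suspicious.add(ev.pid)
        elif isinstance(ev, NetworkConnect):
            where = f"{ev.dst_ip}:{ev.dst_port}"
            if ev.pid in suspicious:
                alerts.append(Alert("high", "suspicious_process_network", ev.pid, where))
            elif (_basename(ev.image) == "svchost.exe"
                  and ev.dst_port not in SVCHOST_EXPECTED_PORTS):
                alerts.append(Alert("medium", "svchost_nonstandard_port", ev.pid, where))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity:6s}] {a.rule:28s} pid={a.pid:<4d} {a.detail}")
```

The parent check alone is noisy on hosts where third-party agents spawn svchost.exe legitimately; the escalation step is what makes the rule worth paging on, because a service host with an abnormal parent that then talks to a non-standard port is rarely benign.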

Stealing of Sensitive Information

Source: Yara match File source: 00000000.00000003.1316388292.00000000004A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.1327246826.0000000000570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1384522457.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1327276238.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 00000000.00000003.1316388292.00000000004A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.1327246826.0000000000570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1384522457.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1327276238.0000000000A80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY