Windows Analysis Report
OMHGCG.exe

Overview

General Information

Sample Name: OMHGCG.exe
Analysis ID: 756309
MD5: fae47086c34007307f6e2cd0c47a97d8
SHA1: 00caba8b2c7d23a2acc78f54155db976d902f2c4
SHA256: 00973673a54cfd2a206c7695fa86077d1a1803629d7207b1e5fb295255a25ae2
Tags: exe, LodaRat

Detection

LodaRAT
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected LodaRAT
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Contains functionality to query the security center for anti-virus and firewall products
Contains functionality to execute programs as a different user
PE file contains sections with non-standard names
Sleep loop found (likely to delay execution)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Found evasive API chain (may stop execution after checking a module file name)
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Entry point lies outside standard sections
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
OS version to string mapping found (often used in BOTs)
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to launch a program with higher privileges
Creates a start menu entry (Start Menu\Programs\Startup)
Potential key logger detected (key state polling based)
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to simulate mouse events
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: OMHGCG.exe ReversingLabs: Detection: 75%
Source: OMHGCG.exe Virustotal: Detection: 55%
Source: OMHGCG.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Avira: detection malicious, Label: HEUR/AGEN.1215448
Source: C:\Users\user\AppData\Roaming\Windata\update.exe ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Virustotal: Detection: 55%
Source: OMHGCG.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_004339B6
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452492
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442886
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_004788BD
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, 0_2_0045CAFA
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00431A86
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD27
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0045DE8F FindFirstFileW,FindClose, 0_2_0045DE8F
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8B
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Code function: 13_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, 13_2_00452492
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Code function: 13_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 13_2_00442886
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Code function: 13_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, 13_2_004339B6
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Code function: 13_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 13_2_00431A86
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Code function: 13_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 13_2_0044BD27
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Code function: 13_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 13_2_0044BF8B

Networking

Source: unknown DNS query: name: test202022.ddns.net
Source: Joe Sandbox View ASN Name: TE-ASTE-ASEG
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 197.42.186.178:5552
Source: OMHGCG.exe, 00000000.00000002.514343033.000000000404A000.00000004.00000800.00020000.00000000.sdmp, OMHGCG.exe, 00000000.00000002.515666003.00000000041DC000.00000004.00000800.00020000.00000000.sdmp, update.exe, 0000000D.00000002.478932417.0000000003CFE000.00000004.00000800.00020000.00000000.sdmp, update.exe, 0000000D.00000003.475182772.0000000003CF7000.00000004.00000800.00020000.00000000.sdmp, update.exe, 0000000E.00000003.491301522.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp, update.exe, 0000000E.00000003.491570140.0000000003DF7000.00000004.00000800.00020000.00000000.sdmp, update.exe, 0000000E.00000003.491376732.0000000003DEF000.00000004.00000800.00020000.00000000.sdmp, update.exe, 0000000E.00000002.494453244.0000000003DF7000.00000004.00000800.00020000.00000000.sdmp, update.exe, 0000000E.00000003.491443893.0000000003DF7000.00000004.00000800.00020000.00000000.sdmp, update.exe, 0000000F.00000002.515363500.0000000003ED7000.00000004.00000800.00020000.00000000.sdmp, update.exe, 0000000F.00000002.514337061.0000000003D8B000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000012.00000002.515327441.0000000003D9A000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000012.00000002.514281424.0000000003C53000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.amazonaws.com/
Source: update.exe, 0000000E.00000003.491908903.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp, update.exe, 0000000E.00000003.491857087.0000000003CA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.amazonaws.com/D
Source: OMHGCG.exe, 00000000.00000002.513500694.0000000003F40000.00000004.00000800.00020000.00000000.sdmp, update.exe, 0000000D.00000003.477067833.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, update.exe, 0000000E.00000003.492835145.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000012.00000002.513247187.0000000003B00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-score.com/checkip/
Source: update.exe, 0000000F.00000002.513239652.0000000003C30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-score.com/checkip/=Xp0
Source: OMHGCG.exe, 00000000.00000002.514752018.00000000040C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/files/beta/autoit/archive/sqlite/SQLite3
Source: update.exe, 0000000D.00000003.475219101.0000000003D0F000.00000004.00000800.00020000.00000000.sdmp, update.exe, 0000000D.00000003.475148079.0000000003D09000.00000004.00000800.00020000.00000000.sdmp, update.exe, 0000000D.00000002.478947115.0000000003D12000.00000004.00000800.00020000.00000000.sdmp, update.exe, 0000000E.00000003.493084290.0000000003CDC000.00000004.00000800.00020000.00000000.sdmp, update.exe, 0000000E.00000003.491837776.0000000003CD4000.00000004.00000800.00020000.00000000.sdmp, update.exe, 0000000E.00000003.491729664.0000000003CCC000.00000004.00000800.00020000.00000000.sdmp, update.exe, 0000000E.00000003.491878276.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/files/beta/autoit/archive/sqlite/SQLite3%%
Source: update.exe, 00000012.00000002.514281424.0000000003C53000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/files/beta/autoit/archive/sqlite/SQLite3D
Source: update.exe, 0000000F.00000002.514401378.0000000003DA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/files/beta/autoit/archive/sqlite/SQLite3GK
Source: unknown DNS traffic detected: queries for: test202022.ddns.net
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_004422FE InternetQueryDataAvailable,InternetReadFile, 0_2_004422FE
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard, 0_2_0046DC80
Source: update.exe, 0000000D.00000002.478748796.0000000000ADA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0047C81C SendMessageW,NtdllDialogWndProc_W,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,SetCapture,ClientToScreen,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx, 0_2_0047C81C
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput, 0_2_0044C37A
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalFix,_wcscpy,GlobalUnWire,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_0045A10F
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 0_2_004333BE
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Code function: 13_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 13_2_004333BE
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: String function: 004115D7 appears 36 times
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: String function: 00416C70 appears 39 times
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: String function: 00445AE0 appears 65 times
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Code function: String function: 00416C70 appears 34 times
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,73926290,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle, 0_2_00446313
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0046A07E PostMessageW,GetFocus,GetDlgCtrlID,PostMessageW,NtdllDialogWndProc_W,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W, 0_2_0046A07E
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_004710F1 NtdllDialogWndProc_W,ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W, 0_2_004710F1
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0045034C GetParent,NtdllDialogWndProc_W, 0_2_0045034C
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0044036A NtdllDialogWndProc_W, 0_2_0044036A
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_00440306 NtdllDialogWndProc_W, 0_2_00440306
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0047132F NtdllDialogWndProc_W, 0_2_0047132F
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_00440338 NtdllDialogWndProc_W, 0_2_00440338
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0046A38E NtdllDialogWndProc_W,NtdllDialogWndProc_W, 0_2_0046A38E
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0045039B GetParent,NtdllDialogWndProc_W,NtdllDialogWndProc_W,NtdllDialogWndProc_W, 0_2_0045039B
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_004404E8 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W, 0_2_004404E8
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0044048E NtdllDialogWndProc_W, 0_2_0044048E
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0044786A NtdllDialogWndProc_W, 0_2_0044786A
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_004478AC GetCursorPos,TrackPopupMenuEx,NtdllDialogWndProc_W,GetCursorPos,TrackPopupMenuEx, 0_2_004478AC
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_004479A0 GetClientRect,GetCursorPos,ScreenToClient,WindowFromPoint,NtdllDialogWndProc_W, 0_2_004479A0
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_004629B7 NtdllDialogWndProc_W,NtdllDialogWndProc_W, 0_2_004629B7
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0047EA6F NtdllDialogWndProc_W, 0_2_0047EA6F
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_00447ABC SendMessageW,NtdllDialogWndProc_W, 0_2_00447ABC
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_00447B4E NtdllDialogWndProc_W, 0_2_00447B4E
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_00454CFC NtdllDialogWndProc_W, 0_2_00454CFC
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_00454D4A NtdllDialogWndProc_W, 0_2_00454D4A
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0042FDA6 ClientToScreen,NtdllDialogWndProc_W, 0_2_0042FDA6
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0042FE05 NtdllDialogWndProc_W, 0_2_0042FE05
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_00470E96 DragQueryPoint,SendMessageW,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W, 0_2_00470E96
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Code function: 13_2_0044036A NtdllDialogWndProc_W, 13_2_0044036A
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Code function: 13_2_00440306 NtdllDialogWndProc_W, 13_2_00440306
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Code function: 13_2_00440338 NtdllDialogWndProc_W, 13_2_00440338
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Code function: 13_2_0045039B GetParent,NtdllDialogWndProc_W,NtdllDialogWndProc_W,NtdllDialogWndProc_W, 13_2_0045039B
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Code function: 13_2_004404E8 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W, 13_2_004404E8
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Code function: 13_2_0044048E NtdllDialogWndProc_W, 13_2_0044048E
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Code function: 13_2_0044786A NtdllDialogWndProc_W, 13_2_0044786A
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Code function: 13_2_004478AC GetCursorPos,TrackPopupMenuEx,NtdllDialogWndProc_W,GetCursorPos,TrackPopupMenuEx, 13_2_004478AC
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Code function: 13_2_004479A0 GetClientRect,GetCursorPos,ScreenToClient,WindowFromPoint,NtdllDialogWndProc_W, 13_2_004479A0
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Code function: 13_2_00447ABC SendMessageW,NtdllDialogWndProc_W, 13_2_00447ABC
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Code function: 13_2_00447B4E NtdllDialogWndProc_W, 13_2_00447B4E
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Code function: 13_2_00454CFC NtdllDialogWndProc_W, 13_2_00454CFC
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Code function: 13_2_00454D4A NtdllDialogWndProc_W, 13_2_00454D4A
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Code function: 13_2_0042FDA6 ClientToScreen,NtdllDialogWndProc_W, 13_2_0042FDA6
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Code function: 13_2_0042FE05 NtdllDialogWndProc_W, 13_2_0042FE05
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_00431BE8 GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, 0_2_00431BE8
Source: C:\Users\user\Desktop\OMHGCG.exe File read: C:\Users\user\Desktop\OMHGCG.exe
Source: C:\Users\user\Desktop\OMHGCG.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\OMHGCG.exe C:\Users\user\Desktop\OMHGCG.exe
Source: C:\Users\user\Desktop\OMHGCG.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn ZFZRCN.exe /tr C:\Users\user\AppData\Roaming\Windata\update.exe /sc minute /mo 1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn ZFZRCN.exe /tr C:\Users\user\AppData\Roaming\Windata\update.exe /sc minute /mo 1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Windata\update.exe C:\Users\user\AppData\Roaming\Windata\update.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\Windata\update.exe "C:\Users\user\AppData\Roaming\Windata\update.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Windata\update.exe "C:\Users\user\AppData\Roaming\Windata\update.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Windata\update.exe "C:\Users\user\AppData\Roaming\Windata\update.exe"
Source: C:\Users\user\Desktop\OMHGCG.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: ZFZRCN.lnk.0.dr LNK file: ..\..\..\..\..\Windata\update.exe
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 0_2_00464EAE
Source: C:\Users\user\Desktop\OMHGCG.exe File created: C:\Users\user\AppData\Roaming\Windata
Source: classification engine Classification label: mal96.troj.evad.winEXE@10/2@3/2
Source: C:\Users\user\Desktop\OMHGCG.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode, 0_2_0045D619
Source: update.exe, 00000012.00000002.513247187.0000000003B00000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT * FROM moz_cookies;ET+i~/
Source: update.exe, 0000000D.00000003.475657623.0000000003C9B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT * FROM cookies;x99
Source: update.exe, 0000000D.00000003.477067833.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT * FROM moz_cookies;P9
Source: update.exe, 0000000E.00000003.492835145.0000000003B69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT * FROM moz_cookies;ET
Source: OMHGCG.exe, 00000000.00000002.514343033.000000000404A000.00000004.00000800.00020000.00000000.sdmp, update.exe, 0000000F.00000002.514128715.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000012.00000002.513619788.0000000003B7C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT * FROM cookies;
Source: update.exe, 0000000E.00000003.491977816.0000000003C4B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT * FROM cookies;a
Source: OMHGCG.exe, 00000000.00000002.513500694.0000000003F40000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT * FROM moz_cookies;
Source: OMHGCG.exe, 00000000.00000002.514343033.000000000404A000.00000004.00000800.00020000.00000000.sdmp, update.exe, 0000000D.00000003.475657623.0000000003C9B000.00000004.00000800.00020000.00000000.sdmp, update.exe, 0000000E.00000003.491977816.0000000003C4B000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000012.00000002.513619788.0000000003B7C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT * FROM logins;
Source: update.exe, 0000000F.00000002.514128715.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT * FROM logins;T_F1*
Source: update.exe, 0000000F.00000002.513239652.0000000003C30000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT * FROM moz_cookies;(
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0044AF6C GetLastError,FormatMessageW, 0_2_0044AF6C
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_00433EE0 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle, 0_2_00433EE0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5304:120:WilError_01
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 0_2_0043305F
Source: C:\Users\user\Desktop\OMHGCG.exe File read: C:\Windows\System32\drivers\etc\hosts

Data Obfuscation

Source: C:\Users\user\Desktop\OMHGCG.exe Unpacked PE file: 0.2.OMHGCG.exe.400000.0.unpack aHc:EW;Security:EW;.rsrc:W; vs aHc:ER;Security:ER;.rsrc:W;
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Unpacked PE file: 13.2.update.exe.400000.0.unpack aHc:EW;Security:EW;.rsrc:W; vs aHc:ER;Security:ER;.rsrc:W;
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Unpacked PE file: 14.2.update.exe.400000.0.unpack aHc:EW;Security:EW;.rsrc:W; vs aHc:ER;Security:ER;.rsrc:W;
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Unpacked PE file: 15.2.update.exe.400000.0.unpack aHc:EW;Security:EW;.rsrc:W; vs aHc:ER;Security:ER;.rsrc:W;
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Unpacked PE file: 18.2.update.exe.400000.0.unpack aHc:EW;Security:EW;.rsrc:W; vs aHc:ER;Security:ER;.rsrc:W;
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0048217D push 825074CBh; iretd 0_2_00482182
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0048222C push eax; retf 0_2_00482232
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_004822CD push ecx; retf 0_2_004822CE
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_004822D4 push esp; retf 0_2_004822D6
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_004822F0 push edi; retf 0_2_004822F6
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_004822B9 push esp; retf 0_2_004822BA
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_004822B4 push ebp; iretd 0_2_004822B6
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_00482350 push eax; retf 0_2_00482352
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_00482355 push esi; retf 0_2_00482356
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_00482368 push esi; retf 0_2_0048236A
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0048236C push eax; retf 0_2_0048236D
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0048232C push esi; retf 0_2_0048232E
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_00482339 push edx; retf 0_2_0048233E
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_00482389 push eax; retf 0_2_0048238A
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0048238D push esp; retf 0_2_0048238E
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_00482384 push eax; retf 0_2_00482385
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_00482391 push edi; retf 0_2_004823A6
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_00416CB5 push ecx; ret 0_2_00416CC8
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Code function: 13_2_00416CB5 push ecx; ret 13_2_00416CC8
Source: OMHGCG.exe Static PE information: section name: aHc
Source: OMHGCG.exe Static PE information: section name: Security
Source: update.exe.0.dr Static PE information: section name: aHc
Source: update.exe.0.dr Static PE information: section name: Security
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress, 0_2_0040EBD0
Source: initial sample Static PE information: section where entry point is pointing to: Security
Source: initial sample Static PE information: section name: Security entropy: 7.899875991527048
Source: C:\Users\user\Desktop\OMHGCG.exe File created: C:\Users\user\AppData\Roaming\Windata\update.exe

Boot Survival

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn ZFZRCN.exe /tr C:\Users\user\AppData\Roaming\Windata\update.exe /sc minute /mo 1
Source: C:\Users\user\Desktop\OMHGCG.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZFZRCN.lnk
Source: C:\Users\user\Desktop\OMHGCG.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ZFZRCN
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_0047A330
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00434418
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Code function: 13_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 13_2_00434418
Source: C:\Users\user\Desktop\OMHGCG.exe TID: 3108 Thread sleep time: -39260s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windata\update.exe TID: 4468 Thread sleep count: 2243 > 30
Source: C:\Users\user\AppData\Roaming\Windata\update.exe TID: 3076 Thread sleep count: 2284 > 30
Source: C:\Users\user\AppData\Roaming\Windata\update.exe TID: 5216 Thread sleep count: 2456 > 30
Source: C:\Users\user\AppData\Roaming\Windata\update.exe TID: 5080 Thread sleep count: 2005 > 30
Source: C:\Users\user\Desktop\OMHGCG.exe Thread sleep count: Count: 3926 delay: -10
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Thread sleep count: Count: 2243 delay: -10
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Thread sleep count: Count: 2284 delay: -10
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Thread sleep count: Count: 2456 delay: -10
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Thread sleep count: Count: 2005 delay: -10
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\OMHGCG.exe Window / User API: threadDelayed 3926
Source: C:\Users\user\Desktop\OMHGCG.exe Window / User API: foregroundWindowGot 420
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Window / User API: threadDelayed 2243
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Window / User API: threadDelayed 2284
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Window / User API: threadDelayed 2456
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Window / User API: threadDelayed 2005
Source: C:\Users\user\Desktop\OMHGCG.exe API coverage: 5.3 %
Source: C:\Users\user\AppData\Roaming\Windata\update.exe API coverage: 5.3 %
Source: C:\Users\user\Desktop\OMHGCG.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary, 0_2_0040E500
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_004339B6
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452492
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442886
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_004788BD
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, 0_2_0045CAFA
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00431A86
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD27
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0045DE8F FindFirstFileW,FindClose, 0_2_0045DE8F
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8B
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Code function: 13_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, 13_2_00452492
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Code function: 13_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 13_2_00442886
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Code function: 13_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, 13_2_004339B6
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Code function: 13_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 13_2_00431A86
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Code function: 13_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 13_2_0044BD27
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Code function: 13_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 13_2_0044BF8B
Source: C:\Users\user\Desktop\OMHGCG.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Windata\update.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D590
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress, 0_2_0040EBD0
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 0_2_004238DA
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0045A370 BlockInput, 0_2_0045A370
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0041F250 SetUnhandledExceptionFilter, 0_2_0041F250
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0041A208
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00417DAA
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Code function: 13_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_0041A208
Source: C:\Users\user\AppData\Roaming\Windata\update.exe Code function: 13_2_00417DAA _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_00417DAA
Source: OMHGCG.exe, 00000000.00000002.514203667.0000000004022000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: select * from antivirusproduct
Source: OMHGCG.exe, 00000000.00000002.514203667.0000000004022000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: __editconstant_sb_pagedown
Source: OMHGCG.exe, 00000000.00000002.514203667.0000000004022000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: __tcpiptoname_szstringread
Source: OMHGCG.exe, 00000000.00000002.514203667.0000000004022000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: __gdiplus_extractfileext13}
Source: OMHGCG.exe, 00000000.00000002.514203667.0000000004022000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: __editconstant_sb_pageup83
Source: OMHGCG.exe, 00000000.00000002.514203667.0000000004022000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dwmwa_extended_frame_bounds#3
Source: OMHGCG.exe, 00000000.00000002.514203667.0000000004022000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dwmwa_extended_frame_bounds*3
Source: OMHGCG.exe, 00000000.00000002.514203667.0000000004022000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: __editconstant_sb_scrollcaret
Source: OMHGCG.exe, 00000000.00000002.514203667.0000000004022000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: _gdiplus_imagesavetofile
Source: OMHGCG.exe, 00000000.00000002.514203667.0000000004022000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: __editconstant_sb_scrollcarety3
Source: OMHGCG.exe, 00000000.00000002.514203667.0000000004022000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: _screencapture_capturewndty`3
Source: OMHGCG.exe, 00000000.00000002.514203667.0000000004022000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: _screencapture_capturewndd3
Source: OMHGCG.exe, 00000000.00000002.514203667.0000000004022000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: __tcpiptoname_szstringreado3
Source: OMHGCG.exe, 00000000.00000002.514203667.0000000004022000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: _screencapture_capturewnd
Source: OMHGCG.exe, 00000000.00000002.514203667.0000000004022000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: __editconstant_classname
Source: OMHGCG.exe, 00000000.00000002.514203667.0000000004022000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: __editconstant_sb_linedown?2
Source: OMHGCG.exe, 00000000.00000002.514203667.0000000004022000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: __editconstant_sb_lineup
Source: OMHGCG.exe, 00000000.00000002.514203667.0000000004022000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: __editconstant_sb_linedown
Source: OMHGCG.exe, 00000000.00000002.514203667.0000000004022000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: __editconstant_sb_lineup|2
Source: OMHGCG.exe, 00000000.00000002.514203667.0000000004022000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: __editconstant_sb_pagedowng2
Source: OMHGCG.exe, 00000000.00000002.514203667.0000000004022000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: _screencapture_setjpgqualityn2
Source: OMHGCG.exe, 00000000.00000002.514203667.0000000004022000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: int colordepth;int compressionp
Source: OMHGCG.exe, 00000000.00000002.514203667.0000000004022000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: hkey_classes_root\clsid\{e88dcce0-b7b3-11d1-a9f0-00aa0060fa31}d
Source: OMHGCG.exe, 00000000.00000002.514203667.0000000004022000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: lse before submitting\
Source: OMHGCG.exe, 00000000.00000002.514203667.0000000004022000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: this is for debugging only, set the debug variable to false before submittings
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nonicl
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: noniclethernet0-wfp native mac layer lightweight filter-0000
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nonicf
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nonicfethernet0-qos packet scheduler-0000
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nonicj
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nonicjethernet0-wfp 802.3 mac layer lightweight filter-0000
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nonic
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local area connection* 6-wfp native mac layer lightweight filter-0000
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nonicd
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nonicdlocal area connection* 6-qos packet scheduler-0000
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local area connection* 7-wfp native mac layer lightweight filter-0000
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nonicdlocal area connection* 7-qos packet scheduler-0000
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local area connection* 8-wfp native mac layer lightweight filter-0000
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nonicdlocal area connection* 8-qos packet scheduler-0000
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nonic4
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nonic4ethernet (kernel debugger)
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ethernet0
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nonic0
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nonic0local area connection* 6
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nonic0local area connection* 7
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nonic0local area connection* 8
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nonic0local area connection* 5
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nonic6
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nonic6loopback pseudo-interface 1
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nonicb
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nonicbteredo tunneling pseudo-interface
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nonicj
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nonicjmicrosoft ip-https platform interface
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6to4 adapter
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nonic0local area connection* 1
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nonic0local area connection* 2
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nonic0local area connection* 3
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nonic0local area connection* 4
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {bb556c50-98d0-4585-a1ed-b2838757ae1b}
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ethernet0intel(r) 82574l gigabit network connection{bb556c50-98d0-4585-a1ed-b2838757ae1b}al
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {e6e9dfc2-98f2-11e9-90ce-806e6f6e6963}
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: loopback pseudo-interface 1software loopback interface 1{e6e9dfc2-98f2-11e9-90ce-806e6f6e6963}
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ethernet_32769loopback_0cc
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: lrpc-f153403ba56273f362
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: lrpc-f153403ba56273f362xx
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: lrpc-15ec2d395e9e58d4d3
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: lrpc-15ec2d395e9e58d4d3+
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ntel(r) 82574l gigabit network connection-wfp native mac layer lightweight filter-0000
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: intel(r) 82574l gigabit network connection-qos packet scheduler-0000
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: intel(r) 82574l gigabit network connection-wfp 802.3 mac layer lightweight filter-0000
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |wan miniport (ip)-wfp native mac layer lightweight filter-0000
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vwan miniport (ip)-qos packet scheduler-0000
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wan miniport (ipv6)-wfp native mac layer lightweight filter-0000
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: zwan miniport (ipv6)-qos packet scheduler-0000
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wan miniport (network monitor)-wfp native mac layer lightweight filter-0000
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pwan miniport (network monitor)-qos packet scheduler-0000
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: lmicrosoft kernel debug network adapter
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tintel(r) 82574l gigabit network connection
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "wan miniport (ip)
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &wan miniport (ipv6)
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <wan miniport (network monitor)
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (wan miniport (pppoe)
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :software loopback interface 1
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dmicrosoft teredo tunneling adapter
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fmicrosoft ip-https platform adapter
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ,microsoft 6to4 adapter
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &wan miniport (sstp)
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (wan miniport (ikev2)
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &wan miniport (l2tp)
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &wan miniport (pptp)
Source: OMHGCG.exe, 00000000.00000003.443856116.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ethernet_32769loopback_0((
Source: OMHGCG.exe, 00000000.00000002.516983670.000000000485E000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: yw`jyw0-
Source: OMHGCG.exe, 00000000.00000002.516983670.000000000485E000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: +s++@c
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: nnnjb
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: 4vs_version_info
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: stringfileinfo
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: 080904b0(
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: filedescription6
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: fileversion3, 3, 8, 1^
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: compiledscriptautoit v3 script: 3, 3, 8, 1d
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: varfileinfo$
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: translation
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestversion="1.0">
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: <trustinfo xmlns="urn:schemas-microsoft-com:asm.v3">
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: <security>
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: <requestedprivileges>
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: <requestedexecutionlevel level="asinvoker" uiaccess="false"></requestedexecutionlevel>
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: </requestedprivileges>
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: </security>
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: </trustinfo>
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: <dependency>
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: <dependentassembly>
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: <assemblyidentity type="win32" name="microsoft.windows.common-controls" version="6.0.0.0" language="*" processorarchitecture="*" publickeytoken="6595b64144ccf1df"></assemblyidentity>
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: </dependentassembly>
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: </dependency>
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: </assembly>
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: &up.t
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: w0psup
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: advapi32.dll
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: comctl32.dll
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: comdlg32.dll
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: gdi32.dll
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: kernel32.dll
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: mpr.dll
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: ole32.dll
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: oleaut32.dll
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: psapi.dll
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: shell32.dll
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: user32.dll
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: userenv.dll
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: version.dll
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: wininet.dll
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: winmm.dll
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: wsock32.dll
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: getace
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: imagelist_remove
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: getsavefilenamew
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: lineto
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: exitprocess
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: getprocaddress
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: loadlibrarya
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: virtualprotect
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: wnetgetconnectionw
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: coinitialize
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: enumprocesses
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: dragfinish
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: getdc
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: loaduserprofilew
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: verqueryvaluew
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: ftpopenfilew
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: timegettime
Source: OMHGCG.exe, 00000000.00000002.512616082.00000000004BD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: ysadvapi32.dllcomctl32.dllcomdlg32.dllgdi32.dllkernel32.dllmpr.dllole32.dlloleaut32.dllpsapi.dllshell32.dlluser32.dlluserenv.dllversion.dllwininet.dllwinmm.dllwsock32.dllgetaceimagelist_removegetsavefilenamewlinetoexitprocessgetprocaddressloadlibraryavirtualprotectwnetgetconnectionwcoinitializeenumprocessesdragfinishgetdcloaduserprofilewverqueryvaluewftpopenfilewtimegettime
Source: update.exe Binary or memory string: filereadline
Source: update.exe Binary or memory string: sendattachmode
Source: update.exe Binary or memory string: elseif
Source: update.exe Binary or memory string: processclose
Source: update.exe Binary or memory string: sendcapslockmode
Source: update.exe Binary or memory string: mydocumentsdir
Source: update.exe Binary or memory string: fileread
Source: update.exe Binary or memory string: is most likely the result of calling an msil-compiled (/clr) function from a native constructor or from dllmain.
Source: update.exe Binary or memory string: fileopendialog
Source: update.exe Binary or memory string: rspwj
Source: update.exe Binary or memory string: instance
Source: update.exe Binary or memory string: pluginopen
Source: update.exe Binary or memory string: until
Source: update.exe Binary or memory string: filerecycleempty
Source: update.exe Binary or memory string: mustdeclarevars
Source: update.exe Binary or memory string: processlist
Source: update.exe Binary or memory string: desktopcommondir
Source: update.exe Binary or memory string: class
Source: update.exe Binary or memory string: l$<qj
Source: update.exe Binary or memory string: insert
Source: update.exe Binary or memory string: processgetstats
Source: update.exe Binary or memory string: classnn
Source: update.exe Binary or memory string: while
Source: update.exe Binary or memory string: pixelcoordmode
Source: update.exe Binary or memory string: regexpclass
Source: update.exe Binary or memory string: processexists
Source: update.exe Binary or memory string: appdatacommondir
Source: update.exe Binary or memory string: t$(rj
Source: update.exe Binary or memory string: filerecycle
Source: update.exe Binary or memory string: endif
Source: update.exe Binary or memory string: \ at end of pattern
Source: update.exe Binary or memory string: no error
Source: update.exe Binary or memory string: %.15g
Source: update.exe Binary or memory string: fileinstall
Source: update.exe Binary or memory string: active
Source: update.exe Binary or memory string: delete
Source: update.exe Binary or memory string: pixelchecksum
Source: update.exe Binary or memory string: filegetversion
Source: update.exe Binary or memory string: setexitcode
Source: update.exe Binary or memory string: \c at end of pattern
Source: update.exe Binary or memory string: sv
Source: update.exe Binary or memory string: [active
Source: update.exe Binary or memory string: false
Source: update.exe Binary or memory string: handle=
Source: update.exe Binary or memory string: backspace
Source: update.exe Binary or memory string: filegettime
Source: update.exe Binary or memory string: %4d%02d%02d%02d%02d%02d
Source: update.exe Binary or memory string: unrecognized character follows \
Source: update.exe Binary or memory string: [handle:
Source: update.exe Binary or memory string: tcptimeout
Source: update.exe Binary or memory string: pluginclose
Source: update.exe Binary or memory string: commonfilesdir
Source: update.exe Binary or memory string: u$@pj
Source: update.exe Binary or memory string: fileopen
Source: update.exe Binary or memory string: sendkeydelay
Source: update.exe Binary or memory string: filemove
Source: update.exe Binary or memory string: escape
Source: update.exe Binary or memory string: programfilesdir
Source: update.exe Binary or memory string: pixelsearch
Source: update.exe Binary or memory string: [last
Source: update.exe Binary or memory string: enter
Source: update.exe Binary or memory string: sendkeydowndelay
Source: update.exe Binary or memory string: pixelgetcolor
Source: update.exe Binary or memory string: d%.15g
Source: update.exe Binary or memory string: rj~py
Source: update.exe Binary or memory string: incorrect parameters to object property !
Source: update.exe Binary or memory string: [class:
Source: update.exe Binary or memory string: filegetshortcut
Source: update.exe Binary or memory string: missing terminating ] for character class
Source: update.exe Binary or memory string: script paused
Source: update.exe Binary or memory string: r6032 - not enough space for locale information
Source: update.exe Binary or memory string: trayiconhide
Source: update.exe Binary or memory string: close all
Source: update.exe Binary or memory string: filegetpos
Source: update.exe Binary or memory string: objname
Source: update.exe Binary or memory string: blank
Source: update.exe Binary or memory string: traymenumode
Source: update.exe Binary or memory string: rh$ah
Source: update.exe Binary or memory string: qh,ah
Source: update.exe Binary or memory string: handle
Source: update.exe Binary or memory string: objget
Source: update.exe Binary or memory string: regexp=
Source: update.exe Binary or memory string: onautoitexitunregister
Source: update.exe Binary or memory string: d100m0
Source: update.exe Binary or memory string: [regexptitle:
Source: update.exe Binary or memory string: trayautopause
Source: update.exe Binary or memory string: filegetsize
Source: update.exe Binary or memory string: numbers out of order in {} quantifier
Source: update.exe Binary or memory string: filegetshortname
Source: update.exe Binary or memory string: extended
Source: update.exe Binary or memory string: onautoitexitregister
Source: update.exe Binary or memory string: trayicondebug
Source: update.exe Binary or memory string: number too big in {} quantifier
Source: update.exe Binary or memory string: l_traywnd
Source: update.exe Binary or memory string: 8xu`j
Source: update.exe Binary or memory string: classname=
Source: update.exe Binary or memory string: shell_traywnd
Source: update.exe Binary or memory string: error
Source: update.exe Binary or memory string: line:
Source: update.exe Binary or memory string: objcreate
Source: update.exe Binary or memory string: filegetattrib
Source: update.exe Binary or memory string: windetecthiddentext
Source: update.exe Binary or memory string: ^ error
Source: update.exe Binary or memory string: autoit3gui
Source: update.exe Binary or memory string: nothing to repeat
Source: update.exe Binary or memory string: msgbox
Source: update.exe Binary or memory string: vwy
Source: update.exe Binary or memory string: winsearchchildren
Source: update.exe Binary or memory string: fileflush
Source: update.exe Binary or memory string: mousewheel
Source: update.exe Binary or memory string: operand of unlimited repeat could match the empty string
Source: update.exe Binary or memory string: ugwj
Source: update.exe Binary or memory string: mouseup
Source: update.exe Binary or memory string: win32_nt
Source: update.exe Binary or memory string: @exitcode
Source: update.exe Binary or memory string: container
Source: update.exe Binary or memory string: filefindnextfile
Source: update.exe Binary or memory string: %s (%d) : ==> %s: %s %s
Source: update.exe Binary or memory string: invalid escape sequence in character class
Source: update.exe Binary or memory string: regexptitle
Source: update.exe Binary or memory string: objevent
Source: update.exe Binary or memory string: filegetlongname
Source: update.exe Binary or memory string: objcreateinterface
Source: update.exe Binary or memory string: title
Source: update.exe Binary or memory string: question
Source: update.exe Binary or memory string: thumbnailclass
Source: update.exe Binary or memory string: range out of order in character class
Source: update.exe Binary or memory string: filegetencoding
Source: update.exe Binary or memory string: trayoneventmode
Source: update.exe Binary or memory string: r6031 - attempt to initialize the crt more than once. this indicates a bug in your application.
Source: update.exe Binary or memory string: warning
Source: update.exe Binary or memory string: %s (%d) : ==> %s:
Source: update.exe Binary or memory string: win_2008
Source: update.exe Binary or memory string: unrecognized character after (? or (?-
Source: update.exe Binary or memory string: wintitlematchmode
Source: update.exe Binary or memory string: mousedown
Source: update.exe Binary or memory string: t$0rj
Source: update.exe Binary or memory string: @gui_ctrlhandle
Source: update.exe Binary or memory string: filedelete
Source: update.exe Binary or memory string: win_vista
Source: update.exe Binary or memory string: t$ rj
Source: update.exe Binary or memory string: posix named classes are supported only within a class
Source: update.exe Binary or memory string: win_2003
Source: update.exe Binary or memory string: mouseclickdrag
Source: update.exe Binary or memory string: filecreateshortcut
Source: update.exe Binary or memory string: win_xpe
Source: update.exe Binary or memory string: @tray_id
Source: update.exe Binary or memory string: winwaitdelay
Source: update.exe Binary or memory string: mousemove
Source: update.exe Binary or memory string: @exitmethod
Source: update.exe Binary or memory string: filefindfirstfile
Source: update.exe Binary or memory string: @gui_ctrlid
Source: update.exe Binary or memory string: win_2008r2
Source: update.exe Binary or memory string: internal error: unexpected repeat
Source: update.exe Binary or memory string: wintextmatchmode
Source: update.exe Binary or memory string: win_8
Source: update.exe Binary or memory string: mousegetpos
Source: update.exe Binary or memory string: mousegetcursor
Source: update.exe Binary or memory string: fileexists
Source: update.exe Binary or memory string: @gui_winhandle
Source: update.exe Binary or memory string: d1r1,2
Source: update.exe Binary or memory string: win_7
Source: update.exe Binary or memory string: winwaitclose
Source: update.exe Binary or memory string: isstring
Source: update.exe Binary or memory string: erroffset passed as null
Source: update.exe Binary or memory string: r6028 - unable to initialize heap
Source: update.exe Binary or memory string: fileclose
Source: update.exe Binary or memory string: system\currentcontrolset\control\nls\language
Source: update.exe Binary or memory string: 255.255.255.255
Source: update.exe Binary or memory string: isobj
Source: update.exe Binary or memory string: isptr
Source: update.exe Binary or memory string: winwaitactive
Source: update.exe Binary or memory string: filechangedir
Source: update.exe Binary or memory string: unknown option bit(s) set
Source: update.exe Binary or memory string: isnumber
Source: update.exe Binary or memory string: @com_eventobj
Source: update.exe Binary or memory string: mouseclick
Source: update.exe Binary or memory string: win_xp
Source: update.exe Binary or memory string: r6030 - crt not initialized
Source: update.exe Binary or memory string: accept
Source: update.exe Binary or memory string: win_2000
Source: update.exe Binary or memory string: missing )
Source: update.exe Binary or memory string: callargarray
Source: update.exe Binary or memory string: filecreatentfslink
Source: update.exe Binary or memory string: reference to non-existent subpattern
Source: update.exe Binary or memory string: memgetstats
Source: update.exe Binary or memory string: autoitcallvariable%d
Source: update.exe Binary or memory string: prune
Source: update.exe Binary or memory string: commit
Source: update.exe Binary or memory string: winwaitnotactive
Source: update.exe Binary or memory string: filecopy
Source: update.exe Binary or memory string: installlanguage
Source: update.exe Binary or memory string: envget
Source: update.exe Binary or memory string: control panel\appearance
Source: update.exe Binary or memory string: isdllstruct
Source: update.exe Binary or memory string: dllstruct
Source: update.exe Binary or memory string: winsetstate
Source: update.exe Binary or memory string: array
Source: update.exe Binary or memory string: iswow64process
Source: update.exe Binary or memory string: getprocesswindowstation
Source: update.exe Binary or memory string: winsetontop
Source: update.exe Binary or memory string: dummyspeedtest
Source: update.exe Binary or memory string: getnativesysteminfo
Source: update.exe Binary or memory string: failed to get memory
Source: update.exe Binary or memory string: clsid
Source: update.exe Binary or memory string: unmatched parentheses
Source: update.exe Binary or memory string: reference
Source: update.exe Binary or memory string: isdeclared
Source: update.exe Binary or memory string: drivestatus
Source: update.exe Binary or memory string: arabic
Source: update.exe Binary or memory string: isbool
Source: update.exe Binary or memory string: object
Source: update.exe Binary or memory string: 3, 3, 8, 1
Source: update.exe Binary or memory string: getuserobjectinformationw
Source: update.exe Binary or memory string: winmove
Source: update.exe Binary or memory string: struct
Source: update.exe Binary or memory string: execute
Source: update.exe Binary or memory string: int32
Source: update.exe Binary or memory string: iskeyword
Source: update.exe Binary or memory string: missing ) after comment
Source: update.exe Binary or memory string: winwait
Source: update.exe Binary or memory string: parentheses nested too deeply
Source: update.exe Binary or memory string: r6027 - not enough space for lowio initialization
Source: update.exe Binary or memory string: winsettrans
Source: update.exe Binary or memory string: int64
Source: update.exe Binary or memory string: winsettitle
Source: update.exe Binary or memory string: ishwnd
Source: update.exe Binary or memory string: schemelangid
Source: update.exe Binary or memory string: isint
Source: update.exe Binary or memory string: double
Source: update.exe Binary or memory string: envupdate
Source: update.exe Binary or memory string: envset
Source: update.exe Binary or memory string: isfloat
Source: update.exe Binary or memory string: string
Source: update.exe Binary or memory string: kernel32.dll
Source: update.exe Binary or memory string: regular expression is too large
Source: update.exe Binary or memory string: qpv)7
Source: update.exe Binary or memory string: winmenuselectitem
Source: update.exe Binary or memory string: inputbox
Source: update.exe Binary or memory string: ulong_ptr
Source: update.exe Binary or memory string: canadian_aboriginal
Source: update.exe Binary or memory string: lookbehind assertion is not fixed length
Source: update.exe Binary or memory string: icmpcreatefile
Source: update.exe Binary or memory string: userdnsdomain
Source: update.exe Binary or memory string: buhid
Source: update.exe Binary or memory string: iniwritesection
Source: update.exe Binary or memory string: drivesetlabel
Source: update.exe Binary or memory string: e+000
Source: update.exe Binary or memory string: icmpclosehandle
Source: update.exe Binary or memory string: malformed number or name after (?(
Source: update.exe Binary or memory string: winlist
Source: update.exe Binary or memory string: drivemapget
Source: update.exe Binary or memory string: default
Source: update.exe Binary or memory string: uint_ptr
Source: update.exe Binary or memory string: carian
Source: update.exe Binary or memory string: icmpsendecho
Source: update.exe Binary or memory string: winkill
Source: update.exe Binary or memory string: iniwrite
Source: update.exe Binary or memory string: getsystemwow64directoryw
Source: update.exe Binary or memory string: r6025 - pure virtual function call
Source: update.exe Binary or memory string: -t@.t
Source: update.exe Binary or memory string: cherokee
Source: update.exe Binary or memory string: lparam
Source: update.exe Binary or memory string: software\classes\
Source: update.exe Binary or memory string: getlastactivepopup
Source: update.exe Binary or memory string: avestan
Source: update.exe Binary or memory string: isbinary
Source: update.exe Binary or memory string: r6026 - not enough space for stdio initialization
Source: update.exe Binary or memory string: winminimizeallundo
Source: update.exe Binary or memory string: internal error: code overflow
Source: update.exe Binary or memory string: armenian
Source: update.exe Binary or memory string: object
Source: update.exe Binary or memory string: keyword
Source: update.exe Binary or memory string: bamum
Source: update.exe Binary or memory string: unrecognized character after (?<
Source: update.exe Binary or memory string: drivespacetotal
Source: update.exe Binary or memory string: idispatch
Source: update.exe Binary or memory string: balinese
Source: update.exe Binary or memory string: userprofile
Source: update.exe Binary or memory string: wparam
Source: update.exe Binary or memory string: winminimizeall
Source: update.exe Binary or memory string: binary
Source: update.exe Binary or memory string: bopomofo
Source: update.exe Binary or memory string: userdomain
Source: update.exe Binary or memory string: getactivewindow
Source: update.exe Binary or memory string: isarray
Source: update.exe Binary or memory string: bengali
Source: update.exe Binary or memory string: icmp.dll
Source: update.exe Binary or memory string: dword_ptr
Source: update.exe Binary or memory string: user32.dll
Source: update.exe Binary or memory string: buginese
Source: update.exe Binary or memory string: messageboxw
Source: update.exe Binary or memory string: isadmin
Source: update.exe Binary or memory string: drivespacefree
Source: update.exe Binary or memory string: braille
Source: update.exe Binary or memory string: r6024 - not enough space for _onexit/atexit table
Source: update.exe Binary or memory string: egyptian_hieroglyphs
Source: update.exe Binary or memory string: null pointer assignment
Source: update.exe Binary or memory string: complete object locator'
Source: update.exe Binary or memory string: handle
Source: update.exe Binary or memory string: stdcall
Source: update.exe Binary or memory string: (?r or (?[+-]digits must be followed by )
Source: update.exe Binary or memory string: inireadsection
Source: update.exe Binary or memory string: georgian
Source: update.exe Binary or memory string: drivegetserial
Source: update.exe Binary or memory string: wingetprocess
Source: update.exe Binary or memory string: ubyte
Source: update.exe Binary or memory string: ethiopic
Source: update.exe Binary or memory string: glagolitic
Source: update.exe Binary or memory string: hkey_local_machine
Source: update.exe Binary or memory string: class hierarchy descriptor'
Source: update.exe Binary or memory string: greek
Source: update.exe Binary or memory string: rhh)h
Source: update.exe Binary or memory string: hresult
Source: update.exe Binary or memory string: iniread
Source: update.exe Binary or memory string: wingetpos
Source: update.exe Binary or memory string: drivegetlabel
Source: update.exe Binary or memory string: gothic
Source: update.exe Binary or memory string: autoit.error
Source: update.exe Binary or memory string: coptic
Source: update.exe Binary or memory string: conditional group contains more than two branches
Source: update.exe Binary or memory string: wingettitle
Source: update.exe Binary or memory string: sedebugprivilege
Source: update.exe Binary or memory string: -tpz2t
Source: update.exe Binary or memory string: common
Source: update.exe Binary or memory string: lresult
Source: update.exe Binary or memory string: drivemapdel
Source: update.exe Binary or memory string: \clsid
Source: update.exe Binary or memory string: drivemapadd
Source: update.exe Binary or memory string: cypriot
Source: update.exe Binary or memory string: inirenamesection
Source: update.exe Binary or memory string: cuneiform
Source: update.exe Binary or memory string: long_ptr
Source: update.exe Binary or memory string: int_ptr
Source: update.exe Binary or memory string: deseret
Source: update.exe Binary or memory string: wingettext
Source: update.exe Binary or memory string: cyrillic
Source: update.exe Binary or memory string: wingetstate
Source: update.exe Binary or memory string: assertion expected after (?(
Source: update.exe Binary or memory string: \ipc$
Source: update.exe Binary or memory string: inireadsectionnames
Source: update.exe Binary or memory string: drivegettype
Source: update.exe Binary or memory string: winapi
Source: update.exe Binary or memory string: devanagari
Source: update.exe Binary or memory string: can't install a new errorhandler when one is still active.
Source: update.exe Binary or memory string: this version of pcre is not compiled with pcre_utf8 support
Source: update.exe Binary or memory string: inetgetinfo
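The update.exe string list above is the fingerprint of an AutoIt v3 compiled script: the lower-case names (fileread, processclose, pixelsearch, winwaitactive, the @exitcode / @gui_ctrlhandle macros) are the interpreter's built-in function table, and "AutoIt v3 GUI", "autoit.error" and "onautoitexitregister" belong to the runtime itself. The following triage check is an added example, not part of the Joe Sandbox report: it takes a binary or a process-memory dump and decides whether it carries the AutoIt runtime, using only strings the report lists plus one assumption, the "AU3!EA06" compiled-script resource marker, which the report does not quote. The sample blobs are constructed for the example.

```python
"""Added example, not part of the Joe Sandbox report: string-based triage that
tells whether a binary or process-memory dump is an AutoIt v3 compiled script.
Markers and built-in names come from the report's update.exe string list;
"AU3!EA06" is the well-known compiled-script resource signature and is an
assumption added here, not a string quoted from the report."""
import re

# Runtime strings the report lists for update.exe / OMHGCG.exe.
RUNTIME_MARKERS = (
    "AutoIt v3 GUI",
    "autoit3gui",
    "autoit.error",
    "onautoitexitregister",
    "onautoitexitunregister",
    "autoitcallvariable%d",
    "AU3!EA06",  # assumption: compiled-script resource magic, not from the report
)

# AutoIt built-in function names taken from the report's update.exe string list.
BUILTINS = frozenset((
    "fileread", "filereadline", "fileopen", "fileclose", "fileinstall",
    "filerecycle", "filecreateshortcut", "processclose", "processlist",
    "processexists", "processgetstats", "pixelsearch", "pixelgetcolor",
    "pixelchecksum", "mouseclick", "mousemove", "mousegetpos", "winwait",
    "winwaitactive", "winsetstate", "winkill", "winlist", "inetgetinfo",
    "drivemapadd", "iniread", "iniwrite", "objcreate", "dllstruct",
    "envget", "envset", "isadmin", "msgbox", "inputbox", "sendkeydelay",
    "trayiconhide", "traymenumode",
))


def _tokens(data: bytes) -> set:
    """Lower-case ASCII tokens of a dump, read as narrow text and as UTF-16LE at
    both alignments: AutoIt keeps most of its tables as wide strings, and
    strings tools print either form."""
    low = data.lower()  # only ASCII letters change, so UTF-16LE stays intact
    views = [low.decode("latin-1")]
    for off in (0, 1):
        views.append(low[off:].decode("utf-16-le", errors="ignore"))
    toks = set()
    for view in views:
        toks.update(re.findall(r"[a-z0-9_.@%!]{3,}", view))
    return toks


def find_runtime_markers(data: bytes) -> list:
    """Markers present in either encoding; substring match because some contain spaces."""
    low = data.lower()
    return [m for m in RUNTIME_MARKERS
            if m.lower().encode("ascii") in low
            or m.lower().encode("utf-16-le") in low]


def find_builtins(data: bytes) -> set:
    """Whole-token match, so 'fileread' is not counted inside 'filereadline'."""
    return BUILTINS & _tokens(data)


def classify_autoit(data: bytes, min_builtins: int = 8) -> dict:
    """A verdict needs a runtime marker plus a spread of built-in names: a lone
    'AutoIt v3 GUI' string could be a decoy, a lone function name a coincidence."""
    markers = find_runtime_markers(data)
    builtins = find_builtins(data)
    return {
        "autoit_compiled": bool(markers) and len(builtins) >= min_builtins,
        "markers": markers,
        "builtins": sorted(builtins),
    }


# Constructed sample blobs, not real dumps: one shaped like the update.exe
# string list above (with one wide string, as a real dump would have), and a
# plain C-runtime blob that must not match.
SAMPLE_AUTOIT = "msgbox\x00".encode("utf-16-le") + b"\x00".join([
    b"kernel32.dll", b"AutoIt v3 GUI", b"autoit.error", b"onautoitexitregister",
    b"fileread", b"filereadline", b"processclose", b"processlist", b"pixelsearch",
    b"mouseclick", b"winwaitactive", b"inetgetinfo", b"drivemapadd", b"iniwrite",
    b"Shell_TrayWnd",
])
SAMPLE_PLAIN = b"\x00".join([
    b"kernel32.dll", b"getprocaddress", b"loadlibrarya", b"virtualprotect",
    b"r6025 - pure virtual function call",
])

if __name__ == "__main__":
    for name, blob in (("autoit-like", SAMPLE_AUTOIT), ("plain-crt", SAMPLE_PLAIN)):
        print(name, classify_autoit(blob))
```

The check identifies the runtime, not malice: AutoIt is also used by legitimate administration tools, so a positive result is a pivot, not a verdict. The useful next step on a positive is to extract the embedded script with an AutoIt script extractor and read it, because the interpreter strings above will look the same for every AutoIt sample while the script carries the actual behaviour.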
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_00436CD7 LogonUserW, 0_2_00436CD7
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00434418
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D590
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn ZFZRCN.exe /tr C:\Users\user\AppData\Roaming\Windata\update.exe /sc minute /mo 1 Jump to behavior
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event, 0_2_0043333C
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00446124
Source: update.exe, 00000012.00000002.513247187.0000000003B00000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [Class:Shell_TrayWnd]I
Source: update.exe, 0000000D.00000003.476746236.0000000003BD9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [Class:Shell_TrayWnd]D
Source: OMHGCG.exe, 00000000.00000002.515898839.0000000004200000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: OMHGCG.exe, update.exe Binary or memory string: Shell_TrayWnd
Source: OMHGCG.exe, 00000000.00000002.513500694.0000000003F40000.00000004.00000800.00020000.00000000.sdmp, update.exe, 0000000E.00000003.492650465.0000000003BA8000.00000004.00000800.00020000.00000000.sdmp, update.exe, 0000000E.00000003.492605560.0000000003BA1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [Class:Shell_TrayWnd]
Source: OMHGCG.exe, 00000000.00000002.515898839.0000000004200000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerJC
Source: OMHGCG.exe, 00000000.00000002.512057888.0000000000401000.00000040.00000001.01000000.00000003.sdmp, update.exe, 0000000D.00000002.477728772.0000000000401000.00000040.00000001.01000000.00000007.sdmp, update.exe, 0000000E.00000002.493581378.0000000000401000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: OMHGCG.exe, 00000000.00000002.515898839.0000000004200000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManageriC
Source: C:\Users\user\Desktop\OMHGCG.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW, 0_2_004720DB
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 0_2_0041E364
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary, 0_2_0040E500
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_00472C3F GetUserNameW, 0_2_00472C3F
Source: C:\Users\user\Desktop\OMHGCG.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntiVirusProduct
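The persistence mechanism recorded above (cmd.exe spawning `schtasks /create /tn ZFZRCN.exe /tr C:\Users\user\AppData\Roaming\Windata\update.exe /sc minute /mo 1`) is a watchdog: the dropped copy is relaunched every minute from a user-writable directory under a task name that mimics a file name. The detection helper below is an added example, not part of the Joe Sandbox report. It parses schtasks.exe command lines from process-creation telemetry (Sysmon Event ID 1, or the report's own "Process created" line) and explains why a task creation looks like this pattern. The first sample command line is the one the report records; the other two are constructed for contrast, and the thresholds and path list are this example's own choices.

```python
"""Added example, not part of the Joe Sandbox report: score 'schtasks /create'
command lines for the persistence pattern this sample uses (high-frequency
relaunch of a payload from a user-writable path). Thresholds, path list and the
benign sample lines are this example's own choices."""
import re
from typing import Optional

# Roots an unprivileged user can write to; a task whose action lives here is a
# common persistence layout (the report shows AppData\Roaming\Windata).
USER_WRITABLE = re.compile(
    r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
# A minute schedule at or below this interval is a watchdog, not a job
# (the sample uses /sc minute /mo 1).
WATCHDOG_MINUTES = 5


def tokenize(cmd: str) -> list:
    """Split a Windows command line, keeping quoted paths with spaces intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def parse_schtasks(cmd: str) -> Optional[dict]:
    """Return the /tn /tr /sc /mo /ru ... options of a 'schtasks /create' line,
    or None when the line is not a task creation (query, delete, other tools)."""
    toks = tokenize(cmd)
    if not toks:
        return None
    exe = toks[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("schtasks", "schtasks.exe"):
        return None
    opts = {}
    verb = None
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if key in ("create", "delete", "change", "query", "run", "end"):
                verb = key
            elif i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key] = toks[i + 1]  # option with a value
                i += 1
            else:
                opts[key] = ""  # bare switch such as /v or /f
        i += 1
    return opts if verb == "create" else None


def score_task(opts: dict) -> list:
    """Reasons a task creation looks like malware persistence (empty = nothing odd)."""
    reasons = []
    action = opts.get("tr", "")
    if USER_WRITABLE.search(action):
        reasons.append(f"action runs from a user-writable path: {action}")
    sc = opts.get("sc", "").lower()
    mo = opts.get("mo", "1")
    if sc == "minute" and mo.isdigit() and int(mo) <= WATCHDOG_MINUTES:
        reasons.append(f"fires every {mo} minute(s): watchdog-style relaunch")
    elif sc in ("onlogon", "onstart"):
        reasons.append(f"fires {sc}: boot/logon persistence")
    name = opts.get("tn", "")
    if name.lower().endswith((".exe", ".dll")):
        reasons.append(f"task name mimics a file name: {name}")
    if opts.get("ru", "").lower() in ("system", "nt authority\\system"):
        reasons.append("runs as SYSTEM")
    return reasons


def hunt(command_lines: list) -> list:
    """Run every command line through the parser and keep the suspicious creations."""
    hits = []
    for cmd in command_lines:
        opts = parse_schtasks(cmd)
        if opts is None:
            continue
        reasons = score_task(opts)
        if reasons:
            hits.append({"task": opts.get("tn"), "action": opts.get("tr"),
                         "reasons": reasons})
    return hits


# Sample telemetry: the first line is the command recorded in this report; the
# second and third are constructed benign lines for contrast.
SAMPLE_COMMANDS = [
    r"schtasks /create /tn ZFZRCN.exe /tr C:\Users\user\AppData\Roaming\Windata\update.exe /sc minute /mo 1",
    r'C:\Windows\System32\schtasks.exe /create /tn "Nightly Backup" /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00',
    r"schtasks /query /fo LIST /v",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_COMMANDS):
        print(hit["task"], "->", hit["action"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

Two practical notes follow from the report line. First, because the task fires every minute, killing update.exe alone does not remediate the host; the task (visible with `schtasks /query /fo LIST /v`, and stored as XML under C:\Windows\System32\Tasks) and the Windata directory both have to go. Second, the creation runs from a SysWOW64 cmd.exe, so the command line is captured on the cmd.exe child, not on the dropper itself; a rule that only inspects the parent's command line misses it.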

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: OMHGCG.exe PID: 3460, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: update.exe PID: 4124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: update.exe PID: 5112, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: update.exe PID: 676, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: update.exe PID: 588, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: OMHGCG.exe PID: 3460, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: update.exe PID: 4124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: update.exe PID: 5112, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: update.exe PID: 676, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: update.exe PID: 588, type: MEMORYSTR
Source: update.exe, 00000012.00000002.513247187.0000000003B00000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WIN_XPK:
Source: update.exe, 0000000F.00000002.513239652.0000000003C30000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WIN_XP
Source: OMHGCG.exe, 00000000.00000002.513500694.0000000003F40000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WIN_VISTAB
Source: update.exe, 00000012.00000002.512110822.0000000000401000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
Source: update.exe, 00000012.00000002.513247187.0000000003B00000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WIN_XPe
Source: OMHGCG.exe, 00000000.00000002.513500694.0000000003F40000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WIN_XPc
Source: update.exe, 00000012.00000002.513247187.0000000003B00000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WIN_VISTA
Source: update.exe, 0000000E.00000003.492774001.0000000003B7D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WIN_XPeg
Source: update.exe Binary or memory string: WIN_7
Source: update.exe, 0000000F.00000002.515363500.0000000003ED7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WIN_8

Remote Access Functionality

Source: Yara match File source: Process Memory Space: OMHGCG.exe PID: 3460, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: update.exe PID: 4124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: update.exe PID: 5112, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: update.exe PID: 676, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: update.exe PID: 588, type: MEMORYSTR
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,GetActiveObject, 0_2_0046CEF3
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 0_2_004652BE
Source: C:\Users\user\Desktop\OMHGCG.exe Code function: 0_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00476619