Malware Analysis Report

2024-11-16 13:01

Sample ID 240520-3qwgnsbd42
Target 71d1635596b110485925fbee97ed545f5fde4a82a0186ebdf024f36d70988334
SHA256 71d1635596b110485925fbee97ed545f5fde4a82a0186ebdf024f36d70988334
Tags neconyd, trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256

71d1635596b110485925fbee97ed545f5fde4a82a0186ebdf024f36d70988334

Threat Level: Known bad

The file 71d1635596b110485925fbee97ed545f5fde4a82a0186ebdf024f36d70988334 was found to be: Known bad.

Malicious Activity Summary

Neconyd (trojan)

Detects executables built or packed with MPress PE compressor

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Drops file in System32 directory

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-20 23:43

Signatures

Detects executables built or packed with MPress PE compressor


Unsigned PE

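Both static signatures are cheap header checks that can be reproduced without the sandbox. The script below is an added example, not the sandbox's own detection logic: it walks the PE section table and looks for the .MPRESS1 and .MPRESS2 section names the MPRESS packer emits, and it tests whether the Authenticode certificate table (data directory entry 4) is populated, which is what "Unsigned PE" boils down to. The PE image it parses is constructed inside the block so the check runs without the sample; note that a populated certificate table only means a signature is attached, not that it verifies.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data-directory slot of the Authenticode certificate table
MPRESS_SECTIONS = {".MPRESS1", ".MPRESS2"}


def _u16(data, off):
    return struct.unpack_from("<H", data, off)[0]


def _u32(data, off):
    return struct.unpack_from("<I", data, off)[0]


def pe_header_offset(data):
    """Validate the MZ and PE signatures and return e_lfanew (offset of the PE signature)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = _u32(data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return pe_off


def pe_section_names(data):
    """Walk the section table and return the 8-byte section names as strings."""
    pe_off = pe_header_offset(data)
    n_sections = _u16(data, pe_off + 6)        # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = _u16(data, pe_off + 20)         # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = pe_off + 24 + opt_size             # signature (4) + COFF header (20) + optional header
    names = []
    for i in range(n_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]   # IMAGE_SECTION_HEADER.Name
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def is_mpress_packed(data):
    """MPRESS names the sections it writes .MPRESS1 and .MPRESS2; both present is the signature."""
    return MPRESS_SECTIONS <= set(pe_section_names(data))


def has_authenticode_signature(data):
    """True when the certificate-table directory entry is populated (present, not verified)."""
    pe_off = pe_header_offset(data)
    opt = pe_off + 24
    magic = _u16(data, opt)                    # 0x10B = PE32, 0x20B = PE32+
    directories = opt + (96 if magic == 0x10B else 112)
    entry = directories + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    offset, size = _u32(data, entry), _u32(data, entry + 4)   # for entry 4 this is a file offset, not an RVA
    return offset != 0 and size != 0


def static_triage(data):
    """Mirror the two static1 signatures of the report as booleans, plus the section list."""
    return {
        "mpress_packed": is_mpress_packed(data),
        "unsigned_pe": not has_authenticode_signature(data),
        "sections": pe_section_names(data),
    }


def build_test_pe(section_names, signed=False):
    """Constructed test data: a minimal PE32 header only (not runnable code, not the sample)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)    # e_lfanew: PE header directly after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                      # PE32 optional header, zero except the magic
    struct.pack_into("<H", opt, 0, 0x10B)
    if signed:                                 # pretend a WIN_CERTIFICATE blob sits at file offset 0x4000
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x4000, 0x1800)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    print(static_triage(build_test_pe([".MPRESS1", ".MPRESS2", ".rsrc"])))
    print(static_triage(build_test_pe([".text", ".rdata", ".data"], signed=True)))
```

Run it against a real file with `static_triage(open(path, "rb").read())`. The packer check is a section-name heuristic only; a repacked or renamed-section sample passes it silently, so treat a hit as corroboration of the sandbox verdict rather than a verdict on its own.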

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-20 23:43

Reported

2024-05-20 23:46

Platform

win7-20240508-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\71d1635596b110485925fbee97ed545f5fde4a82a0186ebdf024f36d70988334.exe"

Signatures

Neconyd (tags: trojan, neconyd)

Detects executables built or packed with MPress PE compressor


Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Calls
PID 2084 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\71d1635596b110485925fbee97ed545f5fde4a82a0186ebdf024f36d70988334.exe C:\Users\Admin\AppData\Local\Temp\71d1635596b110485925fbee97ed545f5fde4a82a0186ebdf024f36d70988334.exe 6
PID 2668 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\71d1635596b110485925fbee97ed545f5fde4a82a0186ebdf024f36d70988334.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 4
PID 2632 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 6
PID 2892 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe 4
PID 2476 wrote to memory of 3004 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe 6
PID 3004 wrote to memory of 3016 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 4
PID 3016 wrote to memory of 868 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 6

The sandbox prints one row per WriteProcessMemory call; identical rows are collapsed above and the Calls column gives the count.

Processes

Image Command line
C:\Users\Admin\AppData\Local\Temp\71d1635596b110485925fbee97ed545f5fde4a82a0186ebdf024f36d70988334.exe "C:\Users\Admin\AppData\Local\Temp\71d1635596b110485925fbee97ed545f5fde4a82a0186ebdf024f36d70988334.exe"
C:\Users\Admin\AppData\Local\Temp\71d1635596b110485925fbee97ed545f5fde4a82a0186ebdf024f36d70988334.exe C:\Users\Admin\AppData\Local\Temp\71d1635596b110485925fbee97ed545f5fde4a82a0186ebdf024f36d70988334.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Eight processes in creation order, matching the PIDs of the WriteProcessMemory chain (2084, 2668, 2632, 2892, 2476, 3004, 3016, 868). The fifth is launched with the command line C:\Windows\System32\omsecor.exe but runs as C:\Windows\SysWOW64\omsecor.exe: the process is 32-bit and subject to WOW64 file-system redirection, which is also why the "Drops file in System32 directory" indicator shows a SysWOW64 path.

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/2084-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2084-7-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2668-5-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2668-11-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2668-9-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2668-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2668-1-0x0000000000400000-0x0000000000429000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ebcc24739e0a7d9e58933740fa51301c
SHA1 d4e90d7ce2ce1b09e409b3a10d0c69563f5894cd
SHA256 0cfdb74c5403174c13743764010701b08f1430b645aaf50e5a9a56394428f78a
SHA512 8f3850bfb7c8cc7fc73588d3cb14751f0ca8151d3a75862f6d2fa2f03d92bc22d02d426473cece57668fd376cb2d1db80c2d158e6f3a59eed1ce21a3ebd2551a

memory/2668-14-0x0000000000230000-0x0000000000253000-memory.dmp

memory/2632-22-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2632-33-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2892-35-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2892-39-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2892-42-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2892-45-0x0000000000400000-0x0000000000429000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 6a1d8884635b35cd3de486c745535dab
SHA1 21cc2cfc1500334b791b5397ea277b53517fb686
SHA256 2093cc35d356471621faa7af4d0546266f285b350974783c55fa5fed24bb42f9
SHA512 73ac41df6edc93d05d3c46ce25d937962b5a72daa21e4e9be1b35c60b610ca6e94ffeb15a1355aba77f1af6bd704a9c90ced0f6f9fe0a57e2c8cb23606e4d41e

memory/2892-48-0x00000000002A0000-0x00000000002C3000-memory.dmp

memory/2892-56-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2476-65-0x0000000000400000-0x0000000000423000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e1135a7483d9c32dff330e7ea60e1efa
SHA1 de5abbd542cb59fcb1112807cd20db4269b17700
SHA256 53efd2996f6919dc39d037b0929800810f73fcc438f2eaa96963b12389e5ff3e
SHA512 8f7f54c0cd439cb9c6322579789b5895d6842d80ccedfcd7503842fbb928dac2296c38f5133379b41b4e28f1134de09042bfe5f32943e608b7936280dd539606

memory/3004-72-0x0000000000230000-0x0000000000253000-memory.dmp

memory/3016-80-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3016-87-0x0000000000400000-0x0000000000423000-memory.dmp

memory/868-90-0x0000000000400000-0x0000000000429000-memory.dmp

memory/868-93-0x0000000000400000-0x0000000000429000-memory.dmp

Two image sizes recur in the dumps: every process started from a file on disk (2084, 2632, 2476, 3016) maps 0x23000 bytes at 0x400000, while every same-image child it writes into (2668, 2892, 3004, 868) maps 0x29000 bytes at the same base. That is consistent with the MPRESS-packed outer layer unpacking its payload and mapping it into the hollowed child.

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-20 23:43

Reported

2024-05-20 23:46

Platform

win10v2004-20240426-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\71d1635596b110485925fbee97ed545f5fde4a82a0186ebdf024f36d70988334.exe"

Signatures

Neconyd (tags: trojan, neconyd)

Detects executables built or packed with MPress PE compressor


Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Calls
PID 3288 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\71d1635596b110485925fbee97ed545f5fde4a82a0186ebdf024f36d70988334.exe C:\Users\Admin\AppData\Local\Temp\71d1635596b110485925fbee97ed545f5fde4a82a0186ebdf024f36d70988334.exe 5
PID 3152 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\71d1635596b110485925fbee97ed545f5fde4a82a0186ebdf024f36d70988334.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 3
PID 408 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 5
PID 4008 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe 3
PID 4092 wrote to memory of 4388 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe 5
PID 4388 wrote to memory of 4004 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 3
PID 4004 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 5

The sandbox prints one row per WriteProcessMemory call; identical rows are collapsed above and the Calls column gives the count.
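The WriteProcessMemory tables of both runs (this one and the behavioral1 one above) describe the same linear chain: each process writes into a freshly spawned child, alternately a copy of its own image and the omsecor.exe it has just dropped. Taken together with the "Suspicious use of SetThreadContext" entry in the summary, a write into a suspended child of the same image is the classic process-hollowing pattern (create suspended, overwrite the image, reset the thread context, resume). The script below is an added example, not sandbox code: it parses the rows as the report prints them, de-duplicates the one-row-per-call repeats, rebuilds the chain from the root PID and labels each hop. The embedded rows are copied from the behavioral1 table, abridged to a single duplicate, and the regex assumes the report's "PID A wrote to memory of B N/A <process> <target>" layout with space-free paths on the left.

```python
import re
from collections import OrderedDict

# Rows copied from the behavioral1 "Suspicious use of WriteProcessMemory" table, abridged:
# the sandbox prints one row per call, so only one duplicate is kept here to exercise dedup.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\71d1635596b110485925fbee97ed545f5fde4a82a0186ebdf024f36d70988334.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW = r"C:\Windows\SysWOW64\omsecor.exe"
WPM_ROWS = "\n".join([
    f"PID 2084 wrote to memory of 2668 N/A {SAMPLE} {SAMPLE}",
    f"PID 2084 wrote to memory of 2668 N/A {SAMPLE} {SAMPLE}",
    f"PID 2668 wrote to memory of 2632 N/A {SAMPLE} {ROAMING}",
    f"PID 2632 wrote to memory of 2892 N/A {ROAMING} {ROAMING}",
    f"PID 2892 wrote to memory of 2476 N/A {ROAMING} {SYSWOW}",
    f"PID 2476 wrote to memory of 3004 N/A {SYSWOW} {SYSWOW}",
    f"PID 3004 wrote to memory of 3016 N/A {SYSWOW} {ROAMING}",
    f"PID 3016 wrote to memory of 868 N/A {ROAMING} {ROAMING}",
])

# Assumed row layout as printed in this report: description, N/A indicator, writer image, target image.
# The target image is anchored on a drive letter so the non-greedy writer image stops at the right space.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) ([A-Za-z]:\\.+)$")


def parse_wpm_rows(text):
    """Return de-duplicated (writer_pid, target_pid, writer_image, target_image) edges in first-seen order."""
    edges = OrderedDict()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            edges.setdefault((int(src), int(dst)), (src_img, dst_img))
    return [(s, d, si, di) for (s, d), (si, di) in edges.items()]


def classify(edge):
    """Same image on both sides: the writer targets a copy of itself (hollowing candidate).
    Different image: the writer targets the process of a file it dropped."""
    _, _, src_img, dst_img = edge
    return "self-injection" if src_img.lower() == dst_img.lower() else "inject-into-dropped"


def injection_chain(edges, root_pid):
    """Follow writer -> target links from root_pid; stops on a cycle or when no further write exists."""
    next_pid = {}
    for s, d, _, _ in edges:
        next_pid.setdefault(s, d)          # a linear chain is assumed; a fan-out keeps the first target
    chain = [root_pid]
    while chain[-1] in next_pid and next_pid[chain[-1]] not in chain:
        chain.append(next_pid[chain[-1]])
    return chain


def summarize(text, root_pid):
    """Chain, per-hop labels and counts for one WriteProcessMemory table."""
    edges = parse_wpm_rows(text)
    hops = [(e[0], e[1], classify(e)) for e in edges]
    return {
        "edges": len(edges),
        "chain": injection_chain(edges, root_pid),
        "hops": hops,
        "self_injections": sum(k == "self-injection" for _, _, k in hops),
        "drop_launches": sum(k == "inject-into-dropped" for _, _, k in hops),
        "images": sorted({di for _, _, _, di in edges}, key=str.lower),
    }


if __name__ == "__main__":
    result = summarize(WPM_ROWS, 2084)
    print(" -> ".join(str(p) for p in result["chain"]))
    for s, d, kind in result["hops"]:
        print(f"{s:>5} -> {d:<5} {kind}")
```

Pasting the behavioral2 rows in with root PID 3288 yields the same shape: seven hops, four self-injections and three drop-and-launch steps, ending at PID 4352. The "self-injection" label is only a candidate; confirming hollowing needs the CreateProcess(CREATE_SUSPENDED) and SetThreadContext calls that the summary reports but this table does not carry.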

Processes

Image Command line
C:\Users\Admin\AppData\Local\Temp\71d1635596b110485925fbee97ed545f5fde4a82a0186ebdf024f36d70988334.exe "C:\Users\Admin\AppData\Local\Temp\71d1635596b110485925fbee97ed545f5fde4a82a0186ebdf024f36d70988334.exe"
C:\Users\Admin\AppData\Local\Temp\71d1635596b110485925fbee97ed545f5fde4a82a0186ebdf024f36d70988334.exe C:\Users\Admin\AppData\Local\Temp\71d1635596b110485925fbee97ed545f5fde4a82a0186ebdf024f36d70988334.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3288 -ip 3288
C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 288
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 408 -ip 408
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 300
C:\Windows\SysWOW64\omsecor.exe C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4092 -ip 4092
C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 304
C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4004 -ip 4004
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 268

The eight omsecor.exe/sample instances are the same chain as on Windows 7; the System32 command line again lands in SysWOW64 through WOW64 file-system redirection. The WerFault.exe pairs (-pss followed by -u, with -p naming the faulting process) report crashes in PIDs 3288, 408, 4092 and 4004, each of which had just written into a copy of its own image; this is the "Program crash" entry in the summary. The crashes did not stop the chain, which still reaches its last generation (PID 4352 in the Files list below).

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
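The network tables of both runs contain the same three domains contacted over plain HTTP on port 80, plus a good deal of traffic a Windows 10 sandbox generates on its own (reverse lookups of the IPs it has talked to, Bing endpoints). Filtering that noise before extracting indicators matters, because a rule written from the raw table would fire on bing.com. The script below is an added example, not sandbox output: the embedded rows are copied (abridged) from the behavioral2 table above, and the noise-suffix list is an assumption that should be tuned to one's own sandbox baseline. Domains that are looked up but never connected to are reported separately, since in a live run that usually means a failed resolution or a blocked connection.

```python
import re
from collections import defaultdict

# Rows copied (abridged) from the behavioral2 Network table: country, destination, domain, protocol.
NET_ROWS = """\
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
"""

ROW_RE = re.compile(r"^([A-Z]{2})\s+(\S+):(\d+)\s+(\S+)\s+(tcp|udp)$")

# Assumed baseline of sandbox/OS background traffic; adjust to your own environment.
NOISE_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net")


def parse_net_rows(text):
    """Yield (country, ip, port, domain, proto) for every well-formed row, skipping anything else."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            yield country, ip, int(port), domain.lower(), proto


def is_noise(domain):
    return domain.endswith(NOISE_SUFFIXES)


def extract_iocs(text):
    """Split rows into contacted domains (peers, countries, hit counts) and domains only looked up."""
    queried = set()
    contacted = defaultdict(lambda: {"peers": set(), "countries": set(), "hits": 0})
    for country, ip, port, domain, proto in parse_net_rows(text):
        if is_noise(domain):
            continue
        if proto == "udp" and port == 53:      # resolver round-trip; the real connection is its own row
            queried.add(domain)
            continue
        entry = contacted[domain]
        entry["peers"].add(f"{ip}:{port}/{proto}")
        entry["countries"].add(country)
        entry["hits"] += 1
    ranked = sorted(contacted.items(), key=lambda kv: (-kv[1]["hits"], kv[0]))
    return {
        "contacted": [(d, v["hits"], sorted(v["peers"]), sorted(v["countries"])) for d, v in ranked],
        "queried_only": sorted(queried - set(contacted)),
    }


def defang(indicator):
    """Make an indicator safe to paste into tickets and chat: every dot becomes [.]."""
    return indicator.replace(".", "[.]")


if __name__ == "__main__":
    report = extract_iocs(NET_ROWS)
    for domain, hits, peers, countries in report["contacted"]:
        print(f"{defang(domain):<24} hits={hits} peers={[defang(p) for p in peers]} {countries}")
    print("queried only:", [defang(d) for d in report["queried_only"]])
```

On the rows above the three contacted domains come out ranked lousta.net (3 connections, 193.166.255.171:80, FI), mkkuei4kdsz.com (2, 64.225.91.73:80, US) and ow5dirasuek.com (1, 35.91.124.102:80, US), which matches the behavioral1 table as well; nothing was queried without a follow-up connection in either run.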

Files

memory/3288-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3152-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3152-3-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3152-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3152-5-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ebcc24739e0a7d9e58933740fa51301c
SHA1 d4e90d7ce2ce1b09e409b3a10d0c69563f5894cd
SHA256 0cfdb74c5403174c13743764010701b08f1430b645aaf50e5a9a56394428f78a
SHA512 8f3850bfb7c8cc7fc73588d3cb14751f0ca8151d3a75862f6d2fa2f03d92bc22d02d426473cece57668fd376cb2d1db80c2d158e6f3a59eed1ce21a3ebd2551a

memory/408-11-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4008-16-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4008-14-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3288-18-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4008-20-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4008-23-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4008-26-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4008-27-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4008-30-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 aa7542baf807b70083dbbed09b3a4a7b
SHA1 766642c37a42df58ca455fe9c5777d1f42534bba
SHA256 3f1f744a7fa036cabedf76fafe0b5f633149a9686c38d17a7be907ce5812b984
SHA512 f496688d2729b4ec10ea997a60c5e0675a07b6d231485b63eb1cc7b1e4fc691f2e3d1134f49e59008fc82b07978706a7622cd94a7c1c0d3228fc219024fd7f6f

memory/4092-33-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4388-40-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 b5ab6dda7f1f9df33db2aede047c3902
SHA1 407ae0846f3b86086f2d62a6a58e143ded00700e
SHA256 a02425938a1cf73a7041c31656e56d738c1b941788643f952e50a155a842e46b
SHA512 642bfc40bd716b113a4388944ac047dcb915485f163d20205b93ff5593306016d14ffb5820296bfb8cc1139330f0e4342d4294c8b28aa18a4f2437ae7cc88e99

memory/4388-38-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4388-37-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4004-45-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4352-49-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4352-51-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4092-53-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4004-54-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4352-55-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4352-58-0x0000000000400000-0x0000000000429000-memory.dmp

Across the two runs only the first dropped file, C:\Users\Admin\AppData\Roaming\omsecor.exe with SHA256 0cfdb74c5403174c13743764010701b08f1430b645aaf50e5a9a56394428f78a, keeps the same hash; the SysWOW64 copy and the second Roaming copy differ between behavioral1 and behavioral2. Hashes of the later-generation drops are therefore weak indicators, while the drop paths, the file name omsecor.exe, the alternating self-injection chain and the three contacted domains are stable across both platforms.