Malware Analysis Report

2024-11-16 13:00

Sample ID 240521-cxqlwsfa23
Target a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04
SHA256 a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04
Tags neconyd trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04

Threat Level: Known bad

The file a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Detects executables built or packed with MPress PE compressor

Neconyd

Detects executables built or packed with MPress PE compressor

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Drops file in System32 directory

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-05-21 02:27

Signatures

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-21 02:27

Reported 2024-05-21 02:30

Platform win7-20240508-en

Max time kernel 147s

Max time network 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe"

Signatures

Neconyd

trojan neconyd

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A (12 identical rows, none with recorded detail)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2424 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe
PID 2424 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe
PID 2424 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe
PID 2424 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe
PID 2424 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe
PID 2424 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe
PID 2188 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2188 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2188 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2188 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2708 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2708 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2708 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2708 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2708 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2708 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2664 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2664 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2664 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2664 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1288 wrote to memory of 1796 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1288 wrote to memory of 1796 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1288 wrote to memory of 1796 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1288 wrote to memory of 1796 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1288 wrote to memory of 1796 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1288 wrote to memory of 1796 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1796 wrote to memory of 1516 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1796 wrote to memory of 1516 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1796 wrote to memory of 1516 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1796 wrote to memory of 1516 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1516 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1516 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1516 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1516 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1516 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1516 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe

"C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe"

C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe

C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/2424-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2424-8-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2188-5-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2188-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2188-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2188-9-0x0000000000400000-0x0000000000429000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 1cbda766f5a296c2c95eac51159cdd26
SHA1 07c6dcd230a8e38064ca348c6eaa381d3e5cddf9
SHA256 eaa2384add1d129045612b383b67aebf486192d7f6a09a9630779038f414097b
SHA512 3f84afb86ac478bf1bb97ebc57176e3e6cc90718f3e1957fdc70557673abbbd9035f3d357a4e9c4f926de794ffa935da34c88d7f2212ac080ed37e4c7e0fd767

memory/2188-19-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2708-21-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2708-32-0x0000000000230000-0x0000000000253000-memory.dmp

memory/2708-31-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2664-35-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2664-38-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2664-41-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2664-44-0x0000000000400000-0x0000000000429000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 b30f9fc7f465a05b8028277265be7602
SHA1 fc98f8ec9fec5f8f710c11080145aca71a9b3657
SHA256 32b5c0b82d97a1b55c45ff547ae6689417cf97cb4a3935e7f25bcc0dbe315781
SHA512 4a7669e51f27089dbac3026016151701109045922f26d017bcc65a8a0539f66a1531258fe5940cc4d754f518091f880ab51c0335c41ccb91feab71660b106cdf

memory/2664-47-0x0000000000390000-0x00000000003B3000-memory.dmp

memory/2664-55-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1288-57-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 7150ee568458c030b4977e5f373e3a79
SHA1 aabc91eff981f707697019ec3d9ee49a07dd3014
SHA256 15213bf017025dbb8da55271b989ea4f64d1043b836b40a9aa1ec3e3087c1993
SHA512 0788f60ac1c6af88e52237eafdbe8d64e2da317ca3dd084f8cf1efe40121f6add48c116d4c75ed2a6821b193a0d673c999a13bec3172831a7ded3e91bf13ff07

memory/1288-67-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1516-79-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1516-86-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2112-89-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2112-92-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-21 02:27

Reported 2024-05-21 02:30

Platform win10v2004-20240508-en

Max time kernel 146s

Max time network 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe"

Signatures

Neconyd

trojan neconyd

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A (9 identical rows, none with recorded detail)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2020 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe
PID 2020 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe
PID 2020 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe
PID 2020 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe
PID 2020 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe
PID 2264 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2264 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2264 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 404 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 404 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 404 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 404 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 404 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 5096 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 5096 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 5096 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3972 wrote to memory of 1320 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3972 wrote to memory of 1320 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3972 wrote to memory of 1320 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3972 wrote to memory of 1320 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3972 wrote to memory of 1320 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1320 wrote to memory of 4188 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1320 wrote to memory of 4188 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1320 wrote to memory of 4188 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4188 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4188 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4188 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4188 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4188 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe

"C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe"

C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe

C:\Users\Admin\AppData\Local\Temp\a89d831a733c9cb0b00755ccc18c0fb687e4492d967e0bfadcc5998f12dcfa04.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2020 -ip 2020

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 404 -ip 404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 288

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3972 -ip 3972

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 292

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4188 -ip 4188

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 256

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/2020-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2264-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2264-3-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2264-5-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2264-1-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 1cbda766f5a296c2c95eac51159cdd26
SHA1 07c6dcd230a8e38064ca348c6eaa381d3e5cddf9
SHA256 eaa2384add1d129045612b383b67aebf486192d7f6a09a9630779038f414097b
SHA512 3f84afb86ac478bf1bb97ebc57176e3e6cc90718f3e1957fdc70557673abbbd9035f3d357a4e9c4f926de794ffa935da34c88d7f2212ac080ed37e4c7e0fd767

memory/404-11-0x0000000000400000-0x0000000000423000-memory.dmp

memory/5096-14-0x0000000000400000-0x0000000000429000-memory.dmp

memory/5096-15-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2020-17-0x0000000000400000-0x0000000000423000-memory.dmp

memory/5096-19-0x0000000000400000-0x0000000000429000-memory.dmp

memory/5096-22-0x0000000000400000-0x0000000000429000-memory.dmp

memory/5096-25-0x0000000000400000-0x0000000000429000-memory.dmp

memory/5096-26-0x0000000000400000-0x0000000000429000-memory.dmp

memory/5096-33-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 c5082b0aff87a8a0d03df299264585b9
SHA1 4904750bb321241de61ec6d5687d7787bd941bb0
SHA256 2e1c4dcd2469a6dacee59ea9b387d0573935de3be9dc619a5b7e44373995c032
SHA512 cf59d5a8ec44978ce387d9f5d780fc45dc78b1ad77f96b864dcd6712132887177a14e46eb152e368c4f6396bbe6dca7019f33f9001fd643638eb0db62937409b

memory/3972-34-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1320-38-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1320-40-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 b64e373c206a9d91fd905c349debe3e5
SHA1 cd39c1a40cc95a1caa987d70d427d12176a6405a
SHA256 fb25e21052a8850ce6049499613cbf6280a354665615d1844596beb687c24457
SHA512 ad5cffd121ee7064973134c9c0641b25f8044f9b3d789101553bc968f6de978c006ee5912f047070ac843bb3bac76f0bb7bb288f61878609de1fc369a99d2275

memory/4188-45-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1320-37-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2248-49-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2248-50-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4188-52-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2248-53-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2248-56-0x0000000000400000-0x0000000000429000-memory.dmp