Malware Analysis Report

2024-11-16 13:00

Sample ID 240521-ey9r9she4s
Target cf0c85daf46fca43c3a55f4be39c20ff50051e1ef66d4d7193d8ece1f3cc25b8
SHA256 cf0c85daf46fca43c3a55f4be39c20ff50051e1ef66d4d7193d8ece1f3cc25b8
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cf0c85daf46fca43c3a55f4be39c20ff50051e1ef66d4d7193d8ece1f3cc25b8

Threat Level: Known bad

The file cf0c85daf46fca43c3a55f4be39c20ff50051e1ef66d4d7193d8ece1f3cc25b8 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Detects executables built or packed with MPress PE compressor

Neconyd

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-21 04:22

Signatures

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 04:22

Reported

2024-05-21 04:24

Platform

win7-20240508-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cf0c85daf46fca43c3a55f4be39c20ff50051e1ef66d4d7193d8ece1f3cc25b8.exe"

Signatures

Neconyd

trojan neconyd

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2228 wrote to memory of 2424 (6 writes) N/A C:\Users\Admin\AppData\Local\Temp\cf0c85daf46fca43c3a55f4be39c20ff50051e1ef66d4d7193d8ece1f3cc25b8.exe C:\Users\Admin\AppData\Local\Temp\cf0c85daf46fca43c3a55f4be39c20ff50051e1ef66d4d7193d8ece1f3cc25b8.exe
PID 2424 wrote to memory of 2068 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\cf0c85daf46fca43c3a55f4be39c20ff50051e1ef66d4d7193d8ece1f3cc25b8.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2068 wrote to memory of 2648 (6 writes) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2648 wrote to memory of 1852 (4 writes) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1852 wrote to memory of 2816 (6 writes) N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2816 wrote to memory of 1688 (4 writes) N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1688 wrote to memory of 1300 (6 writes) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cf0c85daf46fca43c3a55f4be39c20ff50051e1ef66d4d7193d8ece1f3cc25b8.exe

"C:\Users\Admin\AppData\Local\Temp\cf0c85daf46fca43c3a55f4be39c20ff50051e1ef66d4d7193d8ece1f3cc25b8.exe"

C:\Users\Admin\AppData\Local\Temp\cf0c85daf46fca43c3a55f4be39c20ff50051e1ef66d4d7193d8ece1f3cc25b8.exe

C:\Users\Admin\AppData\Local\Temp\cf0c85daf46fca43c3a55f4be39c20ff50051e1ef66d4d7193d8ece1f3cc25b8.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/2228-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2424-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2424-9-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2424-11-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2228-7-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2424-5-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2068-21-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 91f58296923686367a684f2fd42565af
SHA1 89cdb5be1770ab1dae8a794b74840c6693046084
SHA256 14a5870fc38eb0bbb1edfe6ff32f93837c64a123cf59f2ef277435a1026d16cc
SHA512 a1fb9fd7f85b25a3a12e713c4dbf96f0ad6598a31668c71c892ab4aef379ebd856574da7a2d6dae1ca2c9c4a545bddf1fc91497ac18a91f67622a29dec1b4226

memory/2424-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2068-24-0x00000000001C0000-0x00000000001E3000-memory.dmp

memory/2068-32-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2648-35-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2648-38-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2648-41-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2648-44-0x0000000000400000-0x0000000000429000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 1adfdf85325f31d270cfa4895d9e2963
SHA1 3e7a23603266cfddc33debf79dbd7fdb2e16888e
SHA256 513154be962edacbd52d91ecdded96b47c696cfb62084d60f3100dd265c2da98
SHA512 2b01e893823f274dfc7fbda4b7b496cec482c803ef9c21521cc7dc49536915d08d09fadfda4813f4ce82cd6852272de2f39d892f39dad34dbd6345a9ba6fb06f

memory/2648-47-0x0000000000290000-0x00000000002B3000-memory.dmp

memory/2648-56-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1852-57-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1852-66-0x0000000000400000-0x0000000000423000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d8b91c98870a872c53597c9929ea3bad
SHA1 88065fdb6d44bad66bfe001b9237f7114bd2a9ba
SHA256 ed670e07ced6d5ac12dc23dada2d6608565b7c28cdd365cb5bb817cf9623edc9
SHA512 6391fe1ea02453300caf9923369839c009518225edd02d7d8e4a8308c1f382b1ccf5f8e0e080269064279b5e5e049aba9882efbb651498e90ef961a5796c45e4

memory/2816-72-0x00000000003C0000-0x00000000003E3000-memory.dmp

memory/1688-80-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1688-88-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1300-90-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1300-93-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 04:22

Reported

2024-05-21 04:24

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cf0c85daf46fca43c3a55f4be39c20ff50051e1ef66d4d7193d8ece1f3cc25b8.exe"

Signatures

Neconyd

trojan neconyd

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4200 wrote to memory of 4832 (5 writes) N/A C:\Users\Admin\AppData\Local\Temp\cf0c85daf46fca43c3a55f4be39c20ff50051e1ef66d4d7193d8ece1f3cc25b8.exe C:\Users\Admin\AppData\Local\Temp\cf0c85daf46fca43c3a55f4be39c20ff50051e1ef66d4d7193d8ece1f3cc25b8.exe
PID 4832 wrote to memory of 3464 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\cf0c85daf46fca43c3a55f4be39c20ff50051e1ef66d4d7193d8ece1f3cc25b8.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3464 wrote to memory of 1116 (5 writes) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1116 wrote to memory of 2948 (3 writes) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2948 wrote to memory of 2204 (5 writes) N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2204 wrote to memory of 1476 (3 writes) N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1476 wrote to memory of 4004 (5 writes) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cf0c85daf46fca43c3a55f4be39c20ff50051e1ef66d4d7193d8ece1f3cc25b8.exe

"C:\Users\Admin\AppData\Local\Temp\cf0c85daf46fca43c3a55f4be39c20ff50051e1ef66d4d7193d8ece1f3cc25b8.exe"

C:\Users\Admin\AppData\Local\Temp\cf0c85daf46fca43c3a55f4be39c20ff50051e1ef66d4d7193d8ece1f3cc25b8.exe

C:\Users\Admin\AppData\Local\Temp\cf0c85daf46fca43c3a55f4be39c20ff50051e1ef66d4d7193d8ece1f3cc25b8.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4200 -ip 4200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 284

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3464 -ip 3464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 288

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2948 -ip 2948

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 296

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1476 -ip 1476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 256

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

memory/4200-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4832-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4832-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4832-3-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4832-5-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 91f58296923686367a684f2fd42565af
SHA1 89cdb5be1770ab1dae8a794b74840c6693046084
SHA256 14a5870fc38eb0bbb1edfe6ff32f93837c64a123cf59f2ef277435a1026d16cc
SHA512 a1fb9fd7f85b25a3a12e713c4dbf96f0ad6598a31668c71c892ab4aef379ebd856574da7a2d6dae1ca2c9c4a545bddf1fc91497ac18a91f67622a29dec1b4226

memory/3464-11-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1116-15-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1116-14-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4200-18-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1116-19-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1116-22-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1116-25-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1116-26-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 2beb9e69d6d75cdeaf52188268a5e31a
SHA1 0a3a1eb6c37da4fda485a91e4105ae48e1d037f0
SHA256 6ea501f08e4537b5eb457baa1bcfbade573691f49351cf772d08dde8ba02c87c
SHA512 7e06286b7c6de0f3fc228c34a732882832725f35d373f48e87d1ee84537fb10889cff7544577748573853f37dfc02f75b9927d8f748be7fa796efe6eeaed3088

memory/2948-33-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1116-29-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2204-36-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2204-37-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2204-39-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 f1c7737c55aa31eca17e01d0ed2b2bd5
SHA1 cf433805f64a91965325dbd4fef6c9fbbb301a51
SHA256 edd6355e498a9810018215f078f4027ed52ae3e79b1012359378093444e8557d
SHA512 ea79edf3769a8425dc7c109b126d1b35298c775957746a3e09806d91af9a09a64437a54770e78d239a5eaba58a4ef536beaf281faf7321a966768702fc7b985b

memory/1476-44-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4004-49-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4004-48-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1476-51-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4004-52-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4004-55-0x0000000000400000-0x0000000000429000-memory.dmp