Malware Analysis Report

2024-11-16 13:00

Sample ID 240521-jtcdesdg41
Target 1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics
SHA256 1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a

Threat Level: Known bad

The file 1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-21 07:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 07:57

Reported

2024-05-21 08:38

Platform

win7-20240221-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2732 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe
PID 2732 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe
PID 2732 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe
PID 2732 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe
PID 2732 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe
PID 2732 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe
PID 2828 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2828 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2828 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2828 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2776 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2776 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2776 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2776 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2776 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2776 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2568 wrote to memory of 828 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2568 wrote to memory of 828 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2568 wrote to memory of 828 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2568 wrote to memory of 828 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 828 wrote to memory of 1432 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 828 wrote to memory of 1432 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 828 wrote to memory of 1432 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 828 wrote to memory of 1432 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 828 wrote to memory of 1432 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 828 wrote to memory of 1432 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1432 wrote to memory of 2260 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1432 wrote to memory of 2260 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1432 wrote to memory of 2260 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1432 wrote to memory of 2260 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2260 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2260 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2260 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2260 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2260 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2260 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/2732-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2828-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2828-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2828-9-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2828-11-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2732-7-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2828-5-0x0000000000400000-0x0000000000429000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 6a8c8a73b03450d86d4c97f3529fa3e5
SHA1 b44d79345d0e4084c6dbc847c17dc9fad5d6771d
SHA256 a12ab56994ee18450c824c471e765909453754e70e01af6f30e693cc1e3ee3b0
SHA512 cf84248d40548f7019ff4a03b86762d155cb1513e7c3fd3a2902b8a4761b03b2f8288f9e8116011e632f68ea33e094d47d35c13778439136a6468fb80e65d3ef

memory/2828-21-0x0000000000230000-0x0000000000253000-memory.dmp

memory/2776-23-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2828-19-0x0000000000230000-0x0000000000253000-memory.dmp

memory/2776-33-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2568-36-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2568-40-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2568-43-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2568-46-0x0000000000400000-0x0000000000429000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 f526abddb6fec7600212d4d7274def18
SHA1 9e0a57d6a3cd90cb8c153f66277962ec4d1a07a7
SHA256 cf519c76c1e21a602a6983d1734ae3e579b95fc035307369ce602787603a02fd
SHA512 282494beb306fbb9d92dd4ee84ddb7ace95f2ca62bda3a089ddf935f3b1764a840de8e0fd0c5cef3e001a943cc4e63e4cc67810a56f4e1a97784e957798741ae

memory/2568-49-0x0000000002380000-0x00000000023A3000-memory.dmp

memory/2568-57-0x0000000000400000-0x0000000000429000-memory.dmp

memory/828-59-0x0000000000400000-0x0000000000423000-memory.dmp

memory/828-69-0x0000000000400000-0x0000000000423000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 58c2442275c7b29002230fd04a02e091
SHA1 010b64d8acfe08c70edbed4faf49bce9a581c3d7
SHA256 0704ba0210e50b1329e566c93092dbe7df161e2ca6556209d3a9c392b8c4c790
SHA512 517d52e5e798873e72134258ca32f1cb599e7892d335c761289a1aa16e91609e85d3f404060593d2b155b4b071bcec2ba1db3a9c80cfbd4c430428855b158265

memory/2260-81-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2260-88-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2064-91-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2064-94-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 07:57

Reported

2024-05-21 08:39

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5088 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe
PID 5088 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe
PID 5088 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe
PID 5088 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe
PID 5088 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe
PID 912 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 912 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 912 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1116 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1116 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1116 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1116 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1116 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1840 wrote to memory of 664 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1840 wrote to memory of 664 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1840 wrote to memory of 664 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 664 wrote to memory of 2784 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 664 wrote to memory of 2784 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 664 wrote to memory of 2784 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 664 wrote to memory of 2784 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 664 wrote to memory of 2784 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2784 wrote to memory of 2548 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2784 wrote to memory of 2548 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2784 wrote to memory of 2548 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2548 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2548 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2548 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2548 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2548 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5088 -ip 5088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 288

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1116 -ip 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 292

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 664 -ip 664

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 296

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2548 -ip 2548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 268

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

memory/5088-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/912-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/912-2-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 6a8c8a73b03450d86d4c97f3529fa3e5
SHA1 b44d79345d0e4084c6dbc847c17dc9fad5d6771d
SHA256 a12ab56994ee18450c824c471e765909453754e70e01af6f30e693cc1e3ee3b0
SHA512 cf84248d40548f7019ff4a03b86762d155cb1513e7c3fd3a2902b8a4761b03b2f8288f9e8116011e632f68ea33e094d47d35c13778439136a6468fb80e65d3ef

memory/912-7-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1116-10-0x0000000000400000-0x0000000000423000-memory.dmp

memory/912-3-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1840-14-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1840-16-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1116-18-0x0000000000400000-0x0000000000423000-memory.dmp

memory/5088-19-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1840-20-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1840-23-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1840-26-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1840-27-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 f526abddb6fec7600212d4d7274def18
SHA1 9e0a57d6a3cd90cb8c153f66277962ec4d1a07a7
SHA256 cf519c76c1e21a602a6983d1734ae3e579b95fc035307369ce602787603a02fd
SHA512 282494beb306fbb9d92dd4ee84ddb7ace95f2ca62bda3a089ddf935f3b1764a840de8e0fd0c5cef3e001a943cc4e63e4cc67810a56f4e1a97784e957798741ae

memory/1840-31-0x0000000000400000-0x0000000000429000-memory.dmp

memory/664-34-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2784-38-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2784-37-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2784-40-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 58c2442275c7b29002230fd04a02e091
SHA1 010b64d8acfe08c70edbed4faf49bce9a581c3d7
SHA256 0704ba0210e50b1329e566c93092dbe7df161e2ca6556209d3a9c392b8c4c790
SHA512 517d52e5e798873e72134258ca32f1cb599e7892d335c761289a1aa16e91609e85d3f404060593d2b155b4b071bcec2ba1db3a9c80cfbd4c430428855b158265

memory/2548-45-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4124-49-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4124-50-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4124-53-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4124-56-0x0000000000400000-0x0000000000429000-memory.dmp