Malware Analysis Report

2024-11-16 13:00

Sample ID 240521-k341gafg8t
Target 28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics
SHA256 28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5
Tags neconyd trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5

Threat Level: Known bad

The file 28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-21 09:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 09:08

Reported

2024-05-21 09:11

Platform

win7-20240221-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1916 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe
PID 1916 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe
PID 1916 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe
PID 1916 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe
PID 1916 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe
PID 1916 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe
PID 2184 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2184 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2184 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2184 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3020 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3020 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3020 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3020 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3020 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3020 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2140 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2140 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2140 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2140 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2808 wrote to memory of 2224 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2808 wrote to memory of 2224 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2808 wrote to memory of 2224 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2808 wrote to memory of 2224 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2808 wrote to memory of 2224 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2808 wrote to memory of 2224 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2224 wrote to memory of 1924 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2224 wrote to memory of 1924 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2224 wrote to memory of 1924 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2224 wrote to memory of 1924 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1924 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1924 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1924 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1924 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1924 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1924 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/1916-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2184-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1916-7-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2184-9-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2184-5-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2184-11-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2184-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 b17cc954a8e77773d50450ba03a6be22
SHA1 c12ca6ad777c0a97b256d728a483c8f1822b6a5f
SHA256 c0e522c2fd0944179f2aaa26006a8ef5ce47e6b476583f7dae193d22361e98fb
SHA512 33105c388bd70b370433ef543516488425707fcd5ab761937f40d11367b7f7c46c796210a20b4006b7fbf0809ccd725c1c31fcc48bfa2b9c1a6e716f81a13973

memory/2184-14-0x00000000003D0000-0x00000000003F3000-memory.dmp

memory/3020-22-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3020-25-0x00000000003B0000-0x00000000003D3000-memory.dmp

memory/3020-33-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2140-36-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2140-39-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2140-42-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2140-45-0x0000000000400000-0x0000000000429000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 2c976e036e4a08a28f0336d7b672fd5f
SHA1 8aaf1db3ff1ae3cf89d7cadb445363449c44105c
SHA256 06f5e4e54f3d3d89b0074019a525231d0ebfd75c893c68ada55aa6f48d4da85c
SHA512 72a19083b9ff1bdb23e2f86f176aa1e87aabcbe408972a0ffe234a6d1b59729e62184c1bb8d790246228cafa322ced00b5dcd6669c0d66489da4665be13b4803

memory/2140-48-0x0000000000290000-0x00000000002B3000-memory.dmp

memory/2140-56-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2808-58-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2808-66-0x0000000000400000-0x0000000000423000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 70545e8f1dfe3ad7edbf06146148aca7
SHA1 843869d99b93c9193b7a0ac87941d8efaef722f6
SHA256 7c2083927cd5f31496bfa0e85f94e53222021746b14e5a2a189aac6733e16dea
SHA512 1ca8aeebeccff49f9e2536840ff49c47caf06eb260c05dd8325a914d77a30af03bf1c8cdfc9502beadc6e3f4152cddf444566e7fd9871aeb56b4e8a9692483b6

memory/2224-73-0x0000000000230000-0x0000000000253000-memory.dmp

memory/1924-81-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1924-88-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1764-91-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1764-94-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 09:08

Reported

2024-05-21 09:11

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4736 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe
PID 4736 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe
PID 4736 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe
PID 4736 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe
PID 4736 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe
PID 4868 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4868 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4868 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4444 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4444 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4444 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4444 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4444 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2488 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2488 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2488 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1372 wrote to memory of 3652 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1372 wrote to memory of 3652 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1372 wrote to memory of 3652 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1372 wrote to memory of 3652 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1372 wrote to memory of 3652 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3652 wrote to memory of 2188 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3652 wrote to memory of 2188 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3652 wrote to memory of 2188 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2188 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2188 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2188 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2188 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2188 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\28b978601ab736e4a017e39dc265d12d4cf2d25549e7539c9a50bed7e1fb2ce5_NeikiAnalytics.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4736 -ip 4736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 288

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4444 -ip 4444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 288

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1372 -ip 1372

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 292

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2188 -ip 2188

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 268

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 136.71.105.51.in-addr.arpa udp

Files

memory/4736-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4868-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4868-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4868-4-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 b17cc954a8e77773d50450ba03a6be22
SHA1 c12ca6ad777c0a97b256d728a483c8f1822b6a5f
SHA256 c0e522c2fd0944179f2aaa26006a8ef5ce47e6b476583f7dae193d22361e98fb
SHA512 33105c388bd70b370433ef543516488425707fcd5ab761937f40d11367b7f7c46c796210a20b4006b7fbf0809ccd725c1c31fcc48bfa2b9c1a6e716f81a13973

memory/4444-9-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4868-11-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2488-16-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2488-15-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4444-18-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2488-20-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2488-23-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2488-26-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2488-27-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2488-30-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 a2fda3306e2fcf8e27be40a31f17f3e2
SHA1 db20c45b8c82ef467b34c06e9db0172b527f0e06
SHA256 9b9e8a6c9f56eb1a8c485a145fa0ccbce4826d4b1b73803f0f6983bc45372ee0
SHA512 14983d979990dc68eb781c321c7461e9bd361a303be3fb845c1da55b1a3c3232b558c380760abb12ffd6a318214bc033056253c810a6417c04f22c5e824bcdb6

memory/1372-34-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3652-38-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3652-37-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ae96e018b83686fadd9ca702030a580e
SHA1 b6c5887c6ccfb6100677d666c853232f10181e6f
SHA256 ce62f1a8c5c07d36cdc3bf2bb664949433384adddc999f465efc451022da4c88
SHA512 339abeae32f095e7d66d853e7c9b39e6cff33d330c1d5ae44e4bc6924f695d93a8888b2e9bbe42333269836bbe1c36b0ff6d24d69dc82de179beb8d5c7f19b98

memory/2188-45-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3652-44-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1428-49-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1428-50-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1428-53-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1428-56-0x0000000000400000-0x0000000000429000-memory.dmp