Malware Analysis Report

2024-11-16 13:00

Sample ID 240521-pvzg8seb4w
Target 4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics
SHA256 4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511
Tags neconyd trojan
Score 10/10

Analysis Overview

score
10/10

SHA256

4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511

Threat Level: Known bad

The file 4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Drops file in System32 directory

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-21 12:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 12:39

Reported

2024-05-21 12:42

Platform

win7-20231129-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2356 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe
PID 2356 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe
PID 2356 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe
PID 2356 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe
PID 2356 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe
PID 2356 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe
PID 2368 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2368 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2368 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2368 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2212 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2212 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2212 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2212 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2212 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2212 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3012 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3012 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3012 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3012 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2780 wrote to memory of 1512 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2780 wrote to memory of 1512 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2780 wrote to memory of 1512 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2780 wrote to memory of 1512 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2780 wrote to memory of 1512 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2780 wrote to memory of 1512 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1512 wrote to memory of 1764 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1512 wrote to memory of 1764 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1512 wrote to memory of 1764 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1512 wrote to memory of 1764 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1764 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1764 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1764 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1764 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1764 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1764 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 62837c7633f7b6d0d1a5462454e4f1de
SHA1 899cc1e39c8371ae676a7f69e8036d633fa08356
SHA256 bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0
SHA512 9d011c0e0ed32f9d5455a492974e9d02eca3630af4e76b2e43167f38cd80ebbe613d4e11e1e0d306fb314ef99ff4fb063cf166309b34cbae6f76ce576b918e6c

\Windows\SysWOW64\omsecor.exe

MD5 212b51b3b91a4fd08b15a8a9535d547a
SHA1 828714adf775bf6083829056f36abc347e3b2707
SHA256 6e3aabd8345f32d84ef215c356075792a3ee6245408f1060c09509aff207aeec
SHA512 e61f18e7ba661d72601d4d3cbef14b2734d4e4f5019bacaa072b024dfd6741ca7eb2c1f638b1a2b54de8583e2ac517c1ed5dc7de11b8bd38895948d86cc0ce7d

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 344ec6da564aa2cbb7113ea16998f8da
SHA1 762d8963c53136e17d4abcff449ddd3baa1d92db
SHA256 31264f3cdd2a98eb7b5e167bb5bb51e4cdd9a3786914acc85af18111aa44f96b
SHA512 2cdf4f2ece220875217f141092edcb18e5f0975448689a4084182a94e1b3273298bac7bc51db0df84c4ee3617503412b3d14a5e5d57f30fdc64b2ace8579621a

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 12:39

Reported

2024-05-21 12:42

Platform

win10v2004-20240426-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1948 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe
PID 1948 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe
PID 1948 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe
PID 1948 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe
PID 1948 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe
PID 2200 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2200 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2200 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4928 wrote to memory of 244 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4928 wrote to memory of 244 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4928 wrote to memory of 244 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4928 wrote to memory of 244 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4928 wrote to memory of 244 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 244 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 244 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 244 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3360 wrote to memory of 3728 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3360 wrote to memory of 3728 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3360 wrote to memory of 3728 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3360 wrote to memory of 3728 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3360 wrote to memory of 3728 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3728 wrote to memory of 3828 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3728 wrote to memory of 3828 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3728 wrote to memory of 3828 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3828 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3828 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3828 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3828 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3828 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\4cc059f48cb3fec4846325141cbce38eeff71f0bf07e3cba164dbe65bb79b511_NeikiAnalytics.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1948 -ip 1948

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4928 -ip 4928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 288

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 288

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3360 -ip 3360

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 276

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3828 -ip 3828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 256

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 62837c7633f7b6d0d1a5462454e4f1de
SHA1 899cc1e39c8371ae676a7f69e8036d633fa08356
SHA256 bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0
SHA512 9d011c0e0ed32f9d5455a492974e9d02eca3630af4e76b2e43167f38cd80ebbe613d4e11e1e0d306fb314ef99ff4fb063cf166309b34cbae6f76ce576b918e6c

C:\Windows\SysWOW64\omsecor.exe

MD5 71cc937fdd2acde0a07af854396baced
SHA1 6eeea3ed236b555d3a189f2ae756968d640600c4
SHA256 5e1d67cc24cb8f43cab6b6c3a14baf159775f078f232352649f5cd4e7002d5c6
SHA512 c7c3266e14355df3e62922cef336ca562c2bffedaac9d87b561266ab0151d759bb99c8a1ba52b421b64a5d8d61e1081812a9ed53b6b2542a7c7cb21f4b055f36

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c0b1cf0a288d30b3853d07a4d8b08bd4
SHA1 f34436cac735c73ad2e8f17346a5a20f15bc7f4a
SHA256 c4f2ea3fbb0d6dee81beefcfb80297884835619dadd0d833ab9d1beef78e5dda
SHA512 f473f7ab6a777c5e629002bc5991fcb3e0a7eb17f831fedf554179f0fa62d46cf029277e78579db4fc9963eefffa3b3fbe1b11562cb326207f9cf1067c4a3b1e
