Malware Analysis Report

2024-11-16 13:00

Sample ID 240521-q8cfasgd4z
Target 5a2eebc920da9dc455dd24ebf6904fc3d3d2e07ef5bcb0665d6368f0688fa9c7_NeikiAnalytics
SHA256 5a2eebc920da9dc455dd24ebf6904fc3d3d2e07ef5bcb0665d6368f0688fa9c7
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5a2eebc920da9dc455dd24ebf6904fc3d3d2e07ef5bcb0665d6368f0688fa9c7

Threat Level: Known bad

The file 5a2eebc920da9dc455dd24ebf6904fc3d3d2e07ef5bcb0665d6368f0688fa9c7_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-21 13:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 13:55

Reported

2024-05-21 13:58

Platform

win7-20240221-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5a2eebc920da9dc455dd24ebf6904fc3d3d2e07ef5bcb0665d6368f0688fa9c7_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Each line below stands for the identical rows the sandbox emits once per WriteProcessMemory call; the Writes column is how many times that row appears. The Indicator column of the original table is N/A throughout. Abbreviations used in this table: sample = C:\Users\Admin\AppData\Local\Temp\5a2eebc920da9dc455dd24ebf6904fc3d3d2e07ef5bcb0665d6368f0688fa9c7_NeikiAnalytics.exe, roaming = C:\Users\Admin\AppData\Roaming\omsecor.exe, syswow64 = C:\Windows\SysWOW64\omsecor.exe.

Description Writes Process Target
PID 2128 wrote to memory of 2412 6 sample sample
PID 2412 wrote to memory of 2624 4 sample roaming
PID 2624 wrote to memory of 2544 6 roaming roaming
PID 2544 wrote to memory of 1676 4 roaming syswow64
PID 1676 wrote to memory of 1408 6 syswow64 syswow64
PID 1408 wrote to memory of 780 4 syswow64 roaming
PID 780 wrote to memory of 1276 6 roaming roaming

Every write goes from a process into the one it has just started, so the seven rows form a single chain: 2128 -> 2412 -> 2624 -> 2544 -> 1676 -> 1408 -> 780 -> 1276. The hops where source and target run the same image (2128 -> 2412, 2624 -> 2544, 1676 -> 1408, 780 -> 1276) are writes into a fresh copy of the writer itself, which together with the Suspicious use of SetThreadContext signature is the process-hollowing pattern; the remaining hops are the writer starting the copy it dropped under a new path.
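The rows of the WriteProcessMemory table above are enough to rebuild the injection chain and to tell the same-image (hollowing) hops from the launch-the-dropped-copy hops. The script below does that over the behavioral1 rows, re-created in the sandbox's own row format. It is an added example and not part of the report or of any sandbox tooling; the `report_row` helper and the `self-inject` / `spawn-dropped` labels are this example's own names, and it assumes each process writes into at most one child, which holds for this sample.

```python
import re
from collections import OrderedDict

# Image paths as they appear in the report (the sample and its two dropped copies).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5a2eebc920da9dc455dd24ebf6904fc3d3d2e07ef5bcb0665d6368f0688fa9c7_NeikiAnalytics.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW64 = r"C:\Windows\SysWOW64\omsecor.exe"


def report_row(src, dst, src_img, dst_img):
    """Build one row in the sandbox's own format; the Indicator column is always N/A here."""
    return f"PID {src} wrote to memory of {dst} N/A {src_img} {dst_img}"


# The behavioral1 rows, repeated as many times as the report lists each one.
ROWS = (
    [report_row(2128, 2412, SAMPLE, SAMPLE)] * 6
    + [report_row(2412, 2624, SAMPLE, ROAMING)] * 4
    + [report_row(2624, 2544, ROAMING, ROAMING)] * 6
    + [report_row(2544, 1676, ROAMING, SYSWOW64)] * 4
    + [report_row(1676, 1408, SYSWOW64, SYSWOW64)] * 6
    + [report_row(1408, 780, SYSWOW64, ROAMING)] * 4
    + [report_row(780, 1276, ROAMING, ROAMING)] * 6
)

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(rows):
    """Collapse repeated rows into {(src_pid, dst_pid): {count, src_img, dst_img}}, first-seen order."""
    edges = OrderedDict()
    for line in rows:
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header lines or rows in a different format are ignored
        src, dst, src_img, dst_img = int(m[1]), int(m[2]), m[3], m[4]
        edge = edges.setdefault((src, dst), {"count": 0, "src_img": src_img, "dst_img": dst_img})
        edge["count"] += 1
    return edges


def build_chain(edges):
    """Walk the writes starting at the one PID that is never written to.
    Assumes each process writes into at most one child, as in this report."""
    targets = {dst for _, dst in edges}
    roots = [src for src, _ in edges if src not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected one injection root, found {roots}")
    next_hop = {src: dst for src, dst in edges}
    chain = [roots[0]]
    while chain[-1] in next_hop:
        chain.append(next_hop[chain[-1]])
    return chain


def classify(edges):
    """Label each hop. 'self-inject': writer and target run the same image, which together with
    the SetThreadContext signature is the process-hollowing pattern. 'spawn-dropped': the writer
    targets the copy it dropped under a different path."""
    labelled = []
    for (src, dst), edge in edges.items():
        same_image = edge["src_img"].lower() == edge["dst_img"].lower()
        labelled.append((src, dst, edge["count"], "self-inject" if same_image else "spawn-dropped"))
    return labelled


if __name__ == "__main__":
    edges = parse_rows(ROWS)
    print("injection chain:", " -> ".join(map(str, build_chain(edges))))
    for src, dst, count, kind in classify(edges):
        print(f"{src:>5} -> {dst:<5} {count} writes  {kind}")
```

The alternation the script prints (self-inject, spawn-dropped, self-inject, ...) is the thing worth keying a detection on: a process that writes into a child running its own image and then that child launching a freshly written file from %APPDATA% or SysWOW64.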

Processes

Each process is shown as image path followed by its command line. PIDs are taken from the WriteProcessMemory table above; each process is the injection target of the one listed before it.

2128  C:\Users\Admin\AppData\Local\Temp\5a2eebc920da9dc455dd24ebf6904fc3d3d2e07ef5bcb0665d6368f0688fa9c7_NeikiAnalytics.exe
      "C:\Users\Admin\AppData\Local\Temp\5a2eebc920da9dc455dd24ebf6904fc3d3d2e07ef5bcb0665d6368f0688fa9c7_NeikiAnalytics.exe"

2412  C:\Users\Admin\AppData\Local\Temp\5a2eebc920da9dc455dd24ebf6904fc3d3d2e07ef5bcb0665d6368f0688fa9c7_NeikiAnalytics.exe
      C:\Users\Admin\AppData\Local\Temp\5a2eebc920da9dc455dd24ebf6904fc3d3d2e07ef5bcb0665d6368f0688fa9c7_NeikiAnalytics.exe

2624  C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe

2544  C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe

1676  C:\Windows\SysWOW64\omsecor.exe
      C:\Windows\System32\omsecor.exe

1408  C:\Windows\SysWOW64\omsecor.exe
      C:\Windows\SysWOW64\omsecor.exe

780   C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe

1276  C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe

The command line for 1676 names C:\Windows\System32\omsecor.exe while the image runs from C:\Windows\SysWOW64\omsecor.exe: the sample is a 32-bit executable, so WOW64 file-system redirection maps its System32 path to SysWOW64, which is also why the Drops file in System32 directory signature records the file under SysWOW64.

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/2128-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2412-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2412-5-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2412-9-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2128-7-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2412-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2412-11-0x0000000000400000-0x0000000000429000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c7eca22c4fbc64caf2d407fdda14b26d
SHA1 bff2f85d20044abb885a6c884c907950e4997b4f
SHA256 0517017c39a884cdc909f12bb59a5b22b6c8e01fa3c576755c53e3d3e01f7832
SHA512 7b18d35a0dac481f88f1cd492f531b8ceda2f4a1431a4c2d63c267a75b7dc5a9e5aad89463d1086fd62efbf5d331a7464daee8e70b14735319769f92c8fadac3

memory/2624-21-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2624-31-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2544-34-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2544-37-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2544-40-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2544-43-0x0000000000400000-0x0000000000429000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 39baeca4b18ca2991e8181435e8cdb1c
SHA1 752156b5bc0eb3c06ac372ac49eace500e460a5a
SHA256 c0886e86056bcab23c29f140e3ce68098ce6f7c0e38ce8994f3dcd46d4e4e91e
SHA512 9e4dc9d0b100bd8a89723c17c68a3fd65342c9d1ffee784c34b2ebdee85c507c94b72709f46a94d864aad2c3f6d6941b237c7f207b801f4fa76f2f97021158d4

memory/2544-46-0x0000000000310000-0x0000000000333000-memory.dmp

memory/2544-54-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1676-56-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1676-66-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 f85a49105d8819c30cf5dbc07f569306
SHA1 6fc259f80ebdcb88f516108d29b62355dbde32cd
SHA256 d662ede1459c8951b6892537754b678854cb2846ccc51c30cabef4fb6e880a24
SHA512 939afc4d8a584b8fa09221ef6380d8a776d37703e1422efedb44f713bbe520914863f87082e55d7a79e5d40eeb5bd2697e50f6dfb7037f608bfe95f404d655f0

memory/780-78-0x0000000000400000-0x0000000000423000-memory.dmp

memory/780-85-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1276-88-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1276-91-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 13:55

Reported

2024-05-21 13:58

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5a2eebc920da9dc455dd24ebf6904fc3d3d2e07ef5bcb0665d6368f0688fa9c7_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

As in the behavioral1 run, each line below stands for the identical rows the sandbox emits once per WriteProcessMemory call, with the Writes column giving the repeat count; the Indicator column is N/A throughout. Abbreviations: sample = C:\Users\Admin\AppData\Local\Temp\5a2eebc920da9dc455dd24ebf6904fc3d3d2e07ef5bcb0665d6368f0688fa9c7_NeikiAnalytics.exe, roaming = C:\Users\Admin\AppData\Roaming\omsecor.exe, syswow64 = C:\Windows\SysWOW64\omsecor.exe.

Description Writes Process Target
PID 2092 wrote to memory of 412 5 sample sample
PID 412 wrote to memory of 4820 3 sample roaming
PID 4820 wrote to memory of 3608 5 roaming roaming
PID 3608 wrote to memory of 3764 3 roaming syswow64
PID 3764 wrote to memory of 4540 5 syswow64 syswow64
PID 4540 wrote to memory of 4472 3 syswow64 roaming
PID 4472 wrote to memory of 868 5 roaming roaming

The chain is the same shape as on Windows 7: 2092 -> 412 -> 4820 -> 3608 -> 3764 -> 4540 -> 4472 -> 868, alternating a same-image write (hollowing a fresh copy of the writer) with a write into the dropped copy the writer launches.

Processes

Each process is shown as image path followed by its command line, in the order the sandbox recorded them. PIDs for the sample and omsecor.exe instances are taken from the WriteProcessMemory table above; the WerFault.exe instances are Windows Error Reporting, and their -p argument names the process whose crash they handle.

2092  C:\Users\Admin\AppData\Local\Temp\5a2eebc920da9dc455dd24ebf6904fc3d3d2e07ef5bcb0665d6368f0688fa9c7_NeikiAnalytics.exe
      "C:\Users\Admin\AppData\Local\Temp\5a2eebc920da9dc455dd24ebf6904fc3d3d2e07ef5bcb0665d6368f0688fa9c7_NeikiAnalytics.exe"

412   C:\Users\Admin\AppData\Local\Temp\5a2eebc920da9dc455dd24ebf6904fc3d3d2e07ef5bcb0665d6368f0688fa9c7_NeikiAnalytics.exe
      C:\Users\Admin\AppData\Local\Temp\5a2eebc920da9dc455dd24ebf6904fc3d3d2e07ef5bcb0665d6368f0688fa9c7_NeikiAnalytics.exe

4820  C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe

3608  C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe

      C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2092 -ip 2092   (crash of 2092)

      C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4820 -ip 4820   (crash of 4820)

      C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 288

      C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 288

3764  C:\Windows\SysWOW64\omsecor.exe
      C:\Windows\System32\omsecor.exe   (System32 in the command line, SysWOW64 on disk: WOW64 file-system redirection, as in the Windows 7 run)

4540  C:\Windows\SysWOW64\omsecor.exe
      C:\Windows\SysWOW64\omsecor.exe

      C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3764 -ip 3764   (crash of 3764)

4472  C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe

      C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 292

868   C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe

      C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4472 -ip 4472   (crash of 4472)

      C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 256

The four crashed processes (2092, 4820, 3764, 4472) are exactly the four that performed a same-image write into a fresh copy of themselves, so this is the source of the Program crash signature: on Windows 10 each injector dies after handing off, while the process it wrote into continues the chain. The Windows 7 run records no WerFault.exe instances at all, so the crash is specific to the newer platform and does not stop the infection.

Network

The 8.8.8.8:53 rows are the analysis network's resolver answering lookups; the *.in-addr.arpa rows are reverse lookups and the bing.com / bing.net connections are Windows 10 background traffic, neither of which should be taken as indicators for this sample. The sample's own traffic is plain HTTP on port 80 to lousta.net (193.166.255.171), mkkuei4kdsz.com (64.225.91.73) and ow5dirasuek.com (35.91.124.102), the same three hosts the Windows 7 run contacted.

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
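Both Network tables mix the sample's connections with resolver queries and, on Windows 10, OS background traffic. The script below separates the two and produces the per-domain endpoints an analyst would actually block. It is an added example, not part of the report; the embedded rows are a subset copied from the behavioral2 table, and the `BACKGROUND_SUFFIXES` allowlist and the `RESOLVERS` set are this example's assumptions about what a Windows 10 sandbox emits on its own.

```python
import ipaddress

# Rows copied from the behavioral2 Network table (header included to show it is skipped).
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
"""

# Assumption: a Windows 10 sandbox VM talks to these on its own (Bing tiles, reverse lookups
# the sandbox performs for every IP it sees); they are not indicators for the sample.
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net", ".in-addr.arpa")
# Assumption: the analysis network forwards DNS to this resolver.
RESOLVERS = {"8.8.8.8"}


def parse_network(text):
    """Parse the four-column table into dicts. Lines whose destination is not ip:port
    (the header, for instance) are dropped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain.lower(), "proto": proto.lower()})
    return rows


def is_background(domain):
    return domain.endswith(BACKGROUND_SUFFIXES)


def extract_iocs(rows):
    """Return {domain: sorted 'ip:port/proto' endpoints} for traffic attributable to the sample.
    A DNS row to the resolver only registers the domain; the endpoint comes from the data connection."""
    iocs = {}
    for r in rows:
        if is_background(r["domain"]):
            continue
        if r["ip"] in RESOLVERS and r["port"] == 53:
            iocs.setdefault(r["domain"], set())
            continue
        iocs.setdefault(r["domain"], set()).add(f"{r['ip']}:{r['port']}/{r['proto']}")
    return {d: sorted(eps) for d, eps in iocs.items()}


def noise_rows(rows):
    """The rows extract_iocs discarded, so the allowlist's effect can be reviewed by eye."""
    return [r for r in rows if is_background(r["domain"])]


if __name__ == "__main__":
    rows = parse_network(NETWORK_TABLE)
    for domain, endpoints in extract_iocs(rows).items():
        print(domain, endpoints)
    print(f"{len(noise_rows(rows))} background rows ignored")
```

Review the `noise_rows` output before trusting the allowlist: a reverse lookup such as 73.91.225.64.in-addr.arpa is the sandbox looking up the C2 address 64.225.91.73, so it is noise here, but the same suffix rule would also hide a malicious domain that happened to end in bing.com.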

Files

memory/2092-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/412-3-0x0000000000400000-0x0000000000429000-memory.dmp

memory/412-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/412-1-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c7eca22c4fbc64caf2d407fdda14b26d
SHA1 bff2f85d20044abb885a6c884c907950e4997b4f
SHA256 0517017c39a884cdc909f12bb59a5b22b6c8e01fa3c576755c53e3d3e01f7832
SHA512 7b18d35a0dac481f88f1cd492f531b8ceda2f4a1431a4c2d63c267a75b7dc5a9e5aad89463d1086fd62efbf5d331a7464daee8e70b14735319769f92c8fadac3

memory/412-5-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4820-11-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3608-14-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3608-16-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3608-19-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3608-22-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3608-25-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3608-26-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3608-30-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 9225491b8dd0620e63650170af44e8e8
SHA1 5529c4cdc1cda214d161608d6dc66fa37845af2e
SHA256 50c75cb565ec28ded756ae2057d1f4f801c9129b0c17519cde4b2476f439148d
SHA512 8946d5cf8b8ffee848ee667221a52a66def3f2bf858f14b8a47308cda4d0eafb3538f52b9b0d49a9e60df7efbed129972581fc9c15bee4ec748a7b9e9956642a

memory/3764-32-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4540-36-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4540-37-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4540-39-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4472-44-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 f8b1e4ad96a1541071e8df2ca15d5910
SHA1 9cdc2e7a78446077035dcc813468d1962e7a9c6a
SHA256 cadb17022d6e1ddb49526fe58a8072235c84a884832da54bb4402019f83ae43e
SHA512 521888d35fc6f50e12fa158bc07e90c7ab135c44982da9bf3bbdb10dd70e1f274344258dbaefc3345e52c075d96cd2cc22def3e7ae8202e5f00b91127719ca3e

memory/868-50-0x0000000000400000-0x0000000000429000-memory.dmp

memory/868-48-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3764-52-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4472-53-0x0000000000400000-0x0000000000423000-memory.dmp

memory/868-54-0x0000000000400000-0x0000000000429000-memory.dmp

memory/868-57-0x0000000000400000-0x0000000000429000-memory.dmp
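Two things in the Files sections of both runs deserve a second look: every write of omsecor.exe, even to the same path within one run, has a different hash (0517..., d662... and cadb... under Roaming; c088... and 50c7... under SysWOW64), so hash-based indicators for the dropped file will not hold and the path and name are the stable indicator; and the memory region dumped at the image base 0x400000 is 0x23000 bytes in every writer and 0x29000 bytes in every process written to, consistent with the mapped image being replaced in the child. The script below pulls both facts out of the Files entries. It is an added example, not part of the report; the entries are copied from the behavioral1 section plus the two behavioral2 dropped-file hashes, and `normalise` (drive letter and case folding) is this example's own convention.

```python
import re
from collections import defaultdict

# Files entries copied from the report: the behavioral1 memory dumps and dropped files in order,
# followed by the two dropped-file hashes from behavioral2 (a SHA256 line follows its path line).
FILES_SECTION = r"""
memory/2128-0-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2412-2-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2412-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
SHA256 0517017c39a884cdc909f12bb59a5b22b6c8e01fa3c576755c53e3d3e01f7832
memory/2624-21-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2544-34-0x0000000000400000-0x0000000000429000-memory.dmp
\Windows\SysWOW64\omsecor.exe
SHA256 c0886e86056bcab23c29f140e3ce68098ce6f7c0e38ce8994f3dcd46d4e4e91e
memory/2544-46-0x0000000000310000-0x0000000000333000-memory.dmp
memory/1676-56-0x0000000000400000-0x0000000000423000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
SHA256 d662ede1459c8951b6892537754b678854cb2846ccc51c30cabef4fb6e880a24
memory/780-78-0x0000000000400000-0x0000000000423000-memory.dmp
memory/1276-88-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
SHA256 50c75cb565ec28ded756ae2057d1f4f801c9129b0c17519cde4b2476f439148d
C:\Users\Admin\AppData\Roaming\omsecor.exe
SHA256 cadb17022d6e1ddb49526fe58a8072235c84a884832da54bb4402019f83ae43e
"""

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^SHA256 ([0-9a-f]{64})$")
IMAGE_BASE = 0x400000  # base of the main module in every dump of this report


def normalise(path):
    """Drop the drive letter and case so '\\Users\\...' and 'C:\\Users\\...' count as one path."""
    path = path.strip()
    if len(path) > 1 and path[1] == ":":
        path = path[2:]
    return path.lower()


def hashes_by_path(text):
    """Map each dropped-file path to every SHA256 the report lists for it, in order."""
    result = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or DUMP_RE.match(line):
            continue
        m = HASH_RE.match(line)
        if m and current:
            result[current].append(m[1])
        elif line.startswith("\\") or line[1:3] == ":\\":
            current = normalise(line)
    return dict(result)


def unstable_hash_paths(text):
    """Paths written with more than one distinct hash: a hash IOC for them will not match next time."""
    return sorted(p for p, hs in hashes_by_path(text).items() if len(set(hs)) > 1)


def image_region_sizes(text):
    """Size of the dumped region at the image base, per PID. A writer and the process it
    hollowed report different sizes here because the child no longer runs its own image."""
    sizes = defaultdict(set)
    for line in text.splitlines():
        m = DUMP_RE.match(line.strip())
        if m and int(m[3], 16) == IMAGE_BASE:
            sizes[int(m[1])].add(int(m[4], 16) - IMAGE_BASE)
    return dict(sizes)


if __name__ == "__main__":
    for path, hashes in hashes_by_path(FILES_SECTION).items():
        print(f"{path}: {len(set(hashes))} distinct hashes over {len(hashes)} writes")
    print("unstable:", unstable_hash_paths(FILES_SECTION))
    for pid, sizes in sorted(image_region_sizes(FILES_SECTION).items()):
        print(f"PID {pid}: image region {', '.join(hex(s) for s in sizes)}")
```

When turning this report into detections, key on the path pair (%APPDATA%\omsecor.exe plus C:\Windows\SysWOW64\omsecor.exe) and on the same-image WriteProcessMemory pattern, and treat the dropped-file hashes as run-specific.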