Malware Analysis Report

2024-11-16 13:01

Sample ID 240521-qhc9xafc3x
Target 533c252ca1525075953237d5aacce38836f7dfb971819e683699fab637986424_NeikiAnalytics
SHA256 533c252ca1525075953237d5aacce38836f7dfb971819e683699fab637986424
Tags neconyd trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 533c252ca1525075953237d5aacce38836f7dfb971819e683699fab637986424

Threat Level: Known bad

The file 533c252ca1525075953237d5aacce38836f7dfb971819e683699fab637986424_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-21 13:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 13:15

Reported

2024-05-21 13:17

Platform

win7-20240221-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\533c252ca1525075953237d5aacce38836f7dfb971819e683699fab637986424_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2656 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\533c252ca1525075953237d5aacce38836f7dfb971819e683699fab637986424_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\533c252ca1525075953237d5aacce38836f7dfb971819e683699fab637986424_NeikiAnalytics.exe 6
PID 2832 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\533c252ca1525075953237d5aacce38836f7dfb971819e683699fab637986424_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 4
PID 2540 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 6
PID 2564 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe 4
PID 1944 wrote to memory of 1924 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe 6
PID 1924 wrote to memory of 1140 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 4
PID 1140 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 6
(Count: number of identical rows, i.e. separate write events, reported for that writer/target pair; 36 rows in total)

Processes

C:\Users\Admin\AppData\Local\Temp\533c252ca1525075953237d5aacce38836f7dfb971819e683699fab637986424_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\533c252ca1525075953237d5aacce38836f7dfb971819e683699fab637986424_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\533c252ca1525075953237d5aacce38836f7dfb971819e683699fab637986424_NeikiAnalytics.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\533c252ca1525075953237d5aacce38836f7dfb971819e683699fab637986424_NeikiAnalytics.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
    Command line: C:\Windows\System32\omsecor.exe
    (32-bit process: WoW64 file system redirection maps the System32 path on the command line to SysWOW64, which is also why the "Drops file in System32 directory" indicator above resolves to C:\Windows\SysWOW64\omsecor.exe)

C:\Windows\SysWOW64\omsecor.exe
    Command line: C:\Windows\SysWOW64\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/2656-0-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2832-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2656-7-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2832-8-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2832-5-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2832-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2832-10-0x0000000000400000-0x0000000000429000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 34ac7f0ad2c8cca9928ddd2ecf3014cc
SHA1 8e811f4696df3c140375cefe659300a9da10d0c4
SHA256 c33ee4b77714afc67da261333e49f7c0c7cc64638e7079e66207a03dc84d91f3
SHA512 cf171104404726318b39ae39839b250e6321a087356fd7f8ae9a5e564dddeee5bd77cfea1403f0aeef0da26137e2447e3c7fa57205647d2e2ba94c18161d7198

memory/2540-20-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2540-23-0x00000000001C0000-0x00000000001E4000-memory.dmp

memory/2540-30-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2564-33-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2564-36-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2564-39-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2564-42-0x0000000000400000-0x0000000000429000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 a98266f99109e2084b9cf14859960265
SHA1 069c9f7fb53735f78a3cab0c29ac3f67664d7ec8
SHA256 6e43ddc90ce7ed872340e6f38f739fda7381d06b3f1bc85262b069692c93d249
SHA512 a7e6a6e756bd3af515c0b631e0ea5d9e7f7e40a3149421a198362994a650a47294b68f3ab14cd4fdb61cacdf5bcd2a248e65d6aa755baa2b2e824fe551145c56

memory/2564-45-0x00000000002A0000-0x00000000002C4000-memory.dmp

memory/2564-53-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1944-55-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1944-64-0x0000000000400000-0x0000000000424000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 50a44205118ad2df725fc1bea6ca034e
SHA1 873d4acdc7dd502fe0ae5a4a6f082ca0c262b389
SHA256 b549d32eb98607f9a981c104cf2d8ff00ee57abae0f27c97abc588b4c153d1b9
SHA512 e096ca799233da65fb6fdadad9756ff6b9c6e9057f88513b855ebe6389262d6d424abfa76f6eaeafb355ad5fa0490735cc27761f1b8c96a70be160247b912d76

memory/1924-75-0x00000000001C0000-0x00000000001E4000-memory.dmp

memory/1140-78-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1924-72-0x00000000001C0000-0x00000000001E4000-memory.dmp

memory/1140-86-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1464-87-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1464-90-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 13:15

Reported

2024-05-21 13:17

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\533c252ca1525075953237d5aacce38836f7dfb971819e683699fab637986424_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 4420 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\533c252ca1525075953237d5aacce38836f7dfb971819e683699fab637986424_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\533c252ca1525075953237d5aacce38836f7dfb971819e683699fab637986424_NeikiAnalytics.exe 5
PID 4060 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\533c252ca1525075953237d5aacce38836f7dfb971819e683699fab637986424_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 3
PID 2320 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 5
PID 4608 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe 3
PID 2604 wrote to memory of 2736 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe 5
PID 2736 wrote to memory of 4548 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 3
PID 4548 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 5
(Count: number of identical rows, i.e. separate write events, reported for that writer/target pair; 29 rows in total)

Processes

C:\Users\Admin\AppData\Local\Temp\533c252ca1525075953237d5aacce38836f7dfb971819e683699fab637986424_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\533c252ca1525075953237d5aacce38836f7dfb971819e683699fab637986424_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\533c252ca1525075953237d5aacce38836f7dfb971819e683699fab637986424_NeikiAnalytics.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\533c252ca1525075953237d5aacce38836f7dfb971819e683699fab637986424_NeikiAnalytics.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4420 -ip 4420

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 288

C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2320 -ip 2320

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4368,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=4356 /prefetch:8

C:\Windows\SysWOW64\omsecor.exe
    Command line: C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
    Command line: C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2604 -ip 2604

C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 292

C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4548 -ip 4548

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 268
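The WriteProcessMemory tables of both runs (behavioral1 and behavioral2) describe the same chain: each process writes into a freshly launched copy of its own image, and that copy then writes into the next dropped stage. Together with the "Suspicious use of SetThreadContext" signature in the summary, a write into a same-image child is the process-hollowing pattern. The Python below is an added example, not part of the sandbox report, that rebuilds that chain from the 29 write events (seven writer/target pairs) of the behavioral2 table and ties the WerFault command lines from the Processes list to it. The one-line-per-write text layout, and reading WerFault's "-p" switch as the PID of the process being reported, are assumptions made here; the paths and PIDs are the ones printed in the report.

```python
"""Rebuild the injection chain of one sandbox run from its "wrote to memory
of" rows and correlate WerFault crash reports with it.

Added example (not the sandbox's code). Rows are reproduced from the
behavioral2 WriteProcessMemory table; parsing assumes one row per write.
"""
import re
from collections import Counter

# Image paths exactly as printed in the report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\533c252ca1525075953237d5aacce38836f7dfb971819e683699fab637986424_NeikiAnalytics.exe")
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW64 = r"C:\Windows\SysWOW64\omsecor.exe"

# (writer pid, target pid, writer image, target image, identical rows) from behavioral2.
_EVENTS = [
    (4420, 4060, SAMPLE, SAMPLE, 5),
    (4060, 2320, SAMPLE, ROAMING, 3),
    (2320, 4608, ROAMING, ROAMING, 5),
    (4608, 2604, ROAMING, SYSWOW64, 3),
    (2604, 2736, SYSWOW64, SYSWOW64, 5),
    (2736, 4548, SYSWOW64, ROAMING, 3),
    (4548, 4056, ROAMING, ROAMING, 5),
]
# Re-expand to the report's text form: one line per write event.
WPM_TABLE = "\n".join(
    f"PID {w} wrote to memory of {t} N/A {wi} {ti}"
    for w, t, wi, ti, n in _EVENTS for _ in range(n)
)

# WerFault command lines from the behavioral2 Processes list.
WERFAULT_CMDLINES = [
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4420 -ip 4420",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 288",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2320 -ip 2320",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 288",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2604 -ip 2604",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 292",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4548 -ip 4548",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 268",
]

# Writer path is taken non-greedily up to a target that starts with a drive
# letter, so paths containing spaces still split correctly.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) ([A-Za-z]:\\.+)$")


def parse_writes(table):
    """One (writer_pid, target_pid, writer_image, target_image) tuple per row."""
    out = []
    for line in table.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            out.append((int(m[1]), int(m[2]), m[3], m[4]))
    return out


def build_chain(events):
    """Order the writes into a single chain and label every hop.

    Writer and target sharing an image (plus SetThreadContext in the summary)
    is process hollowing: a suspended copy of itself is overwritten and
    resumed. A write into a different image is the hand-off to the next
    dropped stage. Assumes each writer targets exactly one PID.
    """
    counts = Counter(events)
    targets = {t for _, t, _, _ in counts}
    roots = [w for w, _, _, _ in counts if w not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected one chain root, found {roots}")
    by_writer = {w: (t, wi, ti, n) for (w, t, wi, ti), n in counts.items()}
    chain, pid = [], roots[0]
    while pid in by_writer:
        t, wi, ti, n = by_writer[pid]
        chain.append({"writer": pid, "target": t, "writes": n,
                      "kind": "self-hollow" if wi == ti else "cross-image",
                      "target_image": ti})
        pid = t
    return chain


def crashed_pids(cmdlines):
    """PIDs named by WerFault's -p switch; the -pss and -u invocations for the
    same crash both name it, so the set collapses them."""
    pids = set()
    for c in cmdlines:
        m = re.search(r"(?:^|\s)-p (\d+)", c)
        if m:
            pids.add(int(m[1]))
    return pids


def crash_roles(chain, crashed):
    """Role each crashed PID played in the chain (None if it never wrote)."""
    roles = {pid: None for pid in crashed}
    for hop in chain:
        if hop["writer"] in crashed:
            roles[hop["writer"]] = hop["kind"]
    return roles


if __name__ == "__main__":
    chain = build_chain(parse_writes(WPM_TABLE))
    crashed = crashed_pids(WERFAULT_CMDLINES)
    for hop in chain:
        mark = "  <- writer reported by WerFault" if hop["writer"] in crashed else ""
        print(f"{hop['writer']:>5} -> {hop['target']:<5} {hop['kind']:<12} "
              f"{hop['writes']} writes  {hop['target_image']}{mark}")
```

On this run the four PIDs WerFault reports (4420, 2320, 2604, 4548) are exactly the four writers of self-image (hollowing) hops, and none of the hollowed copies or the cross-image writers appear, which is consistent with the "Program crash" signature in the summary. The behavioral1 (Windows 7) process list contains no WerFault entries, so feeding that table's 36 rows to the same code gives the same seven-hop shape with an empty crash set.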

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
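Both Network tables (behavioral1 and behavioral2) mix three kinds of rows: the sample's own DNS lookups and port-80 connections, reverse (in-addr.arpa) lookups of addresses that were just seen, and, on the Windows 10 image, background traffic to Bing. The Python below is an added example, not part of the report, that reduces the behavioral2 table to the contacted-domain IOC set. Treating in-addr.arpa queries as resolver side effects and *.bing.com / *.bing.net as OS noise rather than sample activity is the analyst's assumption here; the rows themselves are copied from the table above.

```python
"""Reduce a sandbox Network table to the sample's contact IOCs.

Added example (not the sandbox's code). Rows are copied from the
behavioral2 Network table. Assumptions: in-addr.arpa queries are the
resolver's reverse lookups of addresses it just saw, and *.bing.com /
*.bing.net traffic is Windows 10 background noise.
"""
from collections import defaultdict

NETWORK_TABLE = """\
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
"""

BENIGN_SUFFIXES = ("bing.com", "bing.net")   # assumption: OS/Edge background traffic


def parse_rows(table):
    """Split 'Country Destination Domain Proto' rows into dicts."""
    rows = []
    for line in table.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'73.91.225.64.in-addr.arpa' -> '64.225.91.73'; None for other names."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    return ".".join(reversed(name[:-len(suffix)].split(".")))


def is_noise(domain):
    return ptr_to_ip(domain) is not None or domain.endswith(BENIGN_SUFFIXES)


def contacts(rows):
    """Per domain the sample itself touched: DNS query count, ip:port
    endpoints, connection count and destination countries. DNS rows are
    udp/53; every other row is a connection."""
    out = defaultdict(lambda: {"queries": 0, "endpoints": set(),
                               "connections": 0, "countries": set()})
    for r in rows:
        if is_noise(r["domain"]):
            continue
        d = out[r["domain"]]
        if r["proto"] == "udp" and r["port"] == 53:
            d["queries"] += 1
        else:
            d["endpoints"].add(f"{r['ip']}:{r['port']}")
            d["connections"] += 1
            d["countries"].add(r["country"])
    return dict(out)


def reverse_lookups_of_contacts(rows):
    """Addresses that were connected to and then reverse-resolved: those PTR
    queries are a side effect of the connection, not separate IOCs."""
    contacted = {r["ip"] for r in rows if not (r["proto"] == "udp" and r["port"] == 53)}
    return {ip for r in rows if (ip := ptr_to_ip(r["domain"])) in contacted}


def ioc_lines(summary):
    """'domain ip:port country connections' lines, busiest domain first."""
    lines = []
    for domain, d in sorted(summary.items(), key=lambda kv: -kv[1]["connections"]):
        for ep in sorted(d["endpoints"]):
            lines.append(f"{domain} {ep} {'/'.join(sorted(d['countries']))} {d['connections']}")
    return lines


if __name__ == "__main__":
    rows = parse_rows(NETWORK_TABLE)
    print("\n".join(ioc_lines(contacts(rows))))
    print("PTR lookups explained by connections:", sorted(reverse_lookups_of_contacts(rows)))
```

Of the 27 rows, 17 are reverse lookups or Bing traffic; what remains is three domains, each resolving to one plain-HTTP endpoint, with lousta.net (193.166.255.171:80, FI) contacted four times. The behavioral1 table gives the same three domain/endpoint pairs, so that is the network IOC set to carry forward; the PTR queries for 64.225.91.73 and 35.91.124.102 follow the connections to those hosts and add nothing.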

Files

memory/4420-0-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4060-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4060-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4060-3-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4060-5-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 34ac7f0ad2c8cca9928ddd2ecf3014cc
SHA1 8e811f4696df3c140375cefe659300a9da10d0c4
SHA256 c33ee4b77714afc67da261333e49f7c0c7cc64638e7079e66207a03dc84d91f3
SHA512 cf171104404726318b39ae39839b250e6321a087356fd7f8ae9a5e564dddeee5bd77cfea1403f0aeef0da26137e2447e3c7fa57205647d2e2ba94c18161d7198

memory/2320-10-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4608-14-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4608-15-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2320-16-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4608-17-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4608-20-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4608-23-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4608-24-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4608-27-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 3b3f706798bec4f0dedeb436f980835f
SHA1 21b6108ec4b8addf48549ef1af98fd2afd8f9be0
SHA256 78c2749952ca4f7d66aac8f1498c1a16f9f892789c9c22003444aa2931953d75
SHA512 dcf8761057c2b3d9e25561330d76b4a2c2f07db2f0d19f82c118d700313a1f283b02bfc4b8668849237d95fcb093a85801fa74c2ffa9620c0acaec54b72e30f3

memory/2604-31-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2736-34-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2736-39-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 31ab68f8caa8b3b1be77999cecc460a7
SHA1 7980977ebf143e0f04fffb0a027c377503471efd
SHA256 cc1f27f2516865b744012a6eec8853e0476882e11ad580e0d94fa1ce9898a765
SHA512 53ac4eb8725b566599508274d360dcbcdc8b5aed977cca10fdd97d78a6d28c0d8a558d20948ea6bf51ad87c3e72507c31e78c9fdf9a9a4e07068fe107e887313

memory/2736-35-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4548-42-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4056-47-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4056-46-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2604-48-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4056-49-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4056-52-0x0000000000400000-0x0000000000429000-memory.dmp
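Across the two runs the first copy dropped to C:\Users\Admin\AppData\Roaming\omsecor.exe carries the same SHA256 (c33ee4b77714afc67da261333e49f7c0c7cc64638e7079e66207a03dc84d91f3) on Windows 7 and Windows 10, while the SysWOW64 copy and the second Roaming copy differ between the runs. The Python below is an added example, not part of the report, that parses the dropped-file entries of both Files sections (behavioral1 and behavioral2) and reports which hashes survive across runs. The entries are copied from the sections above with the SHA512 lines left out for width; the text layout the parser expects is an assumption drawn from this report.

```python
"""Compare the dropped-file hashes of two sandbox runs of the same sample.

Added example (not the sandbox's code). Entries are copied from the Files
sections of behavioral1 and behavioral2 (SHA512 lines omitted for width).
"""
import re
from collections import defaultdict

RUN1_FILES = r"""
memory/2656-0-0x0000000000400000-0x0000000000424000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
MD5 34ac7f0ad2c8cca9928ddd2ecf3014cc
SHA1 8e811f4696df3c140375cefe659300a9da10d0c4
SHA256 c33ee4b77714afc67da261333e49f7c0c7cc64638e7079e66207a03dc84d91f3
memory/2540-20-0x0000000000400000-0x0000000000424000-memory.dmp
\Windows\SysWOW64\omsecor.exe
MD5 a98266f99109e2084b9cf14859960265
SHA1 069c9f7fb53735f78a3cab0c29ac3f67664d7ec8
SHA256 6e43ddc90ce7ed872340e6f38f739fda7381d06b3f1bc85262b069692c93d249
\Users\Admin\AppData\Roaming\omsecor.exe
MD5 50a44205118ad2df725fc1bea6ca034e
SHA1 873d4acdc7dd502fe0ae5a4a6f082ca0c262b389
SHA256 b549d32eb98607f9a981c104cf2d8ff00ee57abae0f27c97abc588b4c153d1b9
"""

RUN2_FILES = r"""
memory/4420-0-0x0000000000400000-0x0000000000424000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
MD5 34ac7f0ad2c8cca9928ddd2ecf3014cc
SHA1 8e811f4696df3c140375cefe659300a9da10d0c4
SHA256 c33ee4b77714afc67da261333e49f7c0c7cc64638e7079e66207a03dc84d91f3
C:\Windows\SysWOW64\omsecor.exe
MD5 3b3f706798bec4f0dedeb436f980835f
SHA1 21b6108ec4b8addf48549ef1af98fd2afd8f9be0
SHA256 78c2749952ca4f7d66aac8f1498c1a16f9f892789c9c22003444aa2931953d75
C:\Users\Admin\AppData\Roaming\omsecor.exe
MD5 31ab68f8caa8b3b1be77999cecc460a7
SHA1 7980977ebf143e0f04fffb0a027c377503471efd
SHA256 cc1f27f2516865b744012a6eec8853e0476882e11ad580e0d94fa1ce9898a765
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\")   # path line, with or without a drive letter


def normalize(path):
    """Drop the drive letter and case so the two spellings the report uses
    for the same file (with and without a drive letter) compare equal."""
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def parse_files_section(text):
    """One dict (path plus hashes) per dropped-file entry; memory dump lines
    and blank lines are skipped."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("memory/"):
            continue
        if PATH_RE.match(line):
            current = {"path": normalize(line)}
            entries.append(current)
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m[1]] = m[2].lower()
    return entries


def hash_stability(runs):
    """runs: {run_name: files_text}. For every dropped path, the SHA256 set
    seen in each run and the subset present in all runs ('stable')."""
    per_path = defaultdict(lambda: defaultdict(set))
    for run, text in runs.items():
        for e in parse_files_section(text):
            per_path[e["path"]][run].add(e["SHA256"])
    report = {}
    for path, by_run in per_path.items():
        seen_everywhere = len(by_run) == len(runs)
        stable = set.intersection(*by_run.values()) if seen_everywhere else set()
        report[path] = {"per_run": {r: set(h) for r, h in by_run.items()},
                        "stable": stable}
    return report


def stable_iocs(report):
    """(path, sha256) pairs worth keeping as file IOCs: only hashes that recur
    across runs; a per-run hash would miss the next execution."""
    return sorted((p, h) for p, d in report.items() for h in d["stable"])


if __name__ == "__main__":
    rep = hash_stability({"behavioral1": RUN1_FILES, "behavioral2": RUN2_FILES})
    for path, d in rep.items():
        print(path)
        for run, hashes in d["per_run"].items():
            print(f"  {run}: {len(hashes)} distinct SHA256")
        print(f"  stable across runs: {sorted(d['stable']) or 'none'}")
```

Only the first-stage Roaming drop keeps its hash from one detonation to the next, so its MD5/SHA1/SHA256 are the file indicators to keep; the SysWOW64 copy and the re-dropped Roaming copy differ between the two runs, and a detection keyed on their hashes would not have matched the other run.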