Malware Analysis Report

2024-11-16 12:59

Sample ID 240522-3hd8esdc45
Target 7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a
SHA256 7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a
Tags
neconyd trojan
score
10/10

Analysis Overview

score
10/10

SHA256

7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a

Threat Level: Known bad

The file 7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Detects executables built or packed with MPress PE compressor

Neconyd

Detects executables built or packed with MPress PE compressor

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Drops file in System32 directory

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-22 23:30

Signatures

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 23:30

Reported

2024-05-22 23:33

Platform

win7-20240419-en

Max time kernel

141s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe"

Signatures

Neconyd

trojan neconyd

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1044 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe
PID 1044 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe
PID 1044 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe
PID 1044 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe
PID 1044 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe
PID 1044 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe
PID 2352 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2352 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2352 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2352 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2148 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2148 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2148 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2148 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2148 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2148 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2668 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2668 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2668 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2668 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1628 wrote to memory of 1872 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1628 wrote to memory of 1872 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1628 wrote to memory of 1872 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1628 wrote to memory of 1872 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1628 wrote to memory of 1872 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1628 wrote to memory of 1872 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1872 wrote to memory of 1436 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1872 wrote to memory of 1436 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1872 wrote to memory of 1436 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1872 wrote to memory of 1436 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1436 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1436 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1436 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1436 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1436 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1436 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe

"C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe"

C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe

C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/1044-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2352-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2352-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2352-9-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2352-11-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1044-7-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2352-5-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2148-21-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 342c1f27b63f3dd81606fe21901ebb65
SHA1 e5438fc895f4c26b7fbd879f7442b19e3f6ed486
SHA256 d78f06f365ab3ce20d8ad4c742fa2d16f8b4cfe82356277a3f291c0ec8edb380
SHA512 590f1a0a7d3ce6b18c9329712bc8d7a1691cea326c898e043dc8520b29e2c98a2464df30e6c4c3d77218a40d6af57a2887d7ab18e1270e069aa8c435ad1a1d97

memory/2148-24-0x00000000001C0000-0x00000000001E3000-memory.dmp

memory/2148-32-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2668-35-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2668-38-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2668-41-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2668-44-0x0000000000400000-0x0000000000429000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 de06521985c90e93cf1bc3b9e5cc0d7c
SHA1 fa9c1fd2898442fbd212c253a791f7022070d7bc
SHA256 b0297f775479413c82d55762e1a97f409eb8cdd93e4b948e645f1280b819c4a5
SHA512 ff76a7fd58302b28c2cb1d187674250988e33e64e533bfd5884abf992213a8a064699dab6e3ba69e4d19974e594f5cf1be03b0f6a323a16a331877b1062163eb

memory/2668-47-0x0000000001FA0000-0x0000000001FC3000-memory.dmp

memory/1628-57-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2668-55-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1628-66-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1872-72-0x0000000000230000-0x0000000000253000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 b5c4f93e9556e1bab078f380f2bb849f
SHA1 2bd76859b82b713fbe08bfee01cda9355d6ed1f8
SHA256 7436a298b9795942e8d034e20fe5468db4de8f80b96f78fbd2585be0df9d4bcc
SHA512 7cffcb00bf0558c822a49283e8bea1cb91d39f2119612771cb26fe9322fa54c89b005b03e6f410d5a4048303b85e4a1887635df943f9a75524bb84322829247c

memory/1436-80-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1436-88-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2108-90-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2108-93-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 23:30

Reported

2024-05-22 23:33

Platform

win10v2004-20240426-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe"

Signatures

Neconyd

trojan neconyd

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 852 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe
PID 852 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe
PID 852 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe
PID 852 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe
PID 852 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe
PID 2132 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2132 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2132 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4364 wrote to memory of 964 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4364 wrote to memory of 964 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4364 wrote to memory of 964 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4364 wrote to memory of 964 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4364 wrote to memory of 964 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 964 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 964 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 964 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2864 wrote to memory of 956 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2864 wrote to memory of 956 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2864 wrote to memory of 956 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2864 wrote to memory of 956 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2864 wrote to memory of 956 N/A C:\Windows\SysWOW64\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 956 wrote to memory of 3060 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 956 wrote to memory of 3060 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 956 wrote to memory of 3060 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3060 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3060 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3060 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3060 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3060 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe

"C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe"

C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe

C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 852 -ip 852

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4364 -ip 4364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 288

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 288

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2864 -ip 2864

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 292

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3060 -ip 3060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 268

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 107.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/852-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2132-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2132-3-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2132-6-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2132-1-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 342c1f27b63f3dd81606fe21901ebb65
SHA1 e5438fc895f4c26b7fbd879f7442b19e3f6ed486
SHA256 d78f06f365ab3ce20d8ad4c742fa2d16f8b4cfe82356277a3f291c0ec8edb380
SHA512 590f1a0a7d3ce6b18c9329712bc8d7a1691cea326c898e043dc8520b29e2c98a2464df30e6c4c3d77218a40d6af57a2887d7ab18e1270e069aa8c435ad1a1d97

memory/4364-9-0x0000000000400000-0x0000000000423000-memory.dmp

memory/964-13-0x0000000000400000-0x0000000000429000-memory.dmp

memory/964-15-0x0000000000400000-0x0000000000429000-memory.dmp

memory/852-19-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4364-18-0x0000000000400000-0x0000000000423000-memory.dmp

memory/964-20-0x0000000000400000-0x0000000000429000-memory.dmp

memory/964-23-0x0000000000400000-0x0000000000429000-memory.dmp

memory/964-26-0x0000000000400000-0x0000000000429000-memory.dmp

memory/964-27-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 e1268c780e8e6bfaa2b333327814d898
SHA1 fe8f2e7a200d2ebf4e952c841159eb885641aa20
SHA256 a3d9414932dae1411388c8bb0aa56f00d0144dfe13ea4b2f7933dc421dd032f8
SHA512 e3b51b50190f99f4d780b700ba386d6da3e9bb3fc170da2346d9f20250681a9dbe6381e6f48f9a2028a417c3afe42ba61f88a4d8b6c36c7c79720e86c79c4e29

memory/964-31-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2864-32-0x0000000000400000-0x0000000000423000-memory.dmp

memory/956-38-0x0000000000400000-0x0000000000429000-memory.dmp

memory/956-40-0x0000000000400000-0x0000000000429000-memory.dmp

memory/956-37-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3060-45-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 3bb9c444c5e4e3b0c1a700e4a1eb85de
SHA1 fedfa290358194f03b650aa5186eefee3422b9eb
SHA256 4837eee11d66048351b0af6cd9b15820d7bb172f35a7df4fdec219be69a4ca90
SHA512 a8c57ace27c781fe9e0b84ed27f48e2d226087f13f798f5bdc25ad16be023373a6036950e12a9e418dfaa389478744f507628d43ed63dc078625ccd2174075b0

memory/3512-50-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3512-49-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2864-52-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3512-53-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3512-56-0x0000000000400000-0x0000000000429000-memory.dmp