Malware Analysis Report

2024-11-16 13:00

Sample ID 240522-gyyq4sef44
Target bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0
SHA256 bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0

Threat Level: Known bad

The file bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Detects executables built or packed with MPress PE compressor

Neconyd

Detects executables built or packed with MPress PE compressor

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-22 06:13

Signatures

Detects executables built or packed with MPress PE compressor

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 06:13

Reported

2024-05-22 06:15

Platform

win7-20240508-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe"

Signatures

Neconyd

trojan neconyd

Detects executables built or packed with MPress PE compressor

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1776 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe | C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe
PID 1776 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe | C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe
PID 1776 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe | C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe
PID 1776 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe | C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe
PID 1776 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe | C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe
PID 1776 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe | C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe
PID 2428 wrote to memory of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2428 wrote to memory of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2428 wrote to memory of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2428 wrote to memory of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1300 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1300 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1300 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1300 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1300 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1300 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2648 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2648 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2648 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2648 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1992 wrote to memory of 1420 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1992 wrote to memory of 1420 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1992 wrote to memory of 1420 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1992 wrote to memory of 1420 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1992 wrote to memory of 1420 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1992 wrote to memory of 1420 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1420 wrote to memory of 1200 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1420 wrote to memory of 1200 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1420 wrote to memory of 1200 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1420 wrote to memory of 1200 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1200 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1200 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1200 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1200 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1200 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1200 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe

"C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe"

C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe

C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

memory/1776-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2428-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1776-7-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2428-9-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2428-11-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2428-5-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c4a260aaa40a732d97d50733f2f47a10
SHA1 6980207f7d2cfaf33431c66c5929173c2a04b5bb
SHA256 28f99d059a40c7e6eef9b76ea676d59377426dd0df0b242a14d1ca55f50a4cc5
SHA512 d127a4a6edf4c65bcc9cf465829711b974a83161ff7f8525fbf1af34a888627270b532c0c1e7bf3641ceffd37fd4be2319f5108c7e2f4d789d4cc1ccab287839

memory/1300-21-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2428-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1300-31-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2648-34-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2648-37-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2648-40-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2648-43-0x0000000000400000-0x0000000000429000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 a80d86648a758af8cd2f4b166e67a3ff
SHA1 0dd5f39775fc203a2c6146e2f8473dc78247221a
SHA256 1fb17ebe4c5ab335cef3143ac01f6078dcc4a8b0084db90ba2d742b6a7b25840
SHA512 8b14e0b43600b4f811d6d73136f7a5271abea80cc337950a492d9525e3c11211f524c9a1b8537d6787846d42e197aceba31b49491f0e3e07ea1c45c8bc566473

memory/2648-46-0x0000000000630000-0x0000000000653000-memory.dmp

memory/1992-56-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2648-54-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1992-64-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1420-71-0x0000000000230000-0x0000000000253000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 896810570a7067d7edc689415ac74a9a
SHA1 34313b3e16f76435cdd743e9d0ebd3b3d1d28aa6
SHA256 c64976a3a53d77815913004c0e297a61faf3bbd8986843e28ea58ee7dbf4b45e
SHA512 1738a8e021f042d8ed763c35c9a102f6f10cc52e690d6feb570d05cd98adf94dd90b1dd52d1b455d3615d091d2729d1a8ec6fbf399ba95447cce0fba03a538ed

memory/1200-79-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1200-87-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2080-89-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2080-92-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 06:13

Reported

2024-05-22 06:15

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe"

Signatures

Neconyd

trojan neconyd

Detects executables built or packed with MPress PE compressor

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4728 wrote to memory of 4608 | N/A | C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe | C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe
PID 4728 wrote to memory of 4608 | N/A | C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe | C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe
PID 4728 wrote to memory of 4608 | N/A | C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe | C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe
PID 4728 wrote to memory of 4608 | N/A | C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe | C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe
PID 4728 wrote to memory of 4608 | N/A | C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe | C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe
PID 4608 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4608 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4608 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2556 wrote to memory of 3596 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2556 wrote to memory of 3596 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2556 wrote to memory of 3596 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2556 wrote to memory of 3596 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2556 wrote to memory of 3596 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3596 wrote to memory of 3680 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3596 wrote to memory of 3680 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3596 wrote to memory of 3680 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3680 wrote to memory of 2908 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3680 wrote to memory of 2908 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3680 wrote to memory of 2908 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3680 wrote to memory of 2908 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3680 wrote to memory of 2908 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2908 wrote to memory of 5236 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2908 wrote to memory of 5236 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2908 wrote to memory of 5236 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 5236 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 5236 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 5236 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 5236 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 5236 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe

"C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe"

C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe

C:\Users\Admin\AppData\Local\Temp\bc3a24b871881c766f0a1c1fa42c4c22a7ef1c54fdd478c0cc70e67fa7cdadd0.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4728 -ip 4728

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2556 -ip 2556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 288

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 288

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3680 -ip 3680

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 292

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5236 -ip 5236

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 256

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

memory/4728-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4608-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4608-3-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4608-2-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4608-5-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c4a260aaa40a732d97d50733f2f47a10
SHA1 6980207f7d2cfaf33431c66c5929173c2a04b5bb
SHA256 28f99d059a40c7e6eef9b76ea676d59377426dd0df0b242a14d1ca55f50a4cc5
SHA512 d127a4a6edf4c65bcc9cf465829711b974a83161ff7f8525fbf1af34a888627270b532c0c1e7bf3641ceffd37fd4be2319f5108c7e2f4d789d4cc1ccab287839

memory/2556-11-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3596-14-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3596-16-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4728-18-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3596-19-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3596-22-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3596-25-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3596-26-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3596-30-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 cf9243f74b404b3b0adde888299a34da
SHA1 9186920681fb0f3b7fc6678fddd8e8cae0e6a5fd
SHA256 e5846937f03ae782fd092b133b7392bbefa4e60fdf5e2f6e96cfcf45b0fce93c
SHA512 149cc2f4a628a25301fc30db53bd6e1a02e73503b68234b423a7d8ab321bb9f4e10b03258eed861f34ce41166203b40f28e558e9f5354bf2b83b19932a10fd92

memory/3680-33-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2908-37-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2908-36-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 88a3f2fd465416135c2a5e811bf6d469
SHA1 eb58a85ea912dc9007d1abfeb9e6ad9a5f250ce2
SHA256 6dfc90dba379e07661498b7ae658b7780e870304506b36d97f1f866cfed12102
SHA512 0b87203bb7c806adb2c2c87dc0e6c8a8527a2c974dfa0effe5419a85b0985710978b97544f4fe54fe56683c15e3380b3829efacc8f52f30c95ded578953bed62

memory/2908-40-0x0000000000400000-0x0000000000429000-memory.dmp

memory/5236-42-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2636-48-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2636-47-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3680-51-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2636-52-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2636-55-0x0000000000400000-0x0000000000429000-memory.dmp